Unspoken Security

Is All Social Engineering Malicious?

AJ Nash & Stryker Season 1 Episode 59


Social engineering has a reputation problem. Most people hear the term and think phishing, scams, and threat actors. AJ Nash and guest Ashley Stryker push back on that framing in this episode of Unspoken Security. The conversation opens by defining social engineering on its own terms: the act of understanding how people work and using that knowledge to get them to take a specific action. The technique itself is neutral. What determines whether it crosses a line is motive and outcome.

From there, the conversation moves into the mechanics. Urgency is one of the most effective social engineering tools threat actors use because time pressure cuts off critical thinking. Stryker argues that the real defense is not training people to recognize a specific type of phish. It is training them to pause before acting on anything that creates pressure around money or security. She also makes a pointed case against security awareness programs that raise awareness without giving employees something concrete to do. Information alone does not change behavior. Action does.

The episode closes with the show's signature "unspoken" segment, where Stryker shares the full story behind why she goes by her last name. It turns out there are several reasons, including a divorce, an ex-husband with the same first name, and a deliberate operational security strategy she has used since entering the cybersecurity field.


Unspoken Security Episode 59: Is All Social Engineering Malicious?

[00:00:00] Ashley Stryker: Security awareness training can go bite me. It's the worst name ever because raising awareness does nothing unless you talk to the right person and give them an action to take. That is social engineering.

[00:00:56] AJ Nash: Hello, and welcome to another episode of Unspoken Security. I'm your host, AJ Nash. I spent about 19 years in the intelligence community, mostly at NSA, and I've been building and maturing intelligence programs in the private sector for about 10 years now. I'm passionate about intelligence, security, public speaking, mentoring, and teaching.

[00:01:10] AJ Nash: I also have a master's degree in organizational leadership from Gonzaga University. Go Zags. I continue to be deeply committed to servant leadership. This podcast brings all these elements together with incredible guests to have authentic, unfiltered conversations on a wide range of challenging topics.

[00:01:22] AJ Nash: It's not your typical polished podcast. My dogs make occasional appearances. People argue and debate here. We swear — I certainly do plenty of that — and that's all fine. Think of this podcast as a conversation you'd overhear at a bar after a long day at one of the large cybersecurity conferences we all attend. These are the conversations we usually have when nobody's listening.

[00:01:37] AJ Nash: Today I'm joined by a good friend of mine, Ashley Stryker, who just goes by Stryker. She's the Director of Threat Analysis at Fable, and she spent over 10 years translating technical research and qualitative intelligence into the "so what" and "what now" materials that keep more people safe and secure.

[00:01:55] AJ Nash: She previously produced threat intelligence across financial services, cybersecurity vendors, and early-stage startups, including Ivanti, Blackpoint Cyber, and Geico. You'll usually find her running tabletop exercises after her talks at Sector or DEF CON and conferences around the country. She lives in Maryland, growing parsley for butterflies and algae for shrimp. Is there anything you want to add to that bio?

[00:02:17] Ashley Stryker: Hi! I'm really excited to be here. AJ's been doing this for many years now. He was just getting this off the ground when we first met.

[00:02:26] AJ Nash: I was actually a guest on your podcast at the time.

[00:02:27] Ashley Stryker: Yes — and it's only taken three years for you to return the favor.

[00:02:33] AJ Nash: I don't have an answer for that. It's a fair point, and a lot of people say the same thing.

[00:02:39] Ashley Stryker: The only thing I'd add is that I spent over a decade doing in-depth research producing things people find valuable — in a different career — and it turns out that intersected very nicely with threat intelligence. I've been doing threat intel for a number of years now. I've spoken at conferences about how I made that pivot. But what many people might not know is that AJ is actually one of the primary reasons I ended up in threat intel.

[00:03:09] Ashley Stryker: There's a long-since-deleted Signal thread in which I told AJ I got along much better with the cybersecurity folks than I did with my direct team, and I was thinking about pivoting in but wasn't sure what I wanted to do. He asked a terrible question, which was: "What do you like in cyber?" I remember sending about eight multi-paragraph text messages in response.

[00:03:34] AJ Nash: It was quite a read.

[00:03:37] Ashley Stryker: He said, "You really need to niche down and pick one thing." I don't even think he read all of it — which, honestly, is fair.

[00:03:44] AJ Nash: I probably read enough. I remember thinking, "That's a lot she's got on her mind." But I read through a fair amount of it, and I do remember saying, "You're going to have to slim this down. There's a lot of everything."

[00:03:58] Ashley Stryker: I ended up picking his brain a lot about what private threat intel looked like. I've never worked in the military. I was a contractor for the DOD in a previous life, but never doing clearance-level work directly. I knew the private sector was my path, and AJ has contacts, connections, and practical advice on what it takes to do well. It's served me well.

[00:04:21] AJ Nash: Glad I could help. Listen — you're very bright, talented, and genuinely great to work with. You've earned every bit of where you are. Occasionally people ask me questions and I give whatever advice I have, and I guess sometimes it's useful. I'm glad this was one of those times. And I'm excited to have you here as a full-fledged intel professional. You got a director title — Director of Threat Analysis. That's a big deal.

[00:05:08] AJ Nash: So today we're talking about social engineering. We'll give a brief foundation for anyone who isn't familiar, but social engineering is a pretty common challenge in industry and in life generally. I want to dig into it with someone who knows a lot about this and have what I'd call an ethical discussion — not theological, ethical — about it. In your own words, for the uninitiated: what is social engineering?

[00:05:34] Ashley Stryker: Social engineering depends on the audience you're speaking to. In the cybersecurity context most people know it from, it is weaponized by threat actors frequently and is one of the top — if not the top — cumulative vector for initial access, though it also plays a significant role in lateral movement, persistence, and especially reconnaissance.

[00:06:00] Ashley Stryker: As a rule, social engineering is about how you hack people. The same way hackers find the edge cases in systems — the cracks — and use tools in ways they weren't designed to be used to further their own goals. That makes hacking an ethically neutral activity. It's threat actors who abuse it for criminal purposes. And it's very creative, fun people who use those same skills for things like knitting chain mail purses. That's not what chain mail is for, but it makes a really interesting item.

[00:06:45] Ashley Stryker: In the same way, social engineering is pressing buttons in human psychology. It's not a matter of being smart. It's always a matter of context — where you are, who you are, and what the goal is. It is simply the act of consciously knowing how people work and deliberately doing something to get a person to act the way you want.

[00:07:13] Ashley Stryker: That is how I have approached social engineering — both in my previous career as a content marketer, where I created things and wrote copy to convince people to take actions they otherwise wouldn't have taken, and in what I do now as Director of Threat Analysis at Fable. My big claim to fame, as AJ mentioned, is that I can translate very technical things up the chain to leadership in a way that makes them understand why something matters and why they — or the company — would benefit from taking the recommended security actions. As opposed to slinging a 20-page PDF over the fence and calling it done because we worked hard on it and they should just listen.

[00:08:03] Ashley Stryker: How well has that approach worked for your patch program?

[00:08:15] Ashley Stryker: One of the things I didn't fully understand until I started working at Ivanti — one of my mentors there, Chris Goettl, a great person — said, "You realize what you're doing is social engineering." I asked, "What's that?" I read a book on a plane to a conference and thought, "This isn't hacking. This is just being polite."

[00:08:23] Ashley Stryker: Cialdini's "Influence" is an absolutely foundational text. I don't have it on my bookshelf right now because I gave it to someone and they never gave it back — I think I've bought it three times. Two other books I keep within reach are "Made to Stick" and "Contagious." I spent over 10 years working on persuasive writing to move people.

[00:09:08] Ashley Stryker: If you look at the rhetorical triangle from your English lit days: persuasion by authority — ethos; persuasion by emotional appeal — pathos; persuasion by logic — logos. Security over-indexes heavily on authority. "You hired me to be the expert, so just listen because I said so." And logos: "This is what the data says" — which is also a side case of "trust me, bro" because nobody else knows what the acronyms mean. And yet even people who say they're data-driven frequently justify emotional decisions by cherry-picking data.

[00:09:56] AJ Nash: People are data-driven until they don't like the data. I've often said the same thing about people who say, "I respect honesty, I want honesty." They don't actually want to be told something they don't want to hear. I've made that mistake — believed someone was deeply committed to honesty, gave them a brutal truth, and then found something else to do with my time when I was no longer invited back.

[00:10:16] AJ Nash: People will say all sorts of things and may even believe them. People who say they care about honesty or data aren't lying — it just becomes inconvenient. One thing you mentioned that I want to flag for listeners: you referenced Cialdini's "Influence." He identifies seven principles of persuasion. I'll run through them quickly.

[00:10:32] AJ Nash: Reciprocity: people feel obliged to return favors. Commitment and consistency: people want to be consistent with their past public statements. Social proof: individuals look to others to determine their own actions. Authority: people tend to follow perceived experts. Liking: people want to be liked and want others to like them. Scarcity: items and opportunities appear more valuable when they're limited. And unity: focused on shared identity — creating a "one of us" feeling. Every one of those, you've experienced in every sales pitch ever.

[00:11:11] AJ Nash: There's a fine line between social engineering and marketing. But the bigger question isn't just that social engineering exists — it's how it's used. Is it ethical? Is it unethical? Those concerns matter more to people than the technique itself. Just like hacking isn't always bad — though people picture someone in a black hoodie doing nefarious things — the same misconception applies to social engineering. So: is social engineering manipulation? Is it always bad?

[00:12:07] Ashley Stryker: Hi, Shawn from Cloud Security Office Hours. I'm officially getting on a soapbox for this one. Shawn doesn't think any social engineering is ethical. He said this recently, and I had a moment of, "Huh..."

[00:12:21] AJ Nash: Shawn's wrong.

[00:12:23] Ashley Stryker: Shawn's wrong. It has to do with the public perception of social engineering. Traditional cybersecurity professionals have aligned it exclusively with attack chain behavior — and that's where most people encounter the term. But in the same way we've incorrectly attributed hacking exclusively to threat actors when it's really an ethically neutral activity —

[00:13:02] AJ Nash: One hundred percent.

[00:13:03] Ashley Stryker: For me, the question is: does it manipulate? Do you have an ethical foundation? Are you deliberately deploying a persuasive technique, a bias? Are you doing something on purpose? And do you know whether the other person will be better or worse off after they act?

[00:13:28] AJ Nash: I think a lot of it comes down to motive. And I can already hear the audience: "Do you think the other person would be better off?" And those people are right — you don't get to decide what "better off" means for someone else. There's real subjectivity here.

[00:13:45] AJ Nash: If your goal is to manipulate someone for your benefit alone, your motives probably aren't pure. If you believe it's for the greater good, it gets into gray area. I understand the position that it's always wrong — I don't agree, but I understand it. You could argue manipulation is always wrong, the same way you could argue lying is always wrong.

[00:14:15] AJ Nash: I'm a huge believer in honesty, even when it's uncomfortable. But lying is not always wrong, and if you disagree, I can probably prove you're a hypocrite. At some point, someone asked you, "Do you like this haircut?" or "How did I do in my speech?" And you didn't say "Terrible." You were kind. At least once in your life you've told a friendly lie because you didn't want to crush someone you love. So don't tell me it's always wrong.

[00:14:51] Ashley Stryker: Let's take urgency. At Fable, we do a lot of analysis of artifacts threat actors leave behind in social engineering campaigns. One of the things I do is look for patterns beyond just one specific incident — broader patterns I can use to train employees in a way that generalizes. Instead of, "Watch out for this one thing," we step back. Urgency is a great example.

[00:15:20] Ashley Stryker: Any kind of time pressure — biologically, if you believe you don't have a lot of time, it cuts off your critical thinking. The faster a threat actor can get you to take action, the less likely you are to stop and think, "This doesn't feel like the normal process." The remediation isn't about the specific click. It's about the pause. Train your employees to wait before acting on anything involving process or finances, and you've neutralized the urgency tactic at its root.

[00:16:00] Ashley Stryker: Threat actors deploy urgency constantly: "You need to respond within 20 minutes..." I almost fell for exactly this when I worked for Ivanti. I was on my phone, creating content about cybersecurity — patches, risk, prioritized exploits. I got an email: "We're going to shut off Ivanti's Facebook ads account in 24 hours if you don't act now." I didn't click, thank God. I just forwarded it to my boss and the person who managed the ads platform and said, "I just got this. Can you go check we're okay?" I thought it was legitimate.

[00:16:56] Ashley Stryker: They came back and said, "No, this isn't real" — and the domain was something obviously fake. Had I been on a desktop, I would have seen it immediately. But I was on my phone. It's always about context.

[00:17:13] Ashley Stryker: People aren't stupid. It was that urgency — hitting me at exactly the right moment, on my phone, knowing a multimillion-dollar campaign was about to go live — that triggered the response.

[00:17:31] Ashley Stryker: Contrast that with a reminder email: "You signed up for a webinar — 24 hours left. Go ahead and register. I'll send you the recording if you can't make it." Same urgency tactic, used in a context where the person would genuinely be better off taking advantage of it. It's a rhetorical tool that threat actors abuse because they know you'll be worse off when you click — they're taking your credential. When I use it, I'm trying to make something genuinely worth your time.

[00:18:34] AJ Nash: Let's be honest — I've never met a company that said, "I'd love to take your money, but you don't need this, so put your checkbook away." But that's not nefarious in itself. I've never walked into a business discussion without the other person knowing I work for a for-profit company. I've said in rooms, "This is a for-profit company, so at some point there will be a number attached to this conversation." That's not wrong. That's being upfront. That's business.

[00:19:03] AJ Nash: It's okay for something to be a win-win. You're trying to help someone because you think it'll benefit them. If it does, yes, you'd like them to pay. Nothing wrong with that. You're not stealing from them. Threat actors are going to commit a crime. They don't care what you want. There is no quid pro quo — just "I'm taking your things and you get nothing in return." Business, at minimum, involves free will. Sure, marketing is full of manipulation — call it what it is, or call it influence. Marketing and sales exist to get you to want something that you'll then pay for. There's nothing inherently nefarious about that.

[00:20:14] AJ Nash: Social engineering has just been lumped in with bad. Email is the number one threat vector — phishing — and social engineering makes phishing better. The more a threat actor knows about you, the more precisely they can build their lures. That is nefarious. Their goal is crime. There is no other goal.

[00:21:36] AJ Nash: Anyone who has ever managed up in an organization has done social engineering, whether they realize it or not. If you haven't had to manage up, you've either worked at some of the healthiest organizations ever or you haven't been in business long enough. Anyone who's been around a while has had to figure out how to influence a difficult leader — someone who doesn't listen, is toxic, arrogant, or just hard to work with.

[00:22:17] AJ Nash: You can't just tell your boss, "You're wrong, you should listen to me." That won't go well — I can confirm from experience. So the question becomes: how do I get this person to see things differently? The moment you ask that question, you're on the path to social engineering. You're figuring out what this person respects, how they consume information, what it would take — and how to make them feel like the idea was theirs all along. Some brilliant social engineers have done exactly that and left the other person completely convinced it was their own idea.

[00:23:01] AJ Nash: Anyone who has managed up knows how to do this, even if they don't realize it. And the gap between ethical and unethical still comes down to motive. If you're being dishonest and making decisions about what's better for someone else without their knowledge, you could argue that's unethical.

[00:23:18] Ashley Stryker: If you're lying — if you're effectively lying to advance whatever you're trying to do — that's a sign you're at least on the edge. There are reasons to lie, of course. The classic example is spies. Intelligence assets have to lie to survive, and they do it in service of a greater good. Not all lying is bad. But in a personal or professional context, for most of us, if you find yourself lying to convince someone to do something, the greater good you're serving needs to be much bigger than "I want a raise" or "I don't want to learn this new tool." If it impacts customers, if it affects more people — that's where you do your risk analysis. That's a meaningful signal of whether you've crossed the line.

[00:24:35] Ashley Stryker: When I first started learning about social engineering, I was excited to find there was a vocabulary for things I'd been doing for years.

[00:24:48] Ashley Stryker: I told my boss, and she freaked out. I said, "I think I'm a social engineer" and pointed to all the things I was doing. She said, "Don't share that with anyone. Don't talk about it." And she wasn't wrong — because the perception is that you're manipulating people all the time.

[00:25:08] Ashley Stryker: The flip side: I've had people find out I was accepted to speak at a conference my first year in the industry — after being actively discouraged from applying by people close to me who said, "You don't have anything to say yet." And when I got in, they said, "Well, of course you got in — you know how to phrase things. You manipulated them. You got in over someone who deserved it more just because you're better with words."

[00:26:04] AJ Nash: You don't know who didn't get in. Nobody can say you got in over someone who deserved it more unless they're saying they were rejected and they're upset about it. And being good with words is kind of a large part of presenting, isn't it? If you're brilliant but can't put three sentences together, submit a paper and let people read it. Don't get on stage. That's just how it works. Terrible criticism. And I'll say the obvious thing.

[00:26:36] AJ Nash: These were all men, right? Every single one of them. The people who told you that you had nothing to say or that you didn't deserve to be there — all men. Some guy didn't get in, got angry, and pointed the finger at a woman. There was probably another guy on stage who didn't belong there, but no — let's go after her. That is terrible behavior, full stop.

[00:27:09] Ashley Stryker: There is a real bias. My transition into cybersecurity was twice as difficult as it would have been in most other industries — not because of the subject matter, but because I didn't come up through the traditional IT help desk or military pipeline. I came from marketing, which everyone associates with lying and manipulation.

[00:27:35] AJ Nash: Not entirely untrue.

[00:27:38] Ashley Stryker: But here's the thing — we're literally discussing the difference right now. My definition of manipulation is this: I know, or at least suspect, that someone will not be better off for the interaction, and I've convinced them to act anyway.

[00:28:10] Ashley Stryker: Marketers have poisoned that well. We keep coming back to urgency, and one of the core messaging tactics in cybersecurity is fear, uncertainty, and doubt — FUD.

[00:28:26] AJ Nash: Very common in cybersecurity marketing.

[00:28:32] Ashley Stryker: Because everyone knows you only get security budget when there's been a breach. Which isn't actually true, but that's the assumption. It's a lazy tactic, and it ruins your credibility if you over-rely on it. To the point where I refuse to report on breaches at Fable unless something actionable came out of them.

[00:28:56] Ashley Stryker: I wrote a full article the day after the Stryker Orthopedics breach was announced: "Do you need awareness training for this?" The TLDR: no. Because at that point, we had no idea how attackers got in. There was nothing a typical end user could do differently. Sending a panicked email would have been security theater — pandering to executives while accomplishing nothing for the people who actually needed to act.

[00:29:45] Ashley Stryker: It turns out, with moderate confidence, they likely got in using years-old team credentials that hadn't been rotated — pulled from an infostealer three years prior. And anyone suggesting MFA should have been deployed on a team-based shared service account: go ahead and try that and see how it goes. There was also a clear bystander effect. Everyone assumed someone else would handle it. Nobody owned it, so nothing happened.

[00:30:09] Ashley Stryker: The right response would have been targeted training: "Here's what happened. If you own a team-based shared account, assign one person as responsible. When an alert fires, that person notifies the inbox, changes the password, and documents it." I had people wanting to blast urgent alerts about script kiddie hacktivists making noise because a headline said they should. That does nothing except drum up fear in your own employees.

[00:30:40] Ashley Stryker: There's a cognitive loop at play here. One of my founders — who has a doctorate in behavioral psychology — talks about it. It's this psychological need to complete an open action. A great example of someone who does this well: John Oliver. Regardless of your politics, go watch his net neutrality video — 25 minutes of comedy on one of the driest regulatory topics on Earth.

[00:31:09] Ashley Stryker: He raised awareness for the problem. He explained what bad outcome would follow if nothing changed. And then he told viewers exactly where to go and what to submit. He gave them an action. You know what happened? They crashed the FCC website. That's what happens when you give people something to do — they do it.

[00:31:46] Ashley Stryker: If you just raise awareness without that step, security awareness training can go bite me. It's the worst name ever. Raising awareness does nothing unless you give the right person a clear action to take. That is social engineering. It requires knowing what action you want someone to take and driving them toward it. Otherwise you create discomfort without resolution — the same feeling you get reading statistics about global poverty with no sense of what you can actually do about it.

[00:32:52] Ashley Stryker: Always give someone an action to take, and make it proportional to what you've given them. Information alone isn't enough to generate reciprocity. It's about how you make them feel, and whether taking the action feels better than not taking it. That is what security training should do at its core. Make the secure action easier and feel better than the insecure one. Make your users feel like they're fighting bad guys — not like they're being caught doing something wrong.

[00:33:19] Ashley Stryker: CrowdStrike idolizes threat actors for exactly this reason. It's a powerful persuasive technique. Create a character. Tell a story. People are hardwired for stories. They turned threat actors into supervillains so that the average cybersecurity professional feels like a superhero.

[00:33:42] AJ Nash: That's great marketing. What you're describing with the need to close the loop — that's the Zeigarnik effect. A 1920s psychologist, Bluma Zeigarnik, had a theory about open loop tension. When someone starts something, they feel a constant pull to finish it. As someone with ADHD, I experience this constantly. You start 68 things, never finish them, and just accumulate stress until six months later when you realize you never needed to do any of them. Welcome to ADHD. The Zeigarnik effect is exactly what you were describing.

[00:34:32] Ashley Stryker: Cybersecurity marketing has leaned way too heavily into the FUD playbook. There are times when communicating urgency is genuinely appropriate — not all campaigns, not all marketers. But there is a whole toolbox available if you actually understand social engineering and persuasion. You can build credibility and use different techniques for different audiences in different contexts.

[00:35:04] Ashley Stryker: Learning social engineering made me more ethical because I could act deliberately instead of accidentally. I always knew that certain things triggered certain reactions — but it was intuitive, built from years of writing experimentation. It wasn't until I could map those experiences to specific named techniques that I understood what I was actually doing. Now I'm much more aware of when I'm using a technique, in person or in writing. I was more dangerous as someone who was naturally persuasive without realizing it than I am now, choosing my tools consciously.

[00:36:01] AJ Nash: That's an interesting learning experience. And often the opposite is true depending on how someone comes in. Someone with good motives who studies these techniques realizes, "I've actually been getting people to do things they didn't really want to." Versus someone who learns this specifically so they can get people to act against their own interests.

[00:36:26] Ashley Stryker: Pickup artistry.

[00:36:27] AJ Nash: Exactly. The goal is to get someone to make a decision that isn't in their best interest. To convince them you're a worthy prize when you may not be. A lot of those techniques also involve more nefarious tactics — like convincing someone to feel less confident about themselves. "She thinks she's out of your league? Make her not think that." Which is awful. But it is absolutely social engineering.

[00:42:32] Ashley Stryker: It's a very effective tactic, and it maps to scarcity and unity — "be the thing other people can't have." Pickup artistry takes the natural elements of courtship and weaponizes them. What makes it pickup artistry rather than just good social skills is the element of manipulation — presenting a false image — where the other person ends up worse off because of what you did.

[00:43:06] Ashley Stryker: I've actually had a conversation with friends about whether I'm being unethical by using a dating app, given that I spent years in copywriting, crafting small things designed to get people to take the action I wanted. Am I packaging myself too precisely?

[00:43:29] AJ Nash: But are you lying about yourself?

[00:43:32] Ashley Stryker: No — but there's always strategic presentation involved.

[00:43:34] AJ Nash: That's just marketing. Marketing yourself is acceptable. Social engineering is a different thing. You're not lying. You're saying: "I'm this person, these are the things I like, this is my experience." Whereas many dating profiles are entirely fictitious. Or take someone who says, "I work in the defense department, I can't really talk about my job" — and it turns out they're on the Pentagon cleaning crew. They didn't technically lie, but they created a completely false impression. That's manipulative. Putting your best foot forward is expected. Everyone on a dating app is trying to attract opportunities. You're fishing — not throwing dynamite in the water.

[00:45:04] Ashley Stryker: This brings us back to leaving someone better off versus lying. Here's something I'd encourage anyone who thinks social engineering is irredeemable to think about: reciprocity. The first time I encountered it, I thought it was nonsense. I was on a plane and I read the line, "Even a smile can trigger reciprocity." I thought, "That's ridiculous. It's just manners."

[00:45:37] Ashley Stryker: So I was on a plane to a conference. The flight attendant walked by wearing a deep purple cardigan — my favorite color. It was genuinely a nice sweater. I said so and smiled. When she came around with drinks, I got the full can of ginger ale instead of the third they usually pour. I thought: "I just found a cheat code." And it really does work.

[00:46:29] Ashley Stryker: More to the point — at work, when I need to work with stakeholders, I learn their goals first. What is their team supposed to accomplish? What are their roadblocks? And then I make a very small ask. "Can you point me in the right direction? Would you mind taking a quick look at this?" The equivalent of a work smile.

[00:47:12] Ashley Stryker: And the key is closing the loop. After they contribute, you go back and thank them specifically. "Because you helped me with X, we were able to achieve Y, as measured by Z." That's the moment that matters. They feel seen. They feel like their expertise moved something.

[00:47:52] AJ Nash: And they'll help you the next time.

[00:47:55] Ashley Stryker: Every time. It's such a simple thing — listening to someone. Back to active listening. You listen, you contextualize the ask around what matters to them, not just why it helps you. And then you always go back and say, "Thank you. Because of what you did, we were able to accomplish this." Technical and security people especially — they often feel like their expertise goes unrecognized. Acknowledging it genuinely goes a long way.

[00:48:48] AJ Nash: "How to Win Friends and Influence People" is a famous book for a reason. Understanding what people respond to and appealing to that — as long as you're genuinely being yourself — isn't necessarily manipulation. It's that fine line of knowing your true self. If you're playing a role and you know these people would dislike you if they saw your actual values, you're a jerk. But if you're amplifying things that are genuinely who you are, you're just accelerating the process of letting people see that.

[00:49:18] AJ Nash: One more quick example on managing up. You have an idea that needs to get through. Instead of presenting the idea directly, you present the question. You already know where you want to land — but you lead with a discussion about the challenge. "I wish I could help with this more. I was thinking it through. I'd really value your perspective." Then you ask questions that lead toward the answer: "What if it were this?" "Has anyone tried this before?" "I know you did something similar successfully — what do you think about this approach?" Don't make it about you.

[00:50:11] AJ Nash: That person now hears that you respect their opinion, that you know their track record, that you value their authority. The conversation leads somewhere. Eventually they arrive at a conclusion — which was your idea all along. Now it's their idea. And now it has a real chance.

[00:51:08] AJ Nash: If you'd walked in and said, "I think we're doing this all wrong," it would have fallen flat. You've taken a longer path — but this person believes it was their idea, it's got a better chance of actually happening, and you've built goodwill in the process. Is that manipulative? By definition, maybe. Is it nefarious? No. You're not even getting credit — you're giving away the idea just to get the right outcome.

[00:51:43] Ashley Stryker: That only holds up if you genuinely believe the outcome needs to happen and the other person will benefit from it. That's the only case where I'd call it ethically twitchy.

[00:51:53] AJ Nash: It took me a long time to learn that getting the right solution matters more than getting credit. Some people call it office politics. You figure out what motivates the person you're dealing with and lean into the things you genuinely have in common.

[00:52:28] AJ Nash: Everyone listening has been in a conversation where someone said something they cared deeply about, and you couldn't have cared less, but you leaned in anyway and said, "I love that too." That's social engineering. You want to create a bond, a sense of shared ground, because it helps you get to what you actually want to discuss. It's mostly harmless. It gets complicated when they invite you to a cat festival and now you've committed to something.

[00:52:56] Ashley Stryker: From a persuasion and context perspective: the phishing emails that get clicked most often, based on my analysis across multiple environments, are the ones that look like they belong. They look like a file the recipient regularly opens. They don't need to perfectly mimic the environment — a Windows phish sent to someone who doesn't use Windows misses for that person but hits someone else. Context is always the variable.

[00:53:35] Ashley Stryker: Same principle in professional persuasion. If I'm communicating with an executive who is clearly meticulous about their appearance and presentation, I would not lead with sports metaphors. I'd approach them differently than someone who assumes all men respond to the same framing. Using context to build an emotional connection isn't manipulation — it's being persuasive because you understand what actually moves someone.

[00:54:46] Ashley Stryker: If someone likes cats, I'm not going to lead with my fish. I might bring up my dog. That's one of my rules for social engineering: I don't lie. I present strategic truths. I wouldn't pivot to something I have no genuine connection to. I might say, "Do cats cuddle? I love when my dog does that." You find the truths that genuinely connect. Don't lie your way to the cat festival.

[00:55:37] AJ Nash: Always a danger. There are ways to social engineer back out of those situations. But it's the same fine line — where social engineering ends and lying begins. We need to wrap up. We've left a lot on the table and we'll probably do this again.

[00:55:50] AJ Nash: But I do want to get to the end of the show. The last question every guest gets, no exceptions: the name of this show is Unspoken Security. Tell me something you've never told anyone. Something unspoken.

[00:56:10] Ashley Stryker: I had a couple of ideas. One involved my hair. But the one I want to go with ties back to strategic truth-telling. Since I came into cybersecurity, I've been social engineering my own identity for several different reasons — in how I write, what I present, and how I contextualize my previous career. I don't lie about it. I contextualize it. Specifically: my name.

[00:56:30] Ashley Stryker: I go by Stryker — S-T-R-Y-K-E-R — just like the medical company that got hacked, which is partly why I had to write that breach article. I found out about the breach because ten "RIP Stryker" memes landed in my threat intel feed that morning.

[00:56:55] AJ Nash: I imagine if Nash Coffee ever got hacked, I'd probably hear about it too.

[00:57:01] Ashley Stryker: Lots of people assume it's a handle. It is truly my last name. At least once per conference, someone says, "I'm too old for that handle stuff," and I say, "Congratulations — you're today's person who gets to see my license."

[00:57:17] AJ Nash: Please stop showing people your license. We just had a whole conversation about men misreading signals.

[00:57:26] Ashley Stryker: Fair. But the question comes up enough that I've never answered it fully — all at once — until now. Here we go.

[00:57:32] Ashley Stryker: First reason: it's just cool. I lucked out with my last name. I've gone by it since high school — my youth pastor started it. One teacher thought it was disrespectful that my best friend called me by my last name. I had to explain that my pastor was fine with it, and that my French teacher heard everything anyway, so Stryker was fine.

[00:58:01] Ashley Stryker: Second reason: there are too many Ashleys. It was like living inside the Recess cartoon — the Ashleys Club, Ashley P., Ashley S., Ashley T. I was Ashley S. for all of elementary school. It sucked.

[00:58:26] Ashley Stryker: Third reason — the OPSEC one: when I go to DEF CON or BSides, people assume it's a handle and don't look any deeper. They think they already know the answer, so they don't bother. That is actually one of the best operational security protocols I've ever used. Tell enough of the truth that someone doesn't feel the need to dig deeper.

[00:58:55] Ashley Stryker: Fourth: when I came into cybersecurity, people would walk into a room where my headshot was clearly on the workshop materials and be visibly surprised that a woman was giving the talk. Going by Stryker let me sidestep some of that gender bias. There are a lot of Ashleys in cybersecurity marketing — I don't know why — and the name didn't always carry the authority I needed.

[00:59:46] Ashley Stryker: And then the fifth reason — the one I usually save for when someone is being a real jerk about it. I'm divorced. My ex-husband is an identity and access management developer at a French tech company. His first name is Ashley — spelled exactly the same way. I was transitioning into cybersecurity around the same time as the divorce. Every time someone called me Ashley, I had a physical reaction to my own name. So I said, "Just call me Stryker. I used to go by this in high school." And it stuck.

[01:00:33] AJ Nash: So your ex-husband's name is Ashley. Your name, though you don't go by it, is also Ashley. And when you got married, you didn't change your last name?

[01:00:43] Ashley Stryker: No — his last name is nowhere near as cool as mine. We tried to puzzle it out during the engagement. Nothing worked. The deal was I'd keep my maiden name and our son would have my ex's name. We have gotten each other's medical records. It has been a nightmare.

[01:01:12] Ashley Stryker: One of our friends even suggested we name the baby Ashley too, so we could do a whole thing with a shared family name. We received formal wedding invitations addressed to "The Ashleys." And for years during the marriage, I went by Lee — because my ex went by Ash.

[01:02:34] AJ Nash: I had to ask Stryker before this episode what her first name was. I've known her for years and had completely forgotten. I just knew it started with A. She has successfully rebranded to the point where even a close colleague forgot her first name. She social engineered her entire identity.

[01:03:17] Ashley Stryker: His name was on the dating app, and I thought, "I at least have to say hi to a fellow Ashley."

[01:03:24] AJ Nash: See how that worked out.

[01:03:27] Ashley Stryker: We had a very lovely relationship until we outgrew each other. He is a wonderful dad, and I genuinely cannot ask for more. And to anyone with kids who is considering separating: if you do it right, divorce just means there are more grown-ups who love your child.

[01:03:59] AJ Nash: So you're social engineering your kid into being okay with the divorce. Well done.

[01:04:06] Ashley Stryker: Just trying to make sure he doesn't resent something that happened when he was four and can't remember.

[01:04:20] AJ Nash: That is the best way to end this show. Thank you for being here, Stryker. We'll do this again. For everyone watching and listening — thank you. Please take the time to like, share, and leave feedback. If you don't like the show, keep it to yourself. If you do, let me know either way. I know there are other things you could be doing with your time. I hope this was worth it. This has been another episode of Unspoken Security.

[01:04:58] Ashley Stryker: Thanks, AJ.