Executive Interview: Rachel Tobac

In this exclusive interview with The Executive Magazine, Rachel Tobac, CEO of SocialProof Security, reveals how AI has fundamentally changed the way hackers operate and what every business leader needs to know to stay ahead of cyber threats.

Elizabeth Jenkins-Smalley

Editor In Chief at The Executive Magazine


Rachel Tobac has built a career out of doing something most people would never consider: hacking into organisations with their full permission, then teaching them exactly how she did it. As CEO of SocialProof Security, the company she founded in 2017, she leads a team of ethical hackers who specialise in social engineering, the art of manipulating people rather than systems to gain access to sensitive data, accounts, and buildings.

Her path to the top of the cybersecurity world was anything but conventional. A background in neuroscience, behavioural psychology, improvisational comedy, and teaching gave her a set of skills that turned out to be far more powerful in the field than any technical qualification. She first came to the attention of the security community by placing second at DEF CON’s Social Engineering Capture the Flag competition three years in a row, performing live hacks on real companies in front of a 400-person audience. It was that visibility that created the demand for SocialProof Security, and she has not looked back since.

Today, Rachel is one of the most recognised voices in cybersecurity. Her work has been featured across major broadcasters and publications, and she has appeared on CNN, 60 Minutes, and NBC Nightly News with Lester Holt to demonstrate live hacking techniques to audiences well beyond the security community. She also served on the CISA Technical Advisory Council under Director Jen Easterly, contributing to national cybersecurity policy at the highest level of government.

With AI now placing sophisticated hacking tools within reach of almost anyone, the conversation she has been having with boardrooms for years has never been more urgent. In this interview, she shares what the new threat environment looks like from the inside, and what business leaders can do right now to protect their people, their data, and their organisations.

You founded SocialProof Security in 2017 after placing second at DEF CON’s Social Engineering Capture the Flag competition three years in a row, a live contest where competitors hack real companies on stage in front of a 400-person audience. What was it about that experience that gave you the conviction to build a business around teaching organisations to protect themselves from exactly the techniques you had mastered?

“I launched SocialProof Security in 2017 because it was essentially demanded of me by folks who watched me compete the previous 3 years at DEF CON! Much of the audience for the Social Engineering Competition are decision makers at large enterprises and they came up to me after the competition and asked me to speak, train or pentest (hack with consent) for their organization. I always wonder if I would have had the conviction to create a business like SocialProof Security without the direct demand and high signal. I think it’s super brave for entrepreneurs who take the leap before they know if they have product-market fit.”

Most people associate hacking with technical exploitation and lines of code, yet your work sits at a fascinating intersection of psychology, behaviourism, and trust. You studied neuroscience before becoming a hacker, and those skills translate directly into how you approach social engineering. How does understanding the way people think give you an advantage, and how does that same understanding help organisations build stronger defences?

“My nontechnical and winding background has allowed me to be successful in cybersecurity – I wouldn’t be a strong social engineering hacker without my background in improvisational comedy (which I used to perform Fridays and Sundays in the Bay Area). I’ve noticed that if I can build rapport with lighthearted banter, I’m much more likely to be successful in an attack. Humans are also unpredictable. I’m often asked by new hackers for a “decision tree” to determine which questions to ask, in which order, etc. But the actual success occurs in social engineering and hacking when you can act extemporaneously. I recommend everyone interested in cybersecurity, hacking and defending practice improv.

“In addition, my degree is in Neuroscience and Behavioral Psychology; I literally have a degree in understanding how people make decisions and how to influence those decisions (down to the molecular level). This level of behavioral understanding allows me to successfully perform account takeover or elicit a password or code well, and I haven’t needed a degree in Cybersecurity to make that happen.

“I also went into teaching directly after college, which taught me all of my engaging keynoting, training, and workshop skill sets. I know I can be confident, creative, and effective in front of an audience of executives, technical staff, or a 20,000 person All Hands event because I’ve already captivated the hardest audience on earth – middle and high schoolers.

“I think many people believe they need to have a linear path, and a linear path works for many people (such as studying cybersecurity and then getting a masters degree in the field). But for me, a background in Improv, Neuroscience, Behavioral Psychology, and Teaching has set me up for success in keynoting, training, workshops, and penetration tests.”

You have demonstrated live on CNN that it now takes less than 15 seconds of someone’s voice to create a convincing AI voice clone. For senior leaders who speak regularly at conferences, give media interviews, and appear on earnings calls, what steps can they take to stay ahead of that technology and protect both themselves and their organisations?

“It’s scary that it’s now about 10 seconds of someone’s voice to create a believable voice clone! The truth is that it’s not possible to protect your voice against voice cloning. If your voice is out on the internet (YouTube, LinkedIn, your kid’s Instagram Story, etc), it’s clonable for an attacker. Rather than worrying about attempting to stop attackers from creating a voice clone of your voice (which isn’t possible), I recommend focusing on how we educate those around us to verify that people are who they say they are, and create protocols to ensure your family, friends, and teammates don’t need to think on the fly about how to verify identity. For example, if you’re an executive, your threat model is higher for someone to create a voice clone and attempt to trick your Executive Assistant in a call, voice note, voicemail, etc. Show your Executive Assistant what these voice clones look like, feel, and sound like (my videos are free online!) and then discuss how they should verify you’re you during sensitive interactions. If you call asking for a read-out of your password for OneDrive, how should they verify that it’s truly you calling? Maybe you want them to chat, call back to thwart spoofing, or email you to confirm authenticity of the request, or potentially you prefer to develop a spoken codeword to verify identity. Choose the identity verification method that works best for you at work and home and communicate those protocols (and the why behind them) with your colleagues and family.”

You have spoken about social engineering as something woven into the fabric of how people communicate and build trust. That insight sits at the heart of what makes your work so valuable. How can organisations use a deeper understanding of human behaviour as a genuine asset in building more resilient security cultures?

“Social engineering truly is just using principles of persuasion to convince people to do things that may or may not be in their best interest. This includes tricking people into handing over their password, opening a door for me, or just convincing a child to eat their spinach. Understanding these principles allows you to notice them in action and be politely paranoid in the moment. My favorite researcher on persuasion is Robert Cialdini. I recommend his book called Influence to learn more about his principles of persuasion such as Authority and Urgency (and many more)! For example, if you notice that a caller says they are with the police and need you to pay a fine within 24 hours to avoid jail you can then check in with your knowledge of the principles of persuasion and spot an appeal to Authority (police) and Urgency (24 hour requirement) in the moment to shut down the attack immediately.”

You served on the CISA Technical Advisory Council under Director Jen Easterly, contributing to national cybersecurity initiatives at a government level. That experience of working across both the private sector and national policy gives you a rare perspective. What are the most valuable lessons from that role that business leaders can apply directly within their own organisations?

“Working on the CISA Technical Advisory Council was such an honor under Director Jen Easterly. Her approach to educating really resonated with me. I could tell she often asked herself how she could make a dry topic (like multi-factor authentication) punchy and interesting to the general public. This principle was essential to my work with CISA; I worked with Jen to create a series of principles and videos that addressed typically boring topics in a creative way (we even made a little music video together).

“At work, consider how you might take that dry required topic or workflow and dress it up in a punchy way. This doesn’t mean you need to feel cringe-worthy at work. It may be as simple as investing your design talent into the communication of a topic so it leaps off the page or presentation.”

Your live demonstrations show how a well-built public profile (press coverage, conference appearances, and a strong social media presence) gives you useful material to work with as a hacker. For leaders who want to remain visible and engaged publicly, what practical habits can help them do that confidently and safely?

“I would be a huge hypocrite if I advised all executives to avoid the public eye. Instead, I recommend engaging publicly with an awareness of your threat model. As an exec, you, your team and family are more likely to receive phishing emails, text messages, and calls. Educate those around you on the likely scams they will see this year because they’re in your orbit (scams such as: gift card requests, wire transfer asks, impersonation for passwords and codes and more).

“Build a method to verify identity into your everyday habits and reinforce folks around you when they do it right (without getting frustrated with the additional necessary friction). Make your personal social media private and your work related social media public (same with your family). Use a password manager to ensure you leverage long, random, and unique passwords for each account, and turn on MFA (that second step when you log in) to ensure attackers can’t access your accounts when your password appears in a breach.”

Research shows that AI-generated phishing emails now achieve a click rate of 54%, compared to 12% for a standard control group. You have built your business on the belief that informed human behaviour is the most powerful line of defence. What does a genuinely strong security culture look like inside a large organisation, and how do the best leaders go about building one?

“If you can employ the Be Politely Paranoid protocol at work and at home, you’re likely to catch phishing. This means verifying that people are who they say they are before taking sensitive actions like clicking, downloading, sending money, etc. You can verify that the sender of that email is truly them by chat, call, or any other method of communication before taking action. Same with a phone call or text message.”

You have chaired the board of Women in Security and Privacy for eight years, working to bring more women into leadership roles across the field. In your experience, what does greater diversity of perspective bring to the way organisations approach security, and what opportunities does that create for the industry as a whole?

“Diversity of perspective is crucial for protecting the highest number of people. If your team doesn’t reflect the population of people your product serves, you won’t be able to see around corners to protect those folks! For example, women on the Trust and Safety or Security and Privacy team often develop protocols to protect users from harassment and abuse that others may not realize are essential. Mirror your team to the people you want to protect to best serve their security and privacy needs.”
