The TL;DR
- Human behavior is the most targeted attack surface.
- You can’t patch people—but you can shape behavior.
- Security must meet people where they are.
- The modern playbook blends threat intelligence and behavioral science.
If you’ve ever tried to secure an organization in a high-stakes, fast-moving environment, you know it’s less like a chess game and more like a goat rodeo. That’s how Steve Tran, former CISO of the Democratic National Committee (DNC), describes leading security through periods of rapid growth and intense public scrutiny—where thousands of new staffers, volunteers, and devices might come online in a matter of weeks, and every click carries risk.
“We weren’t just defending systems,” Tran said at this week’s post-keynote fireside chat at Infosec World 2025 in Orlando with Fable Security CEO Nicole Jiang and Sean Coyne, Head of Cybersecurity at MagicSchool AI. “We were trying to influence people’s behavior—and do it at scale.”
Tran faced a truth that every CISO eventually encounters: you can’t patch people. Firewalls and compliance dashboards only go so far. His team had to help employees recognize risk in the moment: spotting a deepfake, questioning an unusual link, protecting personal devices, and thinking twice before responding to unexpected outreach on a dating website. “People aren’t trying to be careless,” he said. “They’re human. Their behavior is a feature, not a bug. People want to be helpful, to click, to respond. Our job was to meet them where they were.”
That viewpoint guided his philosophy more broadly as a CISO, especially when it came to human risk. His advice: minimize friction. Instead of, say, trying to shoehorn people into a complex password system, start a passwordless authentication program. Rather than rely on one-off training, he focused on shaping secure behavior, such as updating OSs and adopting security tools, through nudges and reminders. “It’s not about lecturing people,” he said. “It’s about designing experiences that make the secure thing also the easy thing.”
Coyne, a longtime SOC leader turned advisor, built on Tran’s points. “When you think of attackers as just being evil, that’s fine, but you should think of them as being efficient,” he explained. “They’re trying to maximize their ROI. Think of them as clever, hungry, and opportunistic. They don’t want to expend a lot of effort, so they’re going to try to attack targets where they’re weakest, and that’s almost always the human. So at a very high level, don’t focus on maximizing your strengths. You’ve got to focus on minimizing your weaknesses, and that’s what’s going to reduce your risk profile the most.”
For Coyne, the modern playbook means blending threat intelligence and behavioral science—understanding how people work, why they make certain decisions, and how to guide them at the right moment for the greatest impact.
Both leaders agreed: the old “training and phishing” model is outdated. “Security has to be personal, contextual, and ongoing,” Tran said. Coyne added, “The network isn’t the choke point anymore. The human is. If you don’t understand how your people think, you’ll never understand how your attackers win.”
At Fable, that’s exactly the shift we’re helping organizations make—turning human behavior from a liability into a strength. Because the goat rodeo isn’t just happening in campaigns. It’s happening everywhere.