
Defense in Depth
Are Phishing Tests Helping or Hurting Our Security Program?
Sep 19, 2024
Dennis Pickett, VP and CISO at Westat, dives into the complexities of phishing tests in cybersecurity. He argues that not all education requires testing, emphasizing the need for building a culture of security awareness over punishment. Pickett champions empowering employees to report suspicious activities and discusses the significance of implementing supportive tools like phishing alert buttons. He advocates for a positive security culture that recognizes and incentivizes proactive engagement, rather than blaming victims.
27:36
Podcast summary created with Snipd AI
Quick takeaways
- Phishing tests should shift focus from grading employees to fostering a reporting culture that enhances overall cybersecurity awareness.
- Investing in advanced security measures alongside phishing simulations is essential to create a comprehensive defense strategy against potential attacks.
Deep dives
Revisiting the Purpose of Phishing Tests
Phishing tests often serve as a measurement tool, but relying solely on them does little to improve cybersecurity awareness among employees. Instead of grading individuals as pass or fail, organizations should focus on how phishing simulations can provide insights into overall employee behavior and awareness. The effectiveness of these tests is better evaluated by measuring the ratio of employees who report suspicious emails versus those who click on them. This shift toward encouraging a reporting culture is crucial, as it allows organizations to identify vulnerabilities and develop strategies to strengthen their defenses.