What’s your personal opinion on phishing tests — should cyber professionals rethink this as a method for security awareness training, or is it a necessary practice?

428 views, 10 comments
CIO, 2 months ago
I believe that phishing tests are absolutely a necessary practice. Unfortunately, in today's environment, employees are often the weakest link in securing an organization. We need to ensure they are educated on the critical attack methods that potential attackers use, and phishing is at the top of that list. With the use of Generative AI, identifying phishing emails has become more challenging because traditional signs like bad grammar and spelling errors are no longer reliable indicators. If we do not test our people and teach them how to recognize these evolving threats, we will face even greater problems in the future. I do think we need to rethink how we conduct phishing tests, but they are unquestionably necessary.
CISO in Banking, 2 months ago
In my opinion, phishing tests are a necessary practice. We conduct these tests monthly with our employees and plan to continue doing so indefinitely. While the goal of having zero individuals prone to phishing might seem unrealistic, we've managed to maintain a consistent 3 to 3.2% susceptibility rate, which is significantly lower than the national industry average. If an employee does fall for a phishing test, immediate remedial training is provided. We use a tool that makes phishing testing easy and offers a wide variety of templates, ensuring that even two people in the same department don't receive the same email. This helps maintain authenticity and prevents employees from warning each other about the test.

COO, 2 months ago
I don't believe phishing tests are as effective as many think. We're dealing with human beings who have or lack common sense, and that's not something you can account for in a test. Even organizations that conduct frequent phishing tests can still fall victim to ransomware attacks. Cybersecurity is always in a state of catching up with those who are inventing new ways to defeat systems. The best way to protect an organization is to stay informed about emerging threats and make calculated movements. Reactive measures like phishing tests are less effective than proactive strategies like real-time network behavior monitoring.

CISO/CPO & Adjunct Law Professor in Finance (non-banking), 2 months ago
Phishing tests are necessary as a metric. There are individuals who believe they won't fall for phishing attempts, but we need an accurate way to measure this. While it's impossible to reduce susceptibility to zero, it's important to know where we stand. I often use real phishing emails, recrafted for safety, as tests. This gives me an accurate sense of how many people might click on a real phishing email. If a significant number of people click, it's a sign that we need to prepare for potential attacks.

Associate Vice President, Information Technology & CISO in Education, 2 months ago
I believe phishing tests are necessary and valuable from a metrics perspective. They also encourage the culture of reporting phishing attempts, which is crucial. The quicker a phishing attempt is reported, the faster our cyber teams can react and contain the threat. Even simulated tests provide valuable data on reporting numbers. So, along with everything else that's been said, I believe phishing tests are well worth it.
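Two of the replies above treat simulated campaigns as a source of metrics: the banking CISO tracks a susceptibility rate, triggers remedial training on a click, and avoids sending the same template to two people in one department, and the education CISO values the reporting numbers a simulation produces. The following is an added example written for this thread, not code from any commenter or from a phishing-simulation product. It takes per-recipient records from one campaign (the user names, departments, templates and timings are constructed) and computes the click rate, report rate, time to first report, a per-department breakdown, the remedial-training queue, and a check for duplicate templates within a department.

```python
"""Campaign metrics for a simulated phishing exercise.

Added example (not from the discussion above): given per-recipient records
from a simulated campaign, compute the susceptibility (click) rate, the
report rate, how quickly the first report arrived, and which recipients need
remedial training. All event data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass
class Recipient:
    user: str
    dept: str
    template: str
    sent_at: datetime
    clicked_at: Optional[datetime] = None   # None: did not click the lure
    reported_at: Optional[datetime] = None  # None: did not report the email


# Constructed sample data for one monthly campaign (hypothetical users/departments).
T0 = datetime(2024, 5, 6, 9, 0)
SAMPLE = [
    Recipient("alice", "finance", "invoice-overdue", T0, None, T0 + timedelta(minutes=4)),
    Recipient("bob", "finance", "mfa-reset", T0, T0 + timedelta(minutes=11), None),
    Recipient("carol", "finance", "shared-doc", T0, None, None),
    Recipient("dave", "hr", "invoice-overdue", T0, T0 + timedelta(minutes=2), T0 + timedelta(minutes=3)),
    Recipient("erin", "hr", "mfa-reset", T0, None, T0 + timedelta(minutes=25)),
    Recipient("frank", "it", "shared-doc", T0, None, T0 + timedelta(minutes=1)),
    Recipient("grace", "it", "mfa-reset", T0, None, None),
    Recipient("heidi", "it", "invoice-overdue", T0, None, None),
]


def campaign_metrics(recipients):
    """Rates as fractions of all recipients; report timing relative to send time."""
    n = len(recipients)
    clicked = [r for r in recipients if r.clicked_at is not None]
    reported = [r for r in recipients if r.reported_at is not None]
    minutes_to_report = sorted(
        (r.reported_at - r.sent_at).total_seconds() / 60 for r in reported
    )
    return {
        "recipients": n,
        "click_rate": len(clicked) / n,
        "report_rate": len(reported) / n,
        # Clicked and then reported: still counts as a click, but the report
        # is what lets the response team contain the incident quickly.
        "clicked_then_reported": sum(1 for r in clicked if r.reported_at is not None),
        "first_report_minutes": minutes_to_report[0] if minutes_to_report else None,
        "median_report_minutes": median(minutes_to_report) if minutes_to_report else None,
    }


def per_department(recipients):
    """Same rates broken down by department, so training can be targeted."""
    depts = sorted({r.dept for r in recipients})
    return {d: campaign_metrics([r for r in recipients if r.dept == d]) for d in depts}


def remedial_training_queue(recipients):
    """Users who clicked and therefore get the immediate follow-up training."""
    return sorted(r.user for r in recipients if r.clicked_at is not None)


def duplicate_templates_in_department(recipients):
    """Check: no two people in the same department should receive the same template."""
    seen = set()
    dupes = []
    for r in recipients:
        key = (r.dept, r.template)
        if key in seen:
            dupes.append(key)
        seen.add(key)
    return dupes


if __name__ == "__main__":
    m = campaign_metrics(SAMPLE)
    print(f"click rate {m['click_rate']:.1%}, report rate {m['report_rate']:.1%}, "
          f"first report after {m['first_report_minutes']:.0f} min")
    for dept, dm in per_department(SAMPLE).items():
        print(f"  {dept}: click {dm['click_rate']:.0%}, report {dm['report_rate']:.0%}")
    print("remedial training:", remedial_training_queue(SAMPLE))
    print("duplicate templates:", duplicate_templates_in_department(SAMPLE))
```

The report-side numbers are kept separate from the click rate on purpose: a campaign where the click rate is flat but the time to first report drops from hours to minutes is still an improvement, because that first report is what starts containment. The duplicate-template check is a minimal stand-in for what a simulation tool would enforce at send time; here it only verifies the constructed assignment after the fact.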
