Join us tomorrow for "Hacking CISO Self-Interest"

Super Cyber Fridays!
Join us TOMORROW, Friday [10-31-25], for "Hacking CISO Self-Interest"

Hacking CISO Self-Interest

Join us Friday, October 31, 2025, for “Hacking CISO Self-Interest: An hour of critical thinking about how security leaders actually make decisions.”

It all begins at 1 PM ET/10 AM PT tomorrow with guests Howard Holton, CEO, GigaOm, and Angela Williams, SVP and CISO, UL Solutions. We'll have a fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Defense in Depth
How Do We Measure Our Defenses Against Social Engineering Attacks?


We know phishing is a serious threat to all organizations. So why does it feel like we don't have reliable metrics on how we are defending against it?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by David Spark, the producer of CISO Series, and Mike Johnson, CISO, Rivian. Joining them is their sponsored guest Bobby Ford, chief strategy and experience officer, Doppel.

Listen to the full episode here.

Beyond the click

The cybersecurity industry has long relied on phishing click rates as a primary success metric. But their value is now an open question. "Click rates for phishing campaigns as a standalone metric are completely meaningless - but this is what vendors sold for years with their products - tracking click rates and tracking completion of assigned training - which fill a dashboard," said Mike Mcgannon of Rockwell Automation. Ian Edwards of Induction Healthcare Group echoed this sentiment, noting that "phishing click rates are easy to measure, which makes them tempting as a performance metric... but that doesn't mean they're meaningful. In fact, they often serve more to justify the ROI of awareness training platforms than to build true resilience." Farzan Karimi of Moderna emphasized the importance of measuring beyond the initial click, stating, "Click rates alone are a junk metric. What matters more is what happens after the click: Does the user enter credentials or provide an MFA code? Most phishing simulations stop at the click and fail to emulate an end-to-end attack chain."

High-risk users demand different metrics

While click rates may be flawed as standalone metrics, understanding who clicks, and their level of access, remains critical for risk assessment. "While click rate may be an outdated standalone metric, what remains highly relevant is identifying which users who fall for phishing have administrative or excessive privileges," said Aman Sood of Elsevier. "If there's a pattern of failure to detect, failure to report, and those individuals hold 'keys to the kingdom' — that's no longer just a training/education gap. That's a business risk with real consequences." Sam Harwin offered an alternative measurement approach, suggesting that "one of the most powerful measurements is how many people report the suspicious email (or phone call, SMS, etc.) AND how soon they get a response from the security team. This feedback loop is way more valuable than clicks on phishing email."

Building engagement over punishment

The most effective phishing programs focus on fostering collaboration rather than catching employees in gotcha moments. "I would say that 'reporting rate' is a valuable metric because it measures engagement among employees and their buy-in to helping security," said Ben Keller of Reco. "Punitive phishing simulation programs can turn employees against security and make them feel like the enemy, which in turn is a net-negative." Jason Hoenich of Human Risk Consulting was more direct about the root problem, "Click rates aren't tracked because they're easy - they're tracked because there's no strategy. No vision. Just another checkbox in a program no one's actually steering. HRM's (human resource management) biggest flaw? Mistaking measurement for progress."
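The measurement approach the discussion above converges on (post-click credential capture, privileged users who click without reporting, reporting rate, and time-to-response from the security team) can be scored from ordinary phishing-simulation records. The following is an added example, not code from the episode, its guests, or any vendor platform named here; the field names and the campaign results are constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional

@dataclass
class SimResult:
    """One user's outcome in one phishing simulation campaign (hypothetical schema)."""
    campaign: str
    user: str
    privileged: bool                   # holds admin or otherwise excessive privileges
    clicked: bool
    entered_credentials: bool          # landing page captured a password or MFA code
    reported: bool
    minutes_to_report: Optional[float] = None    # delivery -> user report
    minutes_to_response: Optional[float] = None  # user report -> security team reply

# Constructed sample data for two campaigns (not real results).
SAMPLE = [
    SimResult("Q1", "alice", True,  True,  True,  False),
    SimResult("Q1", "bob",   False, True,  False, True,  12.0, 30.0),
    SimResult("Q1", "carol", False, False, False, True,   3.0, 15.0),
    SimResult("Q1", "dave",  True,  False, False, True,   8.0, 45.0),
    SimResult("Q1", "erin",  False, True,  True,  False),
    SimResult("Q1", "frank", False, False, False, False),
    SimResult("Q2", "alice", True,  True,  False, False),
    SimResult("Q2", "bob",   False, False, False, True,   5.0, 10.0),
    SimResult("Q2", "carol", False, False, False, True,   4.0, 20.0),
    SimResult("Q2", "dave",  True,  True,  False, False),
    SimResult("Q2", "erin",  False, True,  False, True,  15.0, 25.0),
    SimResult("Q2", "frank", False, False, False, True,   9.0, 35.0),
]

def rate(numerator, denominator):
    """Ratio rounded to three places; 0.0 when there is nothing to measure."""
    return round(numerator / denominator, 3) if denominator else 0.0

def program_metrics(results, campaign):
    """Metrics for one campaign that look past the click: what happened next,
    who reported, how fast the security team answered, and which privileged
    users clicked and stayed silent."""
    rs = [r for r in results if r.campaign == campaign]
    clickers = [r for r in rs if r.clicked]
    reporters = [r for r in rs if r.reported]
    responses = [r.minutes_to_response for r in reporters if r.minutes_to_response is not None]
    return {
        "click_rate": rate(len(clickers), len(rs)),
        "credential_rate": rate(sum(r.entered_credentials for r in rs), len(rs)),
        # Of those who clicked, how many went on to hand over a credential or MFA code.
        "post_click_credential_rate": rate(sum(r.entered_credentials for r in clickers), len(clickers)),
        "report_rate": rate(len(reporters), len(rs)),
        # The feedback loop: how long a reporter waited for the security team.
        "median_minutes_to_response": median(responses) if responses else None,
        # Privileged users who clicked and did not report: a business risk, not a training gap.
        "privileged_silent_failures": sorted(r.user for r in rs if r.privileged and r.clicked and not r.reported),
    }

def repeat_silent_failures(results, min_campaigns=2):
    """Users who clicked without reporting in at least `min_campaigns` campaigns,
    i.e. the 'pattern of failure to detect, failure to report' worth escalating."""
    counts = {}
    for r in results:
        if r.clicked and not r.reported:
            counts[r.user] = counts.get(r.user, 0) + 1
    return {u: c for u, c in counts.items() if c >= min_campaigns}

if __name__ == "__main__":
    for campaign in ("Q1", "Q2"):
        print(campaign, program_metrics(SAMPLE, campaign))
    print("repeat silent failures:", repeat_silent_failures(SAMPLE))
```

Note how the two campaigns in the sample have the same click rate (50%) yet tell different stories: Q2's post-click credential rate drops to zero and its reporting rate rises, while the privileged-silent-failure list grows. Tracking that list across campaigns, rather than the headline click number, is what turns the simulation into a risk signal.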

Creating a security culture through community

The most successful phishing simulation programs transform security awareness from individual compliance into collective engagement. Andrey Kolesnikov shared how his organization turned phishing simulations into a community-building exercise, saying, "What I found powerful in phishing simulation practices is how much of a rallying cry and community it forms inside the company. My last company's 'suspicious-activity' Slack channel became a townhouse of pride over how we protect ourselves and laughter over the text messages I kept sending as a CEO to my team asking them for gift cards."

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now. 

Huge thanks to our sponsor, Doppel


Subscribe to Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.

Next Gen Protection for Next Gen Attacks with CrowdStrike


Security teams are stretched thin, juggling too many tools and alerts to stay ahead of fast-moving threats.

In this conversation, David Spark talks with Christian Rodriguez, field CTO of the Americas, CrowdStrike, about how consolidating endpoint, identity, and cloud security under one platform helps organizations respond faster and with greater confidence.

Read more and watch the video here.

A huge thanks to our sponsor, CrowdStrike


PREVIEW: CISO Series Podcast LIVE in NYC 11-5-25

The CISO Series Podcast will be recording live at FAIRCON25 in New York City. David Spark will be joined on stage by Saket Modi, CEO of Safe Security, for a candid and entertaining conversation about the biggest challenges facing security leaders today.

The event takes place November 4–5, 2025, at The Glasshouse in New York. Use promo code FC25CISOSERIESCODE for 75% off. Register here.

Watch the short video filmed in Times Square for a preview, and join us for the live recording at FAIRCON25.

Thanks to our sponsor, Safe Security


Reddit ‘Ask Me Anything’ – October 2025

Our monthly AMA on r/cybersecurity on Reddit has begun! Our topic is "I'm a security professional who worked on many mergers and acquisitions. Ask me Anything."

We’ve assembled a panel of security leaders to discuss navigating cybersecurity during mergers and acquisitions. They’re here all week to share their experiences on due diligence, integration, and risk management throughout the M&A process, and to answer your questions about what it really takes to make it work.

Please ask questions for our participants here.

This month’s participants are:

  • Geoff Belknap (u/GeoffBelknap), co-host, Defense in Depth

  • Ty Sbano (u/security-Ty), CISO, Webflow

  • Jason Loomis (u/SchrodingersFirewall), CISO, Freshworks

  • Don Paquin (u/ok-macaron-335), director, cyber mergers, acquisitions, & divestitures, RTX

  • Leslie Nielsen (u/cyberguy1729), CISO, Mimecast

Thanks to all of our participants for contributing!

LIVE!
NEW SHOW: Department of Know

Join the LIVE stream of The Department of Know every Monday at 4 PM ET / 1 PM PT with CISO Series producer Rich Stroffolino, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ll be having at work all week long.

Monday’s inaugural episode featured Sasha Pereira, CISO at WASH, and Bil Harmer, Information Security Advisor at Craft Ventures. Missed Monday’s episode? Watch the replay on YouTube and catch up on what’s shaping the week in security.

Then, set a reminder to join us for next Monday’s show!

Thanks to our sponsor, Conveyor


Cyber chatter from around the web...
Jump in on these conversations

“Anyone else seeing a large influx in attacks?” (More here)

“Foreign hackers breached a US nuclear weapons plant via SharePoint flaws” (More here)

“Is a cyber attack responsible for the large scale outages due to AWS?” (More here)

Coming Up On Super Cyber Friday...
In the weeks ahead on Super Cyber Friday we have:

  • 10-31-2025: Hacking CISO Self-Interest

  • 11-07-2025: Hacking Remediation

Save your spot and register for them all now!

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing on social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.