Should You Phish Your Employees or Not?

Defense in Depth

We know that phishing is a major threat vector. So why does it seem like phishing tests only make things worse?

Check out this post by Dan Desko of Echelon for the discussion that is the basis of our conversation on this week's episode, co-hosted by me, David Spark, the producer of CISO Series, and Edward Contreras, senior EVP and CISO, Frost Bank. Joining us is Mark Eggleston, CISO, CSC.

Listen to the full episode here.

Breaking trust to test it

Phishing tests can unintentionally damage the relationship between security teams and employees. "Phishing tests do not work. Educating employees works," said Eirick Luraas of Raytheon. "It's the education part of the phish test that works, not the phish part. The phish is a huge violation of trust, and it creates an adversarial feeling between employees and security." Ryan Whalen of BSE Global drew a parallel to modern thinking about behavioral training: "Catching people making a mistake and forcing them to sit through a mandatory 20-minute training because they clicked a link isn't how you build a positive feedback loop. Most people today understand that punishing your dog for bad behavior doesn't teach good behavior; it just teaches them to hide their mistakes. People work the same way."

Technical controls over testing

Some security leaders have abandoned phishing tests entirely in favor of "defense in depth" and technical safeguards. "I don't do phishing tests on my users, and won't do so," said Tommy Ward of Waymark. "My belief is that it is detrimental to building and maintaining trust." Instead, he focuses on technical controls that limit the damage from the phish that does get through: privilege restrictions, endpoint protection, FIDO2 for MFA, and robust backup and recovery plans. Andrew Kirch of Stoic Cybersecurity pointed to research showing the downstream consequences of testing programs, saying, "Employees subjected to phishing tests are roughly half as likely to notify someone of an indicator of compromise, fearing they will get in trouble."

The measurement imperative

Others defend phishing tests as essential measurement tools that validate security awareness programs and protect against organizational liability. "I phish test ALL employees monthly," said Chris Spohr, CISO at Republic Finance. "You can train people all day long, but if you don't measure the effectiveness by practical testing, then you are creating a false sense of security." Eric Benante of BAYADA Home Health Care framed it as a matter of professional accountability, noting that social engineering and targeted phishing campaigns are the most effective attacks because they compromise credentials. "If you're a CISO whose company is compromised due to a phishing campaign and there's evidence that you haven't taken the most basic steps to mitigate that threat, I could easily see you losing your job, or worse," he emphasized. Joshua Cloud of NFI put it simply: "If you can't measure something, you can't manage it. I don't think testing the efficacy of a training program is an immoral practice at all."

Fire drills, not gotchas

The conversation shifts when phishing tests are reframed as practice rather than punishment. Matt Seitz of Santa Clara County Office of Education drew the fire drill analogy, explaining, "A drill isn't about tricking employees into thinking there is an actual fire. It's about practicing so that people know what to do when a fire actually happens." He emphasized viewing failures as training gaps rather than employee failures. Emre Saglam of Anyscale argued for focusing beyond prevention entirely: "Instead of focusing only on preventing phishing, I believe it's just as important — if not more — to teach employees what to do after they realize they've been phished. Assume breach. Someone, at some point, will click. What matters most is how quickly they respond and how comfortable they feel reporting it."
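One way to put that reframing into numbers, as an added example that is not from the episode or from anyone quoted above: a small Python script that scores a simulated campaign on report rate and time-to-report rather than on click rate alone. The campaign records below are constructed sample data, and the field names are this example's own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

@dataclass
class Outcome:
    """What one recipient did with a simulated phish (constructed record)."""
    user: str
    delivered: datetime
    clicked: Optional[datetime] = None   # when the link was clicked, if ever
    reported: Optional[datetime] = None  # when the user reported it, if ever

T0 = datetime(2026, 2, 2, 9, 0)
CAMPAIGN = [  # constructed sample, not real campaign data
    Outcome("u1", T0, reported=T0 + timedelta(minutes=4)),
    Outcome("u2", T0, clicked=T0 + timedelta(minutes=12),
            reported=T0 + timedelta(minutes=15)),   # clicked, then owned up
    Outcome("u3", T0, clicked=T0 + timedelta(minutes=30)),  # clicked, said nothing
    Outcome("u4", T0),                                      # ignored it
    Outcome("u5", T0, reported=T0 + timedelta(minutes=50)),
]

def campaign_metrics(outcomes):
    """Score a campaign on the behaviours a fire-drill framing cares about."""
    n = len(outcomes)
    clicked = [o for o in outcomes if o.clicked]
    reported = [o for o in outcomes if o.reported]
    # "Assume breach": of those who clicked, how many reported it afterwards?
    clicked_then_reported = [o for o in clicked
                             if o.reported and o.reported > o.clicked]
    minutes_to_report = sorted((o.reported - o.delivered).total_seconds() / 60
                               for o in reported)
    return {
        "click_rate": len(clicked) / n,
        "report_rate": len(reported) / n,
        # the number that tells you whether people feel safe reporting
        "clicked_then_reported_rate":
            len(clicked_then_reported) / len(clicked) if clicked else 0.0,
        # silent clicks are the ones a real attacker gets to keep
        "silent_clicks": len(clicked) - len(clicked_then_reported),
        "median_minutes_to_report":
            median(minutes_to_report) if minutes_to_report else None,
        # for a real phish, the first report is what starts the response
        "first_report_minutes":
            minutes_to_report[0] if minutes_to_report else None,
    }

if __name__ == "__main__":
    for k, v in campaign_metrics(CAMPAIGN).items():
        print(f"{k:28} {v}")
```

Tracking these per campaign over time shows whether the program is building the reporting reflex the speakers above describe, independently of whether the click rate moves.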

Please listen to the full episode on your favorite podcast app, or over on our blog, where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Thanks to our podcast sponsor, Scanner

Subscribe to Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.

Super Cyber Friday
Join us next week for “Hacking Citizen Developers”

Join us on Friday, March 6, 2026, for Super Cyber Friday: “Hacking Citizen Developers: An hour of critical thinking about how to embrace democratizing development without creating security chaos.”

It all kicks off at 1 PM ET / 10 AM PT, when David Spark will be joined by Amichai Shulman, CTO and co-founder, Nokod Security, and Bil Harmer, information security advisor, Craft Ventures, for an hour of insightful conversation and engaging games. And stick around for our always-popular meetup, hosted right inside the event platform.

Register for the Super Cyber Friday event series on Airmeet. Join us for just this episode, or choose to register for all of our upcoming episodes in this ongoing event series.

Thanks to our Super Cyber Friday sponsor, NOKOD

What happens when cybersecurity marketers get criticized by CISOs?

At Cyber Marketing Con 2025 in Austin, TX, David Spark posed a question to the industry: "Have you ever done a marketing effort that didn't sit well with a CISO?"

Cybersecurity marketers opened up about campaigns that missed the mark, including vague messaging, competitor attacks that backfired, and not-so-ethical engagement tactics. The takeaway? Your buyer is allergic to sales. Be the antihistamine.

Thank you to our video partner, Cybersecurity Marketing Society, and to all participants for their candid insights.

Watch the full conversation, and if you're a cybermarketing professional, let us know in the LinkedIn comments, "What's the harshest criticism you've received from a security professional?"

CISO Series Podcast LIVE in Clearwater, FL 3-3-26

CISO Series Podcast is coming to Clearwater, Florida for a live recording at Convene on March 3! David Spark will be joined on stage by Jason Mayor, Deputy CISO, Raymond James Financial, and Pam Lindemoen, CSO and VP of Strategy, Retail & Hospitality ISAC.

Use code CISOPodcast for 15% off tickets. All the details can be found here.

Thanks to our sponsors, Adaptive Security, KnowBe4 and Zepo Intelligence

Reddit ‘Ask Me Anything’ – February 2026

Our monthly AMA on r/cybersecurity on Reddit is underway! Our topic is "I've been a CISO more than once. Ask me anything about how the job differs between organizations."

For this edition, we're focusing on the unique experiences of CISOs who have held the role at multiple organizations. Our panel will share insights on how the job differs between companies, what aspects change with each organization, and what remains consistent regardless of where you work. They'll discuss navigating different company cultures, adapting security strategies to varied business contexts, and the lessons learned from leading security at more than one place.

Please ask questions for our participants here.

This month's participants are:

  • Andrew Wilder, (u/CyberInTheBoardroom), CISO, Vetcor

  • Krista Arndt, (u/thedrivermod), associate CISO, St. Luke's University Health Network

  • David Cross, (u/MrPKI), CISO, Atlassian

  • Peter Clay, (u/cpthuah36), CISO, Aireon

Thanks to all of our participants for contributing!

Cybersecurity Headlines - Department of Know

Our LIVE stream of Department of Know happens every Monday at 4 PM ET / 1 PM PT with CISO Series producer Richard Stroffolino, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ll be having at work all week long.

Monday's episode featured Montez Fitzpatrick, CISO, Navvis, and Peter Gregory, best-selling cybersecurity author. Missed it? Watch the replay on YouTube and catch up on what's shaping the week in security.

Join us again next week, and every Monday. Next week’s show marks 250 episodes of our weekly live show, now known as Department of Know!

Thanks to our Cybersecurity Headlines sponsor, Adaptive Security

Cyber chatter from around the web...
Jump in on these conversations

"Infosec exec sold eight zero-day exploit kits to Russia: DoJ" (More here)

"Dutch defense chief: F-35s can be jailbroken like iPhones" (More here)

"[ALERT] The Department of War is building an AI-driven domestic surveillance infrastructure—and it's a cybersecurity nightmare." (More here)

Cybersecurity Headlines - Daily News Shorts

Subscribe to the CISO Series YouTube channel, for daily shorts videos from CISO Series reporter, Rich Stroffolino. You can find all of the stories he’s covered, plus new content every weekday, at the Cybersecurity Headlines Shorts YouTube playlist.

Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing on social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.