Do phishing tests do more harm than good? – Wolfgang Goerlich – ESW #376
A month ago, my friend Wolfgang Goerlich posted a hot take on LinkedIn that is less and less of a hot take these days.
He posted, "our industry needs to kill the phish test",and I knew we needed to have a chat, ideally captured here on the podcast.
I've been on the fence when it comes to phishing simulation, partly because I used to phish people as a penetration tester. It always succeeded, and always would succeed, as long as it's part of someone's job to open emails and read them. Did that make phishing simulation a Sisyphean task? Was there any value in making some of the employees more 'phishing resistant'?
And who is in charge of these simulations? Who looks at a fake end-of-quarter bonus email and says, "yeah, that's cool, send that out."
Segment Resources:
- Phishing in Organizations: Findings from a Large-Scale and Long-Term Study
- The GoDaddy Phishing Awareness Test
- The Chicago Tribune - How a Phishing Awareness Test Went Very Wrong
- University of California Santa Cruz - This uni thought it would be a good idea to do a phishing test with a fake Ebola scare
Guest
J. Wolfgang Goerlich is a CISO in the public sector. Prior to this role, he led IT and IT security in the healthcare and financial services verticals. Wolfgang has held VP positions at several consulting firms, leading security advisory and assessment practices. He is an active part of the security community. Wolfgang regularly advises on the topics of security architecture and design, identity and access management, zero trust, and resilience.
Host
