Fi 🏳️⚧️
Unknown parent
@patcharcana
at least in this day and age, people saying I need to be stoned are correct.

Graham Sutherland / Polynomial
in reply to Fi 🏳️⚧️
I keep thinking about reframing phishing tests as phishing reminders. no measurements, no metrics, no sending people for training, you just send one out every 6 months or something and if someone clicks through they get a page saying "hey, remember phishing is a thing! if you need a refresher on our processes, go here", but very carefully worded to avoid shame or blame. keeps it in folks' consciousness but avoids the most shitty aspects of phishing tests.

Fi 🏳️⚧️
in reply to Graham Sutherland / Polynomial
@gsuberland
If your security training is inadequate such that regular 'reminders' are needed, that constitutes a failure of governance as well.

Graham Sutherland / Polynomial
in reply to Fi 🏳️⚧️
yeah true. I think it all comes down to never having perfect governance due to imperfect cost-benefit analysis and constraints. in an ideal world, yeah, folks get really good training and top-ups frequently enough to be useful but not so frequent as to be fatiguing. not doing that IS a failure in governance, but, well, lol you know how it goes. so in lieu of perfection, making ongoing phishing training less galling seems like a nice step in the right direction.

Fi 🏳️⚧️
in reply to Graham Sutherland / Polynomial
@gsuberland
I'm not looking for perfect. I'm looking for adequate.
This shit is symptomatic of a failure of governance and an inadequate system.

silverwizard
in reply to Fi 🏳️⚧️
@Fi 🏳️⚧️ Our cyber insurance requires it and I hate it so much. It basically means I'm forced to send them out without any reason or value. When I pushed back they sent me a document KnowBe4 sent them.

Fi 🏳️⚧️
in reply to silverwizard
@silverwizard
If your management has failed to negotiate the terms of your insurance to adequately represent the realities of your organization, that constitutes a failure on their part, which is a failure of governance.

silverwizard
in reply to Fi 🏳️⚧️

Fi 🏳️⚧️
in reply to silverwizard
@silverwizard
Yes, but that's not within the scope of your organization and is not your problem.
Treating it as a failure by management to manage their requirements appropriately puts the agency and responsibility on management for fixing the situation.