How often do you do phishing campaigns?

Security & GRC
6.8k viewscircle icon7 Upvotescircle icon20 Comments
Sort by:
CISO in Telecommunication2 years ago

We do it 10 times a year, not on fixed schedule, which means we can do it twice a month or none in a month. We want to make it unpredictable.

VP of IT in Services (non-Government)2 years ago

Quarterly but they are staggered and run more frequently for anyone who may need additional training

CISO in Healthcare and Biotech2 years ago

Quarterly phishing campaigns targeted at different business divisions are crucial to an organization's cybersecurity strategy. They educate employees about cyber threats and enhance their ability to identify and manage phishing risks via realistic simulations. Given the role of human error in successful phishing attacks, these proactive campaigns go beyond infrastructure safeguards to mitigate vulnerabilities. They offer tailored training to employees based on their roles and potential threats. I like to increase my company's "Cyber-Paranoia" Level. :-)

CIO2 years ago

Monthly - All users

Lightbulb on1
Senior Director Engineering in Travel and Hospitality2 years ago

Depends on the risk score we get from external agencies

1 Reply
no title2 years ago

Interesting tangent Arun, thanks. but could  you please elaborate? Most of the external scoring would focus on infra layer and thus maybe externally exposed lookalike domains, smtp/relay configurations. Other than those typr of angles, are you using any service to risk score people?

Content you might like

There has been an upswell in demand for the use of MCP servers for our development community.  What security criteria and considerations do you use for performing a security review, hardening and approval process?

The use of Generative AI in the textile and industrial sectors — for instance in fashion companies or in the creation of marketing content — carries significant risks if not supported by adequate detection and risk management tools. Generative models may unintentionally incorporate elements protected by intellectual property rights, such as registered styles, patented designs, or content belonging to other fashion houses.

A notable example is the “Studio Ghibli” case, where AI-generated works reproduced distinctive, protected features.

In this context, how should Risk Managers equip themselves to prevent and mitigate such risks, ensuring innovation while avoiding legal violations and reputational damage?

Which of these areas are you targeting for funding increases in your 2026 cybersecurity budget? (Choose all applicable)

Threat detection & response 50%

Identity & access management 61%

Cloud security 48%

Security awareness training 30%

Other 2%

N/A

View Results

Has anyone drafted an SOW for a cloud-based SIEM with setup, migration, and maintenance? I’m working on a FedRAMP-authorized SIEM SOW, migrating from on-prem Splunk, covering data, searches, alerts, dashboards, and models.  Scope includes Environment Setup:  Cloud provisioning, configuration, testing. Connectors/Parsers: Custom data source integration. Content Development: Rules, use cases, threat feeds. Performance Tuning: Query/index optimization. Runbooks: Operational procedures. Also required: 24x7 support, maintenance, lifecycle and application management, role-based training, and documentation.  Must comply with NIST SP 800-53, CJIS, and FedRAMP Moderate+. Goal: Secure, scalable SIEM for rapid deployment. I may be missing elements, so suggestions are welcome. Please share redacted SOWs or tips if possible.

If you deal with physical security in your role, what lifecycle management process do you currently use?

Asset management tool28%

Facilities inventory system56%

Excel or manual process11%

None3%

View Results