Should all users who fail phishing simulations, including C-Suite executives, face penalties?

Director of Information Security in Energy and Utilities, 4 years ago

No. Enforcing behavior through the stick isn't always the most effective way to increase compliance. Far better is to spend additional time educating said users, and on the other hand to know that a certain percentage of your users will always fail some test; as a result, you should have robust controls that prevent issues should users fail their due diligence.

Board Member, Advisor, Executive Coach in Software, 4 years ago

A few years ago, I was at a CISO event, and there were 100 of us in the room when the discussion turned to phishing. One individual in the financial sector advocated for a “3 strikes and you're out” rule, saying the board, the CIO, and HR had approved it. And after he finished describing this, I said, “So does your CEO or CFO get fired when they fail?" He said, "Well, it's different." I told him, "I will be the plaintiff attorney’s expert witness when an administrative assistant gets terminated because they were constantly getting pummeled with problems from the executive they're supporting, making $55K a year, and then they’re fired for failing a phishing simulation. You wouldn’t fire your CEO, but I could own them in a minute." The whole room erupted into debate. Some were on my side, others said, "No, certain people are exempt from those rules." But I don’t agree.

(no title), 4 years ago

Mentally, I lean towards what you're saying, but in any company that I've ever worked for, the board wouldn't get behind that. It just wouldn't be practical.

(no title), 4 years ago

Another individual from a different firm described a penalty system where people wouldn't be terminated, but their quarterly bonus structure would be affected. I still didn't like that setup, but at least it has some implication to keep you sharp.

Member, Board of Directors in Finance (non-banking), 4 years ago

Any consequential training should be equitable for all, including board members sometimes. Don’t enforce punitive measures, though: make it positive, and include everybody, so they all participate and learn at the same time.
