Security Awareness vs Phish Training

I'm wondering if this group feels there needs to be a better distinction between Phish Threat and General Security Awareness Training. So who am I? I am the Sr. Director of Product Management - MSG for Sophos. I joined the company just a month ago to lead our Email and Phish Threat team. I spent the last 14 years as part of the IronPort leadership team at Cisco and am excited to be here.

My question is as I ramp up on the offering from Phish Threat I also see we have many trainings that are geared towards general security technologies that aren't necessarily phishing. I'd appreciate hearing your feedback and look forward to some exciting new things coming in Sophos Email and Security Awareness.


Tom Foucha

Tom,

I'm a consultant specializing in security awareness. The way I see it is that phishing simulations are geared towards modifying behaviour around clickers and, hopefully, increasing reporting of suspicious emails. However, phishing simulations (only) don't do enough to engage employees in the learning and to transform how employees feel. For that, we normally run events with management, create contests, issue practical tips, connect security and productivity solutions (e.g., learn to use OneDrive instead of saving files in USBs), connect security to company and employee values (e.g., safety), and more. A comprehensive approach, in my opinion, is more effective.