
Defense in Depth: Should You Phish Your Employees or Not?
Feb 26, 2026
Mark Eggleston, Chief Information Security Officer at CSC, shares his take on phishing testing and security program design. He debates whether simulated phishing erodes trust while arguing for measurable testing. Discussion covers technical controls like MFA, measuring reporting not just clicks, and treating phishing drills as teachable fire drills rather than gotchas.
Host's Real Phishing Hit And Fast Recovery
- David Spark described a recent real phishing hit where he immediately recognized the signs and remediated within 60 seconds.
- He changed his password, enabled MFA, and credited rapid action for preventing further compromise.
Phishing Tests Can Undermine Trust
- Critics say phishing simulations damage trust and create adversarial relationships that reduce voluntary reporting.
- Ryan Whalen compared punitive training to punishing a dog, arguing it teaches hiding mistakes rather than learning.
Prioritize Technical Controls Over Deceptive Tests
- Tommy Ward and Andrew Kirch recommend emphasizing technical defenses over simulated deception: harden systems with SSO, 2FA/FIDO2, conditional access, endpoint protections, backups, and incident response.
- Mark Eggleston added that these controls should be protective, not punitive, e.g., limited web access after repeated failures.
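The "measure reporting, not just clicks" point from the episode, as an added example that is not part of the episode and is not code from any of the speakers: a small Python scorer that turns one drill's outcomes into the numbers a program would actually track. The `DrillResult` structure, the recipient names and the timings in `SAMPLE_DRILL` are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


# Hypothetical record of one recipient's outcome in a simulated phishing drill.
@dataclass
class DrillResult:
    user: str
    sent_at: datetime
    clicked_at: Optional[datetime] = None   # None if the user never clicked the lure
    reported_at: Optional[datetime] = None  # None if the user never hit "report phish"


def summarize_drill(results: list[DrillResult]) -> dict:
    """Score a drill on reporting behaviour, not only on the click rate."""
    n = len(results)
    if n == 0:
        raise ValueError("no drill results")
    clicked = [r for r in results if r.clicked_at is not None]
    reported = [r for r in results if r.reported_at is not None]
    # Reported without clicking, or reported before clicking: the ideal outcome.
    reported_first = [r for r in reported
                      if r.clicked_at is None or r.reported_at < r.clicked_at]
    # Clicked and then reported: still a win for the SOC, because the user self-reported
    # instead of hiding the mistake. A punitive program tends to lose exactly these.
    reported_after_click = [r for r in reported
                            if r.clicked_at is not None and r.reported_at >= r.clicked_at]
    # Neither clicked nor reported: invisible to the SOC. In a real campaign these
    # recipients may still be sitting on the lure, so this is the number to worry about.
    silent = [r for r in results if r.clicked_at is None and r.reported_at is None]
    minutes_to_report = sorted((r.reported_at - r.sent_at).total_seconds() / 60
                               for r in reported)
    return {
        "recipients": n,
        "click_rate": len(clicked) / n,
        "report_rate": len(reported) / n,
        "reported_first_rate": len(reported_first) / n,
        "reported_after_click": len(reported_after_click),
        "silent": len(silent),
        # How fast the SOC first hears about a campaign bounds its blast radius;
        # one early report lets responders pull the message from every other inbox.
        "minutes_to_first_report": minutes_to_report[0] if minutes_to_report else None,
        "median_minutes_to_report": median(minutes_to_report) if minutes_to_report else None,
    }


# Constructed sample drill (assumption): six recipients, lure sent at T0.
T0 = datetime(2026, 2, 26, 9, 0)


def at(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)


SAMPLE_DRILL = [
    DrillResult("alice", T0, reported_at=at(3)),                  # reported, never clicked
    DrillResult("bob", T0, clicked_at=at(5), reported_at=at(7)),  # clicked, then self-reported
    DrillResult("carol", T0, clicked_at=at(10)),                  # clicked, stayed quiet
    DrillResult("dave", T0),                                      # ignored it entirely
    DrillResult("erin", T0, reported_at=at(2)),                   # fastest report
    DrillResult("frank", T0, clicked_at=at(1)),                   # clicked, stayed quiet
]

if __name__ == "__main__":
    for key, value in summarize_drill(SAMPLE_DRILL).items():
        print(f"{key}: {value}")
```

On this constructed data the click rate and the report rate are both 50%, which is exactly why the click rate alone misleads: the same drill read through reporting shows one early report two minutes after send, one user who clicked and still reported, and two clickers plus one non-responder the SOC never heard from.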
