A really good interview question to scope out how mature an infosec person’s understanding of corporate security programs is this:

“How do you measure the success of a phishing test security awareness program?”
People who didn’t move laterally into cybersecurity from another field tend to have a very distinct 5-10 year growth pattern in their understanding of those programs and what their purpose is.
I don’t mean to be cagey; I’ve blogged about my personal answer before. Just overall, this is a great question to separate the people who think about security in a vacuum versus people who understand the purpose of doing security and what successful security programs look like.
It tends to migrate from “make the best email to trick users” to “get clicks reduced from the stupid users” to “these programs are stupid and pointless” to “encourage end user participation in security as part of defense in depth”. They gain a better understanding of KPIs, too.
You can follow @hacks4pancakes.