Savvy cybersecurity leaders must look to new approaches to training employees to combat social engineering. While phishing tests are seen by cybersecurity leaders around the world as essential in the fight against email-based attacks, abundant evidence exists that the outcomes do not justify the investment. Phishing testing’s lessons are not extensible to other behaviors, the exercise foments a culture of distrust between cybersecurity and the workforce (name one other function that deliberately tries to to trick employees in the name of training), and, combined with the reality that it only takes one employee clicking to generate the worst-case outcome, phishing testing is more an exercise in security theater than a contributor to a secure culture.

Andrew Walls is a vice president and distinguished analyst in Gartner’s cybersecurity practice. Prior to joining Gartner in 2007, Andrew held cybersecurity leadership posts in industries from chemical/pharmaceutical R&D to banking.