
It’s hard for me to believe that I led the same Security Human Risk Management mission for just shy of ten years. That came to mind when my pal from HR let me know that my group was being dissolved and our functions would be integrated into the company’s training division effective immediately. So it goes; these changes happen. That said, my HR pal and I were gobsmacked that it had been a decade since this adventure started.
For context, let’s go back to February 2016: on the day that the USA and Cuba agreed to restore commercial air traffic, I was on-boarding as a contractor with a “Systemically Important Financial Market Utility” (SIFMU) called the Options Clearing Corporation (OCC) with an office in Keller, Texas. OCC needed someone to help design and build a technology risk assessment program, and I’d heard they were a great place to work. Seemed like a good deal.
A scant six months after I came aboard our new ITRA program was in full swing. Our parent org – IT Governance and Risk Management (ITGRM) – were meticulous in how they documented risk, so it took us longer to build our processes than we would’ve liked, but we got everything ironed out by the end of the summer. Because of that success my first boss [1] recruited my partner [2] and me for a governance framework review initiative. We spent the next three months evaluating the COBIT, ITIL, and NIST models for OCC’s CIO. That research effort, in turn, got my partner and me invited to join the company as full-time employees. Christmas 2016 was fabulous for both our families.
OCC closed the Keller office that winter and relocated all the Texas office folks to an exponentially nicer facility in Dallas the next spring. My partner and I relocated, while our boss took a CIO gig back in his hometown. ITGRM was broken up and its components were split between the IT Dept. and the Security Dept. So it goes. While we waited for a new mission, our second boss [3] challenged us to leverage what we’d learned from the frameworks review and identify key functions that OCC wasn’t currently performing (but maybe should). We saluted smartly and got to work.
When OCC’s new Chief Security Officer visited the Dallas office for the first time in July of 2017, our little team had three business cases ready to present:

We were chartered that afternoon. OCC’s new Security Awareness Group (SAG) went live on 17th July 2017. We were going hell-bent-for-leather (so to speak) from the first day to reach fully mission capable status. Getting the new policies published was simple since I’d been the department’s proxy policy writer for months. We quickly hired a second employee for the new group [5] and got to work redesigning all of OCC’s required security training content.
From the beginning, the CSO framed our group’s mission as one of benevolent, incremental behaviour change. He intended that our actions should lead to substantially improved trust in the security department. We concurred; based on our analysis of key factors in (then) recent security events, we knew that:
That mission statement influenced all our activities for the rest of SAG’s existence. We knew that our colleagues’ trust was the essential commodity required for security programs to be effective. As such, we eschewed the industry-wide standard of delivering box-checking annual “training,” isolated technical experts in a SOC, and sticking to the dry corpo-speak preferred by corporate lawyers. Effective human risk management wasn’t a commodity that one could buy off-the-rack from a third-party service provider. Other companies might get away with that approach, but impersonal and generic content would never do for our people, our environment, or OCC’s mission.

Instead, our training content was bespoke and optimized for our culture. We didn’t squander colleagues’ time defining generic terms like “malware” and “phish” or repeating trite catchphrases like “see something, say something.” Instead, we spoke directly to our colleagues about specific threats and how they worked in the context of our business. We changed the tone of our communications to reflect our immediate boss’s irrepressible positivity and encouraged everyone in OCC to maintain a running dialogue with SAG. We published dozens of articles each year on the company intranet organised around the standard SAG structure of:
This approach to security human risk caught on with our colleagues. People appreciated that our bulletins were direct, succinct, and practical. We carried that approach forward to our slack channels as well. Eventually, we split one channel into two: a support channel where we celebrated people’s questions and concerns, and a virtual “lounge” where we shared funny security content and collectively dissected new scams, attacks, and phish. So many phish …
Speaking of, we held phishing tests, sure, but ours were positive events rather than punitive. For example, colleagues that fell for one of our lures but still reported the phish were thanked with a letter to the colleague’s supervisor congratulating them for living our corporate values by reporting our phish. Word quickly got around and suspicious message reporting rates went way up.
We also made all our training content dual-delivery. That is, we always provided the corpo-standard CBT modules for people who preferred it. For those that didn’t, we taught every one of our bespoke classes live – in a classroom or over VTC – and encouraged interaction when we taught. A good percentage of our students preferred this option. One of our biggest fans was a data centre tech who would join our live session no matter what the topic was whenever he saw us hosting one. He must’ve taken new-hire training five times in one year and could probably have taught it solo, but what mattered most was that his enthusiasm for security and security training was infectious for all the other students in the session.

Additionally, we went above and beyond standard training protocols to demonstrate how dedicated the security department was to their success. Some people had to juggle absences, illnesses, and drama – those annoyances that interfere with the smooth operation of a business – and that was fine. We’d cheerfully conform to their schedule and extenuating circumstances. This proved to be hugely important during the pandemic. Even though my new partner had returned to New Jersey, his successor [6] and I cheerfully taught classes outside working hours, over weekends, and over holidays. We did whatever it took to do right by our people.
Over the years, we improved the quality of our custom-made CBT modules and like course decks to add interactivity, closed captioning, and video content. Most importantly, we worked out how to reach our students who preferred to skip past all the content “slides” in a CBT module and try to logic their way through the end-of-course quiz. We made all the questions in our quiz banks humorous and memorable in such a way as to teach a subject’s core concepts from the question. We regularly bumped into colleagues who would regale us with their favourite quiz questions from that year’s new courses. We also discovered just before Christmas last year that members of one department were screenshotting our quizzes to share their favourite questions … they weren’t sharing the right answers, mind you; they were sharing the joy they felt when they encountered a clever and funny question.
That was exactly what we wanted: all those years of people-focused design and culture shaping paid off in the sort of individual and institutional banked trust that the CSO had charged us to deliver back in 2017. We built and incrementally optimized a rigorous and meticulously organised program that resonated with our colleagues, inspired trust in our department, and led to a much stronger enterprise security posture.
Even better, we earned the trust and confidence of our bosses along the way. Even though SAG seemed to pinball around the security department org chart every 18 months, we always demonstrated that we could be trusted to deliver on our program and all its activities without any need for micromanagement. We knew exactly what we were doing and were internally motivated to deliver. Our director [7] never needed to guess what we were up to; we were only a stapler’s toss away and always knew where we were in the execution of our annual operations plan.
All good things come to an end, though. Changes in organisational structure and mission resources necessitated folding SAG into OD at the turn of the year. See above, re: so it goes. What’s important – to me, anyway – is that we made the CSO’s mission happen. From start to finish – February 2016 to January 2026 – I invested just shy of ten years trying to serve and protect my friends and colleagues at OCC and don’t regret the time and effort I invested in it. It was an honour to humanise what’s normally a drearily boring administrative checklist item. We didn’t just teach “standards” … we helped security topics, practices, and people become personal, resonant, and tangible for thousands of colleagues. I’d do it all again.
So … what’s next? Beats me, reader. We stepped away from our time in SAG last Friday morning. Maybe all the time I’ve invested writing for Business Reporter has affected my priorities, because I’m thinking it’s pub time …
[1] I can’t use people’s real names, unfortunately. That said, my first boss was a hoot of a supervisor. To raise morale that summer, he invited our entire team – spouses and kids included! – to a New England style crab bake. He lived the leadership principle “mission first, people always.”
[2] As above. My partner back in 2016 was a devoted father who gained his American citizenship during our time in ITGRM. Everyone on the team was thrilled for him and his adorable family. Great guy.
[3] My second boss was a wildly popular web designer in the IT Dept. when he crossed over to Security. I was captivated by his relentless positivity and unflappable demeanour. I upgraded my at-work persona to be more like him and have never regretted it.
[4] The new CSO was a career civil servant who had come from the IT side of the Pentagon. He remains the most impressive executive I’ve ever encountered. Deeply serious but grounded and empathetic. Most of his people would follow him into Hell without asking why.
[5] My new partner in SAG was a gourmand with a law degree from New Jersey. He’d never worked in IT or cybersecurity in his life, but he was eager to learn and had a special gift for figuring out new software. He became our expert with Audacity and Adobe Captivate.
[6] My last partner served with me from COVID through to the end of SAG. A former local rock star, USAF electrician, and career technical trainer, he embodied my first boss’s compassion, my second boss’s positivity, and my second partner’s technical acumen in one hilarious partner. I’ll work with him again anywhere in any organisation.
[7] Our director was the epitome of an excellent people leader. Her good humour, steel-trap mind, and genuine interest in her subordinates’ activities made her a delight to work for. My last partner and I couldn’t be mad at her for having to let us go. She’s simply too decent a human being.

© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543