Every CISO, in every industry, is aware that spear phishing can be a problem – a big one – despite millions of dollars invested in (necessary) layers of technology defenses. In May 2016, CSO Online reported ANOTHER three firms were hit by targeted phishing attacks – attacks that stole employees W2 data. I guarantee all of these firms had security devices in place on their networks. These attacks were a form of social engineering that bypasses traditional security technologies and much can be done to help enlist employees to be part of any company’s overall defense. Many CISO’s have done just that - taken steps to ensure their employees are aware and work to reduce the likelihood of opening a malicious email. But, this still isn’t solving the spear phishing problem. Companies have been conducting varying degrees of security awareness training for years. But, the attacks are still happening and they are successful in spite of the training. So, what is a well-intentioned CISO to do? Give up? Train more? Find a better training approach?