KnowBe4 CEO: Prevent Insider Threats With More User Training

Looking at it from a bigger perspective, is training the number one thing a company needs to do? How do you look at it in the ranking of priorities for a CISO?

It depends very much on their status, in the sense of what is their current defense in depth profile. If you are already well on your way and you have defense in depth in place, and your security awareness training is an afterthought, then doing something like this and deploying it is another layer on top. However, if you are looking for the best bang for your budget buck, then effective security awareness training is by far one of the best ways to get great security ROI. Just as an illustration, 25 percent of our customers are banks and credit unions. We didn't go after that market – they found us. What they are telling us is that we are incredibly cost effective for their type of organization.

Are the challenges different in the enterprise versus SMB? Or is it just a question of scale?

Large enterprises usually have a security awareness program in place. Most of them do not do simulated phishing attacks and often that is for political reasons, which is unfortunate to say the least. Small and medium enterprises are not necessarily burdened with that type of challenge... They say if we don't send our users simulated phishing attacks then the bad guys will. It is easier and a lot faster to deploy these types of programs in the SMB space. Also for our channel partners, it's a fairly quick sale. It is easy to do and the customers are uniformly thrilled with the results.

Talk a little bit more about how KnowBe4 approaches the channel.

I'm intimately familiar with the channel model and what problems developers cause for their channel partners. We are set up extremely channel friendly. For instance, we double compensate if a channel partner works together on an account with one of our sales reps. We like to work with the channel and we will support the channel in every case when they have an account that they want to close. We are looking for additional channel partners, by the way.

Just looking at security training in general – other than doing something like this, what other types of training would you recommend a solution provider recommending to its clients?

The other thing we recommend is to step people through a mobile security module. Firewalls are no longer really protecting your enterprise because of everyone that has their smartphone or their tablet. There is no more traditional edge or periphery or whatever you want to call it that you can protect. The end user starts to be your weak point, not only inside but also outside your enterprise. With the advent of BYOD, training becomes much more important than before.

Anything else a solution provider should know about what's going on in the security training space?

The most important trend is that cybercrime has gone pro... The one thing that I would like to warn about at the moment is that there is a wave going on with the CEO/CFO spear phish. It's a CEO scam. We are actually seeing daily that their CFO got a spoof email from the CEO saying they should make a wire transfer of $30, $40, $50, $80 thousand dollars to this bank for an acquisition or a large order or something seemingly important. These are highly sophisticated scammers who, the moment that money has been transferred, transfer it again to ten different banks and then it disappears into Eastern Europe or China and it's very hard to recover that money. That is the current most effective social engineering slash phishing attack that's out there. If you can warn people about that, that would be highly appreciated. We need help to get the word out.