Posey's Tips & Tricks

Getting Executive Leadership Onboard with Attack Simulation Training

The Microsoft 365 Attack Simulation Tool can be extremely effective in helping to reduce the likelihood of users falling victim to phishing attacks. For those who might not be familiar with this particular tool, it allows Microsoft 365 admins to launch realistic-looking but harmless phishing attacks against their own users. When a user falls for the simulated attack by clicking a link, opening an attachment, or supplying credentials, the user is informed that they have just been phished. It’s also possible to subject the user to brief but mandatory security training, both to educate the user and to make them think twice before clicking an email link in the future.

The problem that organizations so often face with phishing attack simulation training is that the executive leadership team is unwilling to participate. They might opt out of the training, or they may refuse to take it seriously, even if they are phished. This might not be such a big deal, except that executives are prime targets for attackers. Cyber criminals know that executives have broad access to sensitive data and also have the authority to take actions such as approving wire transfers. All of this is to say that the owners of the highest-stakes accounts are often the same people who aren’t concerned about the security of those accounts.

Unfortunately, there isn’t one single solution that is going to work in every situation. However, there are a few things that you might try.

One possible approach is to get someone else to advocate for the idea on your behalf. My own personal experience has been that oftentimes, executives are concerned about cybersecurity, but only to the point of doing what is minimally necessary to avoid a regulatory fine. They lose interest in cybersecurity when it becomes inconvenient to them personally.

At the same time, however, there may be one person on the executive leadership team who does care about security. You might be able to persuade this person to advocate for better security on your behalf. Even if an executive in your company is unwilling to listen to you, they might be open to listening to another executive.

Another way that you might be able to get through to an executive who refuses to take attack simulation training seriously is to personalize the threat. You might, for example, come up with a theoretical but realistic scenario outlining why they might personally be targeted. This might then open the door to discussing the fallout that could occur if such a targeted attack were successful. The consequences might include substantial financial losses and reputational damage to the company. However, and this is the important part, the incident would likely also damage the executive’s career.

Yet another way that you might be able to get through to the executives in your company is to frame the discussion in terms of the potential return on investment. Assuming that your organization has a Microsoft 365 subscription that includes attack simulation training, launching simulated attacks costs the organization nothing. However, the return on investment could prove to be huge if the simulated phishing attacks prevent a high-value account from becoming compromised.

Since executives are often all about numbers, you might consider sharing with them real-world data demonstrating the losses that other companies have suffered in the wake of a successful phishing attack. As you do, it’s important to underscore that your efforts aren’t just about preventing employees from clicking on bad links. Those efforts are geared more toward protecting the business’s reputation and its share price while also reducing the organization’s legal exposure.

If reasoning with the executives in your company gets you nowhere, and you are unable to position attack simulation training as a compliance requirement or a risk management strategy, then your best bet might be to perform a carefully controlled test. Doing so proves to the executives that the attack simulations will not cut into their time (you may have to agree to waive the mandatory training requirement), and if anyone does fall for the simulated attack, that failure will underscore just how vulnerable the executives are to real-world phishing attacks. With any luck, the executives will realize that it was just a simulation this time, but that if the attack had been real, serious damage would have occurred.

About the Author

Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.
