David DellaPelle: All right, I think we can get started. Very excited to welcome everyone. Helen, do you want to jump in and say something before we get started, or should I just intro this?
Helen (Alumni Ventures): I would love to say a quick hello. I know there are a few of our Alumni Ventures community members here, so great to meet you all. I am Helen, on the Alumni Ventures platform team. We have probably crossed paths, but hopefully we will be able to put together more of these series for you. I will pass the floor to David.
David DellaPelle: Excellent. Thanks, Helen. Alumni Ventures has been a great partner to us, so very excited about this webinar today, hosted by Dune Security and Alumni Ventures. The topic for today is Redefining the GRC Function: Leading the Shift Beyond Checkbox Security Training.
I am joined here today by Meghan Hunt, cyber risk analyst at the University of Vermont Health System; Jake Wesenberg, cybersecurity program lead at Koch, formerly known as Koch Industries; and Sam Pena, senior GRC manager at Tetra Tech. I will pass to our panelists for a quick hello.
Meghan Hunt: Hi, I am Meghan Hunt. I work in IT risk and resilience for the University of Vermont Health. We used to be the University of Vermont Health Network, and now we are just University of Vermont Health. Excited to be here.
Jake Wesenberg: Jake Wesenberg. I have been in some sort of IT or security role for a little over 20 years, been at Koch for about 12, and leading the awareness program for the last five.
Sam Pena: Hi, Sam Pena. I support a few government organizations through Tetra Tech as one of their senior GRC managers.
David DellaPelle: Excellent. Thank you to our panelists for joining today. The goals of today's conversation are the following: to discuss what has really changed in the cybersecurity threat landscape, especially over the past year; how social engineering attacks are dominating the cybersecurity conversation; how traditional training and compliance models have fallen short from a GRC perspective; and how organizations can redefine readiness and prove measurable cybersecurity risk reduction in 2026.
My first question is for Jake. Beyond what we have already covered, can you tell us a bit about how the user attack surface has shifted over the past year, and share some specific examples or attack patterns you have seen in the wild? Obviously you may not be able to speak to anything specific within Koch's environment, but what have you and colleagues at other companies seen?
Jake Wesenberg: I will throw out the disclaimer that I am going to speak in generalities and nothing specific to Koch's viewpoint. But I really think that over the last year we have seen the culmination of a trend that has been building for five, maybe even ten years. A lot of the traditional signals we tried to train individuals on — misspellings, hovering over links — those have largely ceased to be reliable indicators. At the same time, our protection tools and tech stack have developed quite significantly. We are no longer in a world where one click is going to take down an entire company, and that messaging really needs to fade away.
The inverse of that is that we are seeing the biggest threat area shift to channels where we simply do not have tools that can mitigate risk: outside our environment — WhatsApp, Signal, SMS. These are where we need to put far more focus. And across the industry, we are definitely seeing very targeted, very convincing attacks, even against people who are familiar with the person being impersonated.
David DellaPelle: Tell me a little more on that point. You mentioned that one click is no longer going to take down an entire company, and I think you were alluding to how attacks are changing beyond just email. What is the most surprising type of attack you have heard about — at least at other companies?
Jake Wesenberg: So I heard recently about something that started on WhatsApp. The individual was suspicious and said, "Can we do a video call?" — they wanted to verify they were talking to who they thought they were. The attacker agreed to a video call, and it was of high enough quality that this person, who was familiar with who was being impersonated, believed they had done their due diligence. It was only a second instinct — something just did not feel right — that led them to reach out on a completely different communication channel to validate, and that is what stopped it from becoming an incident.
David DellaPelle: That is fairly common now — attacks starting on one channel and then moving to another. We are in an omni-channel world. It can start on WhatsApp and go to a video call, or theoretically the other direction. And WhatsApp is typically not a corporate messaging system — it is just someone's personal phone number. AI is allowing attackers to run these specific, targeted attacks across any channel much faster than before.
I will pass to Meghan. Looking at these types of attack patterns, where have governance and compliance programs struggled to keep pace? What is making these types of attacks so difficult to address from a GRC perspective, when you are reporting up to the CISO and typically working with a legacy security awareness training tool?
Meghan Hunt: I think overall yes — we are learning in the middle of a battlefield. I have equated it before, and my team has equated it before, to trying to plug holes on a sinking ship. You are just hoping to keep your head above water most days.
Healthcare is its own kind of strange animal. There is this immediacy-versus-security argument that plays out behind the scenes — data immediacy can sometimes trump data security in the minds of certain people. It is a high-intensity, high-functioning environment. A lot of the training we had been using was no longer working. We were not seeing the results we hoped for when we focused on training users not to click on things.
One thing we have tried to move away from in legacy training is the focus on prevention, and shift it to reporting. We are trying to get our users to report rather than just avoid clicking. That is the biggest change for us.
Jake Wesenberg: That is exactly where we have been putting a lot of our focus too. Something that made a lot of sense to me when I learned about it from a psychologist: it is a thousand times easier to teach somebody what to do than to teach them what not to do. There is a great analogy — tell people not to think about a pink elephant and they will immediately think about a pink elephant. Tell them to think about a blue elephant and that is what they are thinking about. It is so much easier to tell someone: if it feels off, just report it. That is the one action — not a list of inspect, verify headers, sandbox, and so on. Just report it.
Meghan Hunt: In healthcare especially, our users are incredibly busy. They are taking five minutes between patients to check email, running from clinician to clinician. In five minutes you might accidentally click on something you should not have. If the ingrained habit is to delete or report, we are happy with that. Just do not click — that is the one thing we want our users to internalize.
David DellaPelle: Meghan, in healthcare you have doctors and clinicians whose entire professional identity is built around helping people. That actually makes them easier targets from a social engineering perspective — attackers exploit that impulse.
Meghan Hunt: Absolutely. They prey on that desire to help and to make things easier for people. The hero mentality.
David DellaPelle: Meghan, tell me more about the tools. When you are dealing with complex roles like doctors and clinicians who handle PHI, what have you been thinking about in terms of types of awareness and training? What are the innovations you and others in similar roles are looking for?
Meghan Hunt: We actually started looking for something that would make our lives easier on the back end. We were putting a lot of time and effort into crafting training and awareness campaigns every couple of months, and it was a significant drain on resources. We have now moved to an automation and AI-driven system where we provide prompts and the emails go out for us — no manual monitoring, no cataloging. That actually just launched today. We sent out our first campaign on this new program, and I do not have results yet, but I can tell you I do not have an inbox full of angry messages, and that is already a huge improvement.
David DellaPelle: Excellent. I will direct this next question to Sam. What unique influence do GRC leaders have in connecting compliance evidence — those minimum compliance requirements — to real-world cybersecurity resilience? How do you move from the checkbox to an actual risk-reducing or risk-management posture?
Sam Pena: Thank you for that question, David. I think we have to serve as GRC champions — as translators. We take the information security dimension and translate it into risk language that boards and executives can understand. That means framing it as: here is how we could lose potential customer trust, here is how much we could face in fines and penalties if we fall short on something like CCPA or other state privacy legislation, here is the potential financial impact of a breach and how long recovery would take. That is the kind of framing we have to focus on.
David DellaPelle: Building on that, Sam — how do GRC and cybersecurity leaders actually get the attention of a CEO or a board?
Sam Pena: Honestly, in my experience, I typically find someone already on the board to champion the cause from the inside. I have tried in different situations to get that ear directly, and I am still learning how to speak board language. The key is giving them numbers. Not "here is a big problem because of X, Y, and Z" — but quantified numbers. Having a CISO who backs what you believe in and what you are trying to push forward is also critical to getting that penetration into the boardroom and making the right moves for security.
Meghan Hunt: It also really helps if you have experienced a massive cyber event, which we did in 2020. That was, unfortunately, a very effective way to get board members on board with what we needed.
Jake Wesenberg: Yeah, budgets can increase dramatically after an event. In the absence of one, it can sometimes feel impossible. But I think if you can identify the key metrics and KPIs the board is most focused on and work backwards — here is the control we need to put in place, and here is how not having it could directly impact this KPI — it becomes much easier for them to understand, and you skip a lot of the middle layers.
David DellaPelle: Jake, question for you. Cybersecurity is a hard industry because unlike building a product that increases revenue, you are reducing money lost — reducing risk. How do you prove resilience? How do you deliver quantifiable risk reduction to boards, regulators, and CISOs?
Jake Wesenberg: I think it is again about finding the most important metrics they pay attention to and working backwards to what you are doing and how it translates. That is often easier said than done, but the opportunity is in finding those connections and being able to point to real-world examples. We had this happen once in the past five years. Without these controls, it could have happened 20 times in the last five years. Take the financial impact of that one event, multiply by 20, and now you have a number to work from. If you can pull all the right information together, it often ends up being a fairly simple formula — the hard part is getting the right information to begin with.
David DellaPelle: There is also a question in the chat from Joseph around the live video call incident. Jake, you brought this up earlier — when there is a hybrid or multi-channel attack and perhaps an AI avatar or deepfake on a video call, how would you defend against that type of attack? AI is moving so quickly.
Jake Wesenberg: Ours was fairly straightforward — with all the usual nuances and asterisks. The simplest universal message we can give everyone is that WhatsApp and other unofficial channels are not approved communication channels for conducting business. You might use them to flag something — "Hey, I sent you a Teams message, can you respond?" — but the actual business conversation has to move to approved channels where we have controls: tools that can detect lookalike domains and lookalike display names, restrictions on communication with people outside the Teams tenant, and similar protections.
Sam Pena: I would suggest that if you are on a video call that is AI-generated, it might seem a bit unusual, but having the person put their hand in front of their face or move the camera around to show something unexpected can help. Current generation AI has difficulty rendering that kind of spontaneous action convincingly — you can still see the gaps between fingers, or small discrepancies that reveal the artificiality.
David DellaPelle: What about deepfake detection tooling? Have you thought about that as part of the stack?
Jake Wesenberg: It can certainly be part of the stack, especially when someone is initiating an external call from an actual enterprise-level account. In scenarios like vendor compromise or customer account compromise, that is where those kinds of detections become most relevant and where we should start relying on them.
David DellaPelle: Let us talk about best strategies for GRC leaders at large organizations — the shift from enforcing compliance to actually reducing risk. Carrot versus stick is the simple version, but what strategies have you seen work for enabling true resilience?
Sam Pena: I will take this one. Effective training that is tailored to both time and title. You have a baseline understanding of what you want to teach and train for, but then you build role-specific modules — one for your DBAs, one for your directors, one for your CISO, one for HR, and so on. I also strongly push for moving from annual refreshers to quarterly ones. And one thing I have found especially effective — at a previous position, around the holiday season, we pushed training not on industry-specific threats but on personal information security: understanding how to protect yourself with online shopping, how to spot spoofing in your personal life. Then tying those lessons back to: and here is how you apply this in your work environment. That really helped, and I felt it was genuinely appreciated and built a real relationship with my coworkers.
Meghan Hunt: I agree — the targeted training and awareness piece is critical. Some things are general and appropriate for everyone, but not everyone in a clinical role needs to understand how to protect direct deposit details, for instance. We occasionally get requests for targeted training for teams that have recently experienced a business email compromise attempt or have seen a spike in suspicious requests. As Sam said, the training has to be targeted to the right audience, otherwise it is not doing the job it is supposed to do.
Jake Wesenberg: A phrase we use is: only the information that is needed, only at the time it is needed, only to the people who need to hear it. If you can say there is one message I need this specific group of people to know right now, that has a far greater impact than referencing training from nine months ago and asking why someone made a mistake. Catching someone at the moment of a risky action — when they shared a document externally, for example — and sending them a targeted Teams message or Slack message right then has so much more impact.
It is also important to think about the shift from extrinsic motivators to intrinsic ones. Extrinsic motivators — carrots or sticks — can absolutely get someone to do something once. But to turn that into a lasting behavior, to keep doing it even when they are not being influenced, you have to help them understand the intrinsic value. How does this help them? How does this make them a positive force in the environment? One thing we do is give people feedback after they report an email, letting them know how many other people they protected by reporting it rather than just deleting it.
David DellaPelle: There is a good question in the chat from Ganesha, and one from Kathleen as well, that we can put together. When you are trying to quantify financial risk as it relates to cybersecurity risk, how do you do that? Are you looking at cyber insurance claims? There is a well-known issue of selection bias there — similar to the World War II airplane analogy, where the only bullet holes you see are in the wings of planes that came back. The planes that went down and were shot in the fuselage are missing from the data. How do you quantify cyber risk, especially in the absence of an actual breach?
Jake Wesenberg: Staying with that analogy: you look at the planes that went down. When did you have an incident? And if you changed one or two variables, how many more incidents could you have had? How many incidents did your tools stop at the very last second — not three or four tools catching something deep in the chain, but one tool at the very last step? Do you have that data? Can you pull it together? When it comes to things that have never happened — the planes that never came down — you have to look at industry sources, but I would always put a qualifier on those numbers to flag that they are not based on internal data.
David DellaPelle: There is also a real problem with looking at the planes that did go down: a lot of them are never reported. Companies pay the ransom and do not want the bad press.
Jake Wesenberg: Exactly. Hopefully you can look at your own internal incidents. Or hopefully you have industry partners who, while they may not be willing to publish anything publicly, are willing to have conversations like this under Chatham House rules and share a bit more with peers. I do believe the industry has been moving in this direction for a long time, and we will be stronger together. A little more openness and honesty between practitioners — in a secure and reasonable way — helps the entire industry. It is better than everyone pretending they have never been hit and keeping all that experience to themselves.
David DellaPelle: Makes perfect sense. There is a supply chain question from V in the audience: GRC is more than just cybersecurity — geopolitics and supply chain all matter. The two main challenges in cybersecurity beyond awareness are that management sometimes believes a breach will not happen to them, and the velocity of risk is increasing significantly. AI is now breaking into companies not just through social engineering but through actual technical attacks. How should cybersecurity and GRC leaders deal with a threat landscape where both the risks and the pace of innovation in attacks are accelerating?
Jake Wesenberg: You have got to try to keep pace. We use the term rapid experimentation — fail fast. Your team and your leaders need to be on board with failure. A senior leader told me something when I first moved into cybersecurity that was eye-opening: "One of my only expectations for you is that you fail at least once a year. If you do not fail at all, you did not push." I do have support to fail. We may not be 100% certain that a new tool, capability, or alert is going to mitigate risk, but in many cases you have to do the thing before you can get the data to support it.
Meghan Hunt: One of the things we are focused on is pushing for visibility — helping our user base, our C-suite, and our executives understand where the risks and vulnerabilities actually are. There is a tendency to treat cybersecurity as an IT problem and that is it. The reality is that it belongs to everybody. Part of what I have been doing with the training and awareness program is promoting the idea that everyone is a cybersecurity advocate — as long as you are advocating for security. Once you get broader understanding from your users, champions, and stakeholders, that really helps push the overall program forward.
Jake Wesenberg: I have tried to champion every instance where a business process — not a cybersecurity tool — was what actually stopped an attack. Things like: we do not update banking information without a certified letter in the mail, or we require two contacts from your company before we place this order. Those business processes are part of our defensive stack. When you share those stories within the company — when did a business process do its job as part of the defense — a lot of people take ownership and say: I do not manage any of those security tools, but I do have some control over our cybersecurity posture.
David DellaPelle: Ownership is huge. If you do not feel you have ownership over something, you will not put effort into it.
Just to recap what we have covered: attacks are succeeding in very different ways than they were years ago. Threat actors are not often trying to break through technical controls across the network, email, identity, and endpoint layers — they are manipulating people, or finding complicit or compromised people on the inside.
A question on that: when you are running cybersecurity risk programs from the awareness, testing, and training perspective, how do you quantify insider threat risk versus social engineering risk? How do you think about those within your organizations?
Jake Wesenberg: It is tricky, because hopefully you have fewer incidents of that type to look at. And those are probably the least likely to be shared across the industry. There is a lot less data to work from.
Meghan Hunt: Having at least some kind of DLP in place, or time-based access restrictions, can give you insight into things like: why is this person online at 10:30 PM when they are typically a 9-to-5 kind of person? Behavioral analysis of some kind can be helpful. There are obvious privacy considerations around how far you take that with employees, but those are things worth considering.
Jake Wesenberg: I think the easy path is when the more secure option is also the easier one. For example, conditional access: when everything looks normal, we do not require MFA. But when signals are anomalous, we require MFA for every action. When we do that, 99% of the time employees experience the easier side of security, not the harder side, and so they support it. You may not need to show the risks that were mitigated — you can show efficiency gains instead.
Meghan Hunt: There is also the important understanding that insider threat and social engineering are interconnected. You can be an involuntary insider threat because of social engineering. The distinction between good actors and bad actors within a company is not really the point anymore. The question is: how is someone going to be manipulated into doing something they should not, without realizing it?
David DellaPelle: That is a really good point, and they are not often separated — these risks are deeply interconnected. One of the core reasons we built Dune is that these types of risks should not be siloed. You need to correlate different data sources to get a complete and accurate picture of user risk within a company, whether that is social engineering or insider threat. A phishing click rate in isolation, for example, was never really a highly meaningful data point for us because it is independent from many other data points that are very relevant to the full picture of user risk.
Let me start wrapping up. We covered: a shift in how attacks are changing across channels; how organizations can remain compliant while increasing the effectiveness of their current solutions; and how to prove to boards, regulators, and the C-suite that you are actually reducing risk, quantifiably, and increasing resilience. The GRC role is evolving quickly. GRC teams need continuous visibility into user behavior, testing outcomes across any channel, and real risk signals informed by simulated attacks that are as advanced as what attackers are doing in the wild. The user has become the entire attack surface — the vast majority of attacks are breaking in through the user base.
Any parting comments from Sam, Jake, or Meghan?
Jake Wesenberg: I want to hit on the metrics you can get from running simulations. The one I look at most closely — and I know I have shared this with you, David — is who will tell on themselves. Who will click on a simulation or enter their credentials and then go back and report it, saying: I made a mistake and I need help. That number is a much better indicator of the risk level in your environment than phishing click rates alone. If that number is high, there is a very good chance you will be able to rapidly detect and respond to any real incident, because people across your company feel comfortable coming to the security team and admitting they need help. If that number is low — or zero, which is where it was when we started tracking it — that is a serious problem. It means an incident can sit in the environment for hours or days before the security team finds out.
Meghan Hunt: We try very hard not to be shame-based with our users. Shame does not accomplish anything. If someone clicked and entered their information, the response is: it is okay, you know what to avoid now. Being more optimistic about how users operate — individually and as a group — can sometimes make the metrics more than just numbers on paper. Because people are not numbers.
Sam Pena: Echoing what Jake and Meghan said — one of my bosses once said, "Bad news does not get better with time." And also: give people the grace to understand they are human. People are going to make mistakes. Let us learn from them.
David DellaPelle: Absolutely. Thank you so much, everyone, for joining. Thank you Sam, Jake, Meghan — thank you for being the panelists. Thank you to Helen and Alumni Ventures for helping us put this together. It was a great conversation, and we are really excited to continue leading in user risk and awareness here at Dune Security.
Jake Wesenberg: Thank you.
Meghan Hunt: Thanks everyone.
Sam Pena: Bye for now.
Security awareness training was built for compliance, and attackers have built an entire playbook around the gap it leaves. AI-generated phishing, deepfakes, and out-of-band attacks across SMS, WhatsApp, Signal, and voice now operate in channels that legacy training models were never designed to address, while GRC leaders are increasingly asked to prove measurable risk reduction, not just completion rates.
In this webinar, hosted by Alumni Ventures, Dune CEO David DellaPelle is joined by Meghan Hunt (UVM Health Network), Jake Wesenberg (Koch), and Sam Pena (Tetra Tech) to examine why traditional training falls short, what User Layer risk actually looks like in complex enterprise environments today, how to shift toward a risk-based security strategy, and which metrics genuinely demonstrate readiness to executives and regulators.
Key Takeaways
- Traditional phishing signals are no longer reliable. Misspellings and hover-over-link checks no longer distinguish real messages from attacks. The biggest threat area has shifted to personal channels like WhatsApp, Signal, and SMS, where enterprise tools simply do not reach.
- It is easier to teach people what to do than what not to do. Tell someone not to think about a pink elephant and they will immediately think about one. Tell them to report anything that feels off, and you give them a single, clear action that works across every channel and every attack type.
- The most secure option should also be the easiest one. Conditional access and just-in-time privileges mean employees experience the easier side of security 99% of the time. When the secure path is the convenient path, people support it without needing to see the risks that were mitigated.
- GRC leaders must translate security into board-ready risk language. Frame issues as potential customer trust loss, fines and penalties under legislation like CCPA, and the financial impact and recovery time of a breach. Quantified numbers, championed by a CISO and a board ally, get attention faster than problem statements.
- Focus on who reports mistakes, not just who clicks. The metric that matters most is who will tell on themselves after a simulation. A high self-reporting rate means your culture supports rapid detection and response. A low or zero rate means real incidents can sit undetected for hours or days.