David DellaPelle: Thank you everyone for joining today. This is the fourth webinar in the Dune Security webinar series. I am really excited today to be joined by three storied, industry-leading CISOs who have been instrumental in their careers — driving innovation at companies like Dune Security and at their own organizations, and in Rob's case, in the military defending large numbers of people and institutions.
I am joined by Harshal Mehta, who is the CISO at CWT; Amir Niaz, who is the CISO at Culligan; and Rob Lyman, who is a Brigadier General in the Air Force, formerly the CIO of US Transportation Command, and also a senior industry adviser.
I will pass to Amir here for our first question. Amir, from your experience at Culligan, what are the biggest challenges you face with traditional one-size-fits-all security models, especially in the context of complex user behaviors?
Amir Niaz: Cybersecurity training and user awareness training has always been a recurring exercise at Culligan. It was designed to train users every quarter, run a phishing campaign once a year, and there was no real focus on the benefits. It was a checkbox exercise.
The challenge for me, and for any CISO, is how do you actually improve user behavior — especially for privileged users who have authority to move money, change bank account information, and similar high-stakes actions? The other challenge was that the training was very long — 30 to 40 minutes — and with HR, legal, and compliance trainings competing for attention, the feedback from users was that it was taking too much time. We were training everyone the same way regardless of role, regardless of how long they had been with the company, and I have never met a single user who was happy about doing these trainings.
So the challenge became: how do we make this engaging? How do we make it competitive for users? And most importantly, how do we give users some agency over how much training they receive based on their own behavior?
With those challenges in mind, we went to market and found Dune. That is where we found the answer: a scoring system that tracks whose behavior is improving and whose is not. We created categories for our critical users — anyone doing PCI compliance, HIPAA, or other financial functions — and decided to train them differently. The campaigns became AI-driven, so if a user is consistently failing on clicking URLs, the platform focuses on that. If they tend to fall for fake shipping notifications from FedEx or UPS, it focuses more on that. The goal was to actually receive value and not just tick a box.
David DellaPelle: Fantastic. Let us build on this for Rob. Rob, you have a storied career in both industry and the military. Talk to us about adaptive controls. How do you think about adaptive controls versus static controls, and how can that impact the human dimension of security risks — insider threats or unintentional user errors?
Rob Lyman: Thanks, David. The most important part of what you raised is the human dimension. There will always be adaptive cybersecurity technologies that secure our networks and communications, and threats that adapt to and exploit new vulnerabilities. The constant is the human. The better trained people are — and the more their behavior is shaped toward secure habits — the better off we all are.
The largest percentage of breaches still start with some form of phishing, which relies on an insecure behavior by a user. When I think of static controls, I think of the traditional state of cybersecurity training in the Department of Defense: a yearly computer-based training you complete online to retain your network access for another year. In an enterprise that large, there is really no way to keep that training fresh. We all know the same animations, we took the same tests. Everyone in DoD knows the animated cybersecurity character from those trainings. But it all comes down to memorization and retention, which does not always translate into actual behavior change when a user goes back online and starts working.
I think of it as the difference between classroom training and field training. In Marksmanship, recruits learn in the classroom about breathing control, sight alignment, trigger squeeze — all of that. But when you are on the firing line, what you know in your head is different from what you actually do in practice. What makes field training work is the drill instructor right behind you. When they see a negative behavior, they can immediately correct it. They see your shots drifting right and they know exactly what you are doing wrong and how to fix it — in real time. That is the next evolution: the ability to observe actual behaviors and correct them immediately. Better trained individuals, reinforced positive behaviors, and negative behaviors caught and addressed quickly — that is the key.
David DellaPelle: I love that analogy. Harshal, when we look at other forms of reducing human risk — network segmentation, email security solutions — have you seen times when static security controls fail to address different risk profiles of individuals?
Harshal Mehta: It is great coverage from both Rob and Amir on how the user is at the center of the entire CIA Triad for information security. CWT was in the same boat as most enterprises in the past. We used to rely on very similar static controls: an awareness program once a year, content that never changed year over year, users who got so familiar with the training that they would just click through — next, next, next, finish, submit the quiz, move on.
Times have changed. The sophistication of attacks has changed significantly. In the past we would train users to look for spelling errors and urgency cues in emails. Those days are largely gone. With the advent of AI and the sophistication of targeted attacks, threat actors are not just relying on urgency or typos. They are building highly tailored environments that can come in through SMS, through phone networks. The classic example in Hong Kong, where a finance organization was hit through a highly convincing deepfake environment that created a significant financial impact — that is real. We see it every day in call center environments.
That is why static controls like outdated annual awareness programs need to evolve into behavior-based ecosystems. They need to keep pace with the sophistication of today's threat actors. And ultimately, we need to think about how the human risk layer integrates with the rest of your security stack — CrowdStrike, SentinelOne, Microsoft — to either incentivize or de-incentivize user behavior day in and day out.
David DellaPelle: You brought up the Hong Kong attack — that was January 2024, and it still feels recent. Ten executives on a call, nine of them deepfakes, and the tenth authorized a $25 million wire transfer. Terrifying.
Harshal Mehta: And it happens every day. That incident got reported because of the dollar amount, but many organizations are being hit with smaller losses that never surface publicly.
David DellaPelle: Exactly. Let us move further into the technical security stack. Amir, in a perfect world, if you had a user risk score that ingested comprehensive data sets and could create real-time, accurate user risk quantification, how would you integrate that into an existing identity solution like Okta or Microsoft Entra? And how might you change your identity infrastructure based on user risk profiles?
Amir Niaz: That is the end goal — how do we put automation in place and proactively detect and predict user behavior through access management and identity.
Some of what we are starting to look at is how we feed user data into our Netskope and cloud security access controls so that if a user's behavior shows they are repeatedly falling for phishing campaigns, we can remove their access from certain applications. This could work as a gamification mechanism — if you demonstrate good behaviors, you are rewarded with greater access. If you do not, you may find yourself needing to re-qualify for certain permissions, because you are deemed to be at elevated risk to the company.
We are starting to look at integrating through Entra ID, attaching the risk score there, and using the user risk score as the basis for role, function, and privileged access control. At Dune, we talk about this as shifting centricity. There have been different focal points in cybersecurity over the years — perimeter, network, cloud. Now I think it is time for the user-centric perspective to take center stage, and that is where we are heading with the enterprises we work with.
David DellaPelle: Rob, you have managed security at massive organizations — the Air Force, TRANSCOM. One thing we focus on is that adaptive security can increase controls and training for high-risk users while actually reducing friction for low-risk users. Talk to us about security culture — how would you manage it in a world where the only previous option was increasing friction for everyone?
Rob Lyman: Security has never been convenient, and it is not. But as we get more nuanced, we are able to reduce friction. Many times in the past, if an administrator saw an anomaly of some sort, they would lock an account until they could verify what happened. Then came retraining for that individual — but the training itself was not nuanced enough to address the specific negative behavior that had been observed. It was all or nothing. The user had to go through the entire cybersecurity training, not just a targeted refresher on the specific behavior that was flagged.
Typically in these situations, unless you are dealing with insider or malicious activity, you are really just trying to correct bad habits. Now, rather than going through the full training, you can get a targeted refresher on exactly the specific behavior that was observed. It reinforces correction in a positive sense, it is more effective, and it saves a lot of time for the user who made a mistake. The time from observing a negative behavior to completing corrective training and returning fully to work is significantly reduced.
It feels less like retribution and punishment and much more like continuing to refine your skills and improve. That is exactly the kind of culture you want to promote. In terms of reducing friction in a security culture, this is Leaps and Bounds ahead of where we have been.
David DellaPelle: Let us talk about scalability. Harshal, you have managed security for massive organizations like CWT throughout your career. How can adaptive security help with scalability in a large global company? Maybe you could touch on incident response, risk profiling, or related areas.
Harshal Mehta: The vision we have is very similar to what Rob described — risk-based scoring that reflects how a user is behaving day to day. But there is also the aspect of assigning a risk score based on the user's profile within the organization. People holding sensitive information should carry a higher risk score than knowledge-based users who do not.
We also adapted our risk-based profiling by geography. Being a global organization, we have regions that carry inherently higher risk scores, and we reflect that accordingly. All of this builds into a risk portfolio where the risk score assigned to a user informs what activities and trainings are delivered to that user set.
In incident response, one of the things we try to replicate early in the process is looking at user history: has this person had compromised credentials before? Have they been visiting sites that are known to be insecure? That populates into more frequent training. We also give those user sets more simulation exercises — not just phishing, but smishing attacks for call center agents, vishing simulations, because that is the real-world environment they face. We want to create conditions that closely replicate live production scenarios and see how users respond. That becomes the template for the following year's security program.
One classic example: once a user fails a phishing, smishing, or vishing simulation, they remain in the pool for all future exercises. Once you fail, you stay in. The other aspect we are aligning is that users are responsible as part of their roles and responsibilities for maintaining the security of the organization. We want to incentivize good behavior and introduce consequences for users who are consistently failing and not aligning with security processes. That is a long-term vision — we want to incentivize as well as have a system for demerit points when users are not meeting the standard.
David DellaPelle: That is exactly right. What we hear from enterprise teams is positive reinforcement for the vast majority — the 96% — and then a defensible, data-driven way to identify and address the 3% who need more intervention. That is part of what Dune Security is aiming to do for large companies.
Amir, thinking about cost considerations: are there savings to be realized from adaptive security controls? And maybe a bold prediction — how do you see the industry changing five years from now?
Amir Niaz: Definitely. Any ransomware attack you can avoid saves money and protects your brand. The majority of ransomware attacks start with a simple email that a user clicked on. Security tools, if configured properly, can protect you 90 percent of the time. The remaining 10 percent is always the user — the person we trust to do the right thing who clicks on the wrong thing and lets the attacker in.
One thing we are looking at from a Culligan standpoint is the onboarding process. HR does a lot of training, questionnaires, and assessments during onboarding — but the one thing they never ask is where this new hire stands on cybersecurity. What I am working on with HR is building a training module — a set of three or four short trainings a new hire needs to complete and pass to be qualified for their role, especially privileged roles. It takes no more than 30 minutes and it gives you a starting risk score for that person on day one, before you have handed them credentials with access to critical and confidential information. That is a light-bulb moment for a lot of people.
We need to shift away from the reactive nature of how we have approached this and look proactively at how we predict behavior and implement automations so that before damage is done, we can either remove access or contain the threat. Same with ransomware — the biggest challenge is not whether it will happen, because anyone who tells you they are 100 percent safe and will never experience ransomware is not being straight with you. The question is how quickly you can contain it and control the blast radius. If I can get in front of it fast, that is one less thing keeping me up at night. Maybe a few more minutes of sleep per night.
Harshal Mehta: I want to build on what Amir is saying. The way we need to change awareness programs and how we think about the entire human element is to move away from mandatory annual training. That is where the friction comes from — users dreading a 30-minute training every year that impacts their productivity. The moment we change that mindset to: we are not going to force that on you, we are going to teach you something you can implement not just at work but also at home — how to secure your bank account, how to teach your kids to use social media more safely — then there is real impact. Users become more engaged and more willing to participate.
We are moving away from static content toward more interactive, shorter snippets: this week we are talking about AI and how to use ChatGPT securely; next month we are talking about how to properly configure IoT devices, because everyone has them. Those basic snippets, taken in over time, keep users passively conscious. When something does not feel right, when an email does not match what their manager would normally send, the passive side of their brain kicks in and they start acting on that instinct.
Amir Niaz: And some of the controls we are starting to look at connect directly to this. My help desk supports over 50,000 employees globally. They do not know everyone's voice and they do not know everyone's role. So starting January 15, we will no longer allow password changes over the phone. Users will have to enroll in self-service password reset. That one control will prevent a whole category of creative social engineering — and deepfakes are becoming trivially easy to produce. If you go on TikTok, there are videos showing you how to do it in three steps.
David DellaPelle: That is critical. Real-time testing that is completely specific to who users are — their geography, their function, their company — and dynamically changing tests almost like a red-teaming solution to figure out who is susceptible to social engineering.
Rob, I want to turn to you about operational readiness. When you think about adaptive cybersecurity in enterprises, what parallels can you draw from your time in the military? I assume operational readiness in the Air Force was not just a KnowBe4 training once a year.
Rob Lyman: It is a constant evolution. Going back to that Marksmanship example — that was very simplistic. The network is infinitely more complex. It is more like flying an airplane. For military personnel serving on a staff or in a command and control center, the network is the window through which they create effects. In that sense, it becomes your weapon system — just as a rifle or an aircraft is a weapon system for other operators. Becoming expert in its employment is critical to making the unit more operationally effective and ready.
Expert employment is the mindset we would bring to adaptive security. Reinforcing positive online network behaviors becomes as important as ensuring a pilot demonstrates proper airmanship in combat airspace, or that an infantry unit has the skills to shoot, move, and communicate as they advance across the terrain. It is the same in the cyber domain. We want to be expert in employing our cyber weapon systems, and adaptive security gives us the ability to address the specific negative behaviors we observe — again, like that drill instructor helping with training in real time. That makes the unit much more ready and effective.
David DellaPelle: I want to shift gears a bit. Harshal, CWT has a massive customer service component as a travel company. What role does data privacy play here? Informing adaptive controls requires gathering a lot of data about your user base — and potentially your customer base. Talk to me about the tension between privacy and security.
Harshal Mehta: It is becoming more complicated as we inject more and more user behavior data into a risk-based platform. I am not just gathering basic information about a user — I am trying to understand their behavioral profile and their usage patterns. That becomes more complex outside of the US, particularly in the European region. And as one of the contractors supporting large US government organizations, we are also sensitive about what kinds of information we monitor.
For behavior monitoring, what we try to use is data signals from endpoint agents — CrowdStrike, Microsoft — where only basic behavioral signals are sent to the platform. From a user monitoring perspective, zero PII leaves our ecosystem. That is how we have carefully designed the program. There are vendors out there who want more intrusive behavioral data and are extracting more personal information, which becomes a problem under GDPR and European privacy regulations.
Our intent was never to bring PII outside our ecosystem or to use this platform to assess productivity or personal capability. This is entirely for the purpose of understanding a user's security risk profile. We shared that vision with European works councils and they are comfortable as long as we stay within those boundaries and do not engage in more intrusive monitoring. Organizations just want to understand that we are here to protect the organization — that security is of paramount importance — and when you give them concrete examples of how compromised credentials could give an attacker access to the entire organization, they understand the balance.
David DellaPelle: Let us touch on the intersection of security and HR. Amir, how is the relationship between security and human resources changing? If we are creating user risk profiles and some of those profiles indicate that a small percentage of employees may be potential insider threats, how do you ideally work with HR to address that?
Amir Niaz: There are two different dynamics depending on the region. In countries like Germany, France, Italy, and the UK, works councils are very focused on what data you are collecting on users and what you are going to do with it. Our message from our CEO down is that there is no compromising on security, and that consistently clicking on phishing links after being trained and warned is something that can result in job termination — and we can prove it through our tooling.
HR has become our partner. The main things we work with them on are defining risk categories in the onboarding process and creating a competitive dynamic around security. What we have done is built a dashboard that displays each department's risk score — visible in common areas like the cafeteria. People see it and develop a natural competitive instinct: marketing has the lowest risk score, why does my team not? It was a struggle at first because nobody wanted to show their dirty laundry, but we positioned it positively: each department is going to work to bring their score down, and that is something to take pride in.
The whole point is that this is not a mandatory 30-minute training everyone resents. This is something you should look forward to, and it is entirely in your hands. You might get trained once a year or you might get trained much more frequently — it depends on your behavior and your risk score. HR, legal, compliance, and IT are all our partners. When the GRC team comes in and asks whether users have been trained, we can provide dashboards showing exactly who has been trained, when, and why. We are making it work.
David DellaPelle: Brilliant. Rob, let us talk about distilling security culture through managers and leaders. In the military, how did you get lieutenants, captains, and majors to carry good security culture throughout the organization?
Rob Lyman: It is a balance. As Amir said, we are not going to compromise on security — that is the bedrock. But at the same time, embracing that culture is more about constant improvement and evolution. It is not about retribution. It is a culture of improvement, a culture of effectiveness. Rather than security training feeling like a reprimand, it is positive reinforcement. It is a constant evolution of skills, a way to stay sharp — because network security is a perishable skill. You have to stay engaged.
As people make mistakes, they recognize: I just need to correct this and move forward. It does not become a barrier to being effective at their job. It becomes a way to be more effective. Empowering those first-line supervisors — the officers and NCOs you just mentioned — to carry that message is what drives culture. It becomes a people problem, not a technology problem. Helping people understand that and communicating it consistently is really what it is all about.
David DellaPelle: Harshal, Amir, anything to add on security culture?
Harshal Mehta: It is an ongoing process. It is not done and dusted the moment you finish a training cycle. It takes time, dedicated effort, and consistent input from senior leadership to change the culture of an organization. You have to adapt, change, and evolve every day as the threat landscape shifts. I am glad that organizations like Dune are helping us move in the right direction.
Amir Niaz: It is all data driven. The dashboards Dune provides are our talking points — these are the people we are focusing on, and here is the reason. We also receive threat intelligence reports, so when a new campaign is circulating, it is easy for us to go to Dune and say: focus on these finance users because there is a threat going around targeting bank account changes and billing information manipulation.
Everyone here is in the same boat. We do not have unlimited time to train users, but we want to focus on behavior and help users do the right thing. We know they are busy. But if they just stop and think before they click, we would be in a much better place.
David DellaPelle: We have gotten through the main portion of today's webinar. I am going to open it up to the audience for Q&A, and while we are waiting for questions — any parting thoughts? Let us start with Rob, then Harshal, then Amir.
Rob Lyman: We talked a lot about adaptive security evolving to handle new emerging technologies. The piece we sometimes forget is that emerging technologies also change how users interact with networks and systems. Adaptive security gives you the ability to see both sides of that equation and evolve accordingly. If you can address not just the technology nuances but how users interact with it, you stay ahead of the security curve. It is almost like Agile development — the ability to quickly field new capabilities rather than waiting on long waterfall upgrade cycles. That is the next evolution of cybersecurity, and I would close with that. And thank you for your service comment earlier — it means a lot.
Harshal Mehta: I want to shift toward the people and culture side. One of the things we as security leaders sometimes take for granted is empathy. We need to make sure the user base at the center of this entire program understands why we are doing this and feels the importance of security. To create that kind of environment, you have to make it interesting rather than forcing it upon people. The softer path drives more lasting change. If we want to be change enablers and cultural ambassadors, we have to put people, empathy, and emotions at the center of everything we do.
Amir Niaz: Going back to basics: doing the right thing, taking more accountability. As leaders, our job is to make sure our users are equipped — providing them with tools and resources to improve, just like any other function in the business. No single tool or solution is going to win this battle alone. It is going to take a village, and that is what we are working toward.
David DellaPelle: That is the constant journey. Thank you so much to Harshal, Amir, and Rob — really amazing insights. We will share recordings and clips with our content team after this, but today was a fantastic conversation about adaptive security and the future of user-centric, AI-driven defense. Thank you so much for joining everyone and appreciate your time.
Harshal Mehta: Thanks for having me.
Rob Lyman: Thank you.
Amir Niaz: Thank you.
Annual checkbox training has been the industry default for two decades, and it is no longer fit for purpose. AI-generated phishing, deepfake CFO scams, and out-of-bound social engineering across SMS, voice, and encrypted apps have outpaced what static modules and stale phishing templates can prepare users for.
In this session, Amir Niaz (VP & CISO, Culligan), Harshal Mehta (VP & CISO, CWT), and retired Air Force Brig Gen Rob Lyman walk through the real-world limitations of traditional security models, how behavior-based risk scoring and real-time interventions improve User Layer defenses, and what implementation actually looks like inside large, global organizations – including how to balance compliance requirements with the pace of innovation in an AI-first enterprise.
Key Takeaways
- Generic annual training is over. Sophisticated, AI-enabled, multi-channel attacks have outpaced static modules. Programs must move to behavior-based ecosystems that integrate with the rest of the security stack and treat users as the center of the CIA triad, not an afterthought.
- Real-time correction beats classroom memorization. Behavior-based security observes negative behaviors and delivers a targeted response immediately, whether that is a contextual nudge, a temporary access restriction, or performance management pathways, rather than routing users through a generic module months after the relevant behavior occurred.
- Risk scores should drive access, not just training. Feeding a behavior-based user risk score into Entra ID, Okta, Netskope, and cloud security access controls turns identity into a true real-time control: good behavior earns access, repeated risky behavior triggers restrictions and re-qualification.
- Onboarding is the first risk decision. Adding short cybersecurity modules into HR onboarding gives every new hire a starting risk score before they receive privileged access, and forces the conversation about user risk into the hiring lifecycle for the first time.
- Privacy-respecting design is non-negotiable. European works councils and GDPR require that behavior monitoring uses only the signals it needs, keeps PII inside the ecosystem, and is never repurposed for productivity or capability assessment. Programs designed this way scale globally.
Stay Updated
Get the latest threat intelligence, research, and product updates from Dune Security.
Photo Gallery
Step into the atmosphere of our past event — watch the recap and relive the moments where cybersecurity, innovation, and community came together.
Our Latest Insights


Stevens Institute of Technology modernizes security awareness and improves individual risk management with Dune Security
Stevens Institute of Technology modernizes security awareness and improves individual risk management with Dune Security




Hitachi Digital future-proofs security training for a global workforce with Dune Security
Hitachi Digital future-proofs security training for a global workforce with Dune Security




Phishing Didn't Leave the Inbox. It Expanded Around It.
Mobile-centric phishing carries a 40% higher success rate than email. Vishing is up 442%. Deepfake fraud is projected to hit $40 billion by 2027. The attack surface didn't shift, it expanded. Here's what that means for enterprise defense.


Social Engineering Is About to Be the Only Game in Town
AI is finding and patching zero‑days at machine speed. The traditional attack surface is collapsing. The only place attackers can still win consistently is the user. Learn what that means for CISOs trying to defend the enterprise, and why the operating model that worked for networks, endpoints, and identity has to come to the User Layer next.




The Top User-Driven Cyber Threats Targeting Law Firms
Law firms sit on some of the most sensitive and valuable data in the enterprise, and attackers have built an entire playbook around exploiting the users who handle it. Learn how four dominant threat vectors are targeting legal sector workflows in 2026 and what it takes to stop attacks at the User Layer.




From Generic to Adaptive Security
Dune Security CTO Michael Waite joins the Cyber Security Matters podcast to discuss how AI-driven social engineering is evolving, why legacy security awareness training no longer works, and how behavior-based risk quantification can better protect users from emerging threats.




From Generic to Adaptive Security
Dune Security CEO David DellaPelle joins Secure Insights to break down why user risk drives breaches, how AI is accelerating social engineering, and why legacy awareness models are no longer effective.




From Generic to Adaptive Security
Dune Security CEO David DellaPelle joins the Cyber Security America podcast to explain how AI-driven social engineering is outpacing traditional security awareness training and why organizations need a behavior-driven approach to identifying and reducing user risk.




Philadelphia Area Cyber Technology Showcase & Golf Outing
Dune Security sponsored GuidePoint Security's Philadelphia Area Cyber Technology Showcase and Golf Outing, a regional gathering of cybersecurity professionals and technology partners.
.avif)
.avif)


Controlled Chaos: Enabling Innovation While Ensuring Safety & Security
GRC and security leaders from UiPath, Yugabyte, and CXD Consulting on enabling rapid innovation without losing the controls that keep the business standing.





.avif)