Truth in IT
    • Sign In
    • Register
        • Videos
        • Channels
        • Pages
        • Galleries
        • News
        • Events
        • All
Truth in IT Truth in IT
  • Data Management ▼
    • Converged Infrastructure
    • DevOps
    • Networking
    • Storage
    • Virtualization
  • Cybersecurity ▼
    • Application Security
    • Backup & Recovery
    • Data Security
    • Identity & Access Management (IAM)
    • Zero Trust
    • Compliance & GRC
    • Endpoint Security
  • Cloud ▼
    • Hybrid Cloud
    • Private Cloud
    • Public Cloud
  • Webinar Library
  • TiPs
  • DRAW

HoxHunt: DocuSign's Award-Winning Phishing Awareness Program

Hoxhunt
07/10/2026
0 (0%)
Share
  • Comments
  • Download
  • Transcript
Report Like Favorite
  • Share/Embed
  • Email
Link
Embed

Transcript


Conference and Awards. And I am thrilled to be joined by Missy Benson. She is the Senior Security Training and Awareness Program Manager with DocuSign. So we're going to talk about all things security awareness today. And thanks so much for joining us for this conversation. So first of all, let's start right there. Tell us about yourself. Tell us about the overall security awareness program that you have at DocuSign. Yeah, absolutely. So just to give a little background. I've been in security for about 25 years now, and 15 of those officially this year is in security awareness. So very happy to know I'm kind of one of the originals, for sure. And through that time, I've worked in a variety of fields, but ultimately now with DocuSign, and I've been here three years. And as part of that program, I like to say that we have three functions. I call it my security cat, communications, awareness, and training, plus I like cats. And so within each of those pillars, I have obviously communication. So I oversee all of the communications within our security organization, whether it's internally facing and some external, and I'm starting to move more broadly into some more of our customer facing. And then awareness is always just the regular campaigns, helping employees make sure they know what they need to be aware of, if it's an alert that we need to get pushed out, or just general topics that we want to raise awareness on. And then lastly, our training, which is obviously our annual compliance training. So we have all our check the box, but then we have other trainings that we like to be able to do. And we're starting to get a lot more focused on persona and risk-based training this year. So we're really evolving the program. Great. Tell us a little bit more though about specifically what type of problems are you trying to solve in your work with Hawks Hunt? Yeah. So obviously social engineering is still one of the top risks. We're seeing that everywhere, every year, all the time. And Hawks Hunt has been an invaluable partner in helping us raise that awareness, identifying and now smishing, because we've also used their smishing modules as well as live trainings. And it's really helped us get the visibility up on what employees should be looking for. So one of our most recent smishing exercises, I thought was so fascinating to see how much people were posting about it in our Slack channels. It's really great to see that the communication is out there. I'm definitely an advocate of the employees talking about it to make others aware, because that's the biggest part of it, not keeping it to themselves and just doing something about it, but making others more aware. So like, hey, there's this potential threat. You need to do something about it. Yeah. Yeah. Dig in a little bit more as to why, when you were looking to solve some of these issues, you decided to select Hawks Hunt? Yeah, absolutely. So they are super easy to use. It's user friendly for myself on the back end, as well as our employees. It's a simple button to click. The users don't have to do anything themselves other than click. And we've even got to a point where it's a regular message within the company, Hawks Hunt it. So it's great to see, you know, we have kind of our own little built in champion program that I didn't even have to create. People just are actively doing it and love the ease of use. And the capabilities keep building. There's been more, as I said, we started with just fishing and the micro trainings, but now there's the smishing and it just continues to evolve. And we're looking forward to doing more. So what results do you think, you know, with your long experience too in the field have been most impressive? I think one of the biggest things seeing here with Hawks Hunt is the low click rate that we're getting. Since instituting Hawks Hunt, we've dropped down to the lowest click rate I've ever seen or even heard of personally. We're below 2% on average. And just seeing that is just beyond anything I've seen. And our engagement is gradually increasing. We're around industry there. I love that we're staying below industry for our click rates. Anything unexpected happen along the way that you were surprised about? I think one of the things actually was for myself. So DocuSign already had a partnership with Hawks Hunt when I started. And I came on board thinking, oh, three to five simulations every month. That seems excessive. Because I came from once a month or once a quarter was what I usually saw as a standard. And going to three to five, I don't even notice it myself. I just click it, report it, keep moving. And just hearing employees talk about the value of it and how easy it is for them. And then when they get upset, they lose their streak if they happen to click on one of the simulations. So that's always kind of fun. Yeah. Positive, negative in a way. Yeah. Yeah. Yeah. Yeah. What about feedback? What kind of feedback have you gotten from leadership about the program and about the work that you're doing with Hawks Hunt? Yeah. It's one of our major KPIs just for my area. So we always are reporting on phishing. And I'm actually trying to move over to the idea of resilience instead of just click rate. I think it's really important that we start to evolve that. And it's a proposal that I put out recently, and I'm hoping to move towards that. But it's an area that our leadership is always able to quickly see and grasp, knowing what our threat rate is, what our risk is, because the data is readily available. Hawks Hunt has a lot of reports that are easy to use and get the data as soon as I'm asked for it. Yeah. Yeah. So what are other employees saying or other security team members saying about the program? And that even goes back to what I was mentioning, how it's just Hawks Hunt. It's just a slogan. We're able to get the employees to just tell each other what to do. Our security team loves that they don't have to respond when people ask about things like, this looks suspicious, and they post it in Slack, and somebody else instantly responds with our Hawks Hunt emoji or just saying Hawks Hunt it. So it's really positive. And when we instituted the capability to put on vacation mode, people loved it because they weren't going to lose their streak anymore. Yeah. Yeah. Who would you recommend Hawks Hunt to? I think anyone that's in my space, honestly, because I think Hawks Hunt has been super easy for me. I plan to continue using it wherever I go if I'm not at DocuSign or just want to continue the partnership because honestly, it's not just about the capabilities that they provide to me, but the partnership as well. Hawks Hunt has been really good to partner with and discuss ideas that I have that I think would be good to implement and to understand what's on the road map. And it's just been really valuable in that sense. So it's not just a tool that I'm using. It's a partner that I work with. Interesting. Great. Well, Missy Benson, thank you for joining us today. Yes. Thank you so much. And thanks to you for watching. I'm Joan Goodchild with CSO. We'll see you next time.

TL;DR

  • DocuSign's phishing click rate dropped below 2% after adopting Hoxhunt — the lowest Missy Bentzen has seen in 15 years of security awareness work.
  • An organic employee champion network emerged naturally, with staff telling each other to 'Hoxhunt it' in Slack without any formal program being created.
  • The program expanded from phishing simulations to include smishing training and microlearning, running three to five exercises per month without employee fatigue.
  • Bentzen is shifting her program's success metric from click rates toward organizational resilience, reflecting a broader evolution in how security awareness is measured.

Summary

In this interview recorded at the CSO Cybersecurity Conference and Awards in Nashville, Missy Bentzen, Senior Security Training and Awareness Program Manager at DocuSign, shares how her team partnered with Hoxhunt to transform a traditional compliance-driven security awareness program into a behavior-focused, measurable risk reduction initiative. Bentzen, who brings 25 years of security experience including 15 years specifically in security awareness, describes a three-pillar program she calls "security CAT" — communications, awareness, and training — that has evolved to include persona-based and risk-based learning. The Hoxhunt partnership expanded DocuSign's simulation coverage from standard phishing to include smishing exercises and microlearning modules, running three to five simulations per month. The results have been striking: phishing click rates have dropped below 2%, a figure Bentzen describes as the lowest she has encountered in her career. Perhaps more telling than the metrics is the cultural shift: employees now spontaneously tell each other to "Hoxhunt it" when suspicious messages appear in Slack, creating an organic peer-to-peer champion network that required no formal program to establish. Bentzen also highlights the platform's ease of use, accessible reporting for leadership, and the collaborative partnership model as key differentiators — noting she intends to bring Hoxhunt with her regardless of where her career takes her next.

Chapters

0:00 - Introduction & Speaker Background
0:52 - DocuSign's Security Awareness Program
2:05 - Why DocuSign Chose Hoxhunt
4:02 - Results: Click Rates & Engagement
5:36 - Leadership Reporting & Resilience Metrics
7:13 - Recommendation & Partnership Value

Key Quotes

4:16 "Since instituting Hawks Hunt, we've dropped down to the lowest click rate I've ever seen or even heard of personally."
4:24 "We're below 2% on average. And just seeing that is just beyond anything I've seen."
3:30 "We've even got to a point where it's a regular message within the company, Hawks Hunt it."
7:57 "It's not just a tool that I'm using. It's a partner that I work with."

FAQ

How many phishing simulations does DocuSign run per month with Hoxhunt?

DocuSign runs three to five simulations per month. Bentzen initially found this frequency excessive compared to the once-a-month or once-a-quarter cadence she had seen elsewhere, but found that employees adapted quickly and she herself no longer notices the simulations.

What metrics does DocuSign use to evaluate its security awareness program?

Phishing click rate is a primary KPI, currently averaging below 2%. Bentzen is actively working to shift leadership focus toward a resilience-based metric rather than click rates alone, reflecting a broader industry trend away from failure-focused measurement.


Categories:
  • » Data Protection
Channels:
News:
Events:
Tags:
  • Security Operations
  • Email Security
  • Customer Story
  • Best Practices
  • Compliance & Governance
  • Security awareness training
  • Phishing simulation
  • Smishing training
  • Human risk reduction
  • Security culture
  • Employee engagement
  • Behavior-based security
  • Microlearning
Show more Show less

Browse videos

  • Related
  • Featured
  • By date
  • Most viewed
  • Top rated
  •  

              Video's comments: HoxHunt: DocuSign's Award-Winning Phishing Awareness Program

              Upcoming Webinar Calendar

              • 07/14/2026
                01:00 PM
                07/14/2026
                Crafting a Championship-Worthy Security Team for Unmatched Defense
                https://www.truthinit.com/index.php/channel/2025/crafting-a-championship-worthy-security-team-for-unmatched-defense/
              • 07/14/2026
                02:00 PM
                07/14/2026
                Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data
                https://www.truthinit.com/index.php/channel/2037/understanding-the-crucial-role-of-context-in-safeguarding-ai-accessible-data/
              • 07/21/2026
                04:00 AM
                07/21/2026
                Strategies for Managing AI Governance and Securing App-to-LLM API Traffic
                https://www.truthinit.com/index.php/channel/1967/strategies-for-managing-ai-governance-and-securing-app-to-llm-api-traffic/
              • 07/22/2026
                06:30 AM
                07/22/2026
                Insights and Strategies for Effective Data Privacy and Protection
                https://www.truthinit.com/index.php/channel/2000/insights-and-strategies-for-effective-data-privacy-and-protection/
              • 07/22/2026
                01:00 PM
                07/22/2026
                Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue
                https://www.truthinit.com/index.php/channel/2029/insights-from-attackers-during-the-fifa-world-cup-a-human-dialogue/
              • 07/28/2026
                01:00 PM
                07/28/2026
                Illumio + Netskope: Zero Trust in the Age of AI Autonomy
                https://www.truthinit.com/index.php/channel/2031/illumio-netskope-zero-trust-in-the-age-of-ai-autonomy/
              • 07/29/2026
                04:00 AM
                07/29/2026
                Real-Time Strategies for Safeguarding Against Prompt Injections
                https://www.truthinit.com/index.php/channel/1968/real-time-strategies-for-safeguarding-against-prompt-injections/
              • 07/29/2026
                12:00 PM
                07/29/2026
                Unified Data Security in Action: Uncover, Analyze, and Resolve Threats
                https://www.truthinit.com/index.php/channel/2045/unified-data-security-in-action-uncover-analyze-and-resolve-threats/
              • 07/29/2026
                01:00 PM
                07/29/2026
                Ask Your Cloud Anything: Unlocking Governance Silos in your Environments
                https://www.truthinit.com/index.php/channel/2048/ask-your-cloud-anything-unlocking-governance-silos-in-your-environments/
              • 08/19/2026
                12:00 PM
                08/19/2026
                Becoming Agent Ready: Insights from Cyera's Expertise
                https://www.truthinit.com/index.php/channel/2036/becoming-agent-ready-insights-from-cyeras-expertise/
              • 09/30/2026
                04:00 AM
                09/30/2026
                AI Command Center: Optimizing Visibility and Control in Your Operations
                https://www.truthinit.com/index.php/channel/2024/ai-command-center-optimizing-visibility-and-control-in-your-operations/

              Upcoming Events

              • Jul
                14

                Crafting a Championship-Worthy Security Team for Unmatched Defense

                07/14/202601:00 PM ET
                • Jul
                  14

                  Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data

                  07/14/202602:00 PM ET
                  • Jul
                    21

                    Strategies for Managing AI Governance and Securing App-to-LLM API Traffic

                    07/21/202604:00 AM ET
                    • Jul
                      22

                      Insights and Strategies for Effective Data Privacy and Protection

                      07/22/202606:30 AM ET
                      • Jul
                        22

                        Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue

                        07/22/202601:00 PM ET
                        More events
                        Truth in IT
                        • Sponsor
                        • About Us
                        • Terms of Service
                        • Privacy Policy
                        • Contact Us
                        • Preference Management
                        Desktop version
                        Standard version