my job was to bring all the redteam creativity i'd been fostering before taking the job into reorganizing the internal twitter security aparatus. One thing of concern at the time (because this was the hot thing in 2011) was internal phishing training.
meaning: running soft, but live-fire phishing campaigns against the staff to measure how they did. *MY* intention was to improve things, but "the market" later ended up just calling this an insurance/compliance checkbox
my program was different