Phishing for Answers: An In-Depth Conversation with Harshal Mehta, CISO of CWT

Published On:
May 14, 2025

In our latest episode of Phishing for Answers, I had the pleasure of sitting down with Harshal Mehta, the CISO at Carlson Wagonlit Travel (CWT), to dive deep into the evolving world of cybersecurity—and how its human element is the real game changer. Our conversation ranged from Harshal’s unconventional journey into the field to the critical importance of role-based, engaging security awareness programs. Here’s a closer look at the key insights from our discussion.

An Unconventional Journey into Cybersecurity

Harshal opened up about his path into cybersecurity, noting that unlike today’s clearly defined career tracks, the field wasn’t even on the radar when he was a young engineering student in the early 2000s. Originally, his focus was on traditional IT roles—developing systems and working on secure coding practices—but it wasn’t until he encountered courses and real-world challenges in information security that he became truly intrigued.

He recalled, “I never planned on doing cybersecurity. I was doing my engineering, but then I took a chance on InfoSec because I was curious about the people and process side of things. I just gave it a shot—and I’ve rarely looked back.” His story resonated with many of us who “stumbled” into this field and eventually embraced the challenge wholeheartedly. For Harshal, the journey from technology to cybersecurity was not just a career pivot; it was an evolution driven by curiosity and the desire to connect technical safeguards with human behavior.

Cybersecurity Beyond the Tech Department

One of the eye-opening parts of our conversation was how Harshal’s role at CWT extends far beyond conventional IT silos. At Carlson Wagonlit Travel—a leading travel management company based in Minneapolis—cybersecurity isn’t isolated in a separate function. Instead, it’s interwoven into every aspect of business operations. Harshal works closely with legal, compliance, HR, and operational teams, emphasizing that true security requires an enterprise-wide approach.

He explained, “Being the CISO at CWT means I have to understand—and sometimes even influence—how every department operates. Whether it’s reviewing password reset policies or connecting with HR about social engineering, our security strategy is built on collaboration.” This cross-functional approach underlines the idea that cybersecurity is not simply a technical problem; it is fundamentally about people and processes.

The Human Element: Training, Empathy, and Engagement

A recurring theme throughout our talk was the importance of addressing the human element in cybersecurity. Harshal is a firm believer that technical controls and advanced gadgets are only as good as the people who use them. He stressed that security awareness training must be both engaging and relevant to each individual’s role.

Role-Based Training Matters

Harshal noted that generic, “one-size-fits-all” training sessions rarely make an impact. Instead, training should be tailored to the specific needs of each business unit. For example, an HR manager should receive different security awareness content—focusing on phishing emails that mimic internal HR communications—than a frontline agent, whose exposure and risks are entirely different. By connecting training to the real-life challenges faced by employees at every level, you empower them to recognize threats effectively.

He explained, “When training is context-specific, it becomes 15 times more effective. Your tech team shouldn’t be learning the same content as your finance or HR teams. It’s all about downsizing the content into bite-sized pieces that hit home for the individual.” This customized approach not only increases awareness but also builds a culture where employees feel supported and valued.

Engagement and Empathy Over Punishment

When I asked Harshal to weigh in on the “carrot versus stick” debate in fostering a security-conscious culture, he was unequivocal: while both approaches have their merits, the carrot always wins—especially when it comes to continuous improvement and building trust.

“People are the weakest link,” he said, “but if you catch them in the act of learning, if you praise a quick report of a simulated phishing attack, you reinforce that positive behavior. Punishment might work for a one-off mistake, but it doesn’t create a long-lasting culture of vigilance.”

His philosophy is simple yet powerful: security awareness should be an ongoing, supportive conversation rather than an annual mandatory checkbox exercise. From micro-training sessions delivered via short videos to gamified phishing simulations that reward careful behavior, his ideas are firmly focused on empowering employees through sustained engagement and empathy.

Innovating the Training Experience

Harshal shared some innovative tactics CWT has implemented to keep their security awareness program fresh and engaging. One such tactic is integrating gamification into phishing simulations—for instance, offering small incentives like gift cards or public recognition when employees correctly identify suspicious emails.

“We’ve developed campaigns where, instead of simply sending out a phishing email and then following up with disciplinary measures for clicks, we create an interactive experience. We announce ‘phishing week’ via banners on our internal systems and email, then run role-based simulations that feel more like a game than a chore,” he explained. By using positive reinforcement, the training not only improves retention but also makes cybersecurity a more approachable and less intimidating concept.

Leading Cybersecurity at Scale

Harshal also explored the unique challenges of his role as CISO in a global travel management company. Beyond training and simulations, his work involves addressing real-world incidents—like a surge in phishing attacks during the COVID-19 pandemic. With organizations adjusting to remote work and widespread anxiety, cybercriminals seized the moment to launch targeted scams (from fake vaccine alerts to fraudulent travel offers).

In response, CWT bolstered its defensive measures by introducing dual-control processes for sensitive operations such as password resets. Now, whenever a help desk request is made, the password is sent only after a manager’s validation. These tweaks offer a layer of protection that is both simple in design and effective in practice—proof that sometimes low-tech solutions go a long way in mitigating risk.
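To make the dual-control idea concrete, here is an added example (written for this post, not CWT's actual help-desk tooling) of a minimal reset workflow in which a temporary password can only be released after the target user's manager has validated the ticket. The user-to-manager directory, the agent and user names, and the request flow are all constructed for illustration; the point is the separation-of-duties checks: the approver must be the user's manager, and neither the agent who opened the ticket nor the user themselves may act as that approver.

```python
# Added example (not CWT's code): a minimal dual-control workflow for help-desk
# password resets. A temporary password is released only after the target user's
# manager has validated the ticket, and neither the requesting agent nor the user
# may act as that approver. The user/manager directory used below is constructed.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional
import secrets


class State(Enum):
    REQUESTED = "requested"   # help desk opened the ticket
    APPROVED = "approved"     # manager validated it
    ISSUED = "issued"         # temporary password released, ticket closed


class DualControlError(Exception):
    """Raised when a step is attempted without the required second control."""


@dataclass
class ResetRequest:
    request_id: int
    target_user: str
    requested_by: str            # help desk agent who opened the ticket
    state: State = State.REQUESTED
    approved_by: Optional[str] = None


class ResetWorkflow:
    def __init__(self, manager_of: Dict[str, str]):
        # manager_of maps each user to the one manager allowed to validate a reset
        self._manager_of = manager_of
        self._requests: Dict[int, ResetRequest] = {}
        self._next_id = 1
        self.audit_log: List[str] = []

    def _get(self, request_id: int) -> ResetRequest:
        try:
            return self._requests[request_id]
        except KeyError:
            raise DualControlError(f"unknown request {request_id}") from None

    def open_request(self, target_user: str, agent: str) -> int:
        if target_user not in self._manager_of:
            raise DualControlError(f"no manager on record for {target_user}")
        rid = self._next_id
        self._next_id += 1
        self._requests[rid] = ResetRequest(rid, target_user, agent)
        self.audit_log.append(f"#{rid} opened for {target_user} by agent {agent}")
        return rid

    def approve(self, request_id: int, approver: str) -> None:
        req = self._get(request_id)
        if req.state is not State.REQUESTED:
            raise DualControlError(f"#{request_id} is already {req.state.value}")
        # Separation of duties: the requesting agent and the user themselves can
        # never validate, and the validator must be the user's manager of record.
        if approver in (req.requested_by, req.target_user):
            raise DualControlError("requester and target user cannot self-approve")
        if approver != self._manager_of[req.target_user]:
            raise DualControlError(f"{approver} is not the manager of {req.target_user}")
        req.state = State.APPROVED
        req.approved_by = approver
        self.audit_log.append(f"#{request_id} validated by manager {approver}")

    def issue_temporary_password(self, request_id: int, agent: str) -> str:
        req = self._get(request_id)
        if req.state is not State.APPROVED:
            raise DualControlError(f"#{request_id} has no manager validation on record")
        req.state = State.ISSUED      # one release per ticket; a second call is refused
        temp = secrets.token_urlsafe(12)  # one-time value; force a change at first login
        self.audit_log.append(f"#{request_id} password issued by agent {agent}")
        return temp


def demo() -> List[str]:
    """Walk the happy path and collect the bypass attempts the control blocks."""
    wf = ResetWorkflow({"alice": "bob", "bob": "carol"})   # constructed directory
    rid = wf.open_request("alice", agent="dave")
    blocked = []
    for approver in ("dave", "alice", "eve"):              # none of these may validate
        try:
            wf.approve(rid, approver)
        except DualControlError as e:
            blocked.append(str(e))
    try:
        wf.issue_temporary_password(rid, agent="dave")       # no validation yet
    except DualControlError as e:
        blocked.append(str(e))
    wf.approve(rid, "bob")                                   # the real second control
    wf.issue_temporary_password(rid, agent="dave")
    return blocked


if __name__ == "__main__":
    for line in demo():
        print("blocked:", line)
```

The audit log is deliberately part of the workflow object: a dual-control process is only as good as the record showing who opened, who validated and who released each ticket, which is what an incident responder would reach for first if a reset were later disputed.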

Harshal concluded our discussion by stressing the importance of balancing technical controls with open, honest communication. “At the end of the day, our goal is to empower our people, not to penalize them. We have to build a culture where cybersecurity isn’t a barrier to productivity but a shared responsibility that helps protect the company’s mission,” he said.

Quick Links:

https://www.linkedin.com/in/joshuacrumbaugh/

https://www.linkedin.com/in/mehtaharshal/

https://www.linkedin.com/pulse/phishing-answers-in-depth-conversation-harshal-mehta-cmlze
