The CEO of the world’s largest domain registrar and web-hosting company stood behind phishing tests, “even if … it was a difficult thing to do.”
GoDaddy CEO Aman Bhutani stood by a controversial phishing test in a recent town hall with employees, saying he understood employee backlash but that the company needed to prepare its employees against potential hackers.
The video call with employees came days after a Dec. 14 email offering employees a $650 holiday bonus in lieu of their annual holiday party turned out to be a phishing test from the company.
Bhutani said GoDaddy would not give out the bonuses to employees at this time.
The town hall was held a week before a Copper Courier story about the email prompted public backlash to the test. Bhutani acknowledged at the time of the call that there was backlash to the test internally, saying the test stepped on a “raw nerve.” Questions about the test were the top question at the town hall, he said.
But he also emphasized that the company’s chief security officer, Demetrius Comes, had designed the test to mimic techniques that hackers could attempt to use to steal company information. He said the company needed to “do better.”
“Somebody has to stand up for the company and be the bad guy and prepare our employee base for it,” Bhutani said. “A leader in our company, our chief information security officer, thought to do the right thing for all of us, even if he felt that it was a difficult thing to do.”
Video of the town hall was forwarded to The Copper Courier by a GoDaddy employee. When asked about the video, a GoDaddy spokesperson confirmed what was said in the recording and stood by the comments made by Bhutani during the town hall.
In a statement to The Copper Courier regarding the test, GoDaddy said it takes the security of its platform “extremely seriously” and that it had apologized to employees who were upset.
“While the test mimicked real attempts in play today, we need to do better and be more sensitive to our employees,” the statement read.
While Bhutani acknowledged during the town hall that employees were “right” to feel frustrated and angry, he issued no formal apology to employees during the call.
Bhutani pointed out on the call that 10% of GoDaddy employees who were sent the email clicked on the link promising holiday bonuses. A follow-up email sent by Comes, the chief security officer, said that approximately 500 employees had failed the phishing test.
“Hopefully you understand how challenging this is for me to agree on both sides and deal with that tension,” Bhutani said. “That tension is a good thing.”
GoDaddy Unable to “Write Off” Holiday Bonuses
GoDaddy’s phishing test was sent during a holiday season where many are experiencing financial anxiety amid the coronavirus pandemic.
In response to news of the company’s phishing test, many people on Twitter called on GoDaddy to give the bonuses to employees.
In the town hall, Bhutani said he could not give employees the $650 bonus.
“It may seem like GoDaddy is a super large company and we could give out that money,” Bhutani said. “It’s very difficult for us to turn on a dime and just say we could do that. We unfortunately are not really that big to be able to write that off.”
GoDaddy surpassed 20 million customers this year and reported “record customer growth.” However, the company laid off or reassigned hundreds of employees during the coronavirus pandemic, including in Arizona, Iowa, and Texas.
The total compensation of senior GoDaddy executives ranged from $4.2 million to $14.3 million in 2019, according to proxy statements filed with the Securities and Exchange Commission.
Bhutani, who took over as CEO in September 2019, received $14.3 million in total compensation last year. Bhutani’s compensation included $12.7 million in company stock options, his salary of $326,027, and a $1 million sign-on bonus paid at the time of his hiring.
Who Signed Off on the Email?
The GoDaddy email ignited a debate on social media among cybersecurity professionals about the ethics of the test.
While phishing tests are commonly used by large companies to gauge employees’ susceptibility to outside attacks seeking to gain access to sensitive information, many contended that GoDaddy had gone too far.
The Scottsdale-based GoDaddy has been no stranger to security breaches this year. Earlier this year, Forbes reported that 28,000 GoDaddy customers were impacted after a data breach compromised their account credentials.
Bhutani said during the town hall that GoDaddy’s senior leadership was not aware of the phishing test before it was sent out, but that he respected the autonomy of the security team to design appropriate tests for the company.
“I don’t want to send them the message that … in the future they always have to come to me for approval for what they do,” Bhutani said. “I want them to do it. I don’t want [the senior leadership] to do it. I don’t want to take away their autonomy.”
Still, Bhutani said a balance was needed to account for the angry and frustrated response from GoDaddy employees. The security team, he said, would need to find a better way to execute the tests moving forward.
“I’m going to expect that from them and I’m certain they can do it,” he said.
The last question in the town hall addressing the incident came from an employee asking how the company planned to repair the damaged trust caused by the phishing test.
Bhutani said he didn’t think trust had been damaged.
“Trust to me is about being open and honest and transparent with you about exactly what happened, how we felt about it and what we’re going to do differently,” Bhutani said.
“I’m going to continue to trust that our team members will continue to tell us when they feel something … and that leaders in security … will continue to do the things that are really important to protect us,” he added.
Want to talk about a phishing test from your employer? Reach the reporter at firstname.lastname@example.org.