SYSTEM SECURE

Cybersecurity as a practice, not a project, is the single mental shift I have asked every executive I have advised this year to make. The companies still treating security as a multi-year initiative with a defined end state are the same companies showing up in breach notifications six months after their consultants left. The companies treating it as a daily practice, with rituals and rhythms, are the ones writing the smaller, calmer incident reports.

This Sunday letter is shorter than usual on purpose. According to IBM’s Cost of a Data Breach 2025, organizations that practiced incident response at least twice per year reduced breach costs by an average of 2.66 million USD. That is not a project budget. That is a habit budget. The discipline of repetition is what made the difference, and the discipline of repetition is what most boards still under-fund.

Why Practice Beats Project Every Year

Projects have end dates. Practices do not. When a security program is structured as a project, every milestone slipped is a reason to defer the next one. When a security program is structured as a practice, missing a week of tabletop exercises feels the way missing a week of physical training feels: noticeable, mildly embarrassing, easy to fix the following week. That difference in psychological framing is worth more than any dashboard.

The mid-market organizations I have watched recover well from incidents this year have something in common that I did not expect when I started writing these Sunday letters. They all had a standing 30-minute weekly security ritual that the CEO personally attended. Not the CISO. The CEO. The signal that sends through the organization is impossible to fake with any amount of policy documentation.

“If your CEO has not attended a security review in the last 90 days, you do not have a security practice. You have a security project that the rest of the company will treat accordingly.”

Senior Sunday letter reader, iSECTECH engagement notes

What a Security Practice Actually Looks Like

A security practice has weekly, monthly, and quarterly rituals that everyone in the organization can name without consulting a document. Weekly: triage of the last seven days of alerts, with a named decision on every one. Monthly: a tabletop exercise that includes one executive who is not normally in security conversations. Quarterly: a board update that includes three numbers, not thirty, and one honest assessment of what the team got wrong in the prior quarter. Anything more complicated than that tends to collapse under its own weight within two reporting cycles.

Three Boardroom Conversations That Defined This Letter

The boardroom version of this conversation is simpler than most CISOs make it. The question is not whether the security budget is going up or down. The question is whether the security practice is showing up reliably in the calendar of every leader who needs to be involved. If the answer is no, the budget number is irrelevant. If the answer is yes, the budget number is probably easier to justify than the CISO expected.

Three Habits Every Executive Should Build This Quarter

First, attend one security review per month in person, not as a guest but as a participant who is expected to ask questions. Second, read one incident report end to end every quarter: not the executive summary but the full report, including the timeline. Third, ask one uncomfortable question per quarter that does not have an easy answer, and let the silence sit until someone gives you a real one. Those three habits, repeated for a year, change the security culture of an organization more than any policy refresh.

“Culture is what people do when nobody is checking. Security culture is what people do with a suspicious email when the security team is asleep. You cannot project-manage that. You can only practice it.”

Bruce Schneier, security technologist and Harvard fellow

Where This Practice Belongs in the Organization

Security as a practice does not belong inside the IT organization. It belongs inside the operating rhythm of the whole leadership team. Finance has a monthly close. Sales has a weekly pipeline review. Engineering has a daily stand-up. Security should have all three: a daily triage, a weekly review, and a monthly cross-functional tabletop. When security shares the operating cadence of every other critical function, it stops being an outsider.

How This Connects to the Rest of Your Security Program

Sunday letters in this sequence have argued the same point from different angles. See the earlier letters on co-founders’ cyber conversation, board incident report discipline, and the CEO and CFO cyber question for the surrounding context. The thread connecting all of them is the same: security culture is built in the calendar, not in the policy document.

What to Read Before Monday Morning

Read one incident report end to end this week. Not the executive summary. The full timeline. Notice how much of the story is operational rather than technical. The technical findings are usually fixed within a quarter. The operational findings (the missed handoffs, the unread alerts, the unanswered phone) are the ones that recur in the next breach if the practice is not built.

What to Do This Week

Put a recurring 30-minute calendar block on every Monday for the next 12 weeks. Title it: Security Practice. Attend it personally. Cancel it only for genuine emergencies. At the end of the 12 weeks, ask yourself whether the security posture of the company is different. The honest answer will tell you whether the practice is real or whether you have been running a project all along.

Talk to a Senior Sunday letter reader Practitioner

iSECTECH builds these standing rhythms for executive teams that want security to feel like a practice rather than a project. If you want help designing the cadence that fits your organization, talk to us. We will not sell you a platform. We will help you build a calendar.

A Note on Burnout and Cadence

A practice that runs at maximum intensity every week is not a practice; it is a sprint dressed up as a routine. The standing rhythms that survive five years have built-in deload weeks. The same is true for security teams. If your team has not had a week in the last quarter without an after-hours incident bridge, you are running a project under the label of a practice, and burnout will resolve the contradiction for you.

“The strongest security cultures I have seen in 2026 share one trait: they protect their team’s recovery time as deliberately as they protect their detection coverage.”

iSECTECH Sunday letter review summary

What the Best CEOs I Know Do Differently

The chief executives I have worked with who treat security as a practice share three concrete behaviors. They keep a small, private list of the three security questions they intend to ask their CISO next quarter, and they refuse to be talked out of asking them. They have a personal point of view on what an acceptable incident response time looks like for their business, expressed in hours, not in policy language, and they have stated it out loud at least once to their executive team. They read at least one breach post-mortem per quarter from a company outside their own industry, because the most useful operational lessons rarely come from competitors who frame their own incidents charitably.

A Word on Why This Sunday Letter Series Exists

These Sunday letters exist because the operating reality of cybersecurity in 2026 is not the same as the executive narrative around it. The narrative still says strategy. The reality says discipline. The narrative still says transformation. The reality says repetition. Every Sunday letter in this sequence has been an attempt to bridge that gap with a single short note that an executive can read with a cup of coffee on a Sunday morning, and then carry into Monday’s leadership meeting. If a single sentence from one of these letters has changed how a board conversation went, the series has done its job.

The Question Worth Asking on Monday Morning

If a single question summarizes this letter, it is this one. When you walk into the office on Monday morning, ask the most senior security leader in the building what the last unresolved alert from Friday afternoon turned out to be, and listen carefully to whether the answer is specific or generic. A specific answer is a sign of a practice. A generic answer is a sign of a project. There is no third category, and the answer almost never changes between this Monday and the next without deliberate intervention from the top of the organization.

Whatever you decide to take away from this letter, keep the cadence in mind. Cadence is the muscle of every security practice that survives a personnel change, a budget cut, or an executive transition. Practices outlive their founders. Projects do not.

A Quiet Closing Note

If you read only one Sunday letter from this sequence and forget the rest, let it be this one. Cybersecurity in 2026 is not a project. It is a practice. The companies that build the practice will outlast the companies that keep funding the project. That is the whole letter.