The conversation between the CHRO and the CISO may be the single most underused executive conversation in 2026. In nearly every breach post-mortem I have read this year, there was a moment six to twelve months before the incident when an HR signal and a security signal pointed at the same risk, and no one was in the room to connect them. This Sunday letter is about that conversation, why it matters more than it gets credit for, and how to start it on Monday morning if it has not been happening on yours.
According to Verizon’s 2025 DBIR, insider-related incidents, whether malicious or accidental, remain a meaningful share of the breach picture. The 2025 Ponemon Institute insider risk research adds the operational dimension: most insider events are preceded by observable HR signals that the security team did not have access to and would not have known how to interpret if they had.
Why CHRO and CISO Need a Standing Cadence
The CHRO sees signals the CISO does not: performance issues, disengagement, organizational restructuring, the slow erosion of team cohesion. The CISO sees signals the CHRO does not: anomalous data access, unusual login patterns, after-hours activity on critical systems. Neither leader can reasonably act on the other’s signals in isolation. Together, with a standing cadence and a shared vocabulary, they can detect a meaningful share of insider risk before it becomes an incident.
The cadence that works in our 2026 engagements is straightforward. A 45-minute monthly meeting between the CHRO and the CISO, with no agenda items beyond a quiet review of any signal either side has noticed in the last 30 days that the other should know about. Most months the meeting is uneventful. The months when it is eventful are the months that quietly prevent something the organization would otherwise have read about later.
“The most underused executive conversation in cybersecurity is the one between the CHRO and the CISO. When it is happening, insider risk gets caught early. When it is not, insider risk gets caught in the post-mortem.”
Senior Sunday letter reader, iSECTECH engagement notes
What the Conversation Actually Looks Like
The conversation is not a joint investigation. It is a structured exchange of awareness. The CHRO might share that a specific team has been restructured and the team lead is taking it harder than expected. The CISO might share that an analyst on a different team has been accessing data outside their usual pattern, with no clear explanation yet. Neither signal is actionable on its own. The conversation is about making sure both leaders know enough to act faster if a second signal appears.
Three Boardroom Conversations That Defined This Letter
The boardroom version of this conversation needs to surface twice a year. The board does not need the operational details, but it does need to know that the conversation is happening, on what cadence, and what the leaders have learned from it. Boards that ask about the CHRO-CISO cadence tend to find out quickly whether it is real or whether it is a slide.
Three Habits Every CISO Should Build With Their CHRO This Quarter
First, schedule the standing 45-minute monthly meeting and do not let it slip below a six-month cancellation rate of zero. Second, build a shared vocabulary for insider risk that both leaders can use without offense: red flags, yellow flags, green-flag patterns. Third, run one tabletop per year together that involves both an HR-side and a security-side dimension, so the muscle memory for working together exists before any real event tests it.
“Insider risk is a joint operational concern. Treating it as a security-only concern misses half the signals. Treating it as an HR-only concern misses the other half. The mature organizations have stopped treating it as a single-function problem.”
Theresa Payton, former White House CIO and CEO of Fortalice Solutions
Where This Conversation Belongs in the Organization
The CHRO-CISO cadence belongs inside the executive operating rhythm of the company, not in a special working group that meets when insider risk has already become urgent. The cadence that prevents incidents is the cadence that runs in quiet months as well as loud ones. Once it becomes a working group convened in crisis, it has already lost the prevention property that made it valuable.
How This Connects to the Rest of Your Security Program
This Sunday letter sits inside a longer sequence on executive conversations. See the earlier letters on cybersecurity as practice not project, co-founders cyber conversation, and board incident report discipline. The connecting thread is the same: security culture is built in conversations on the calendar, not in policy documents on the shelf.
What to Read Before Monday Morning
Read one insider risk post-mortem this week from outside your industry. Pay attention to which signals were available before the incident, which were noticed, and which were either missed or noticed by someone who did not know to share them. The post-mortem will almost always include a quiet moment six months earlier that someone could have flagged if the conversation had been happening.
What to Do This Week
Send the calendar invite this week. 45 minutes, monthly, CHRO and CISO, no fixed agenda. Make the first meeting genuinely about getting to know each other’s operating cadence. The structured exchange of signals comes naturally once the working relationship is in place. The hardest part is starting, and the only way to start is to send the invite.
Talk to a Senior Sunday letter reader Practitioner
iSECTECH advises CISOs on building cross-functional executive cadences that catch insider risk before it becomes an incident. If your CHRO and CISO have not been in a room together in the last six months, talk to us. We will help you design the meeting structure and the shared vocabulary that make the conversation productive.
A Note on Joint Investigations
When insider risk crosses from signal to investigation, the joint conversation has to evolve into a joint operating protocol with legal counsel, HR, and security all aligned on what evidence can be collected, retained, and discussed. The organizations that have run those protocols once know how to run them again. The organizations that have not are improvising at the worst possible time. Mature programs run a tabletop on the protocol annually, even in years when no investigation is needed.
“The Sunday letter version of this point is simple. Insider risk is a relationship problem first, a data problem second, and a technology problem third. Most organizations work the order backwards.”
iSECTECH Sunday letter review summary
A Quiet Closing Note
If you take one thing from this Sunday letter, let it be the calendar invite. Forty-five minutes, monthly, CHRO and CISO. That single meeting, run for a year, will change how your organization sees and responds to insider risk more than any tooling decision you make in the same period.
One operational nuance worth raising is governance cadence. The teams that mature fastest on CHRO and CISO conversation run a 90-minute review every quarter that includes engineering, security, and one executive sponsor who reports the findings into the next board meeting without translation. That single meeting, repeated four times a year, has more impact on program maturity than any tooling decision an organization will make in the same period.
Another observation from the field: most enterprise programs that fail on CHRO and CISO conversation fail at the handoff between the security team and the engineering owners, not at the technical decision itself. A documented handoff template, with explicit acceptance criteria and a 48-hour clarification window, eliminates more program-level risk than any architectural diagram on its own. The handoff is where good programs become great programs in 2026.
A final note on metrics: pick three numbers, publish them internally every quarter, and refuse to report on the fourth until those three are trending in the right direction. The instinct to report on everything dilutes the conversation. The discipline of reporting on three numbers concentrates it. Mature CHRO and CISO conversation programs in 2026 share that discipline almost without exception, and the boards that fund those programs tend to remember which three numbers the team reports on.
A practical observation worth capturing: the gap between the best and the average CHRO and CISO conversation programs in 2026 is not a tooling gap, a budget gap, or a talent gap. It is a discipline gap, and it is closed one quarterly review at a time. The discipline of showing up, of closing findings, of reviewing exceptions, of running the next drill, is what separates the programs that age well from the programs that quietly degrade.
A Final Note on Tone
The tone of the CHRO and CISO conversation matters as much as its existence. The mature pattern is collegial rather than adversarial, curious rather than accusatory, and protective of employee dignity rather than dismissive of it. Insider risk programs that lean toward surveillance theater tend to lose the trust of the workforce they depend on, and the trust deficit shows up later in reduced reporting from employees who saw something and decided not to say anything. The conversation that catches insider risk early is the conversation that the workforce understands as protective rather than punitive.
