SYSTEM SECURE

One phishing report a week. That is the entire ask of this Sunday letter, addressed to every CEO who has read this far in the series. Not the dashboard. Not the trend chart. One specific phishing report, end to end, every Monday morning, for one quarter. Then we can talk about whether your security culture is what you assume it is.

According to the Verizon 2025 DBIR, phishing and pretexting remain consistently in the top three initial-access vectors across industries. The 2025 Anti-Phishing Working Group quarterly reports reinforce the operational reality: the volume is steady, the sophistication is rising, and the only durable defense is a workforce that reads suspicious emails carefully and reports them quickly.

Why One Report a Week, Not a Dashboard

A dashboard summarizes signal. A specific phishing report tells a story: the lure, the click rate, the people who reported it, the people who clicked, the response time, the lessons. Reading one report a week for a quarter teaches a CEO more about their organization’s actual security culture than any trend chart ever will, because the report contains the texture of how the workforce actually behaved.

It also changes how the security team writes the report. Reports written for a CEO who is going to read them carefully are written more carefully than reports written for an executive summary. The discipline of expecting a reader changes the writing, and the writing changes the program. The cycle compounds in both directions.

“If the CEO reads one specific phishing report every Monday for a quarter, the security culture of the company is different at the end of the quarter than it was at the start. The change happens in how the security team writes the reports.”

Sunday letter reader, iSECTECH Sunday letter notes

What One Report Actually Contains

A useful phishing report contains the lure with the indicators that should have made it suspicious, the population it was delivered to, the click rate broken down by team or seniority where defensible, the report rate from the workforce, the response time of the security operations team, and a one-paragraph honest assessment of what the campaign revealed about the workforce’s current posture. It should fit on two pages. It should be readable in 12 minutes.

The boardroom version of this conversation is a 30-second update every quarter, not a fresh report. The board does not need the individual reports. They need the CEO’s confidence that the CEO is reading them, that the trends are visible, and that the security organization is acting on the patterns the reports reveal.

Three Habits Every CEO Should Build This Quarter

First, ask for one specific phishing report every Monday and reserve 15 minutes to read it. Second, send a short personal note to the security team about the report once per quarter, with one specific observation that demonstrates you read it carefully. Third, in your next all-hands meeting, share one anonymized lesson from one of the reports. The combination of those three habits, repeated for a year, will reshape how the workforce thinks about phishing more than any policy document or annual training course.

“The CEO who reads phishing reports does not need to do anything other than read them. The act of reading them is the intervention. The security culture follows.”

Theresa Payton, former White House CIO and CEO of Fortalice Solutions

Where This Habit Belongs in the Operating Rhythm

The 15 minutes belong on Monday morning, before the executive operating rhythm starts. Reading the phishing report after the operational fires of the week have started will become impossible by Tuesday. Reading it before the day’s first meeting is sustainable. The discipline that survives is the discipline that does not compete with the rest of the day.

This Sunday letter sits inside a longer sequence on executive engagement with security. See the earlier letters on CHRO and CISO cyber conversation, cybersecurity as practice not project, and CEO and CFO cyber question. The connecting thread is unchanged: security culture is built in the calendar.

Read one specific phishing report this week. Not a summary. The actual report, with the lure and the click rate and the response timeline. Notice which details matter most to you and ask the security team to put those details first in the next report. The customization is part of the habit.

Send the calendar invite to yourself this morning. 15 minutes, Monday, every week, for the next 13 weeks. Title it: Phishing Report. Read the report when it arrives. At the end of the quarter, decide whether the practice has produced a different conversation with your security team and your workforce. The honest answer will tell you whether the habit was worth it.

iSECTECH advises CEOs and CISOs on the executive habits that quietly change security culture. If your one-report-a-week habit needs structure to start, talk to us. We will help you design the report format and the cadence that makes the habit sustainable for a full year rather than a single quarter.

A Note on Workforce Confidence

Workforce confidence in the phishing reporting button is the single highest-leverage cultural metric in any phishing program. Workforces that trust the button report suspicious emails quickly. Workforces that do not trust the button click first and report never. The CEO’s observable interest in the phishing reports the workforce produces is what builds and sustains that trust, and the trust is what produces the reporting rate that defends against the next campaign.

“If you want to know whether your workforce trusts the phishing reporting button, look at the report rate against the click rate over the last 90 days. The honest number is the trust number.”

iSECTECH Sunday letter review summary

One operational nuance worth raising is governance cadence. The teams that mature fastest on CEO and phishing reports run a 90-minute review every quarter that includes engineering, security, and one executive sponsor who reports the findings into the next board meeting without translation. That single meeting, repeated four times a year, has more impact on program maturity than any tooling decision an organization will make in the same period.

Another observation from the field: most enterprise programs that fail on CEO and phishing reports fail at the handoff between teams and not at the technical decision itself. A documented handoff template, with explicit acceptance criteria and a 48-hour clarification window, eliminates more program-level risk than any architectural diagram on its own.

A note on metrics: pick three numbers, publish them internally every quarter, and refuse to report on the fourth until those three are trending in the right direction. The discipline of reporting on three numbers concentrates the conversation. Mature CEO and phishing reports programs in 2026 share that discipline almost without exception.

A final observation: the gap between the best and average CEO and phishing reports programs in 2026 is not a tooling gap. It is a discipline gap, closed one quarterly review at a time. Programs that age well are programs that show up.

A Quiet Closing Note

One report a week. Fifteen minutes a Monday. Thirteen weeks. That is the ask. If the practice is worth continuing at the end of the quarter, the answer will be obvious. If it is not, the only loss is 195 minutes of calendar time. The probable outcome, based on every CEO we have watched try it, is that the practice extends well past the first quarter.

What Changes in the Security Team When the CEO Reads

The change that surprises most CISOs is not in the workforce. It is in the security team itself. Reports written for a CEO who reads them carefully are written more carefully. The lure description becomes more specific. The click-rate analysis becomes more honest. The lessons section becomes less generic. The team starts writing reports they are proud of rather than reports they are obligated to produce, and pride in the work compounds over a year of weekly reports into a team that takes phishing program quality personally rather than procedurally.

A Closing Observation From the Field

The CEOs we have watched run this habit consistently report a second-order benefit they did not expect. Reading a specific phishing report each week makes them noticeably better at reading suspicious emails themselves. The pattern recognition that a workforce develops over years of awareness training accumulates in 13 weeks of careful reading for the CEO who pays attention. That is a defensive benefit worth the calendar time on its own, before any cultural change in the rest of the organization is measured.

A final practical note for any CEO starting this habit on Monday morning: ask the security team to include a single sentence at the end of each report describing what the team intends to do differently this week as a result of what the report shows. That single sentence makes the report actionable. It also gives the CEO a reliable signal about whether the security team is learning from each campaign or simply reporting it.

The habit will surprise you twice. The first surprise is how quickly the workforce notices that the CEO is paying attention. The second surprise is how quickly the security team starts taking quiet pride in their craft when they know an executive reader is engaged with what they produce week after week.