Three years ago, I worked with an organization that prided itself on having “world-class” IT controls. Firewalls, intrusion detection, antivirus subscriptions, the full package. During a strategy execution session, I asked the CEO one simple question: Would your staff recognize a phishing attempt if it landed in their inbox today? He smiled and said, “Of course. We train them every year.” To test the assumption, we ran a controlled phishing simulation. Within 24 hours, 41% of staff had clicked the malicious link. Even worse, several forwarded it internally, magnifying the risk. The breach did not start with servers; it started…