What Business Leaders and CISOs Can Learn From Fly Fishing
- John R Childress
- Apr 16

Four lessons every leader should learn from the river
"Why push on a locked door when there's an open window?"
Any seasoned fly angler will tell you that trout are highly selective, continuous feeders. Their entire survival strategy centers on conserving energy, staying close to a safe holding place, and getting the maximum protein intake for the minimum movement. To fool a wily trout, the angler "matches the hatch," presenting an artificial fly that resembles whatever the trout are currently feeding on.
Cybercriminals behave exactly the same way.
They rarely waste time and resources hammering a company's firewall. As cybercrime has professionalized and been controlled by criminal gangs and nation-states, its approaches have become highly targeted. The modern attacker looks for the easiest and quickest way through your defenses, and that path almost always runs through a human being.
- 88% of cyber breaches are caused by human error, poor cyber hygiene, mismanagement or insider actions.
- 2%: the share of most cybersecurity budgets spent on the employees who are the actual attack surface.
- 10x: the total cost of a breach, in downtime, lost revenue and reputation damage, compared to the ransom itself.
Here are four parallels between the river and the boardroom that every leader should understand.
1. They Both Conserve Energy
Attacking firewalls is a waste of energy
Trout hold in slow water behind rocks, waiting for food to drift to them. They do not chase. They do not waste calories. Cybercriminals operate on the same logic. Rarely do they waste time, energy, and resources bombarding a company's firewall. Cybercriminals today look for the easiest and quickest way through a company's security defenses, often focusing on individual employees using an approach called social engineering.
The implication for leaders is uncomfortable: the most expensive part of your security stack is probably not where the attack will land. The attack will land in an inbox, on a phone, or in a hurried conversation with someone pretending to be the CFO.
2. They Both Match the Hatch
Generic phishing fails. Tailored phishing succeeds.
A good fly angler studies the insect life on a specific stretch of river, the feeding times, the water temperature, and even talks to local guides before tying on a fly. Cybercriminals do their homework in exactly the same way.
A cybercriminal spends a great amount of time researching the company they are targeting. They scour LinkedIn profiles, search company websites for the names and titles of employees, gather information about employees on Facebook, Tinder, Instagram, Snapchat and other social media platforms. In many cases, employee emails and other confidential information can be purchased from other criminal groups on the Dark Net.
They then impersonate a senior executive and demand that a lower-level employee (often in finance) wire money immediately to a fake client account. All too often, when the "urgent" email from a named senior executive hits the inbox, the employee complies. The fly looked real enough.
3. They Both Target the Most Eager
New hires are easy prey. Peer learning is the defense.
Experienced trout have seen dozens of artificial flies and learned to be wary. Young trout have not, and they are much easier to fool. Cybercriminals also know that new employees are easier to fool. This is especially true when cybersecurity training is minimal and there is little peer-to-peer education about what to watch out for when it comes to email phishing and social engineering.
Remote and hybrid work has made this harder. When new hires cannot lean across a desk and ask a colleague, "Does this look legit to you?", the informal peer-to-peer learning that catches most phishing attempts simply does not happen. And in formal training classes, few employees want to be the one asking the "naïve" question.
4. They Both Hunt in Murky Water
Silence protects attackers. Transparency exposes them.
Trout in crystal-clear water are wary. They can see predators coming and they are harder to fool. In murky water, they lose that advantage. The same is true in your organization.
Clarity of water in a trout stream is easily equated with openness, transparency, and cross-functional communication in the corporate world. Learning from others through ongoing communication about attempted cyberattacks and successful breaches allows everyone to learn quickly and become more aware and accountable.
Yet 61% of cyber victims never report the incident. Shame, fear of blame and opaque reporting processes keep the water murky, which is exactly the condition attackers need to keep hunting undisturbed.
The Bottom Line: Build the Human Firewall
98% of the cybersecurity budget goes to technology. 88% of breaches are caused by humans.
The math is not working. Technology is necessary but not sufficient. If cybercriminals think like fly anglers, leaders need to think like river guides: know the water, know the fish, and teach the next generation how to spot the difference between a real mayfly and a hook dressed up to look like one.
It's time for senior leaders to begin prioritizing the human firewall. Otherwise, cybercrime will continue to grow and pose an ever-greater threat to our global economy and way of life.
ABOUT THE AUTHOR

John R. Childress is a leadership advisor, corporate culture consultant and author with four decades of experience advising boards and executive teams across Fortune 500 and FTSE 250 organizations. He is co-founder of Senn-Delaney Leadership Consulting Group and Chairman of Pyxis Culture Technologies, whose data-driven platform helps organizations identify, map and mitigate hidden risks in cybersecurity, safety and conduct. He is also the author of Culture 4.0: The Future of Corporate Culture (LID Publishing, 2026) and co-author of Fly Fishing for Leadership.
Where is the murky water in your organization right now? The places where incidents go unreported and new hires are swimming without cover? I'd welcome your thoughts in the comments. To see how Pyxis maps the hidden drivers of cybersecurity culture and turns them into measurable action, visit www.pyxisculture.com.