90-Day Phishing Program Rollout Plan: Day-by-Day Playbook

The first 90 days of a phishing simulation program decide whether it becomes a steady-state operating function or stalls at the once-a-year-training plateau. The plan below is the day-by-day playbook for getting from no program to a renewable one - sponsor secured, baseline measured, three campaigns run, remediation auto-assigned, board-tier metrics produced. Programs that skip the 90-day structure typically run an annual click test, never advance to a continuous cadence and never reach the maturity tier where measurable outcomes appear in cyber-insurance underwriting, SOC 2 evidence packets or board reporting.

This is written for the security or IT leader who has been told "we need a phishing program" and has a quarter to make that real. The plan covers Days 0-30 (foundation), Days 30-60 (first three campaigns), Days 60-90 (operating-rhythm lock and board deliverable), the cohort and metric expectations at each milestone, and the predictable obstacles you'll need to plan around.

Days 0-30: Foundation

Six deliverables. None of them is technical implementation work - the platform stands up in days, but the program's legitimacy and measurement scaffolding need the full first month.

  • Executive sponsor in writing. CFO or COO is ideal - they own audit-committee communication and the cyber-insurance renewal cycle, which are the two adjacent governance functions the program will integrate with. The sponsor letter goes to all-staff and is signed before any test fires.
  • One-page program policy. Covers simulation cadence (monthly minimum after baseline), what gets measured (click rate, report rate, completion rate, time-to-remediation), who owns response (security operations, with HR for personnel-impacting cases) and what users will see. The policy gets executive sign-off and goes into the SOC 2 evidence package as the program's governance artifact.
  • Platform stand-up. SSO integration, employee-directory sync, reporting add-in deployed across Outlook or Workspace, auto-assigned-training pipeline tested. The reporting channel must be live before the baseline test - that's how you measure report rate from day 1 rather than retrofitting it later.
  • Workforce briefing. All-hands or company-wide email two weeks before the baseline test announcing the program, naming the executive sponsor and framing the program as transparent measurement rather than entrapment. The framing is governance, not security paranoia: this is what cyber-insurance underwriters and SOC 2 auditors expect to see, and the program is the organization's response.
  • Baseline test (day 25-30). Single low-difficulty campaign across the whole workforce. The result is your reference number for measuring improvement. Industry baselines typically fall in the 18-30% click-rate range for organizations that have never run formal phishing simulations; higher for retail, hospitality and manufacturing; lower for financial services and government.
  • Day-30 metric snapshot. Click rate, report rate, open rate, cohort distribution (who clicked, by department). This is the program's measurement reference point - everything subsequent gets framed as movement away from baseline.

Days 30-60: First three campaigns

Three campaigns over 30 days at staircased difficulty - one easy, one medium, one harder template family. The progression matters: a flat-difficulty campaign series produces noise, not signal. The intent is to give the workforce a measurable curve to bend.

Each campaign produces four metrics: click rate, report rate, completion rate (auto-assigned remediation completed within 7 days) and open rate. Across the four campaigns (baseline + three), those metrics start to form a readable trend line. By day 60, you can answer "is the program working?" with data, not assertion.

Two design decisions matter at this stage. First, auto-assignment must fire on every click, not selectively - the operational cost of selective assignment is bookkeeping that scales badly. Second, the campaigns must be communicated only to the executive sponsor and security operations, not to managers - the moment manager teams know a campaign is coming, they tip off their reports and the data corrupts. The framing is "campaigns happen on a schedule the workforce doesn't know about; no individual is targeted; aggregated cohort data goes to the executive sponsor."

Days 60-75: Threshold playbook and cohort intervention

By day 60, the four-data-point trend will have surfaced the highest-deviation cohort - typically a single department or a single role pattern. Days 60-75 are when intervention happens: a manager-led discussion in the cohort, role-specific template families in the next campaign, additional training assignment. The intervention itself is part of the program's measurable response.

The threshold-exceedance playbook gets written here. What happens when a department's click rate exceeds the company average by 2x? What happens for repeat clickers (users who clicked on baseline AND a subsequent campaign)? What happens when an executive clicks? The playbook is documentation, not aspiration - it gets sent to the executive sponsor and the audit committee chair so that when a real threshold-exceedance event happens, the response is consistent rather than ad hoc. The threshold playbook is also part of the day-90 deliverable.
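As an added example, not tooling from the original post, the block below computes the four per-campaign metrics defined for Days 30-60 and applies the two threshold-playbook triggers above (a department exceeding 2x the company click rate, and repeat clickers across baseline and a later campaign). The row layout, user ids and departments are constructed assumptions standing in for a platform export.

```python
from collections import namedtuple

# One row per (campaign, user); done_days = days until remediation was completed, None if not.
Result = namedtuple("Result", "campaign user dept opened clicked reported done_days")

# Constructed sample data (hypothetical users and departments, not real results).
RESULTS = [
    Result("baseline", "u1", "finance", True, True, False, 3),
    Result("baseline", "u2", "finance", True, True, False, 10),
    Result("baseline", "u3", "eng", True, False, True, None),
    Result("baseline", "u4", "eng", False, False, False, None),
    Result("baseline", "u5", "eng", True, False, False, None),
    Result("campaign1", "u1", "finance", True, True, False, 5),
    Result("campaign1", "u2", "finance", True, False, True, None),
    Result("campaign1", "u3", "eng", True, False, True, None),
    Result("campaign1", "u4", "eng", True, True, False, None),
    Result("campaign1", "u5", "eng", True, False, True, None),
]

def rate(rows, pred):  # fraction of rows satisfying pred; 0.0 for an empty cohort
    return sum(1 for r in rows if pred(r)) / len(rows) if rows else 0.0

def campaign_metrics(results, campaign):
    """The four per-campaign metrics: open, click, report and completion rate."""
    rows = [r for r in results if r.campaign == campaign]
    clicked = [r for r in rows if r.clicked]
    return {
        "open_rate": rate(rows, lambda r: r.opened),
        "click_rate": rate(rows, lambda r: r.clicked),
        "report_rate": rate(rows, lambda r: r.reported),
        # completion is measured over clickers only: remediation done within 7 days
        "completion_rate": rate(clicked, lambda r: r.done_days is not None and r.done_days <= 7),
    }

def cohort_exceedances(results, campaign, factor=2.0):
    """Departments whose click rate exceeds factor x the company-wide click rate."""
    rows = [r for r in results if r.campaign == campaign]
    company = rate(rows, lambda r: r.clicked)
    by_dept = {}
    for r in rows:
        by_dept.setdefault(r.dept, []).append(r)
    return sorted(d for d, rs in by_dept.items()
                  if rate(rs, lambda r: r.clicked) > factor * company)

def repeat_clickers(results, baseline="baseline"):
    """Users who clicked on the baseline AND on at least one later campaign."""
    base = {r.user for r in results if r.campaign == baseline and r.clicked}
    later = {r.user for r in results if r.campaign != baseline and r.clicked}
    return sorted(base & later)
```

Only aggregated department names and the repeat-clicker list leave this function; per-user rows stay with security operations, matching the post's framing that individual results are never broadcast.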

Days 75-90: Operating rhythm and board packet

The transition from "rollout project" to "continuous operating function" happens in the last 15 days. The artifacts are the spine of the day-90 deliverable.

  • Monthly cadence locked. The Q2 calendar shows scheduled campaigns at month-1, month-2, month-3 with template-family selection and difficulty progression. This is what the executive sponsor signs as continuation.
  • Four-page board packet. Page 1: executive summary with paired click-rate AND report-rate trend across baseline + 3 campaigns. Page 2: cohort heatmap. Page 3: top findings and remediation. Page 4: forward roadmap. The same packet doubles as cyber-insurance broker submission and SOC 2 evidence starter - board reporting on phishing results covers the four-page structure in detail.
  • Multi-channel plan for Q2. SMS (smishing) campaigns, followed by voice (vishing) campaigns, scheduled for introduction in months 4-6. Multi-channel coverage is now an explicit cyber-insurance underwriting question, so the Q2 plan is broker-relevant content.
  • Day-90 review with executive sponsor. The deliverable is reviewed, the sponsor signs the continuation policy and the program is formally transitioned from rollout to continuous-operating-function status.

Predictable obstacles to plan around

Three obstacles appear in roughly every 90-day rollout. Plan for them in advance rather than reacting when they happen.

Executive pushback in weeks 2-3. Usually one of three patterns: "I don't have time for this," "we're not the target," or, after a baseline click, "I want my click removed from the data." Mitigation happens before the pushback - brief the executive cohort separately and in advance, frame the program as standard SOC 2 / cyber-insurance evidence rather than security paranoia, and set the expectation that exec data is aggregated to the audit committee and never broadcast to managers. If pushback escalates anyway, escalate via the documented sponsor rather than negotiating ad hoc.

The "we're already trained" claim. A department or business unit asserts they don't need the simulations because they had vendor training last year. The mitigation is data: run the baseline, show the click rate, let the number do the work. Subjective confidence is not a control; measurement is. Mature programs treat the claim as a leading indicator that the cohort is overdue for re-baselining.

Click-rate plateau at month 3. The first three campaigns often show a steady decline; by month 4-5, the curve flattens. The plateau is normal and is the point at which the program needs its next operational input - difficulty progression, multi-channel introduction or role-specific templates - to keep the curve bending. Programs that don't anticipate the plateau interpret it as program failure and de-fund.

The day-90 reality check

If the day-90 packet shows: baseline measured, three campaigns run, remediation auto-assigned, paired click-rate AND report-rate trend, threshold playbook documented, monthly cadence locked, multi-channel Q2 plan signed - the program is operating. The next 12-18 months are about maintaining the cadence, advancing the maturity tier and producing the renewable broker-and-board metrics. The 5-tier maturity model covers what advancing past Intermediate looks like.

If the day-90 packet is missing any of those elements, the rollout has slipped and the gap will compound through Q2. The most common failure mode is "baseline measured, no auto-assignment" - the click data exists but no remediation pipeline fires, so the workforce never receives the corrective input the program is supposed to provide. The fix is operational, not strategic: rebuild the auto-assignment integration and re-run from day 30.

To stand the program up against this plan, start a 25-user free trial for the first-30-day baseline OR talk to us for a 90-day rollout walkthrough. Pricing covers the standard rollout package; the 90-day plan content is included.