Ask ten founders what's on their phone and you'll hear the same answer: email, calendar, Slack, banking, signing app, two-factor codes. Ask what would happen if that phone walked away with the wrong person and the answers get quieter. There's a real category of risk most operators carry every day and pay no attention to until they have to.
The recommendation we see fractional CISOs giving in 2026 isn't dramatic. It's a small set of practical changes.
The threat model that actually matters
Forget the spy thriller. The realistic threats for a founder or senior operator in 2026 are:
- Targeted phishing — someone who knows you by name, your CFO's name, and your last vendor invoice
- SIM swap — your carrier's call centre is the weakest link in your security
- Device theft at a conference or hotel — physical access plus a weak passcode
- Account takeover via password reuse — the breach was someone else's, the cost is yours
- Lawful interception risk in some travel jurisdictions — relevant for a small set of operators travelling to specific countries
This is not a model that requires custom hardware. It is a model that requires discipline — and one or two device-level decisions.
The stack
A senior security advisor in 2026 will typically recommend three things, in this order:
1. One phone, hardened — not a separate "secure phone"
The era of carrying a separate encrypted handset for executives is mostly over. What replaced it is a properly configured primary device:
- Latest-generation iPhone or Pixel (the security update cadence is the actual variable, not the brand)
- Lockdown Mode enabled (iPhone) or GrapheneOS (Pixel) for travel to high-risk jurisdictions
- eSIM only — physical SIMs are an attack surface
- Strong passcode, biometric for convenience, not as the only lock
- Auto-wipe after 10 failed attempts
You do not need a separate phone. You need to use the phone you have correctly.
2. Phone number isolation
Your main phone number already appears in too many places to be treated as sensitive. The solution is to make sure it is not the number your sensitive accounts depend on.
- One number for SMS marketing, deliveries, calendar invites
- One number for banking, identity verification, government services — never published, never used for anything else
- One number for international travel — separate eSIM, separate billing
This is not paranoia. It is the same logic as having a separate email for newsletters.
3. The two account upgrades that compound
- Hardware security key (YubiKey or equivalent) for the three or four accounts whose loss would end the company
- Carrier port-out PIN on every line, with the SIM-swap protection setting your carrier offers
These two changes, together, eliminate roughly 80% of practical attack paths for a senior operator.
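The reason a hardware key removes the targeted-phishing and password-reuse paths from the list above is that the credential is bound to the site's origin: the key only holds a key pair for the site it was registered with, the browser records the page's real origin in the signed data, and the site checks both before accepting a login. The Go program below is an added example written for this post, not code from the original page or from any key vendor, and it is a deliberately simplified model of the FIDO2/WebAuthn exchange (real authenticator data also carries flags and a signature counter, and real challenges are random bytes). The names `bank.example`, `bank-login.example` and the `challenge-N` strings are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// Authenticator models the hardware key: one key pair per relying-party ID, nothing for any other site.
type Authenticator struct{ creds map[string]*ecdsa.PrivateKey }

// Assertion is what the browser hands the site. AuthData is simplified here to just the rpIdHash.
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// clientData is built by the browser, not by the page, so Origin is trustworthy (simplified layout).
type clientData struct{ Type, Challenge, Origin string }

// RelyingParty is the site that registered the key.
type RelyingParty struct {
	ID, Origin string
	pub        *ecdsa.PublicKey
}

// Register creates a credential bound to rpID and returns its public key.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.creds[rpID] = priv
	return &priv.PublicKey
}

// signedDigest is what both sides hash: sha256(authData || sha256(clientDataJSON)).
func signedDigest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Assert signs a login for rpID, or refuses if the key holds no credential for it.
func (a *Authenticator) Assert(rpID string, cdJSON []byte) (*Assertion, error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential for %q", rpID)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpHash[:], cdJSON))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: rpHash[:], ClientDataJSON: cdJSON, Signature: sig}, nil
}

// BrowserLogin models the browser: rpID is derived from the page origin and that origin
// is recorded in clientDataJSON, so a look-alike page cannot borrow the bank's rpID.
func BrowserLogin(a *Authenticator, origin, challenge string) (*Assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	return a.Assert(strings.TrimPrefix(origin, "https://"), cd)
}

// Verify is the site-side check: challenge (no replay), origin (no phishing page), rpIdHash, signature.
func (rp *RelyingParty) Verify(challenge string, as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	want := sha256.Sum256([]byte(rp.ID))
	switch {
	case cd.Type != "webauthn.get" || cd.Challenge != challenge:
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	case cd.Origin != rp.Origin:
		return fmt.Errorf("origin %q is not %q: phishing page", cd.Origin, rp.Origin)
	case string(as.AuthData) != string(want[:]):
		return fmt.Errorf("rpIdHash mismatch")
	case !ecdsa.VerifyASN1(rp.pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature):
		return fmt.Errorf("bad signature")
	}
	return nil
}

// Scenario runs a real login, a look-alike page relaying the bank's genuine challenge,
// and a replay of a captured assertion, and reports which ones the bank accepts.
func Scenario() (legitOK, phishOK, replayOK bool) {
	key := &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
	bank := &RelyingParty{ID: "bank.example", Origin: "https://bank.example"} // constructed sample
	bank.pub = key.Register(bank.ID)
	as, err := BrowserLogin(key, "https://bank.example", "challenge-1")
	legitOK = err == nil && bank.Verify("challenge-1", as) == nil
	_, err = BrowserLogin(key, "https://bank-login.example", "challenge-2") // key has no credential for this rpID
	phishOK = err == nil
	replayOK = bank.Verify("challenge-3", as) == nil // captured assertion vs. a fresh challenge
	return
}

func main() {
	l, p, r := Scenario()
	fmt.Printf("legitimate=%v phishing=%v replay=%v\n", l, p, r)
}
```

The two failure cases are the ones that matter for the threat list at the top of this post: a look-alike login page gets no signature at all because the key was never registered for that origin, and a captured response is useless a second time because every login is tied to a fresh server challenge. A reused or phished password has neither property, which is why the hardware key is worth the friction on the handful of accounts that matter.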
What's not on the list
We do not recommend custom-firmware "secure phones" for founders. The market collapsed for a reason (see our post on what happened to PGP phones). For 99% of operators, a correctly configured commercial device is more secure than a niche encrypted phone with worse hardware, fewer updates, and a smaller security team behind it.
The stack above is unsexy. That's exactly why it works.