The security industry has a habit of piling on more: tools, controls, dashboards, and 'urgent' priorities. But when you strip back the noise, most failures still come down to fundamentals.
So why is "the basics" the hardest problem in today's security?
In a live panel hosted by Dan Haagman, CEO of Chaleit and author of the CISO Global Study, four CISOs with decades of collective experience tackled the question head-on:
Steve Zalewski – Former CISO at Levi's / S3 Consulting
Tammy Klotz – CISO, Trinseo
David O'Neil – CISO, iCIMS
Mandy Andress – CISO, Elastic
Below are key learnings and takeaways from this honest, practical conversation.
Redefining the basics
Dan opened with a simple question: Do we need to redefine the basics? Because depending on who you ask — auditor, regulator, vendor, board — the basics can mean very different things.
David was the first to challenge the prevailing narrative: "Go look at the breaches. You'll find people everywhere getting hacked, and they have ISOs and SOCs." Is it a matter of "murky scopes"?
This is a pattern we see often at Chaleit: organisations equate certifications with security. Certifications help with sales, but they don't help when attackers are in the network.
The fundamentals, David argued, must start with the business:
What actually matters?
Where does the real risk sit?
What are your top ten risks, and who can name them?
If your definition of "the basics" comes from a framework rather than your own risk picture, you're already off course.
Tammy shifted the lens to people and challenged one of the most entrenched clichés in security:
"I turn that whole 'humans are the weakest link' thing on its head. I empower them to become the strongest link."
For her, basics begin with culture: continuous awareness, real stories, and daily practices that bring risk to life. Annual training won't cut it.
This is a theme we explored in more depth in an interview with Tammy on leading with empathy in security.
Mandy took a wider view: the fundamentals themselves haven't really changed.
Patch properly
Manage access
Avoid default passwords
Reduce unnecessary privilege
Understand where your data and systems live
Those principles are decades old. What's changed is the landscape we have to apply them in: cloud, AI security, hybrid environments, and SaaS sprawl.
"How do we apply the same core objectives in new technology? And how do we build that knowledge base?" Mandy asked.
For more valuable insights, read our interview with Mandy on building resilient security strategies.
Good enough, perfect, and the gap between them
Security teams value completeness, while businesses value progress. That's where the tension lives.
Mandy called out the internal misalignment most security teams ignore:
"There's a difference between your individual risk appetite and the company's risk appetite."
Security professionals often operate with a "zero-risk" instinct. Meanwhile, the organisation needs speed, revenue, and flexibility. This creates the silent friction that slows initiatives and frustrates everyone involved.
David took it a step further, grounding the debate with honesty:
"If you want 100% certainty you'll never get breached? Shut the business down."
Good enough isn't a compromise. It's a choice — and a strategic one.
The basics start with the business model
CISOs often apply the basics through the wrong lens.
Steve brought a contrarian view. For 30 years, he argued, security has sat inside IT, treated as a technical discipline, prioritising controls rather than outcomes. And that mindset no longer fits the modern CISO's reality.
He offered a three-question diagnostic:
Am I here to secure the company?
Am I here to protect the business?
Or am I here to sell more jeans? (His now-famous Levi's line.)
Depending on the answer, your priorities shift, sometimes radically.
CISOs must recognise that businesses want to maximise risk-taking, not minimise it. Security must support that, not fight it.
"What is the cyber security poverty line? What's the minimum I have to do to allow the company to stay in business?" Steve asked.
And the most "basic" capability of all may be subtraction: stopping the work that no longer moves the organisation forward.
Read more about how to think about risk under pressure in an in-depth collaboration between Steve and Dan.
Capacity isn't a headcount problem
Dan noted that at recent conferences, capacity was the most common complaint CISOs shared.
Security teams are stretched thin, mainly because the scope of security has expanded faster than any organisation can realistically sustain.
"What worked yesterday isn't what we need today," David noted.
Mandy was even more direct:
"Hiring more people is the option of last resort… What else have we tried? Automation? Self-service? A different way of approaching the problem?"
The leaders agreed that scaling teams and tools without scaling thinking simply creates a bigger backlog.
Vendor acquisition. Overlapping capabilities. Multiple dashboards.
Meanwhile, "There's no reward cycle for the removal of something," as Tammy observed.
Security keeps adding. But the basics demand we subtract.
The audit detour
The audit discussion turned into one of the most illuminating segments because it exposed how easily the basics get distorted.
"If you're getting hung up in the audit process, there's a good chance you have the wrong auditor," David clarified.
Auditors must understand the business. Otherwise, they impose irrelevant constraints that add friction without value.
Tammy, with her auditor background, emphasised a critical point: "You do not have to do everything the auditor says… you get to accept the risk." This statement alone could save teams hundreds of hours per year.
Steve added a more provocative take:
"Say what you do. Do what you say. The auditor must pass you."
Overall, the discussion was a reminder that:
audit isn't the goal
compliance isn't the strategy
and passing the test doesn't mean you're secure
If anything, confusing those things is one of the biggest risks of all.
Who owns security?
Too many security teams assume responsibility because no one else wants it. Over time, that becomes the expectation — and the burden.
So, who should own security? According to Mandy, the answer is straightforward, but rarely implemented:
Line 1 (the business) owns the day-to-day controls
Line 2 (InfoSec) guides, governs, and monitors
Line 3 (audit) assures independently
If everything flows into InfoSec, the model is broken before it begins.
"Our job is to grant access, not approve it," Tammy clarified.
David added nuance to the discussion: sometimes the CISO does need to roll up their sleeves, especially in emerging domains like AI, where foundations are misunderstood.
But Steve reframed the situation with a metaphor: "CISOs have a bullseye on the front — attackers — and a bullseye on the back — the business wanting plausible deniability."
His conclusion offered clarity:
"My job is to own no risk. My job is to transfer all risk into the business."
Resilience: The new core basic
Near the end, the conversation shifted from prevention to resilience.
"If someone expects perfection, I'm out," Tammy put it plainly.
Mandy described the shift underway: resilience is not just a security function, but a business capability that spans operations, technology, and people.
And Steve delivered the closing perspective:
"Resiliency is not the ability to put Humpty Dumpty back together again. It's the ability to withstand continuous attack."
He gave boards a simple metric to judge their CISOs:
Protect the brand
Protect the workforce
Protect the supply chain
"Stop doing everything else."
It's a return to clarity, purpose, and the basics — brilliantly executed.
Key takeaways
This conversation showed that brilliance at the basics is about understanding what matters, removing what doesn't, and building the kind of resilience that allows organisations to operate under pressure.
Certifications alone support sales, not security.
People aren't the weakest link; culture is.
Good enough is a risk decision, not a technical one.
Subtraction is a core security skill.
Audits must be managed, not obeyed.
Security ownership must sit with the business.
Resilience beats perfection every time.
At Chaleit, this is the work we care about: clarity, context, and security that actually works in practice, not just on paper.
These discussions challenge assumptions, keep us learning, and continuously shape everything from our content to our partnership model.