
9 May 2025

Strategy

10 min reading time

Coastal Erosion in Security: Why Your Program Needs Higher Tide Marks to Survive

Lee Barney cyber security

TL;DR

Security programs often fail to deliver their intended outcomes because organisations focus exclusively on delivery rather than creating momentum for sustainable change.

Through their combined experience cyber security leaders Lee Barney and Dan Haagman explain that successful security initiatives require embracing imperfection, establishing psychological safety, and building genuine relationships both internally and with vendors.

Their "coastal erosion" theory suggests setting initial goals as "high tide marks" — deliberately higher than required — so that when inevitable business pressures erode these goals, the final outcome still meets essential security needs. This recognises the reality of organisational constraints rather than rigidly pursuing perfect security.

Context: The disconnect between security delivery and outcomes

Cyber security professionals are frequently judged on their ability to deliver programs within budget and on schedule, but this focus can obstruct true effectiveness. The emphasis on delivery metrics creates a disconnect between the technical implementation of security controls and actual improvement in an organisation's security posture.

Lee describes how most security initiatives face a gradual wearing away of initial goals and ambitions:

"Delivering security programs can feel like coastal erosion: the cliff edge constantly receding against fierce waves and storms."

This erosion happens because security must compete with other organisational priorities. As Lee explains, "The average employee's main priority at work isn't security. If security were their primary focus, they would probably be a security professional."

In this reality, security professionals must recognise that business objectives will nearly always take precedence over security concerns. "No matter how well-intentioned or comprehensive your security awareness training is, and regardless of the context, when you introduce a security program – no matter how critical you believe it to be – it simply won't be their top priority."

This disconnect between delivery and outcomes is widespread. A 2021 Cisco survey of more than 4,800 IT, security and privacy professionals worldwide found that only 42% of organisations reported their security programs were successfully achieving their intended outcomes, such as managing top risks, avoiding major incidents and enabling business objectives.

To bridge the gap between implementing security controls and actually improving security posture, Lee suggests a shift in focus:

"Consider the effectiveness of your incident response capabilities, rather than just the delivery of the program itself. After all, the ultimate goal of security is to prevent negative events or, at a minimum, to enable you to respond effectively when they occur."

However, this shift comes with challenges. Understanding them is the first step toward developing more effective approaches to security program management.

Challenges in security implementation

Dan and Lee have identified four key challenges that consistently undermine security efforts across organisations. These challenges aren't merely technical problems but represent deeper issues in how security programs are conceived, managed, and measured.

#1. The "coastal erosion" of security programs

Security programs typically begin with ambitious goals, but as implementation progresses, these goals are gradually scaled back.

Lee explains what happens:

"The result is often a premature shifting of the goalposts, leading to a 'delivered' program that covers significantly fewer systems than originally planned."

This erosion happens because technical debt and previously unknown systems often create unexpected obstacles.

Business priorities also change, causing resources and attention to be diverted from security initiatives. The security team might start with full support, but when competing business objectives emerge, security typically loses priority.

While some might argue that better planning would solve this problem, Lee says this does not hold in practice: "If you wait for absolute perfection in security, conducting every consultation, bringing in all the third parties, running every network scan, you'll need resources far exceeding what the average company has in terms of budget, time, and flexibility."

You can end up with a security program that appears successful on paper but has been so scaled back that it doesn't deliver the intended security value. This creates a false sense of security and damages the credibility of future security initiatives.

#2. The fear of error in security culture

Many security teams operate with the mindset that they must eliminate errors at all costs. This perfectionism can actually weaken security by creating fear and discouraging transparency.

Dan observes this pattern, noting, "Technical CISOs often strive for error elimination, whereas the business side is typically more comfortable with managing and mitigating errors."

This fear of error leads to several problems:

  • Issues remain hidden because team members are afraid to acknowledge mistakes.

  • Innovation and learning are stifled as teams avoid new approaches that might temporarily increase risk.

  • Organisations' security posture stagnates and fails to adapt to changing threats.

While internal team dynamics significantly impact security effectiveness, external relationships are equally important.

#3. Transactional vendor relationships

Many organisations manage security vendors through rigid contractual frameworks that focus on cost and service level agreements rather than outcomes. The predictable result is vendors doing the minimum required to meet the terms, without genuinely contributing to the organisation's security goals.

When vendors are squeezed on margins during contract negotiations, they may look for ways to reduce costs, potentially at the expense of service quality. "Asking them to deviate from their planned tasks essentially costs them money, and there's no incentive for them to do so," Lee explains.

The transactional mindset extends to the internal team's view of vendors, creating an adversarial relationship rather than a cyber security partnership. Security teams may view vendors with suspicion, while vendors see the client as demanding and unreasonable.

#4. The tension between "tunnel vision" and progress

As explained above, security teams often fall into the trap of pursuing perfect security. This carries a further risk: concentrating so hard on one area that broader risks go unexamined.

Dan emphasises that security teams can become fixated on specific activities without questioning their relative value:

"I often question the effectiveness of many vulnerability management programs today. In fact, somewhat controversially, I'll even suggest: stop patching. That usually gets a few raised eyebrows."

This problem typically stems from focusing on security compliance or industry trends rather than doing a clear-eyed assessment of the organisation's actual risks. As Dan explains, security teams get "tunnel vision" and focus resources on eliminating minor risks while potentially ignoring major vulnerabilities. They also become obsessed with implementing specific controls or technologies without considering their overall impact on security posture.

Pursuing perfection, neglecting broader risks, and focusing on compliance can create a false sense of security. An organisation might have a flawless patch management program but remain vulnerable to social engineering attacks or misconfigured cloud services.

Solutions for effective security implementation

Having identified the key challenges that undermine security programs, Lee and Dan offer practical solutions based on their extensive experience. These don't require larger budgets or more resources. Instead, they focus on changing mindsets to create more effective security outcomes.

#1. Setting realistic expectations with built-in buffers

To counter the inevitable "coastal erosion" of security programs, Lee recommends deliberately setting higher initial targets:

"Set your 'high tide mark' for success ambitiously, knowing that the inevitable 'coastal erosion' of your plans will still leave you above the essential minimum."

This acknowledges reality rather than fighting against it. Instead of expecting 100% coverage or compliance, security leaders should build erosion into their planning, setting initial goals that exceed minimum requirements to ensure that even after some scaling back, the program delivers meaningful security value.

Lee also emphasises the importance of focusing on direction rather than destination: "In my experience, the most practical first step in delivering security is to establish clear organisational direction and momentum behind it."

The focus on momentum rather than perfection also helps maintain continuous progress. Instead of treating security as a series of discrete projects, it creates ongoing improvement that can withstand changing business priorities.

Dan adds that clarity about acceptable outcomes is essential: "Establish your rules, predefine your acceptable boundaries, understand your models, and then confidently declare, 'That's good enough.'"

#2. Creating psychological safety for error acknowledgement

To address the fear of error, security leaders should create what Lee calls "psychological safety": an environment where team members feel safe to acknowledge mistakes and vulnerabilities without fear of punishment.

Lee argues that error isn't just something to tolerate but something to embrace in thriving, high-performing teams.

He illustrates this with a historical example:

"We often reflect on the first great invention, fire. Consider how many burns and perhaps even lives were lost as early humans learned to control it and use it for cooking. Yet, this willingness to experiment and learn from mistakes ultimately led to a seminal moment for humanity, bringing literal light and warmth into our world."

Creating psychological safety starts with leadership. Lee notes, "If my team isn't comfortable enough to admit their mistakes to me, the responsibility lies with me. It indicates I haven't cultivated a psychologically safe space where they feel secure enough to be open about errors."

#3. Building relationship-first partnerships

To improve vendor relationships, both experts advocate moving beyond contractual enforcement to focus on building genuine connections. Lee states, "For me, business is fundamentally about people. When trusted individuals I work with transition to other companies, I frequently move my business there as well, as trust in those relationships is paramount."

This people-first approach extends to how internal teams manage vendor relationships. Lee adds, "The responsibilities of my commercial team go beyond contractual delivery and cost control. A key part of their role is ensuring that our internal teams view the external teams favourably."

Dan shares a similar philosophy:

"From the outset, I aim to establish a friendly relationship with my clients, and I prioritise taking responsibility for our actions."

He describes how this mindset creates a foundation for honest feedback and improvement on both sides.

A key aspect of this relationship-first approach is fair and transparent negotiation: "I stopped the negotiation once I realised my demands were unfairly eroding their profit margin. We won't push further because that's not good faith. Sound business practice means respecting each other's margins and letting them stand; after all, we're both in this to make money," Lee explains.

Psychological safety and vendor relationships were also discussed in "Hive Mind Security: The Captain's Table Leadership Model," featuring Ali Mosajjal, Head of Security Operations at Vector. The recurring emphasis on these topics highlights how relevant and central they are to effective security management.

#4. The 80/20 principle in security

Perfect security is impossible, especially given the pace of change. Lee notes, "With the widespread adoption of SaaS, which has been ongoing for quite some time, your technology landscape becomes increasingly unpredictable because you lack visibility into the technology decisions being made by your SaaS providers."

Instead of trying to achieve perfect security, organisations should focus on identifying and addressing their most significant risks. Dan suggests a simple but powerful question to guide organisations: "What will get you hacked?"

To resolve the tension between perfection and progress, both experts advocate applying the Pareto principle (80/20 rule) to security efforts.

"Understanding the 80/20 rule – that 80% of outcomes typically stem from 20% of the effort – I'm far more interested in identifying and leveraging that crucial 20%," Lee states.

"Instead of aiming for an unrealistic 120% coverage, let's cast our net at a more achievable 60% and focus on 'good enough,'" Dan adds.

Security leaders must identify which controls and initiatives will deliver the greatest risk reduction and focus resources there, rather than pursuing comprehensive coverage across all possible security domains.

Key takeaways

Based on the solutions discussed, here are six immediate, practical principles for security leaders to improve their program effectiveness.

  1. Set realistic ambitions. Understand that security program goals will face "coastal erosion" and set targets accordingly, allowing for some scaling back while still achieving core objectives.

  2. Prioritise psychological safety. Create an environment where security professionals and business stakeholders feel comfortable acknowledging errors and vulnerabilities without fear of blame.

  3. Build people-first partnerships. Favour relationships over contracts with security vendors, understanding that mutual success comes from alignment of interests, not rigid enforcement.

  4. Embrace necessary error. Recognise that mistakes are essential for innovation and improvement and that pursuing perfection often prevents practical progress.

  5. Measure what matters. Focus on security outcomes and risk reduction rather than program delivery metrics, connecting security initiatives to business objectives. As

  6. Create space for strategic thinking. Slow down the rushed pace of security work to allow thoughtful consideration of priorities.

"The moment I hear 'we're killing it' and 'we're super busy,' it triggers an immediate alarm for me, prompting me to try and slow the team down," Dan says. "What matters to me isn't the contract's value but the actual outcomes of our work," he concludes. 

Security is not an end state but a continuous process of adaptation and improvement, guided by a pragmatic assessment of risks and a clear-eyed understanding of business realities.

If the principles discussed in this essay resonate with your organisation's security challenges, let's talk. At Chaleit, we specialise in helping security leaders create sustainable security programs that deliver real outcomes rather than just ticking boxes.

About the authors

Lee Barney

Lee Barney brings nearly two decades of cyber security expertise to the forefront of telecommunications security. With a distinguished career that spans military service, consulting with the Big Four, entrepreneurship, and pivotal roles within the government and retail sectors, Lee has demonstrated a relentless dedication to advancing cyber security practices and leading teams to excellence.

Originally from the UK, Lee is now a pivotal figure in Australia's cyber security landscape.

He is renowned for his innovative approach to cyber security, particularly his work on gamifying red and blue team interactions, a strategy that has garnered international acclaim. His ability to translate complex security concepts into engaging and impactful practices has made him a sought-after speaker and thought leader in the industry.

Outside of his professional achievements, Lee is an avid rugby union fan and enjoys spending quality time exploring Australia's vast landscapes with his wife, two children, and two dogs. His commitment to family, passion for adventure, and dedication to cyber security excellence make him a respected and inspirational figure in the technology world.

Dan Haagman

Dedicated to strategic cyber security thinking and research, Dan Haagman is the CEO and founder of Chaleit, a seasoned leader in global cyber security consulting, and an Honorary Professor of Practice at Murdoch University in Perth, Australia.

With nearly 30 years of experience, he began his journey at The London Stock Exchange, where he pioneered the development of their first modern SOC and defensive team. As a co-founder of NotSoSecure and 7Safe, both acquired by reputable firms, Dan has left a lasting impact on the industry.

Today, Dan leads a team of brilliant minds in seven countries, all focused on delivering world-class cyber security consulting. Chaleit reflects Dan's vision for the industry's future. Built on the core principles of longevity and transparency, the company is poised for a public offering within the next few years.

Dan has a passion for learning. With a pen and paper at hand, he dedicates significant time to reading, researching, designing systems, and learning with clients and peers with the goal of being a leading thinker and collaborator in the cyber industry.

Disclaimer

The views expressed in this article represent the personal insights and opinions of Dan Haagman and Lee Barney. Dan Haagman's views also reflect the official stance of Chaleit, while Lee Barney's views are his own and do not necessarily represent the official position of his organisation. Both authors share their perspectives to foster learning and promote open dialogue.


About this article

Series: Cyber Strategy Collective

Topics: Strategy
