
1 Dec 2025


Cyber Security Efficacy Over Efficiency

Mark Eggleston

TL;DR

The cyber security industry’s fixation on compliance, headcount, and process efficiency often masks a more important goal: efficacy.

In this collaborative essay, Mark Eggleston (Global CISO and Security and Privacy Evangelist) and Dan Haagman (CEO of Chaleit and Author of CISO Global Study) reflect on what truly makes cyber security effective.

They explore how constraints can drive better problem-solving, why motivation is inseparable from technical capability, and how leadership maturity depends as much on emotional intelligence as it does on technical skill.

Both experts call for a return to purpose: doing what works, not just doing more of what doesn’t.

Context

Cyber security is often mistaken for a measurement exercise. Audit checklists, compliance frameworks, and performance dashboards have become surrogates for real assurance. Yet as Dan notes, “We’re forced into these compliance boxes. Organisations tick the appendix, get the checkmark, and they can still be hacked easily.”

Mark agrees that this operational treadmill leaves many teams trapped between bureaucracy and burnout. “If you keep doing things the way you’ve always done it, you can’t expect any different outcomes,” he says. The result is a system optimised for output rather than outcome, one that prizes motion over meaning.

Despite enormous investment — global spending on information security is forecast by Gartner to hit $240 billion in 2026, a 12.5% increase that year alone — breaches remain both frequent and familiar. Many of those incidents occur in organisations that were, on paper, fully compliant.

The problem is not a lack of commitment but a lack of clarity. Too few teams are measuring whether their work actually works.

This is where both leaders focus on a word rarely used in the industry: efficacy.

Efficacy means measurable impact: security that demonstrably reduces risk or improves resilience. It’s not about how much you do or how fast you do it, but whether what you do actually works.

Efficiency is necessary, but it’s not enough. The question, Dan says, should always be: “Does this actually reduce risk, or just look good in a report?”

Let’s look more closely at what reduces efficacy in practice.

Challenges

This section brings together the four recurring obstacles Mark and Dan see across organisations: the limits of compliance, the false comfort of resourcing, the difficulty of sustaining human capability, and the loss of perspective that comes with experience.

Challenge #1. Confusing compliance with security

Both experts point to the same common flaw: organisations confuse compliance with security. Audit programs are meant to provide assurance, yet in practice they often obscure the actual state of security.

Dan illustrates this danger through a candid personal story. After a medical scan, his doctor focused entirely on confirming he didn’t have cancer, missing early signs of arthritis that could become a long-term problem. “It struck me how similar that is to an audit,” Dan says. “The doctor’s checklist was right, but the outcome was incomplete. We do the same in cyber security when we fixate on passing an audit instead of understanding what the results mean.”

Mark adds that the issue lies partly in the structure of audit relationships:

“Auditors have to stay independent. We can’t tell them how to do their jobs, but we can influence how we work with them, through empathy, preparation, and clarity.”

The real cost of poor auditing, he warns, is not just wasted time but misplaced assurance.

For example, many organisations still rotate passwords on a fixed schedule because auditors demand it, even though NIST dropped that requirement in 2017: SP 800-63B advises verifiers not to require arbitrary periodic changes, and instead to force a change only when there is evidence of compromise.

“We’ve known for years that mandatory password changes make systems weaker, but customers and auditors still ask for them — and keep doing it,” Mark warns.

This inertia is one of the biggest risks in corporate security. Compliance without efficacy breeds complacency.

Challenge #2. Expansion without purpose

When faced with pressure, many CISOs default to expansion: more staff, more tools, more dashboards. But as Mark points out:

“You can’t always just add people to solve problems. Sometimes there simply aren’t enough qualified candidates or enough meaningful work to give them.”

Reports show that simply growing resources does not automatically translate into improved security. The cyber security workforce has grown substantially year on year, yet, according to IBM’s breach data, industry-wide times to identify and contain a breach have barely improved. Organisations making extensive use of AI and automation identified and contained breaches faster, but the overall averages remain sluggish.

Dan shares a relevant example. The Chaleit team once reviewed a large enterprise that had over 50,000 user accounts misdeployed. The company had all the budget and personnel it could ask for. “They didn’t fail because they lacked resources,” Dan explains. “They failed because they had too many and no one was looking at what actually mattered.”

A well-funded but fragmented security team often hides inefficiency behind activity. Every project looks productive, but is it effective?

Challenge #3. Keeping people engaged

Cyber security, for all its technology, is still powered by people. 

Mark describes leadership as the art of keeping teams “sharp, passionate, and connected to purpose.” Without that, capability erodes.

He recalls an earlier mentor’s advice:

“Make the fundamentals fun. F-U-N are the fundamentals.”

Repetitive work — patch management, evidence collection, control validation — may feel thankless, but it’s often where breaches begin. The challenge is not to replace these tasks with automation, but to re-frame them as contributions to a shared mission.

Dan agrees.

“You’ve got to keep people interested and on point. If someone orders steak and gets fish instead, they’re not happy. The same applies here — creative freedom is great, but delivery matters.”

According to ISACA’s State of Cybersecurity 2024 report, about 55% of organisations report difficulty retaining qualified cyber security staff, with primary reasons including high work stress (46%) and limited promotion and development opportunities (46%).

Practitioners who lose connection to purpose tend to disengage. That loss of motivation is as dangerous as any technical vulnerability.

Challenge #4. Professional “myopia”

Experience brings credibility, but it can also create blindness. Mark uses an eyesight metaphor:

“As you get older, your lens hardens and you lose flexibility. The same happens in cyber security when we stop challenging our assumptions.”

He warns that long-tenured professionals risk becoming “myopic” — trapped in familiar patterns of thinking, recycling the same strategies, and overlooking new threats.

Dan sees the same fatigue among senior CISOs.

“You often hear people say, ‘I’ve got one more big CISO role in me.’ It’s not because they’ve lost capability, it’s because they’ve stopped learning.”

To counter that, Dan says he deliberately immerses himself in peer networks, meeting dozens of CISOs to exchange ideas and test his own assumptions. The result, he explains, has been a marked gain in mental flexibility and problem-solving capacity.

Mark agrees:

“The day we stop innovating is the day we become complacent.”

With that, we turn from challenges to practical solutions based on the experts’ extensive experience.

Solutions

By measuring what truly works, treating constraints as catalysts, investing in people, and keeping perspective broad, organisations can build security programs that deliver real outcomes.

Solution #1. Measure what works

For both Mark and Dan, solving the compliance trap means rethinking what success looks like. Instead of proving that policies exist, teams should prove that those policies work.

“Efficacy isn’t just efficiency. It’s efficiency plus doing something of value,” Mark clarifies.

Dan adds that leaders should focus less on how many controls are implemented and more on which ones actually reduce exposure.

Rather than counting tasks closed or audits passed, CISOs could measure how quickly risk signals are detected and resolved, or how often investments demonstrably reduce incident likelihood.

Mark draws on his healthcare background:

“You don’t reimburse treatments that don’t work.” The same logic applies to cyber security: only fund what demonstrably improves resilience.

Efficacy should be a filter: if an activity, tool, or control can’t prove its value, it shouldn’t consume resources.

Solution #2. Make constraints work

The second solution lies in embracing constraints as an advantage.

Constraints often spark ingenuity, Dan argues.

“When you can’t throw people or money at a problem, you’re forced to think differently, and that’s usually where the best answers come from.”

In practice, that means re-examining every activity for its measurable impact on risk reduction. Hiring should focus on depth, not breadth. Tooling should focus on integration, not proliferation.

To illustrate, Mark refers back to his experience in healthcare, where margins are thin and waste is unacceptable. “Most healthcare providers run on a one-to-three percent profit margin. You learn to be gritty, to make the best of what you have.”

That mindset is what cyber security needs: fewer checklists, more clinical precision.

Solution #3. Build enduring human capability

Sustaining high-performing teams means understanding what drives people, as it differs for everyone. “Some are motivated by money, others by recognition or freedom. As leaders, we have to know what makes each person tick,” Mark notes.

Dan puts it simply:

“You can’t separate capability from curiosity.”

To keep teams engaged, both advocate linking daily tasks to broader outcomes.

Mark’s phrase “make the fundamentals fun” is not about gamification, but about meaning. The GRC analyst collecting evidence for an audit isn’t just filling spreadsheets, they’re part of a collective mission to protect the organisation’s credibility.

Leaders must model balance by maintaining interests outside work to prevent burnout. When practitioners feel energised, they stay sharp, and when they stay sharp, the organisation stays secure.

Solution #4. Make learning social

Technical competence without emotional intelligence is a brittle combination.

“You can have all the certifications in the world, but if you can’t read a room or listen sincerely, those skills won’t get you far,” Mark says.

Dan sees empathy as equally vital for sustaining culture. “You naturally gravitate to people who think like you,” he notes. “That’s comforting, but it limits growth. Real progress comes from seeking out the people who challenge your thinking.”

Their shared advice: make learning social. Build trusted circles where practitioners can share both success and vulnerability without fear of judgment. For Mark, these communities have been essential: “In Philadelphia, we built a network of CISOs who help each other out. It’s therapeutic.”

Such networks don’t just provide support, they build perspective — the antidote to myopia.

Key takeaways

Mark and Dan’s conversation circles back to a simple but powerful idea: security that works is not the result of “more”: more controls, more people, or more process. It’s the result of clarity: knowing what matters, focusing on it, and helping others do the same.

  1. Efficacy over efficiency. Security work should be judged by measurable outcomes, not the volume of activity.

  2. Compliance is a tool, not a target. Use audits to learn, not to look good.

  3. Constraints can clarify. Scarcity often drives the most elegant solutions.

  4. People sustain capability. Motivation and purpose are as critical as skills.

  5. Perspective prevents stagnation. Curiosity and empathy keep leaders adaptable.

  6. Leadership is relational. The best CISOs build trust upward, downward, and sideways.

Substance over show. Real improvement over reassurance. At Chaleit, these beliefs guide how we work with clients.  

If your organisation is ready to move from effort to efficacy, let's talk. Let’s make cyber security effective, measurable, and dependable.

About the authors

Mark Eggleston

Mark Eggleston is the chief information security officer (CISO) for CSC, responsible for the global security and privacy program design, operations, and continual maturation. As a senior executive specializing in security and privacy program development and management, Mark’s unique background and expertise in information technology, program, and people management have positioned him as a thought leader and frequent industry speaker.

Mark started his career as a program manager and psychotherapist at a hospital serving children and adolescents. Later, he helped develop an internal compliance approach, complete with policies and tools, ensuring that a geographically dispersed health care provider organisation (across 19 states) complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). He then transitioned to applying his HIPAA expertise at an HMO, where he implemented many successful security controls and technologies, including single sign-on (SSO), identity and access management (IAM), a cloud access security broker (CASB), and a vulnerability assessment program.

Mark received his Bachelor of Science in psychology from Radford University. Later, he received both his Master of Social Work and his post-baccalaureate certificate in management information systems from Virginia Commonwealth University. In addition, Mark holds CHPS and CISSP certifications.

Dan Haagman

Dedicated to strategic cyber security thinking and research, Dan Haagman is a global leader in the cyber domain — a CEO, client-facing CISO, Honorary Professor of Practice, and trusted advisor to some of the world’s most complex organisations.

Dan’s career began nearly 30 years ago at the London Stock Exchange, where he was part of the team that developed its first modern Security Operations Centre (SOC). He went on to co-found NotSoSecure and 7Safe, both acquired after helping shape the industry’s penetration testing and training practices.

His deepest commitment is to what followed: Chaleit — a company that has become Dan’s life’s work and passion. Founded not just to participate in the industry, but to elevate it, Chaleit brings together deep offensive testing capabilities and mature consulting, helping clients move from diagnosis to resolution. 

Today, he leads a globally distributed team across seven countries, steering Chaleit with principles of longevity and transparency, and guiding it toward a future public offering.

Dan is also the founder of the CISO Global Study — an open-source initiative created for the benefit of the broader industry. Through it, he works alongside hundreds of CISOs globally, distilling insight, exchanging learning, and challenging the assumptions that shape the field. 

Disclaimer

The views expressed in this article represent the personal insights and opinions of Dan Haagman and Mark Eggleston. Dan Haagman's views also reflect the official stance of Chaleit, while Mark Eggleston's views are his own and do not necessarily represent the official position of his organisation. Both authors share their perspectives to foster learning and promote open dialogue.


About this article

Series: Cyber Strategy Collective

Topics: Strategy
