TL;DR
Breaches keep happening despite ballooning security budgets. Complexity, overtooling, and misaligned board reporting are getting in the way of doing the basics right.
Drawing on years of experience across academia and industry, Abbas Kudrati (Chief Identity Security Advisor – APAC, Silverfort, and formerly Microsoft) and Dan Haagman (CEO, Chaleit, and founder of the Global CISO Study) make the case for a simpler, identity-first mindset in cyber security.
It’s not about adding more tools or reports. It’s about understanding what attackers actually do, closing the obvious gaps, and building systems that recover quickly when something breaks — because something always does.
Context: Simplicity is hard
Cyber security budgets are at an all-time high. But so are successful breaches.
Cyber security spending is forecast to exceed $212 billion in 2025, a 15% increase from 2024. Despite that investment, neither the frequency nor the impact of breaches is slowing down: the global cost of cyber crime is estimated to reach $10.5 trillion in 2025 and is expected to keep rising.
At the same time, the frequency of cyber breaches and attacks remains high, especially in medium and large businesses. For example, in the UK alone, 74% of large companies and 67% of medium-sized businesses experienced a successful breach or attack in 2025.
Attackers are getting faster, and security teams are stretched thin trying to keep up.
"We're in the middle of the biggest complexity set we've ever seen," says Dan. "At the same time, budgets are under pressure and boards are asking for more with less."
Meanwhile, attackers don’t need to get smarter. They just need defenders to keep doing the basics badly. Abbas puts it simply:
"It used to take 90 days for an attacker to breach and extract data. Now it takes 60 minutes."
One reason for this is the rise of artificial intelligence. "AI is your frenemy. It’s your friend until it becomes your enemy. Hackers are using it to automate everything from phishing emails to credential analysis. And if you haven’t got good data governance, AI just makes the damage faster," Abbas explains.
The central problem isn’t capability. It’s focus. Security teams are investing in new tools, new frameworks, and new dashboards, but often miss the simple, high-impact gaps that attackers exploit again and again.
As this collaborative essay shows, the issue isn’t a lack of effort. It’s a lack of clarity. And the cost of getting it wrong is rising by the hour.
Challenges
Challenge #1. Too many tools, not enough visibility
Organisations are drowning in security tools. Abbas shared that a typical company with 2,000 to 3,000 employees might use 80 different tools across its environment. That number isn’t just inefficient, it’s dangerous.
"Three different antivirus solutions in one company. Why?" Abbas asks. Tool sprawl creates blind spots, integration failures, and overlapping responsibilities. And when an incident hits, teams often waste critical time pointing fingers.
Dan adds an alarming observation: "Companies are spending millions on a SIEM to collect data, but they’re not getting any value out of it."
This complexity also drives staff burnout. Security teams are constantly retraining on new tools, then leaving for higher pay elsewhere, taking that knowledge with them.
Challenge #2. Identity is the real attack surface
As organisations locked down endpoints, attackers pivoted. First, to infrastructure. Then to the cloud. Now, identity is the new front door, and it’s often left wide open.
"Attackers are targeting non-human identities: API keys, tokens, expired certificates. Most organisations don’t even know what they have, let alone how to protect it," Abbas warns.
Dan agrees: "If we’ve lost identity, we’ve lost the game." Even simple techniques like password spraying still work. "Every red team exercise we run starts with a password spray," Dan says. "And the SOC rarely even sees it."
This identity gap opens the door not only to initial compromise but also to lateral movement and privilege escalation. Once attackers are inside, they often blend in with legitimate users. The problem is, most SOCs still struggle to detect or respond quickly to these intrusions. That brings us to the next challenge.

Challenge #3. SOC teams react too slowly
The problem isn’t just detection. It’s acknowledgement. Abbas stresses the importance of measuring MTTA (mean time to acknowledge). "It doesn't mean you've solved the issue. It means you've seen it and started working on it."
He adds:
"Most organisations can't acknowledge an incident in under an hour. And if it takes more than 60 minutes, the attacker is already gone."
Dan elaborated with a concrete example from a Chaleit client engagement: “A major financial organisation narrowly avoided a ransomware breach. Their internal tools didn’t catch the intrusion. The tip-off came from a third party — someone noticed something strange. They acted just in time. One more hour, and their Active Directory would have been gone.”
These close calls highlight that many organisations are not set up to respond in real time. They're running SOCs that operate from 9 to 5, while attackers work around the clock. This detection and response lag leaves gaps and invites exploitation.
Which brings us to another issue: even when threats are known, the message often fails to reach decision-makers in a meaningful way.
Challenge #4. Board reporting misses the point
Boards are demanding cyber security updates, but they're often asking the wrong questions. "How many threats were blocked? Are we secure?" These aren't helpful metrics. They reflect activity, not risk.
"Cyber security professionals spend weeks fine-tuning board materials, but they often miss the obvious: What would actually breach us?" Dan observes.
Part of the issue is communication. Security leaders know what the problems are, but they often struggle to translate technical risks into business language that lands with executives.
Instead of showing a dozen dashboards, Abbas focuses on helping boards ask better questions and take ownership of outcomes. He shares a best practice from his experience:
"I gave the board a single sheet each quarter, showing risks ranked high, medium, and low. That got them asking the right questions: Do you need money, people, or just authority to act?"
Without shared understanding, you get misaligned priorities. Boards want confidence. CISOs want readiness. The gap between the two can leave organisations exposed, not because they lack resources, but because they lack clarity.
Which raises the bigger question: if these challenges are so well understood, why haven’t they been solved? Let’s look at how security leaders and organisations could do things better.
Solutions
Solution #1. Simplify your stack
Dan and Abbas both advocate for consolidation. Not into a single product, but into logical platforms with clear ownership.
"One platform for endpoint. One for the cloud. One for identity," Abbas recommends. "Not 80 tools that no one can manage."
This doesn’t mean sacrificing capability. It means picking tools that integrate well, reduce noise, and help teams focus on what matters. Dan notes: "Better to have basic telemetry that works than the fanciest dashboard you don’t trust."
Abbas acknowledges that consolidation is a long-term effort: "We spent 10 years adding tools to secure endpoints. Now we’re spending years untangling them. But it’s doable if you approach it as a slow, steady process."

Solution #2. Treat identity as a core security layer
Abbas offers an actionable priority list for the next six months:
Roll out MFA across all users, including on-prem
Inventory non-human identities (tokens, keys, service accounts)
Monitor identity activity for anomalies and reuse
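To make the monitoring item concrete, here is an added example (not code from Chaleit, Silverfort or either author) of the detection logic Dan's red-team observation calls for. A password spray trips no per-account lockout because each account is tried only once or twice; it stands out only when you count distinct accounts per source. The log format, IP addresses and thresholds are constructed for the example.

```python
"""Password-spray detection over sign-in events.

Added example, not Chaleit's or Silverfort's code. Flags the pattern Dan
describes: one source trying many distinct accounts, each only once or twice,
inside a short window. A per-account lockout threshold never fires on that,
which is why the SOC "rarely even sees it". Sample log lines are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    src_ip: str
    success: bool


# Constructed sample in a hypothetical "timestamp user src_ip OK|FAIL" format.
# 203.0.113.7 sprays eight accounts (one attempt each) and lands on "frank";
# 198.51.100.5 brute-forces "bob"; 192.0.2.10 is a normal login.
SAMPLE_LOG = """
2025-06-01T02:00:01Z alice      203.0.113.7  FAIL
2025-06-01T02:00:40Z bob        203.0.113.7  FAIL
2025-06-01T02:01:15Z carol      203.0.113.7  FAIL
2025-06-01T02:01:52Z dave       203.0.113.7  FAIL
2025-06-01T02:02:30Z erin       203.0.113.7  FAIL
2025-06-01T02:03:05Z frank      203.0.113.7  FAIL
2025-06-01T02:03:44Z grace      203.0.113.7  FAIL
2025-06-01T02:04:20Z svc-backup 203.0.113.7  FAIL
2025-06-01T02:08:10Z frank      203.0.113.7  OK
2025-06-01T02:00:05Z bob        198.51.100.5 FAIL
2025-06-01T02:00:30Z bob        198.51.100.5 FAIL
2025-06-01T02:01:00Z bob        198.51.100.5 FAIL
2025-06-01T02:01:30Z bob        198.51.100.5 FAIL
2025-06-01T02:02:00Z bob        198.51.100.5 FAIL
2025-06-01T02:02:30Z bob        198.51.100.5 FAIL
2025-06-01T02:05:00Z alice      192.0.2.10   OK
"""


def parse_log(text: str) -> list[SignIn]:
    """Parse the constructed format above into time-ordered SignIn events."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src_ip, result = line.split()
        ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(SignIn(ts, user, src_ip, result == "OK"))
    return sorted(events, key=lambda e: e.ts)


def detect_password_spray(events, window=timedelta(minutes=15),
                          min_users=5, max_per_user=2):
    """One alert per source IP whose failures cover >= min_users distinct
    accounts within any `window`, with no single account tried more than
    max_per_user times. "hits" lists sprayed accounts that also succeeded
    from the same source in that window, i.e. the spray found a password."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        best = None
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e.ts - start.ts <= window]
            fails = Counter(e.user for e in in_window if not e.success)
            if len(fails) >= min_users and max(fails.values()) <= max_per_user:
                hits = sorted({e.user for e in in_window
                               if e.success and e.user in fails})
                cand = {"src_ip": ip, "window_start": start.ts,
                        "distinct_users": len(fails), "hits": hits}
                if best is None or cand["distinct_users"] > best["distinct_users"]:
                    best = cand
        if best:
            alerts.append(best)
    return alerts


def brute_force_sources(events, threshold=5):
    """The complementary case: one account hammered from one source, which a
    per-account lockout threshold does catch. Returns {src_ip: user}."""
    fails = Counter((e.src_ip, e.user) for e in events if not e.success)
    return {ip: user for (ip, user), n in fails.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_password_spray(evs):
        print(f"SPRAY from {a['src_ip']} at {a['window_start']}: "
              f"{a['distinct_users']} accounts, hits={a['hits']}")
    print("brute force:", brute_force_sources(evs))
```

Running it reports one spray from 203.0.113.7 that landed on frank, and a separate brute-force finding for 198.51.100.5. The per-user cap is the whole point: the two patterns need different rules, and a SOC tuned only for the second stays silent on the first. In production the same logic runs over the identity provider's sign-in log, with the window and thresholds tuned against your own baseline of failed logins per source.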
He also highlights the value of password hash syncing: "Microsoft can detect when a password matches a known breach and block access automatically. That kind of proactive control works."
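Abbas's point about blocking passwords that appear in known breaches can be checked without sending the password, or even its full hash, to the service that holds the breach corpus. The added example below (not Microsoft's or Silverfort's implementation) shows the k-anonymity range-query pattern that Have I Been Pwned's Pwned Passwords API popularised: hash with SHA-1, send only the first five hex digits, and match the remainder locally. The breach corpus and its counts are constructed for the example.

```python
"""Breached-password check with a k-anonymity range query.

Added example, not Microsoft's or Silverfort's code. The client hashes the
candidate password with SHA-1, sends only the first five hex digits of the
hash, receives every breached-hash suffix under that prefix, and does the
final comparison locally. The corpus below is constructed for the example.
"""
import hashlib

# Constructed breach corpus: plaintexts and how often they appeared in leaks.
# A real service stores only hashes; plaintexts are here so the example can
# build its own index offline.
_CONSTRUCTED_LEAKS = {
    "password": 1000,
    "letmein": 500,
    "Welcome1": 340,
    "Summer2025!": 12,
}


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the form the range query is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(leaks: dict[str, int]) -> dict[str, dict[str, int]]:
    """Server-side table: 5-hex prefix -> {35-hex suffix: count}."""
    index: dict[str, dict[str, int]] = {}
    for pw, count in leaks.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], {})[h[5:]] = count
    return index


BREACH_INDEX = build_index(_CONSTRUCTED_LEAKS)


def range_query(prefix: str) -> dict[str, int]:
    """Simulated remote lookup. It sees only a 5-hex prefix, never the
    password or the full hash, so every password sharing that prefix is
    indistinguishable to the service (that is the k-anonymity property)."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be five uppercase hex digits")
    return dict(BREACH_INDEX.get(prefix, {}))


def breach_count(password: str) -> int:
    """Client side: how many times the password appears in the corpus."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return range_query(prefix).get(suffix, 0)


def accept_password(password: str, max_seen: int = 0) -> tuple[bool, int]:
    """Policy hook for a password-change flow: refuse anything seen more than
    max_seen times in the corpus. Returns (accepted, times_seen)."""
    n = breach_count(password)
    return (n <= max_seen, n)


if __name__ == "__main__":
    for pw in ("password", "Summer2025!", "correct horse battery staple"):
        ok, n = accept_password(pw)
        print(f"{pw!r}: seen {n} times -> {'accepted' if ok else 'rejected'}")
```

The design point is what leaves the client: five hex characters, which narrow the space to roughly one in a million hashes and nothing more. Paired with the sync Abbas mentions, the same check can run against an on-prem directory's hashes rather than only at password-change time, which is what turns it from a policy gate into a detection.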
This identity-first mindset reflects a broader principle, Zero Trust: trust nothing by default. As Abbas puts it, "Zero Trust is not your 81st product. It’s a mindset. You don’t finish Zero Trust, you practise it."
He breaks this mindset down into three principles:
Verify everything.
Assume breach.
Enforce least privilege.
Dan adds: "Treat it as a journey, not a box to tick. Otherwise, you’re just creating more complexity under a new label."
Solution #3. Close the detection gap
To get faster at spotting incidents, Abbas emphasises the need to reduce MTTA to under 30 minutes. Few organisations can do it, but it's the right benchmark.
Here are three stages of readiness:
Compliance mode: reactive, box-ticking.
Curiosity-driven: pen tests, red teaming.
Proactive: real attack modelling, scenario planning.
Abbas shared an unconventional example: "I once added 'crane falling on our building' to our tabletop exercise. People laughed — until COVID hit and showed how fragile our assumptions were."
Dan endorses this creative risk thinking: "That’s the future of scenario planning. The stuff you think can’t happen is often what breaks you."
Solution #4. Strengthen executive reporting and transparency
Abbas's one-sheet board update is a useful model. He uses a simple quadrant chart (likelihood vs. impact) and updates it quarterly. More importantly, he trains the board to ask better questions:
Which risks are getting worse?
What’s in the high quadrant?
Do you need help clearing this?
Dan shares a useful metaphor: "Flying a plane takes three instruments: speed, altitude, direction. Cyber security is the same. We overcomplicate it, but a few indicators — if they're accurate — are enough."
Transparency matters just as much as clarity. Abbas praised the Optus breach response: "They came forward immediately. That scared the attackers off. They even apologised and claimed to delete the data."
In this context, Dan highlights the importance of communities like ISACs and CISO forums:
"These aren’t just talking shops. When people share near misses or early warning signs, others can take action before it’s too late."
Public-private collaboration and honest incident sharing aren't signs of weakness. They’re signs of maturity.

Key takeaways
These are the habits, principles, and mindset shifts that came through clearly in Abbas and Dan’s discussion:
Security doesn’t fail for lack of tools. It fails when the basics are ignored.
Non-human identity is your biggest blind spot. Fix that first.
Password spraying still works. If your SOC can’t see it, you're exposed.
A good SIEM is worthless without good data and fast acknowledgement.
Boards don’t need volume. They need clarity and risk ownership.
Assume breach. Focus on how fast you can recover, not whether you can prevent it.
Zero Trust is a culture, not a capability. Treat it as an ongoing practice.
Transparency builds resilience. Share what almost went wrong.
Abbas sums it up best:
"Cyber security is a people issue, not a technology issue. Tools help, but mindset is everything."
And Dan agrees:
"Improvement isn’t about big transformations. It’s the small things, consistently done, that make the difference."
If you're wrestling with too many tools, unclear reporting, or identity blind spots, and you want a more effective, less reactive way forward, the Chaleit team is happy to assist. We’ve helped organisations focus on what attackers actually exploit and fix it properly.
Reach out if you’d like to talk about what’s working, what’s not, and what you can do next.
About the authors
Abbas Kudrati
With over 25 years in cybersecurity across India, Kuwait, Bahrain, and Australia, Abbas Kudrati brings a global lens to securing identities and building modern cyber defence strategies.
Currently, he is the Chief Identity Security Advisor – APAC at Silverfort, guiding CISOs across the region on Zero Trust, Identity Threat Detection & Response (ITDR), and non-human identity security. Before this, he was Microsoft Asia’s Chief Cybersecurity Advisor, helping organisations shape resilient security postures.
He is also a Professor at La Trobe University, where he teaches GRC and mentors tomorrow’s cyber leaders. As an author of multiple best-selling books, he simplifies complex topics like Zero Trust, Human and Non-Human Identities, and cloud container security through practical frameworks and case studies.
Abbas regularly speaks at global conferences like AISA CyberCon, Identiverse, and RSAC, sharing insights with a blend of real-world breaches, battle-tested models, and a touch of storytelling.
Dan Haagman
Dedicated to strategic cyber security thinking and research, Dan Haagman is a global leader in the cyber domain — a CEO, client-facing CISO, Honorary Professor of Practice, and trusted advisor to some of the world’s most complex organisations.
Dan’s career began nearly 30 years ago at the London Stock Exchange, where he was part of the team that developed its first modern Security Operations Centre (SOC). He went on to co-found NotSoSecure and 7Safe, both acquired after helping shape the industry’s penetration testing and training practices.
His deepest commitment is to what followed: Chaleit — a company that has become Dan’s life’s work and passion. Founded not just to participate in the industry, but to elevate it, Chaleit brings together deep offensive testing capabilities and mature consulting, helping clients move from diagnosis to resolution. Dan has spent years learning how to solve problems, not just report them — and that mindset is now embedded into Chaleit’s DNA: working the problem, not passing it along.
Today, he leads a globally distributed team across seven countries, steering Chaleit with principles of longevity and transparency, and guiding it toward a future public offering.
Dan is also the founder of the Global CISO Study, an open-source initiative created for the benefit of the broader industry. Through it, he works alongside hundreds of CISOs globally, distilling insight, exchanging learning, and challenging the assumptions that shape the field. Behind it sits a doctoral research programme, a DIT (Doctorate of Information Technology), which provides rigour and ethical oversight.
He is a respected conference chair and keynote speaker, leading CISO events across Australia (Perth, Brisbane, Canberra, Melbourne, Sydney), as well as New Zealand, Singapore, and New York City. He sits on the Australian CISO Advisory Board for Corinium and is a 2025 judge of the CSO Awards.
A lifelong learner and systems thinker, Dan is currently pursuing applied doctorate-level research into cyber security leadership. He has authored multiple MSc programmes grounded in commercial and operational relevance.
Disclaimer
The views expressed in this article represent the personal insights and opinions of Dan Haagman and Abbas Kudrati. Dan Haagman's views also reflect the official stance of Chaleit, while Abbas Kudrati's views are his own and do not necessarily represent the official position of his organisation. Both authors share their perspectives to foster learning and promote open dialogue.