TL;DR
The legacy of a less collaborative cyber security environment, characterised by competition, isolation, and reluctance to show vulnerability, puts organisations at a significant disadvantage against highly connected threat actors.
Drawing from their extensive experience, cyber security leaders Ali Mosajjal (Head of Security Operations, Vector) and Dan Haagman (CEO, Chaleit) advocate for a change towards greater collaboration, knowledge sharing, and transparency within the industry.
They argue that by embracing vulnerability, standardising information sharing, restructuring vendor relationships, and aligning security with business objectives, organisations can create a more effective "hive mind" environment that mirrors the collaborative advantages enjoyed by adversaries.
Context: The collaboration crisis in cyber security
The cyber security industry faces a paradox: while defenders work in silos, adversaries thrive through collaboration. This disparity creates an asymmetric advantage that leaves organisations increasingly vulnerable.
"People don't understand from a threat intel perspective how much bad guys share knowledge," observes Ali. "When reports show shared code or technology being used by increasing numbers of attackers, spanning different countries, it suggests clear knowledge sharing and collaboration between those groups."
Ali had this realisation in 2021, which he then called the "sorry state of InfoSec", identifying collaboration among adversaries as their primary advantage. "The bad guys collaborate more effectively than we do. They're winning because of their communication, while we're losing due to prioritising profit," he explains.
The collaboration gap has consequences. While attackers pool resources and knowledge to improve their effectiveness, defenders often work with limited visibility into threats faced by peer organisations, creating unnecessary blind spots and redundant defensive efforts.
Consequences are compounded by the fact that cyber threats are becoming more complex. Cyber criminals increasingly use artificial intelligence to create more sophisticated and difficult-to-detect attacks, leading to a rise in social engineering and ransomware attacks. This challenge adds to rising supply chain concerns, geopolitical tensions, and regulatory challenges, according to an analysis by the World Economic Forum.
In this context, the need for a collaborative approach becomes increasingly important.
Much like social insects that function as a collective intelligence rather than isolated individuals, a cyber security "hive mind" leverages the combined knowledge, experience, and capabilities of multiple defenders.
This creates a network of security professionals who share not just threat data but context, tactics, and lessons learned — amplifying the effectiveness of each organisation through collective wisdom. Attackers have intuitively adopted this model. Defenders have yet to fully embrace it.
However, cyber security leaders must address several critical challenges to close this collaboration gap.
#1. The fear of vulnerability in a knowledge-based industry
In an industry built on expertise, admitting knowledge gaps feels counterintuitive and potentially career-limiting. Security professionals often project an image of omniscience, creating cultures where vulnerability is perceived as weakness.
"There is a common belief that asking colleagues questions suggests a lack of expertise," observes Ali. "This results in them being reserved. We must open lines of communication to improve as professionals and experts."
In contrast, "The bad guys ask everything in their forums, even the most basic things, and that's how they get better," Ali emphasises.
This reluctance to share uncertainties and mistakes ripples across organisations and the industry at large, resulting in duplicated efforts, repeated errors, and a collective failure to learn from others' experiences.
#2. The misalignment between business and security structures
Security teams often operate with different mindsets, timeframes, and success metrics than the businesses they protect, creating friction and misunderstanding.
Ali observes that "Cyber security is treated as an add-on, like insurance, rather than a core function. It's essentially a security team embedded within a company with a different primary focus."
The misalignment manifests in several ways. While businesses focus on quarterly results and shareholder value, security teams fight what Ali describes as "an active war" against adversaries. "Much of our terminology and methodology, including red team and blue team, comes directly from the US military. We function as a small, pseudo-military unit within a company with a different primary focus."
Additionally, success metrics differ dramatically.
"We're the defenders, judged by our failures. They're the attackers, judged by their successes," explains Ali, using a football analogy. "In football, a goalkeeper's career is defined by their few mistakes, while top attackers achieve legendary status with a mere 30% conversion rate."
This difference in how success is measured creates communication barriers and misaligned priorities between security teams and business leadership.
#3. Predatory vendor behaviour and trust erosion
Security vendors often prioritise competition over collaboration, with marketing claims and technical lock-in tactics undermining trust and interoperability.
"Some vendors are sabotaging the industry with endless competition claims. They approach clients saying 'we're 10% better than them, get rid of them and work with us,' when what we need is to think together," observes Dan.
The growth imperatives of publicly traded security companies exacerbate this problem. "The need for growth and sales automatically creates predatory behaviour. There's no two ways about it," adds Ali. "Finding the right balance to healthily manage and control your hunger for growth is a delicate line to walk."
This focus on competitive advantage often results in proprietary technologies that don't integrate well with other solutions, creating technical debt and complexity for security teams.
#4. Practical and legal barriers to security collaboration
Even when security leaders want to collaborate, practical and legal obstacles often prevent effective information sharing.
Legal complexities around sharing threat intelligence, a lack of standardised frameworks for collaboration, time constraints, and competitive concerns all create friction that prevents the flow of valuable information between organisations.
"Technology provides opportunities for easier and more collaborative sharing. However, realising this potential requires standardised methods and addressing current legal complexities," notes Ali.
Time constraints further limit collaboration opportunities. Security leaders are often so consumed by operational demands that they have little bandwidth for external engagement and peer learning.
Together, these challenges create a perfect storm that enables adversaries to maintain their collaborative advantage while defenders remain isolated and reactive.
The good news, Ali and Dan stress, is that the industry can overcome these challenges. In their experience, there are practical steps leaders can take to change how security teams collaborate, whether within the same company or with partners.
#1. Embrace vulnerability as a leadership strategy
The journey toward greater collaboration begins with embracing vulnerability and creating psychological safety within security teams.
Ali shares his personal experience:
"First, it's crucial for me to be open about human vulnerability, our shared capacity for mistakes, and the fundamental equality we all possess. It's about emphasising that, at its core, everything is flat. These social hierarchies – manager, CISO, whatever – are ultimately constructs."
His approach yielded immediate benefits: "I saw a lot of people flourish and improve very quickly because they didn't feel like they were in a lower position as human beings. This gave them the confidence and happiness to come to me and say, 'What we're doing every day is wrong, we need to change it, and this is why.'"
Dan reinforces this point: "While vulnerability makes you vulnerable, it doesn't automatically mean people will take advantage of it. That's not necessarily true."
Ali introduces the "Captain's Dinner" model for leadership, suggesting that effective security leaders, like ship captains, should allocate time for knowledge gathering rather than constant firefighting: "It's crucial for leaders at all levels, and particularly CISOs, to have a minimum of 20-30% of their time free for expansion and development."
This creates the psychological safety needed for team members to admit mistakes, ask questions, and challenge established practices — essential elements for a learning culture that can adapt to changing threats.
#2. Reframe the security-business relationship
Bridging the gap between security teams and business leadership requires translating security concerns into business language and educating executives about the unique nature of security work.
"I believe that if a CISO or CIO brings this perspective to CEOs, educating them that seemingly similar IT incidents like RAM or CPU spikes can be completely different from cyber incidents like phishing, it would be beneficial," explains Ali.
Dan adds that "Security should be seen as an ongoing journey aligned with your business objectives. Viewing it as a never-ending 'war' implies it's a constant, low-level tension and activity that needs to be normalised within the context of business risk."
This reframing helps business leaders understand that security isn't a point-in-time compliance exercise but an ongoing process that requires consistent attention and investment. It also helps them differentiate between technical incidents and security attacks, which may present similar symptoms but require fundamentally different responses.
Building allies across the organisation who understand and advocate for security concerns further strengthens this relationship. When security is viewed as everyone's responsibility rather than a specialised function isolated from the business, collaboration naturally improves.
#3. Adopt a new framework for vendor evaluation and partnership
Ali offers a four-point framework for evaluating security vendors, one that prioritises collaboration and transparency over marketing claims:
Assess sales culture and pressure. When evaluating a vendor, start by talking to the salespeople to understand how well the company treats its employees and the pressure they face regarding sales targets. This can offer valuable early insights.
Review code quality and development practices. If they have a GitHub presence, visit their page and examine the code. Specifically, check when the last contributions were made to get a sense of their recent activity and overall engagement in the space.
Evaluate commitment to standardisation. Consider how much the company prioritises integrating its product with standardised tools. A willingness to do so often indicates that the company is confident in its offering and secure in its value proposition.
Check industry collaboration participation. Finally, investigate their involvement in relevant open organisations. For instance, in the cloud space, their affiliations with groups like CNCF, S-Bahn, and the Linux Foundation can provide valuable insights.
This framework shifts the vendor-client relationship from transactional to partnership-based, creating space for growth and genuine problem-solving. It also encourages vendors to prioritise interoperability and industry standards, which benefits the ecosystem as a whole.
Dan explains how the Chaleit approach fits this model:
"We prioritise collaborative problem-solving and mutual wins. Our sales process is structured as a journey to connect with like-minded partners."
#4. Build standardised collaboration infrastructure
To overcome the legal and practical barriers to information sharing, the industry needs standardised frameworks that make collaboration frictionless.
What would a true security "hive mind" look like in practice? It's more than just threat feeds or information-sharing platforms. A functioning hive mind creates a cognitive network where:
Threat intelligence flows bidirectionally and includes context, not just indicators
Defensive strategies are shared with their effectiveness metrics
Failed approaches receive equal attention to successful ones
Knowledge circulates without friction from legal or competitive concerns
Ali proposes standardised legal templates for threat intelligence sharing: "Let's create common, legally sound licensing and threat intelligence sharing schemas, building on the TLP model. The aim is to have standardised legal frameworks, similar to open source licenses."
This would dramatically reduce the friction in threat intelligence sharing: "Instead of each company individually spending six months on legal negotiations to understand how to share intelligence, we provide pre-built templates they can easily adopt."
Finally, reframing security as a non-competitive advantage helps organisations overcome reluctance to share security insights.
"Cyber security efforts shouldn't aim to disadvantage competitors. Fostering a mindset of collaboration within the same industry or sector, rather than an 'us versus them' mentality, will lead to much more positive and effective cooperation," emphasises Ali.
Key takeaways
Here are practical tips that any security leader can implement right now, no matter the size or type of their organisation:
Prioritise time for peer learning and knowledge exchange. Effective security leaders allocate time for engagement, following the "Captain's Dinner" model of leadership.
Embrace vulnerability to accelerate improvement. Open acknowledgement of mistakes and gaps creates psychological safety that enables teams to learn faster and adapt more effectively.
Evaluate vendors based on collaborative behaviours. Look beyond marketing claims to assess sales culture, code quality, standardisation commitment, and industry participation when selecting security partners.
Standardise technical and legal frameworks for sharing. Reduce friction in information sharing by creating "open source-like licenses" for threat intelligence and adopting common formats and protocols.
Translate security concerns into business language. Bridge the gap between security teams and business leadership by explaining security challenges in terms executives understand and value.
Build a defender "hive mind" to counter adversaries. Leverage the collective intelligence of the security community to match the collaborative advantage enjoyed by threat actors.
The path to a more collaborative security ecosystem isn't simple, but the potential benefits — reduced costs, improved security outcomes, and increased operational efficiency — make it worth pursuing.
"Cyber security shouldn't be a competitive advantage. Ultimately, despite working for rival companies, we're on the same team when it comes to security posture, facing and solving the same challenges," Ali concludes.
Dan agrees: "We believe in the power of collaboration – together is truly better. But it's tough to disrupt that existing industry mindset."
Chaleit applies this collaborative mindset in every client engagement, rejecting the traditional vendor-client dynamic in favour of genuine partnership. But we go further: we actively publish cyber security expert content, host live, unfiltered sessions, and bring together diverse industry voices to create learning opportunities for the broader security community.
Our commitment to building the defender "hive mind" isn't just talk — it's embedded in our operating model. If you'd like to discuss a partnership that strengthens with every engagement, contact us today.
About the authors
Ali Mosajjal
Ali Mosajjal is a cyber security leader and incident response expert currently working at Vector Ltd.
He has over 10 years of experience in security operations, threat intelligence, vulnerability management, and leading high-performing teams.
Previously, Ali served as a senior security engineer and researcher.
Dan Haagman
Dedicated to strategic cyber security thinking and research, Dan Haagman is the CEO and founder of Chaleit, a seasoned leader in global cyber security consulting, and an Honorary Professor of Practice at Murdoch University in Perth, Australia.
With nearly 30 years of experience, he began his journey at The London Stock Exchange, where he pioneered the development of their first modern SOC and defensive team. As a co-founder of NotSoSecure and 7Safe, both acquired by reputable firms, Dan has left a lasting impact on the industry.
Today, Dan leads a team of brilliant minds in seven countries, all focused on delivering world-class cyber security consulting. Chaleit reflects Dan's vision for the industry's future. Built on the core principles of longevity and transparency, the company is poised for a public offering within the next few years.
Dan has a passion for learning. With a pen and paper at hand, he dedicates significant time to reading, researching, designing systems, and learning with clients and peers with the goal of being a leading thinker and collaborator in the cyber industry.
Disclaimer
The views expressed in this article represent the personal insights and opinions of Dan Haagman and Ali Mosajjal. Dan Haagman's views also reflect the official stance of Chaleit, while Ali Mosajjal's views are his own and do not necessarily represent the official position of his organisation. Both authors share their perspectives to foster learning and promote open dialogue.