27 Feb 2025

Security Leadership: From Technical Control to Business Value

TL;DR

The traditional separation between CIO and CISO roles, coupled with a tick-box approach to security compliance, is failing modern organisations. Drawing from decades of combined experience, Noel Toal (CIO, DPV Health) and Dan Haagman (CEO of Chaleit) argue for a shift in how organisations approach security leadership: embedding security from project inception, creating psychologically safe environments for error reporting, and moving beyond mere compliance to meaningful security outcomes. 

This requires a new type of security leader who can balance technical expertise with business acumen while fostering a culture where security is everyone's responsibility rather than an afterthought.

Context: The evolution of security leadership

Cyber security has reached a critical juncture. Recent high-profile breaches, such as those experienced by Optus and Medibank in Australia, have exposed the shortcomings of traditional approaches to security leadership.

In 2024, Australia faced an unprecedented surge in cyber threats, with one attack occurring every second. This escalation has driven the average cost of a cyber incident to A$4.26 million, a 27% increase since 2020 (source).

These incidents and statistics serve as reminders that security cannot be an afterthought but must be woven into the fabric of organisational strategy and operations.

"A good CIO is very much a business leader," explains Noel Toal, a three-time CIO50 honoree. "They should have a seat at the table with the business. They should have a full understanding of what the business is trying to achieve strategically."

However, this business-first approach must be balanced with robust security considerations — a balance many organisations struggle to achieve.

Dan Haagman, drawing from his extensive experience, notes that the cyber security industry has evolved too quickly, which has created a disconnect between traditional security approaches and modern business needs.

"The industry needs a hard reboot. It needs to spend less and be less focused on shiny objects of fascination," Dan argues.

The path forward requires addressing fundamental challenges that shape modern security leadership: security integration in projects, value measurement, human psychology in security, and the evolution of security leadership roles. These aren't theoretical problems but real challenges that need practical solutions.

Challenges

Security as an afterthought

The fundamental challenge many organisations face is the late integration of security considerations into business initiatives. Noel illustrates this with an analogy: "It's like trying to bake a whole cake, and we forgot to add an ingredient in it. You're not going to get the perfect cake."

The problematic pattern repeats across industries.

"Too often, security is an afterthought. We build something beautiful for the business, and only at the very end do we bring in the CISO to 'make it secure'," Noel explains.

The consequences of this approach can be severe, with organisations discovering critical security vulnerabilities even after extensive testing periods, often in fundamental areas like authentication that should have been secured from the start.

It all comes with significant financial implications. Recent Security Compass research shows that a single vulnerability can cost over $50,000 to fix, while implementing security from the design phase reduces vulnerabilities by nearly 80%. For enterprises managing multiple applications, delaying security-by-design by just one month can add over $416,000 in remediation costs.

Quantifying the invisible

One of the most demanding aspects of security leadership is demonstrating value through the absence of incidents.

Dan compares it with aviation: "No one celebrates a successful landing. It's a non-event. Yet it's the most critical and perilous part of any flight."

Just as a safe landing represents countless prevented risks, security success often means averting threats others never see.

The invisibility of success creates a fundamental challenge. Noel explains that security teams might successfully prevent a sophisticated, motivated attacker from breaching the network, yet have no way to prove or quantify this prevention.

Unlike CIOs, who can point to successful project deliveries, security leaders must justify investments based on what didn't happen — especially given that prevented incidents leave no visible trace of their potential impact.

Understanding human factors

Perhaps the most overlooked aspect of security leadership is the psychological dimension.

"Hackers understand our people better than we do," Noel observes.

He explains that humans are more easily manipulated than they realise, and hackers actively exploit this vulnerability through social engineering and psychological manipulation.

This psychological vulnerability is made worse by organisational cultures that inadvertently discourage incident reporting. Noel highlights a critical issue: employees often hesitate to report potential security mistakes for fear of consequences. This fear of reporting can leave security teams blind to potential breaches for weeks, dramatically increasing the risk to the organisation.

Dan builds on this with a crucial observation: “Threats cause people to make mistakes.” This reveals a fundamental gap in how organisations approach security: while extensive frameworks exist for technical controls, there's a notable absence of standards for handling human error in cyber security.

Unlike mature industries such as aviation, which have developed comprehensive error-handling frameworks over decades, cyber security lacks standardised approaches for managing and learning from human mistakes.

Balancing technical and business acumen

The role of security leadership itself is evolving, yet significant gaps remain between aspiration and reality. 2025 PwC research reveals that fewer than half of executives say their CISOs are involved to a large extent with strategic planning, board reporting, and overseeing tech deployments — proof of the disconnect between security leadership and business strategy.

This disconnect contributes to high turnover in security leadership roles. While IANS and Artico Search report that CISO turnover rates have improved from 21% in 2022 to 11% in early 2024, turnover remains significant. “Some CIOs have a strong technical background and deep understanding,” Noel explains. However, the modern security leader must balance technical expertise with business acumen — a combination that's increasingly rare.

The challenge is compounded by what Dan identifies as the "rate of change" impact on security leadership. This rapid pace of change contributes to leadership burnout and can impede effective security governance.

While these hurdles paint a complex picture of security leadership, they also point toward clear opportunities for improvement. The following solutions draw from proven experiences and best practices to address these fundamental issues.

Solutions and opportunities

Embedding security by design

Security considerations must be embedded from the start of any initiative, not added as an afterthought.

A recent Chaleit case study demonstrates the power of this approach: by integrating security into the development process from inception, a shipping company reduced vulnerable dependencies from 250-300 to fewer than 40 per repository while avoiding over $250,000 in security tool investments. The transformation required more than technical changes. It demanded a cultural shift that positioned security as a core feature rather than a post-development fix.

The customer story shows that security can be an enabler rather than a barrier to progress by establishing threat modelling at the design phase and working directly with development teams.

Effective security integration isn't about implementing expensive tools but embedding security thinking into every stage of development and operations. Organisations that make this shift not only improve their security posture but also achieve better business outcomes through reduced remediation costs and more efficient development processes.

Creating meaningful metrics

The measurement paradox of security — where success means nothing happened — requires a shift in how organisations demonstrate security value. The solution lies in moving from prevention-based metrics to quantifiable business risk indicators that resonate with leadership. This means developing frameworks that can translate security efforts into business outcomes, establishing clear risk quantification methodologies, and creating meaningful reporting structures that connect security investments to business value.

Dan shares a customer story that demonstrates this approach in practice. Working with a global cosmetics retailer, the Chaleit team found that fragmented risk management across multiple international locations was preventing effective security measurement. 

Through the implementation of a unified risk framework, the organisation transformed disconnected processes into clear business insights. The results speak for themselves: risk reporting time reduced to 2-3 minutes, identification of previously unknown risks, and the ability to set targeted investment priorities based on quantifiable business impact.

Making this work requires that security metrics actually matter to the business. When security teams speak the language of business impact rather than technical details, they can show clear value to leadership. It's not about proving what didn't happen but showing how security actively supports business goals and protects the bottom line.

Fostering psychological safety

"We need to create a psychologically safe environment where people know they can safely admit to their mistakes," Noel emphasises. This requires a cultural switch from punishment to learning, supported by clear procedures for error reporting and incident response.

Dan shares an example from a technology company’s cultural shift: "We helped transform their approach from generic security checklists to meaningful discussions." 

The key was making people feel safe to participate and share concerns. When technical teams understood the 'why' behind requirements and felt their input was valued, they became active participants rather than reluctant followers. The result was better risk management and, more importantly, a fundamental shift in how people viewed and engaged with security.

The lesson is clear: creating psychological safety isn't just about having the right policies but building an environment where security becomes a collaborative effort rather than a policing function.

Developing modern security leaders

Security leaders today carry a heavy load: not only the technical complexity of the role, but also fast-paced organisational change and far more pressure than before.

The solution to developing more effective security leadership is understanding what creates resilient professionals. 

As Noel observes from industry gatherings, there's a marked difference between leaders who "grew up technically through the ranks, progressively taking on more and more pressure, and so building resilience over time" versus those who advanced rapidly without building these coping mechanisms. This suggests that leadership development programs need to focus not just on technical and business skills but also on building psychological resilience.

Context matters significantly. Some organisations maintain relative stability, while others face constant disruption from regulatory changes or rapid growth — what Dan describes as having "the metaphoric carpet pulled out underneath."

Therefore, security leaders need more than tech skills. They must learn to manage change, work with people, and communicate effectively. This helps them connect security to business goals, not just tick boxes. 

As they become more digital, organisations need to break down barriers between IT and security, making security a natural part of every business decision.

Key takeaways

Drawing from these expert insights, here are five essential principles for transforming security leadership:

  1. Early security integration reduces vulnerabilities and prevents costly remediation.

  2. Effective security measurement requires moving from prevention metrics to quantifiable business impacts that leadership understands and values.

  3. Psychology drives security effectiveness — creating safe spaces for reporting and learning from mistakes is more valuable than technical controls alone.

  4. Resilient security leaders need both technical depth and business acumen to address the root causes of high turnover through progressive skill building.

  5. Cultural transformation happens when organisations replace checkbox compliance with meaningful dialogue and make security everyone's responsibility.

Want to put these recommendations into practice and transform your organisation's approach to security leadership? Contact us to discuss how we can help you build a more resilient, business-aligned security program.

About the authors

Noel Toal

Noel Toal serves as the Chief Information Officer (CIO) for DPV Health, bringing over twenty-five years of ICT leadership experience to the role, including a significant eleven-year tenure as an ICT Executive.

His multifaceted career as an Executive, Board Chair, and Entrepreneur, who successfully sold a business to a company listed on the ASX, shaped his view of ICT as a key driver of value.

As a sought-after speaker, Noel shares insights on Data Analytics, AI, Cyber Security, and Digital Transformation. His contributions to the field have been recognised by CIO Magazine, which named him one of Australia's top fifty CIOs in their CIO50 list for 2022, 2023 and 2024. In 2023 and 2024, he was also listed in the CSO30 list as one of the top thirty cybersecurity leaders in Australia.

In 2024, his CRM project was a finalist in the ITnews Benchmark awards for Best Project, and he was Highly Commended in the ITnews Benchmark Security awards. In 2025, he continued his success as a finalist in the ITnews Benchmark awards for Best Health Project for the second consecutive year, this time for a different project. 

Additionally, he is a finalist in the ITnews Benchmark Awards 2025 in the Not for Profit Technology Leader category.

Dan Haagman

Dedicated to strategic cyber security thinking and research, Dan Haagman is the CEO and founder of Chaleit, a seasoned leader in global cyber security consulting, and an Honorary Professor of Practice at Murdoch University in Perth, Australia.

With nearly 30 years of experience, he began his journey at The London Stock Exchange, where he pioneered the development of their first modern SOC and defensive team. As a co-founder of NotSoSecure and 7Safe, both acquired by reputable firms, Dan has left a lasting impact on the industry.

Today, Dan leads a team of brilliant minds in seven countries, all focused on delivering world-class cyber security consulting. Chaleit reflects Dan’s vision for the industry’s future. Built on the core principles of longevity and transparency, the company is poised for a public offering within the next few years. 

Dan has a passion for learning. With a pen and paper at hand, he dedicates significant time to reading, researching, designing systems, and learning with clients and peers with the goal of being a leading thinker and collaborator in the cyber industry.

Disclaimer

The views expressed in this article represent the personal insights and opinions of Dan Haagman and Noel Toal. Dan Haagman’s views also reflect the official stance of Chaleit, while Noel Toal’s views are his own and do not necessarily represent the official position of his organisation. Both authors share their perspectives to foster learning and promote open dialogue.
