
12 Sept 2025

Strategy

15 min reading time

Security Leadership Is a Team Sport

Aysha Khan

TL;DR

Cyber security isn't a solo mission, and it never was.

Aysha Khan (CISO and CIO, Treasure Data) and Dan Haagman (CEO, Chaleit, author of the CISO Global Study) explore a deeply human way of leading: one rooted in clarity, collaboration, and intent. Rather than chasing the next tool or checklist, they argue for building resilient cultures, enabling shared accountability, and shaping leadership from the inside out.

Aysha draws on her experience at Oracle, Symantec, and the Bank of Montreal, as well as her six years leading IT and security at Treasure Data. There, she established a cross-functional risk forum that holds the entire executive team accountable. She believes that budget constraints are not an acceptable reason to accept risk. Dan brings the outside-in view, working with CISOs globally to challenge noise, dismantle bloated stacks, and push for simpler, smarter execution.

Together, they offer a clear-eyed reframing of what cyber security leadership looks like when it actually works.

Context: A leadership, not a tech problem

Organisations have poured billions into cyber security, and yet breaches continue. According to IBM's 2025 Cost of a Data Breach report, the average breach cost $4.44 million in 2024. For the third year in a row, phishing was among the top attack vectors, alongside compromised credentials and vendor and supply chain compromise.

Despite advances in tooling, detection, and automation, attackers still outpace defenders not because of a lack of technology, but because of a lack of coordination.

Security teams are overwhelmed by alerts and tools. According to the 2025 Cisco Cybersecurity Readiness Index, 70% of companies deploy more than 10 point solutions in their security environment, and 26% admit to using over 30.

At the same time, executive turnover is high. CISOs have the shortest average tenure of any C-suite role — just 18 to 26 months, according to several studies. This instability often reflects a mismatch between expectations and structure: CISOs are held accountable for risks they can't control and outcomes they can't deliver alone.

As Aysha puts it, "Security is not just a technical issue; it's also a business issue. If you attempt to solve a business issue without involving the business, you will end up facing obstacles."

Dan sees these challenges up close. "I see security teams buried in dashboards, alerts, and backlog. Meanwhile, the real risks are sitting outside that stack."

What’s missing isn't another tool or another framework. What’s missing is a different kind of leadership, one that creates space for shared ownership, structured decisions, and personal growth.

This essay looks at the underlying challenges that prevent security from becoming a real business enabler, and what to do instead.

Challenges

Challenge #1. The lone hero CISO

The stereotype of the all-knowing, lone CISO, which Aysha refers to as the "Martyr CISO," still persists. Too many security leaders are expected to shoulder the entire burden of risk: reporting to the board, translating technical problems, managing implementation, and keeping the organisation out of the news.

Aysha emphasises, "The role of the CISO was never intended to be a solo mission. If you believe that your responsibility is solely to protect systems and not to foster growth and differentiation by building a culture of trust, you are doing a disservice to the company."

Dan notes how rare it is to see decision-making structures that reflect this reality.

"Most of the time, I see CISOs acting alone, not because they want to, but because there's no structure to support shared responsibility."

This expectation of sole responsibility often leads to overcompensation, where technology becomes the crutch. In the absence of distributed ownership, many CISOs turn to tools as proxies for control. But tool sprawl doesn’t solve leadership gaps. It creates noise.

Challenge #2. Tool overload and technical fixation

Security stacks are growing faster than teams can manage them. But more tooling doesn't mean more protection, and often obscures where real threats are hiding.

Dan recalls a client who spent 120 days on application testing with two top-tier pen testing firms. "And yet, their most critical vulnerability — a misconfigured Okta instance — went unnoticed. We bypassed MFA using exposed credentials in under a week." If you’d like to understand better why these situations occur, read this guide to effective pen testing in 2025.

Aysha cuts to the core of the problem:

"Many of these companies aren't even companies. They're features pretending to be products, and products pretending to be platforms."

This growing reliance on tools also reflects a deeper challenge: a lack of meaningful integration between security and the rest of the business. When CISOs aren’t brought into broader strategic conversations, they end up firefighting technical issues that no one else understands or owns. Which leads us to the next issue.

Challenge #3. No strategic translation across the business

Security isn't always welcome in business conversations. CISOs often speak a different language from their peers in HR, finance, or product, a gap that can stall progress.

"You can't build secure systems in isolation," Aysha says. "So I had to understand what my CPO, CTO, CFO, and HR leads cared about. Then we built department-specific security training to make it real for each of them."

Without translation, implementation teams lack clarity. "If you ask any delivery team what they need from leadership, they'll say: clarity of direction. How do you provide that when top management isn't aligned?"

But even when CISOs do gain a seat at the table, another issue appears: leading under pressure. The weight of expectation, combined with a lack of internal clarity, often erodes confidence and resilience. 

That brings us to the final challenge: how leadership falters when personal development is missing.

Challenge #4. Lack of inner work in security leadership

Cyber security is a high-pressure job. Burnout, fear of blame, and endless firefighting come with the territory. What’s often missing is the personal work to manage that pressure.

"The depth of your leadership is a reflection of the depth of your self-development," says Aysha. "If you're emotionally reactive or unclear about your intent, it's going to show up in how you lead."

Dan sees the consequences daily. "People are constantly cycling through tools, vendors, frameworks. They don’t stop. They don’t think. And without space to think, you can’t lead."

Aysha takes it further, explaining her leadership attitude: “I don’t lead to please people, I lead to bring out their best. That means creating real psychological safety where people know they’re supported. But safety also requires truth. When something isn’t working, I’ll name it. Because leadership isn’t about avoiding discomfort, it’s about guiding people toward growth, accountability, and their highest potential.”

The challenges are clear and can be overcome. What Aysha and Dan demonstrate is that deliberate leadership, structural change, and personal accountability can turn these friction points into progress. 

In the next section, we look at the practical steps they've taken and what others can learn from them.

Solutions

Solution #1. Build shared accountability

At Treasure Data, Aysha created a company-wide risk committee where no executive can accept risk alone. Every risk discussion involves the CISO, CLO, and CTO, and if they can't reach consensus, it goes to the CEO.

"Budget is not an acceptable reason to accept risk," Aysha explains. "If a peer says they can't fix something because there's no money, we escalate together. We're allies in that decision."

This system shifts security from a siloed function to a shared concern. It also provides a structured record of decisions, valuable for regulatory oversight, especially under SEC scrutiny.

Dan sees this as a standout example. "It’s intentional, defensible, and most importantly, it works."

Solution #2. Practice constraint and subtraction

Both experts advocate for simplifying security stacks, not expanding them. The goal: clarity over coverage.

"We don't have an unlimited budget. I want every product in my stack to earn its place. If I have one product that does three things, and another that overlaps for just one extra feature, why do I need both?" Aysha asks.

Dan encourages CISOs to treat constraints as an advantage: "You cannot spend your way secure. The best results often come from thinking clearly under constraint, not throwing more tools at the problem."

Solution #3. Make security business-relevant

Aysha has embedded security within business units by making it relevant to their work. "We replaced one-size-fits-all security training with department-specific sessions. What does security mean for HR? For finance? For marketing?"

This led to better engagement, faster incident response, and stronger communication up and down the organisation.

Data backs this up. NIST (National Institute of Standards and Technology) research found that segmented phishing training targeted to job functions reduced successful phishing attacks by 38%, while generic training reduced them by only 16%.

Studies also show that regular, ongoing, and interactive customised training increases employee engagement by 72%, versus far lower rates for tick-box or passive generic training.

Solution #4. Develop yourself to lead others

"I pair empowerment with accountability. I ask my team, ‘How can I make your experience twice as good?’, and then I listen. Because when people feel empowered, they step into a higher version of themselves," Aysha says.

"Self-awareness is the ultimate filter. If you’re pretending, you’ll only attract pretenders. The universe doesn’t respond to what you want; it mirrors who you are."

Dan echoes the need for deliberate reflection.

"Most CISOs are drowning in doing. They need to create space to think. That’s the only way you build something that actually works."

There is strong evidence that leaders with high emotional intelligence, defined by self-awareness, self-regulation, empathy, and social skills, are significantly more effective. Leaders with high EI excel in stress management, conflict resolution, team motivation, and adaptive decision-making.

Actionable practices for self-development include:

  • Schedule regular personal reflection time to assess how you show up as a leader.

  • Ask for feedback from your team and listen carefully.

  • Create space for collaboration, such as team problem-solving sessions, cross-functional discussions, or rotating leadership roles.

  • Support others’ growth by modelling vulnerability, clarity, and long-term thinking.

  • Talk to other CISOs to normalise shared learning over heroic individualism.

Key takeaways

Aysha and Dan show what happens when CISOs stop chasing perfection and start investing in clarity: clarity of roles, clarity of risks, and clarity of self. When leaders create space to think and talk openly, security shifts from noise to meaning.

  1. Security is everyone’s business. Shared decisions build stronger outcomes.

  2. More tools don’t equal better security. Constraints sharpen focus.

  3. Don’t just report risk, translate it. Make it meaningful to the business.

  4. Leadership starts within. Reflection and self-regulation are non-negotiable.

  5. Honest conversations drive progress. Truth spoken openly creates trust.

  6. Budget isn’t a blocker. It’s a boundary to work creatively within.

Security done well doesn’t mean the CISO has all the answers. It means they create the conditions for the right answers to emerge.

That requires structure and clarity. And most of all, it requires a team mindset. As Dan says, "The best security leaders I know aren't chasing the stack. They're thinking clearly, collaborating intentionally, and holding the mirror up to themselves and their peers."

Security leadership isn't about control. It's about coordination. And it works best when it's done together.

If you're building a security function that prioritises collaboration over complexity, and you're ready to cut through the noise, connect with us at Chaleit.

We work with CISOs, boards, and security teams to structure meaningful conversations, build defensible strategies, and fix what matters. No silver bullets. Just security done properly.

About the authors

Aysha Khan 

Aysha Khan is an award-winning CISO and CIO with 20+ years leading cybersecurity, risk management, AI, and digital transformation at high-growth startups and billion-dollar enterprises.

Recognized as Cybersecurity Leader of the Year 2024 and among 100 Inspirational Women in Cybersecurity, she combines deep technical expertise with board-level vision. At Treasure Data, she advanced security and IT strategy while scaling global operations. 

An active angel investor and advisor, she supports leading security startups while guiding U & I Ventures and Silicon Valley CISO Investments. A frequent global keynote speaker and board advisor, Aysha is recognized for advancing security as a business enabler and driving meaningful impact at scale.

Dan Haagman

Dedicated to strategic cyber security thinking and research, Dan Haagman is a global leader in the cyber domain — a CEO, client-facing CISO, Honorary Professor of Practice, and trusted advisor to some of the world’s most complex organisations.

Dan’s career began nearly 30 years ago at the London Stock Exchange, where he was part of the team that developed its first modern Security Operations Centre (SOC). He went on to co-found NotSoSecure and 7Safe, both acquired after helping shape the industry’s penetration testing and training practices.

His deepest commitment is to what followed: Chaleit — a company that has become Dan’s life’s work and passion. Founded not just to participate in the industry, but to elevate it, Chaleit brings together deep offensive testing capabilities and mature consulting, helping clients move from diagnosis to resolution. Dan has spent years learning how to solve problems, not just report them — and that mindset is now embedded into Chaleit’s DNA: working the problem, not passing it along.

Today, he leads a globally distributed team across seven countries, steering Chaleit with principles of longevity and transparency, and guiding it toward a future public offering.

Dan is also the founder of the Global CISO Study, an open-source initiative created for the benefit of the broader industry. Through it, he works alongside hundreds of CISOs globally, distilling insight, exchanging learning, and challenging the assumptions that shape the field. Behind this sits a Doctoral research program, specifically a DIT (Doctorate of Information Technology) to provide rigour and ethics.

He is a respected conference chair and keynote speaker, leading CISO events across Australia (Perth, Brisbane, Canberra, Melbourne, Sydney), as well as New Zealand, Singapore, and New York City. He sits on the Australian CISO Advisory Board for Corinium and is a 2025 judge of the CSO Awards.

A lifelong learner and systems thinker, Dan is currently pursuing applied doctorate-level research into cyber security leadership. He has authored multiple MSc programmes grounded in commercial and operational relevance.

Disclaimer

The views expressed in this article represent the personal insights and opinions of Dan Haagman and Aysha Khan. Dan Haagman's views also reflect the official stance of Chaleit, while Aysha Khan's views are her own and do not necessarily represent the official position of her organisation. Both authors share their perspectives to foster learning and promote open dialogue.


About this article

Series:

Cyber Strategy Collective

Topics:

  • Strategy
