
20 Jan 2025

Strategy, Technical

5 min reading time

The Contextual CISO: Matching Leadership to Organisational Need


TL;DR

The traditional view of CISO effectiveness as a binary measure fails to account for organisational context and evolving industry needs. Modern CISOs must move along the spectrum between transformational and stabilising leadership while balancing technical depth with business acumen.

Success in cyber security leadership isn't about achieving perfect security but about matching security posture to business context and needs.

Context

The CISO role is increasingly recognised as a business leadership function, evolving from a purely technical position. However, this shift comes with mounting pressure and challenges.

Chief Information Security Officers face difficulties balancing budget constraints with growing cyber security demands. A recent survey revealed that 51% of CISOs cite budget limitations as their primary obstacle, a 16% increase from the previous year, with 61% reporting budget increases paired with unrealistic expectations.

Another issue is a shortage of skilled professionals, as 48% of CISOs report gaps in expertise, particularly in areas like risk assessment and cloud security. Regulatory compliance adds further pressure, with 64% of CISOs stating that evolving standards outpace their ability to achieve compliance.

Also, a recent Harvard Business Review survey of 600 boardrooms revealed that only 47% of directors regularly interact with their company's CISO, indicating a significant gap between security leaders and board directors.

Adding to these pressures is a disconnect in how we measure security effectiveness. Traditional metrics suggest that a CISO should aim for complete security coverage, zero vulnerabilities, and immediate incident response. Yet the reality is far more complex.

In this collaborative essay, Quentyn Taylor, Snr Director of Information Security at Canon Europe, Middle East and Africa, and Dan Haagman, CEO of Chaleit and External CISO, explore how security leaders can break free from binary thinking about "good" versus "bad" security. Through their extensive experience, they examine how different types of CISOs — from transformational leaders to long-term stabilisers — can effectively serve their organisations' needs.

Through practical examples and insights drawn from decades of experience, they argue that effective security isn't about achieving perfection but about understanding what's "normal" for each organisation.

Challenges

CISOs face complex, interconnected challenges that go beyond technical security concerns. From misaligned perceptions to deep-rooted cultural barriers, these challenges show how security professionals struggle to reconcile binary thinking with nuanced organisational needs.

A skewed perception of "good" security

One of the most significant challenges security leaders face is the skewed perspective of what constitutes "good" security.

The industry's standards and best practices are predominantly shaped by heavily regulated sectors, creating potentially unrealistic expectations for organisations operating in different contexts.

Quentyn illustrates this through a comparison: "Many years ago, I was having dinner with the head of information security for a large international bank operating in both London and the Far East. They mentioned that their division employed around 3,700 people. At that time, my own security team consisted of only eight individuals." This disparity isn't necessarily a problem, Quentyn explains, because "different companies have different security needs, have different regulator needs and operate at different scales and global scopes."

This perspective is reinforced by Dan, who argues that "security does not need to be absolute. Rather, it's about achieving a determined level of security that the business requires — an understanding that needs to be nurtured and communicated effectively throughout the organisation."

Security leadership requires a more nuanced understanding of organisational context and business objectives. However, achieving this understanding becomes increasingly difficult as the industry faces another critical challenge: the erosion of technical expertise.

The technical depth crisis

The growing disconnect from fundamental technical understanding threatens to undermine even well-contextualised security programs.

Quentyn explains: "As an industry, we're losing the ability to cultivate individuals with a deep understanding of how systems and components function. Instead of relying on manufacturer specifications, we need to foster a workforce that can grasp the fundamental principles behind how things operate."

Dan reinforces this point by observing that "fundamental laws of physics govern our world. A switch remains a switch, and cloud computing still relies on physical servers, generating heat and consuming power. Technology may evolve, but underlying principles remain constant."

This technical knowledge gap, while concerning on its own, often manifests in an even more problematic way: organisational barriers that hinder effective security leadership.

The cultural barrier

Perhaps the most common challenge facing security leaders is internal conflict. While external threats continue to multiply, many organisations find themselves hampered by internal discord.

Quentyn notes: "The primary threat lies externally, not within the organisation. Unfortunately, internal conflicts often arise, leading to unproductive 'political' manoeuvring and the misallocation of resources."

Instead of engaging in internal battles, he advises that it would be far more efficient and effective to unite as a team, focus on understanding the external threats, and develop a cohesive strategy to counter them effectively.

Yet this cultural challenge extends beyond internal team dynamics into the broader security industry's approach to testing and validation.

Adversarial relationships

The security industry has traditionally thrived on oppositional thinking: security vs. business, red team vs. blue team, compliance vs. innovation. This binary approach creates what Quentyn describes as "two groups that are kind of at war with each other," ultimately undermining organisational effectiveness.

He challenges the current state of red teaming: "Many red team companies have lost sight of their primary objective, which should be to improve the overall security posture of the client organisation." Instead of focusing solely on successfully breaching systems, the primary measure of success should be leaving the organisation in a more secure state than it was before the red team engagement, he believes.

"The current approach often involves adversarial relationships," Dan agrees. "For example, when engaging a firm like Deloitte for accounting services, we wouldn't withhold our financial records and demand that they prove their capabilities without any access to the actual data. This adversarial approach is simply illogical."

These interconnected challenges paint a complex picture of CISOs' reality. The industry is caught between binary thinking and nuanced needs, technical requirements and business imperatives, collaboration and conflict.

However, within these challenges lie opportunities for transformation.

Solutions

Quentyn and Dan propose practical solutions that embrace context-aware security leadership while maintaining technical excellence. Here's how organisations can move beyond binary thinking to build more effective security programs.

Context-appropriate security measures

Quentyn emphasises the importance of understanding organisational context:

"Professional pride often dictates a desire to run a company to its absolute best potential. However, it's crucial to recognise that 'the best' for one organisation may not be the same as 'the best' for another. What truly matters is achieving the level of excellence that is most suitable for that specific organisation's unique needs and circumstances."

He shares an example that illustrates the importance of context-appropriate security measures: "I remember a conversation with an executive from a major energy company. He discussed an acceptable infection rate for his organisation, stating that they had determined 3% to be an acceptable level. He explained that even with a 3% infection rate, they could still maintain a perfectly profitable and healthy business."

This demonstrates an important principle: There is no good or bad, just what is appropriate for that particular kind of company. However, implementing this context-appropriate approach requires the right type of security leadership at the helm.

Matching the leadership style to organisational need

The traditional view of CISO tenure suggests that longer is always better. However, as Quentyn observes, different organisational phases may require different types of security leadership:

"In some cases, CISOs may be brought in as interim leaders for transformative change. These 'transformational CISOs' are tasked with implementing significant security improvements and driving organisational change. Once the initial transformation is complete, they may transition out, allowing another CISO to focus on stabilising the new security posture and maintaining ongoing operations."

Drawing on Quentyn's experience, the authors suggest that organisations honestly assess whether they need:

  • A transformational CISO to drive major change
  • A stabilising CISO to optimise and maintain
  • A hybrid approach that evolves with organisational maturity

The key to success lies in matching leadership style to organisational context — understanding not just where the organisation is today but where it needs to go tomorrow. This requires careful evaluation of current security maturity, immediate challenges, and long-term objectives.

Yet even the most appropriate leadership style can only succeed within the right organisational culture.

Transforming organisational culture

Quentyn emphasises the importance of proper sequencing in organisational change: "Organisational change must precede technological implementation. The IT system should then be designed to support the desired organisational changes."

Essentially, human behaviour and organisational goals should drive technological adoption rather than the other way around. Technology should empower and support human needs and aspirations, not dictate them.

Moving forward

These solutions work together to create a more nuanced and effective approach to security leadership. By moving beyond binary thinking, organisations can build security programs that are both more resilient and more sustainable.

The key lies not in choosing between different approaches but in understanding how to combine and apply them appropriately based on organisational context and needs.

The infosec industry's relative youth presents an opportunity to shape its direction. As Quentyn notes, "The industry is incredibly young," while Dan adds that experience comes from "seeing what works, seeing what doesn't."

As the security industry continues to mature, a more sophisticated approach to security leadership will become increasingly important for long-term success.

Key takeaways

1. Security effectiveness must be measured against organisational context, not universal standards.

2. Technical depth remains crucial even as the CISO role becomes more strategic.

3. Different organisations require different types of security leadership at different times.

4. Success requires balancing transformation with stability.

5. Human elements remain central to effective security.

6. Collaborative approaches yield better results than adversarial ones.

CISOs shouldn’t strive to achieve perfect security, Quentyn and Dan agree, but to achieve appropriate security.

Success in this role requires a nuanced understanding of both technical and organisational dynamics, coupled with the wisdom to know which battles to fight and how to fight them effectively.

At Chaleit, this philosophy forms the foundation of our approach to security leadership. When working with clients, we begin by understanding the unique context of each organisation. This enables us to provide solutions that align with both immediate needs and long-term goals, whether that means acting as external CISOs to drive major change or helping to stabilise and optimise existing security programs. Let’s talk security.

About the authors

Quentyn Taylor

Quentyn Taylor is the maverick Snr Director of Information Security at Canon Europe, where he’s been shaking up the status quo and redefining what it means to be secure in the digital age. With a career spanning the wild west of dotcom startups to the high-stakes world of global business, Quentyn is a force to be reckoned with.

He’s not just about ticking boxes and following protocols; Quentyn is on a mission to revolutionise document security, making it not just a necessity but a strategic advantage. His approach is bold, unapologetic, and always ahead of the curve. Whether he's forging strong business relationships or advocating for security integration, Quentyn does it with a flair that’s uniquely his own.

When it comes to cybersecurity, Quentyn Taylor is the name you want on your side – fearless, innovative, and always ready to take on the next big challenge.

Dan Haagman

Dedicated to strategic cyber security thinking and research, Dan Haagman is the CEO and founder of Chaleit and a seasoned leader in global cyber security consulting.

With nearly 30 years of experience, he began his journey at The London Stock Exchange, where he pioneered the development of their first modern SOC and defensive team. As a co-founder of NotSoSecure and 7Safe, both acquired by reputable firms, Dan has left a lasting impact on the industry.

Today, Dan leads a team of brilliant minds in seven countries, all focused on delivering world-class cyber security consulting. Chaleit reflects Dan's vision for the industry's future. Built on the core principles of longevity and transparency, the company is poised for a public offering within the next few years.

Dan has a passion for learning. With a pen and paper at hand, he dedicates significant time to reading, researching, designing systems, and learning with clients and peers with the goal of being a leading thinker and collaborator in the cyber industry.

Disclaimer

The views expressed in this article represent the personal insights and opinions of Dan Haagman and Quentyn Taylor. Dan Haagman's views also reflect the official stance of Chaleit, while Quentyn Taylor's views are his own and do not necessarily represent the official position of his organisation. Both authors share their perspectives to foster learning and promote open dialogue.


About this article

Series:

Cyber Strategy Collective

Topics:

  • Strategy
  • Technical
