
27 Oct 2025

15 min reading time

The School of Hard Knocks CISO

Bil Harmer CISO

TL;DR

The true measure of a CISO is how well they protect the business itself.

That belief drives the conversation between Bil Harmer (Fractional CISO, Startup Security Advisor) and Dan Haagman (CEO, Chaleit). Bil, working across venture capital portfolios, describes what it means to wear three hats at once: internal CISO, fractional CISO, and trusted advisor. Dan adds his perspective from consulting with CISOs daily, underscoring that the role demands technical expertise but also business acumen, resilience, and integrity.

Together, they argue that resilience comes from “the school of hard knocks”, independence is essential for ethical decision-making, and the very title “CISO” may no longer capture the real work of security leadership.

Context

The role of the Chief Information Security Officer has always been complex, but in recent years it has become even more misunderstood. Too often, boards and executives still assume the CISO’s job is simply to “stop the hackers”. As Bil explains:

“As soon as you say CISO, everybody — especially those outside the industry — automatically thinks: it’s the techie guy that stops the hackers. That’s one part of what we do, but far from the whole picture.”

Dan adds that reaching CISO is usually seen as the pinnacle of a career, something earned through experience rather than bestowed. In venture capital, the function takes on a new shape. Bil is not only protecting one organisation, but advising dozens of portfolio companies at very different stages of growth. Some are pre-seed startups with two engineers, others are scaling businesses with established teams.

This creates a tension between technical detail and business strategy, between immediate incident response and long-term planning. As Bil puts it, “cookie-cutter doesn’t work”. What succeeded at one company cannot simply be transplanted into another. The CISO role is increasingly about context, adaptability, and acumen.

From here, their conversation turns to the most pressing challenges CISOs face today, starting with the widening gap between technical security work and business reality.

Challenges

Challenge #1. Security without business context

One of the sharpest criticisms is aimed at CISOs who remain locked in technical detail. Reporting CVEs, patch counts, or compliance tick boxes without tying them to business risk creates what Dan calls “false confidence”.

“If you don’t understand the business, you cannot protect it,” Bil puts it simply.

In his view, security leaders must understand how revenue is generated, where financial processes are vulnerable, and how operational workflows drive risk. Otherwise, they end up protecting laptops instead of protecting the company.

This disconnect is well documented. A 2023 PwC survey found that 70% of CEOs feel CISOs struggle to explain cyber risk in business terms.

Bil’s point is that the problem isn’t simply communication but mindset. A CISO who doesn’t study the business is already failing in their duty.

For example, “identity is probably the single biggest problem we have on the internet today. We still haven’t found a way to reliably attribute the human being to the digital world without creating a full Big Brother system.”

In healthcare, for instance, doctors must authenticate instantly to access patient records. The stakes are life and death, so the process must be both fast and watertight.

Bil notes that if security leaders can take lessons from sectors like healthcare and apply them elsewhere, they can simplify identity without losing integrity. That kind of cross-pollination only happens when CISOs make the effort to learn how different businesses actually function.

The challenge is big enough in a single company. In a portfolio context, the complexity multiplies.

Challenge #2. Wearing multiple hats

Bil’s role at Craft Ventures is unusual, he admits. He operates as a traditional CISO internally, a fractional CISO for several portfolio companies, and an advisory CISO for others who call on him only in emergencies.

“I literally have all three of those jobs. Some companies I meet with regularly, I’ll even join sales calls. Others only call when there’s an incident.”

This variety can be energising but also disorienting. Dan compares it to the Thunderbirds television series: “It’s almost like Thunderbirds, selecting the mission pod — incident response, advisory, or board strategy.”

Bil extends the analogy further:

“My wife calls me James Bond because you adopt the persona of the mission, then shed it and pick up new tools for the next one.”

This constant context switching demands breadth, depth, and humility. What works for a healthcare scheduling startup does not work for an AI simulation company.

But the challenge is not only variety. The strain of switching roles and managing expectations feeds directly into another problem: burnout.

Challenge #3. Burnout and short tenures

Industry reports often cite burnout as the main reason for the shrinking average CISO tenure. But Bil questions whether burnout is the true cause. He argues that many CISOs lack leverage.

“Have a year in the bank. Because sooner or later, you’ll be asked to do something that compromises your morals or the law. If you’re leveraged — mortgage, kids, car payments — you’ll bend. If you’re not, you can walk.”

For him, independence is the key to integrity. It allows a CISO to say no when pressured and to make clear-eyed decisions without fear of losing their job.

Bil also reframes what others might call stress: “I don’t do stress. If I can effect change, I do. If I can’t, it’s not important.” It’s a practical lens that contrasts with the industry’s narrative of burnout and mental overload.

The conversation about resilience leads to the fourth challenge: whether the title of CISO itself still captures what the role should represent.

Challenge #4. The CISO title itself

Finally, Bil questions the title itself because it sends the wrong message.

“The CISO title should die and go away. It imparts the wrong ideology. Engineers come out of university, call themselves CISOs, and have no security or business training. Would you call yourself a certified accountant without the qualifications? No.”

The lack of professional standards, he argues, leaves companies misled and CISOs vulnerable. Some are even being held personally liable by regulators like the SEC.

Dan offers a balancing perspective: the “school of hard knocks” remains the real learning experience. Credentials matter, but nothing replaces the scars earned from long nights, failed audits, and firefighting incidents.

Together, their discussion highlights a profession caught between informality and increasing accountability.

But what can CISOs do differently? Both experts share practical solutions.

Solutions

Solution #1. Reframe security as business risk

Bil suggests replacing the CISO label with “technology risk leader”. That reframing forces security leaders to align with business priorities, not technical metrics.

“We should be trained the same way a CEO is trained. Move through different departments, learn finance, sales, and investment. If you know the business better than anyone else at the table, you can protect it.”

This means speaking the language of revenue and ROI. For example, instead of reporting vulnerabilities, Bil advises saying something like: “Here’s how we protect $25 million of revenue by investing $800,000 in controls, eliminating 92% of the risk.”

This framing instantly resonates with CEOs because it ties security directly to outcomes.

Once CISOs start thinking in these terms, the next step is to learn to be flexible.

Solution #2. Adopt a chameleon mindset

Rather than clinging to a single identity, CISOs, especially in portfolio or advisory roles, must be adaptable. As Bil describes, one week he may be an incident responder, the next a sales engineer, the next a board advisor.

“Change is simply an act of survival. Be a chameleon.”

Dan adds that this flexibility actually keeps CISOs sharp, preventing skill atrophy: “It keeps you current, super current. That’s mastery, intentional practice across many fronts.”

Adaptability also plays out in unexpected ways when working with startups. Bil describes conversations with founders and engineers who come in convinced they have a breakthrough product.

“You sit and talk to them for an hour or two, and then you see the penny drop. The idea just isn’t viable — either it won’t work technically, or it will cost so much that no one will pay for it. You never say ‘your idea’s bad’, but you watch them come to that realisation. Then they go off, iterate, and come back with something that really can work.”

That kind of mentoring is as important as traditional risk management. By flexing between coach, critic, and advisor, the CISO helps young companies refine their business model itself.

The lesson: resilience and relevance come from exposure to varied challenges, not from doing the same thing over and over again.

But adaptability alone won’t sustain integrity if CISOs feel trapped by financial or organisational pressures. That’s where independence becomes critical.

Solution #3. Build independence for integrity

Burnout cannot be solved by mindfulness apps or shorter tenures. The real fix, Bil argues, is independence.

“When you’ve got a year in the bank, you think differently. You articulate differently. You speak with integrity because you know the decision won’t end your life.”

Dan notes how rare it is to hear a security leader advocate financial preparation as part of professional resilience.

Resilience also comes from experience — again, “the school of hard knocks”. Harmer recalls his early days when Sony rolled in new Sun servers months before they were needed. “The first question out of my mouth was, Can I play with it? From then on, I broke that thing constantly and learned by putting it back together again.”

He links that same mentality to the “chaos monkey” principle: pulling cables at random to see whether systems really are resilient. Bil and Dan both recount testing resilience in production years earlier; in their view, real confidence comes from deliberately pushing systems — and yourself — to breaking point, then learning to recover.

Even with independence, though, the profession itself still lacks structure. That leads to the final solution: formalising the role.

Solution #4. Formalise the profession

While Bil believes the CISO title is flawed, he supports efforts to credentialise it.

“If we’re being treated as professionals — sued by the SEC, held accountable — then we need professional standards.”

Dan agrees that certification may help, but warns not to discount lived experience.

The solution lies in balance: formal frameworks to ensure competence, combined with recognition that resilience and judgment only come from hard-earned scars.

With these solutions in mind, we end with a few lessons all security leaders can apply, regardless of industry or title.

Key takeaways

  1. Business acumen is security acumen. You cannot protect what you don’t understand.

  2. Flexibility is a strength. Be prepared to play multiple roles, sometimes in the same week.

  3. Independence enables integrity. Financial leverage undermines decision-making; CISOs need room to say no.

  4. Resilience is earned, not taught. True confidence comes from scars, not certifications alone.

  5. Titles matter less than acumen. “Technology risk leader” may describe the job more honestly than “CISO”.

  6. Collaboration must mirror adversaries. Threat actors share openly; security leaders must too.

The discussion between Bil and Dan is about more than just redefining a job title. It’s about recognising the realities of leadership in cyber security: the need for business fluency, the value of resilience, and the courage to stand firm under pressure.

Or, as Dan put it when reflecting on his own work:

“Resilience comes from calluses. You have to live the problems.”

At Chaleit, we share this conviction. Cyber security done right is about clarity, resilience, and protecting what truly matters to the business. If you’re ready to focus on what makes the difference, we’re here to help.

About the authors

Bil Harmer

With over two decades in the trenches of cybersecurity, Bil Harmer has helped steer startups through chaos, scale, and scrutiny. He’s built programs from scratch, cleaned up after breaches, and advised boards before the regulators came knocking. CISO (Supabase, Craft Ventures, SecureAuth, Zscaler & SuccessFactors), trusted advisor (Ragie, Kitecyber, SecurityPal, Adallom) and frequent speaker, Bil blends deep technical knowledge with the business acumen to make security a strategic advantage—not just a fire drill.

Dan Haagman

Dedicated to strategic cyber security thinking and research, Dan Haagman is a global leader in the cyber domain — a CEO, client-facing CISO, Honorary Professor of Practice, and trusted advisor to some of the world’s most complex organisations.

Dan’s career began nearly 30 years ago at the London Stock Exchange, where he was part of the team that developed its first modern Security Operations Centre (SOC). He went on to co-found NotSoSecure and 7Safe, both acquired after helping shape the industry’s penetration testing and training practices.

His deepest commitment is to what followed: Chaleit — a company that has become Dan’s life’s work and passion. Founded not just to participate in the industry, but to elevate it, Chaleit brings together deep offensive testing capabilities and mature consulting, helping clients move from diagnosis to resolution. Dan has spent years learning how to solve problems, not just report them — and that mindset is now embedded into Chaleit’s DNA: working the problem, not passing it along.

Today, he leads a globally distributed team across seven countries, steering Chaleit with principles of longevity and transparency, and guiding it toward a future public offering.

Dan is also the founder of the CISO Global Study, an open-source initiative created for the benefit of the broader industry. Through it, he works alongside hundreds of CISOs globally, distilling insight, exchanging learning, and challenging the assumptions that shape the field. Behind this sits a Doctoral research program, specifically a DIT (Doctorate of Information Technology) to provide rigour and ethics.

He is a respected conference chair and keynote speaker, leading CISO events across Australia (Perth, Brisbane, Canberra, Melbourne, Sydney), as well as New Zealand, Singapore, and New York City. He sits on the Australian CISO Advisory Board for Corinium and is a 2025 judge of the CSO Awards.

A lifelong learner and systems thinker, Dan is currently pursuing applied doctorate-level research into cyber security leadership. He has authored multiple MSc programmes grounded in commercial and operational relevance.

Disclaimer

The views expressed in this article represent the personal insights and opinions of Dan Haagman and Bil Harmer. Dan Haagman's views also reflect the official stance of Chaleit, while Bil Harmer's views are his own and do not necessarily represent the official position of his organisation. Both authors share their perspectives to foster learning and promote open dialogue.
