TL;DR
Technical CISOs face unique challenges balancing technical expertise with business acumen, compliance requirements, and organisational politics. Drawing on decades of combined experience, Dan Haagman (CEO of Chaleit) and Ryan Black (CISO at BlackCloak) explore the emergence of the "T-shaped CISO": a security leader who combines deep technical knowledge with broad strategic skills.
This collaborative essay examines how these versatile security leaders deal with competing priorities, build credibility with engineering teams, and drive incremental security improvements whilst maintaining their integrity.
It offers practical insights for both aspiring CISOs and organisations seeking to leverage their expertise effectively, emphasising that security is fundamentally a negotiation.
Context
The role of the Chief Information Security Officer has undergone significant transformation in recent years, shaped by increasing technological complexity, regulatory pressures, and business demands.
As Dan notes, "There's a spectrum of CISOs out there, and that spectrum is business and compliance on one end and deep tech on the other."
This spectrum reflects the diverse challenges of organisations, from facing ever-shifting regulations to securing increasingly complex environments.
Coming from a technical background, Ryan emphasises that technical CISOs are valuable across organisation types: "While relevant in many contexts, it's especially beneficial in technical environments. My experience is primarily with SaaS and security services, which heavily rely on technical expertise." However, he highlights their importance in specific contexts: "It's more important in smaller to mid-sized companies where you may not have a larger security team."
In environments with limited resources, technical CISOs often must wear multiple hats and get their hands dirty. Rather than solely focusing on strategy, they frequently engage directly in solution design, architecture reviews, and hands-on implementation work.
The CISO role is marked by a high turnover rate. Research indicates an average tenure of just 18 to 26 months, significantly shorter than that of other executive positions. This brief tenure reflects the high-pressure nature of the role, particularly in technology-focused companies where technical debt and innovation create constant security challenges.
We're facing increasingly complex technical environments, with cloud computing, AI integration, and distributed architectures becoming the norm. Technical expertise in security leadership is increasingly valuable. However, it must be balanced with the political and business acumen necessary to navigate organisational complexities.
Challenges of technical CISOs
Technical CISOs have a complex and demanding job. They're stuck between tech, business, and security and need to effectively manage it all. Dan and Ryan highlight four main challenges that make or break a technical CISO today.
Balancing multiple competing priorities
The technical CISO faces unprecedented competing priorities, from tactical security implementation to compliance, client relationships, and strategic planning.
Dan compares this balancing act to helicopter piloting: "Think of it like controlling a helicopter. You need to manage four distinct axes: forward and backward movement, sideways movement, rotation, and vertical ascent and descent." Each axis requires attention, and at different moments, one may need more focus than others.
Ryan frames this challenge in terms of role flexibility:
"Due to staffing and expertise considerations, my roles often require me to be versatile, handling multiple responsibilities while actively collaborating with the team on hands-on tasks."
This is particularly acute in smaller organisations with limited resources, but it remains relevant even in larger enterprises where technical credibility is essential.
This range of responsibilities creates significant time management challenges. A recent study found that 93% of CISOs believe they spend too much time on tactical tasks, leaving limited capacity for strategic initiatives. The result is often reactive rather than proactive security management, with long-term planning sacrificed for immediate needs.
Building credibility and influencing engineering teams
For technical CISOs, perhaps no relationship is more crucial than the one with engineering and development teams. These relationships directly impact how effectively security can be integrated into products and processes.
Without sufficient technical credibility, security leaders often face resistance from engineering teams who view security requirements as unnecessary obstacles to innovation and productivity.
"In software and tech firms, a technical CISO's value lies in their ability to understand and engage with development teams, becoming a partner in problem-solving, as opposed to a purely administrative role," Dan explains.
The inability to effectively use the language of engineers and developers can lead to an adversarial relationship where security is seen as the "department of no" rather than a collaborative partner in building secure, robust systems.
This friction often manifests as shadow IT: unofficial tools and systems that exist when official channels are too restrictive or cumbersome. "We offer secure email, yet sensitive data is being exchanged over chat. This raises the question: what's driving this behaviour? Is our secure email platform hindering users?" Ryan asks.
According to a 2023 survey, more than 65% of SaaS applications used within organisations were unsanctioned, meaning they were adopted by employees without IT oversight. This shadow IT creates significant security risks that often remain invisible to security teams until a breach occurs.
Managing technical debt and acceptable risk
Perfect security is an illusion. Technical CISOs must make difficult decisions about which risks to address immediately, which to accept temporarily, and which to defer for later consideration.
As Ryan puts it: "Security is often a negotiation of how much you can give."
This negotiation is particularly challenging in fast-moving business environments where feature development and market pressures create competing priorities. "The pressure to deliver features, drive growth, and adhere to tight release cycles often forces a precarious balance, where we risk overlooking crucial details," Dan explains.
Many technical CISOs struggle with the "binary close all" mentality that Dan describes: "They insist on making everything a priority, and that just means nothing gets done properly." When everything is a priority, effective risk management becomes impossible.
Unlike other operational concerns such as cost or performance, security risks are potential future events rather than current measurable metrics. This makes them easier to deprioritise in favour of immediate business needs.
Organisational politics and personal liability
Perhaps the most profound challenge facing technical CISOs today is the increasing personal liability associated with the role, combined with complex organisational politics.
This reflects the changing regulatory landscape, particularly in the United States, where SEC regulations and other legal frameworks are increasingly holding security leaders personally accountable for breaches.
"There's a real issue with personal liability, and it's not something you can just insure away, because federal laws come into play," Dan highlights.
Ryan characterises the CISO role as one of inherent personal risk: "The CISO role carries significant personal liability and risk, as recent news events have demonstrated."
A survey of CISOs found that 88% report high levels of stress, with legal and regulatory concerns being significant contributors. This stress can impact decision-making, career longevity, and, ultimately, organisational security.
The political dimension compounds this challenge. Technical CISOs must deal with competing priorities, limited resources, and varying risk appetites across the organisation.
These dynamics create significant tension for security leaders trying to implement effective security measures while maintaining productive relationships across the organisation.
Solutions
Technical CISOs face tough problems, but experience points towards solutions. Dan and Ryan offer practical strategies to handle complexity, gain influence, manage risk, and protect yourself and your company.
Adopting a "T-shaped" skill model
The "T-shaped" model offers a valuable framework for technical CISOs dealing with the challenges we discussed.
Dan describes the ideal technical CISO as a "polymath," someone with broad knowledge and deep expertise in specific areas. Ryan agrees, stating, "That's been sort of my purposeful career," confirming he's followed a similar path.
This approach combines broad knowledge across multiple domains, such as compliance frameworks, client relations, risk management, and crisis response, with deep expertise in specific technical areas, such as architecture, threat modelling, DevSecOps, infrastructure, attack vectors, and incident response. The model enables the CISO to maintain credibility in technical discussions while also engaging effectively with business stakeholders.
To handle multiple demands, Ryan emphasises the importance of team collaboration.
"Even in a small team, you can support each other with your background," Ryan says, advocating for hiring individuals with diverse strengths to broaden the team's capabilities.
Meeting engineers "where they do their work"
Ryan believes a technical background builds instant trust. "Having a development background helps me have and maintain credibility with some of the engineering teams," he says. This credibility fosters collaboration, not conflict.
He emphasises that empathy builds credibility: "By meeting them where they do their work, understanding their daily work and showing empathy, you build credibility."
"So, you're a collaborator, challenger, empathiser, and solutioner," Dan summarises the versatility essential for effectively influencing technical teams.
Ryan's philosophy, "make the right way easier," is a key takeaway. He argues that security shouldn't create roadblocks. CISOs can solve the root cause of many security problems by simplifying secure practices.
"Good technical CISOs use their skills to improve security," says Ryan. "They work with teams but aren't afraid to say, 'Hey, we can fix this,' or 'Let's add this improvement.'"
As organisations adopt DevSecOps approaches, technical CISOs who can effectively engage with and influence engineering teams will play a crucial role in shifting security left, integrating it earlier in the development process where it's most effective and efficient.
Pragmatic, incremental risk management
Ryan emphasises the importance of pragmatic, incremental improvement. Security is not a binary state but a continuous journey, and some risks must be accepted as part of business operations.
Ryan offers a metaphor:
"It's simply not practical to lock the factory door every time a truck leaves for a delivery. This means the door remains open until the next truck arrives, which creates a potential security gap. However, constantly locking and unlocking the door would significantly hinder loading operations."
Studies indicate that organisations with mature risk management practices are less likely to experience severe risk events. However, even mature organisations must make calculated decisions about acceptable risk.
Ryan warns that without measurement, security concerns can be easily overlooked. "Measure those things," he stresses, "so you can have that conversation." When security issues lack clear metrics, they often lose out to more easily measurable business goals.
Dan shares an example from working with a tech client that highlights the power of a pragmatic approach to risk management. Despite having the right tools and processes, this company struggled with generic checklists, poor communication, and low engagement.
Instead of more rules, the Chaleit team focused on collaboration. They replaced checklists with discussions and brought security and development teams together. The result was improved risk scores across applications and enhanced cross-team collaboration and voluntary participation. The company could now demonstrate quantifiable progress in risk reduction while sharing an understanding of security priorities.
Technical CISOs can achieve better security by working with teams, understanding business needs, and making gradual improvements rather than forcing rigid compliance.
Setting clear boundaries and documenting risk decisions
The political dimension of the CISO role requires setting clear boundaries and expectations.
"Know your boundaries. Know when you should professionally decline to participate in something," Ryan recommends.
This includes clear documentation of risk acceptance. "That risk acceptance needs to live with the risk owner, and that's documented," Ryan advises. This protects both the organisation and the CISO, clarifying that business leaders own the final risk decisions.
While regulations can increase personal risk, they can also be useful, according to Ryan. He suggests that regulations requiring board involvement in security can elevate security discussions and ensure proper attention.
Ultimately, the most effective technical CISOs combine technical expertise with political savvy. They build relationships and frame security in terms of business value and risk, not just technical needs.
As Dan notes, finding the right organisational fit for a technical CISO is "absolutely darned pivotal."
Key takeaways
After exploring the challenges facing technical CISOs and effective solutions, several crucial insights deserve highlighting:
Technical credibility creates value. Technical expertise provides a foundation for collaborative relationships with engineering teams. Credibility enables security to be integrated into products and processes from the ground up rather than bolted on afterwards.
The "T-shaped" model provides a useful framework. Successful technical CISOs develop both broad business knowledge and deep technical expertise. This balance enables them to engage effectively with both technical teams and business stakeholders.
Making "the right way easier" prevents security workarounds. When security measures create significant friction, users will inevitably find workarounds. Technical CISOs who understand both user needs and security requirements can create solutions that work for both.
Security is a negotiation, not a binary state. Rather than pursuing perfect security, effective technical CISOs focus on continuous, pragmatic improvement, accepting that some risks are inherent in business operations.
Integrity and boundaries are essential for longevity. The increasing personal liability associated with the CISO role makes professional boundaries essential. This includes clearly documenting risk acceptance decisions and ensuring accountability rests with appropriate business leaders.
Organisational culture determines security effectiveness. The right organisational fit is crucial. A supportive culture that values security as a business enabler rather than a cost centre creates the conditions for technical CISO success.
The technical CISO role is crucial, bridging the gap between security realities and strategic priorities. The future of the role demands a "T-shaped" skillset, combining technical roots with strategic wings.
Across all areas, CISOs must excel in partnership.
"What you can accomplish in partnership with others is tremendous," Ryan notes.
Building strong relationships with various stakeholders is key to driving security improvements and enabling long-term success.
Chaleit champions this philosophy of partnership and collaboration. We offer concierge cyber security services that combine business acumen with technical expertise. Talk to our team to learn how we can help you achieve incremental security goals.
About the authors
Ryan Black
Ryan Black is a highly accomplished technology leader with a proven track record of driving impact across diverse disciplines, including penetration testing operations, Software as a Service (SaaS) platform architecture, development, and government compliance.
With over 20 years of experience in the information technology field, including 10 years in senior security leadership roles, Ryan combines hands-on engineering expertise, effective team enablement, and resourceful problem-solving skills to achieve pragmatic security at scale for BlackCloak.
Before joining BlackCloak, Ryan held strategic leadership positions at renowned security organisations, including HP Enterprise, Fortify, and Mandiant. He has also played a pivotal role in leading security engineering and compliance teams in early-stage start-ups, guiding these organisations to successful acquisitions.
Ryan holds several professional certifications spanning IT and security, including Certified Information Systems Security Professional (CISSP) and Certified ScrumMaster (CSM), as well as expertise in various cloud platforms.
Outside of his professional endeavours, Ryan actively contributes to the security community and is recognised as a leader in training events at notable industry conferences such as Black Hat, DEF CON, and ROOTCON. He has also made significant contributions to vulnerability research and responsible disclosure, including the development of multiple security assessment tools.
Dan Haagman
Dedicated to strategic cyber security thinking and research, Dan Haagman is the CEO and founder of Chaleit, a seasoned leader in global cyber security consulting, and an Honorary Professor of Practice at Murdoch University in Perth, Australia.
With nearly 30 years of experience, he began his journey at The London Stock Exchange, where he pioneered the development of their first modern SOC and defensive team. As a co-founder of NotSoSecure and 7Safe, both acquired by reputable firms, Dan has left a lasting impact on the industry.
Today, Dan leads a team of brilliant minds in seven countries, all focused on delivering world-class cyber security consulting. Chaleit reflects Dan's vision for the industry's future. Built on the core principles of longevity and transparency, the company is poised for a public offering within the next few years.
Dan has a passion for learning. With a pen and paper at hand, he dedicates significant time to reading, researching, designing systems, and learning with clients and peers with the goal of being a leading thinker and collaborator in the cyber industry.
Disclaimer
The views expressed in this article represent the personal insights and opinions of Dan Haagman and Ryan Black. Dan Haagman's views also reflect the official stance of Chaleit, while Ryan Black's views are his own and do not necessarily represent the official position of his organisation. Both authors share their perspectives to foster learning and promote open dialogue.