TL;DR
Despite billions spent annually on cyber security tools and compliance programs, breaches continue to affect organisations. The root cause often isn't a lack of tools or technology but a failure to understand and apply the fundamentals. Through simple threat modelling and a focus on operational basics, organisations can build more effective security programs that actually prevent breaches rather than just check compliance boxes.
The article below offers solutions to a common challenge: how to simplify security decision-making in an industry that tends to overcomplicate solutions.
The context: Security's complexity crisis
Cyber security is getting more complex, and the answer to a better security posture isn't necessarily investing in more tools.
According to the 2024 Cost of a Data Breach Report, the global average cost of a breach jumped 10% to reach USD 4.88 million — the largest increase since the pandemic. More telling is what's driving these breaches: 30% of organisations cite "the complexity of too many disaggregated tools for cyber security" as their primary challenge, while 22% struggle with the basic task of discovering all assets in their attack surface, as shown by a 2024 Enterprise Strategy Group and Dell report.
Organisations are responding to breaches by increasing security investments, with almost two-thirds planning to boost spending — a 23.5% rise over the previous year. Yet throwing more money at the problem isn't always the answer.
While organisations focus investments on incident response planning (55%) and threat detection technologies (51%), they continue to grapple with fundamental challenges: 26% report their cyber security staff lacks the skills to deal with sophisticated threats, as shown by the reports quoted above.
In an insightful interview, Dan Haagman, CEO of Chaleit, explores together with Adam Shostack, a leading authority on threat modelling and former Microsoft security leader, how organisations can move beyond complex security frameworks to implement effective, simple solutions that actually prevent breaches.
Drawing on the architectural principle that "you can fix a problem on the drawing board with an eraser or on the job site with a jackhammer," Dan and Adam argue that effective security isn't about implementing more tools or controls but understanding how systems actually work and addressing risks at their source.
Challenges
To understand why organisations struggle with this seemingly straightforward approach, let's examine four core challenges that repeatedly surface in security programs.
The complexity trap
The security industry's tendency toward complexity manifests in multiple ways. "Threat modelling enthusiasts often aim to create overly complex and elaborate approaches. This can turn a simple and effective process into a burdensome and time-consuming endeavour," Adam explains. This complexity is often a refuge, making security professionals feel more productive while actually reducing effectiveness.
Adam illustrates this through a recent experience at the University of Washington. After listening to someone explain their complex approach to threat modelling, he went to the whiteboard and drew a simple picture with four boxes. He demonstrated that complex explanations can often be replaced with simple, effective approaches.
We explore Adam's more straightforward approach in more detail in the solutions section below.
The data everywhere problem
Modern organisations face a critical challenge that many security programs fail to address: data sprawl.
Dan emphasises that data isn't simply static. Copies are frequently made for testing purposes, and these copies can easily end up in insecure locations, such as someone's personal desktop.
This proliferation creates what Dan calls "tentacles" of vulnerability extending far beyond the formal security perimeter.
The scale of this challenge is reflected in current industry research. IBM reports that shadow data played a role in one-third of all breaches last year, highlighting the challenges of tracking and securing data.
Organisations often don't know what data they have, where it resides or how it's being used. According to ESG, while 78% of organisations recognise that consistent cloud management would boost efficiency and simplify operations, only 5% have achieved such consistency.
This challenge is present in everyday business operations. Adam provides an example: "Currently, I'm dealing with a situation where two of my colleagues independently created copies of a 300-slide PowerPoint deck and made their own modifications. This now requires updating the deck in nine different places, but first, we must reconcile these conflicting versions." Such issues are not just inconvenient but pose security risks and create substantial data management hurdles.
The situation becomes even more concerning when research shows that more than 60% of sensitive data now resides on public cloud services, with that figure expected to reach 68% within two years.
The binary breach mindset
Recent IBM data show an alarming reality: breaches involving stolen credentials take an average of 292 days to identify and contain, with phishing attacks lasting 261 days and social engineering attacks persisting for 257 days. These extended timelines demonstrate that organisations aren't doing a very good job at detecting and responding.
One of the most problematic aspects that leads to this situation is the treatment of breaches as binary events. "A breach is not a singularity," Dan argues. "It's a continuum of operational components that make up and form a breach."
Adam suggests that security metrics should be viewed as operational metrics rather than purely security measures. Understanding normal system behaviour and identifying deviations provides better insight than traditional security-focused metrics alone.
The executive engagement challenge
Effective security requires consistent executive support, yet many organisations struggle to maintain it.
Adam shares a positive example: "During my time at Microsoft, Bill Gates attended a team event we hosted twice a year, known as 'Evil Day'." This level of executive engagement drove security awareness throughout the organisation.
However, this level of engagement is rare. Dan speaks of a common scenario where an initial request for a longer block of leadership time is met with pressure to cut it down. For example, there might be an initial request for four hours, but this quickly gets reduced to two. This cycle continues until it's hard to get enough people together to make decisions. Things get worse when key leaders leave, taking their valuable experience and knowledge with them.
This isn't merely about attendance at meetings. Adam emphasises that "tone at the top matters" and timing is crucial. He warns that by the time formal planning processes begin, key decisions have already been shaped through "pre-meeting coffee conversation." Security leaders not part of these early discussions find themselves trying to retrofit security into already-determined priorities.
The consequences of poor executive engagement are tangible. Without clear executive priority-setting, security initiatives get deprioritised, teams struggle to maintain consistent approaches, and organisations miss opportunities to learn systematically from incidents.
Solutions
While these challenges may seem daunting, Dan's conversation with Adam reveals tested, practical approaches that work. These solutions aren't about implementing more complex tools or controls; they focus on understanding systems, following data, and making security more intuitive for everyone involved.
Embrace simplicity through structure
The path to better security starts with simplifying approaches while maintaining rigour.
"Threat modelling essentially involves a simple exercise: visualising a system and then systematically exploring potential vulnerabilities. This seemingly minor step – drawing a picture and considering what could go wrong – is often overlooked, despite its crucial role in identifying and mitigating significant risks," Adam explains.
Adam's approach centres on four fundamental questions:
1. What are we working on?
The first question focuses on understanding the system. As Adam demonstrates in his University of Washington example, a simple diagram can often capture what's needed better than complex explanations.
2. What can go wrong?
The focus here is on realistic scenarios. As Adam points out, "We often overcomplicate things. It's crucial to question the 'why' behind our approach. Are we pursuing the most efficient and user-friendly solution, or are we unnecessarily adding complexity?"
3. What are we going to do about it?
The focus here is on practical responses. Adam emphasises that sometimes the answer is obvious — like when he encountered a healthcare system with sensitive data but no multi-factor authentication — and doesn't require complex risk analysis.
4. Did we do a good job?
The final question creates accountability and enables continuous improvement.
These questions are designed to be simple yet comprehensive, allowing teams to swap in different approaches for answering each question based on their specific needs and context.
Adam compares threat modelling to backlog grooming in agile development: it's essential work that needs regular attention and a dedicated time slot. Just as teams schedule regular backlog grooming sessions, organisations should establish regular threat modelling as a standard practice.
Follow the data
Dan emphasises that data often exists in fragmented and unprotected forms. He highlights that data might not be stored as a complete, securely encrypted dataset with robust protection.
The solution begins with understanding how data actually flows through an organisation. This means going beyond traditional data mapping to understand business processes and user behaviours.
"Why is Maureen's work not standardised?" Adam asks. "Do we really want Maureen doing her crucial business analysis in Excel on her desktop rather than in Smartsheet or Tableau?"
Successful organisations implement standardised data handling procedures that balance security with business needs. This includes role-based access controls, monitoring for data movement, and regular training programs.
The key is making secure data handling easier than insecure alternatives, encouraging compliance through convenience rather than enforcement.
Implement continuous security
Moving beyond binary breach thinking requires a fundamental shift in security operations.
Dan highlights that behavioural anomalies, such as unexpected login locations, can be strong indicators of potential security threats. He emphasises the importance of nuanced approaches, suggesting that instead of simply blocking all access, organisations could employ analytics to determine an acceptable threshold for unusual activity, such as limiting data exposure to 900,000 records instead of a blanket release of 9 million.
Security professionals should shift their perspective from a detection-and-response model to a continuous monitoring and intervention approach, where they can detect and interrupt malicious activities before they result in catastrophic data loss.
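The thresholding idea above, as an added example that is not part of the interview or of Chaleit's tooling: a small monitor that replays a constructed stream of record-export requests, raises a behavioural alert when a user logs in from a country outside their baseline, and interrupts the export once the user's cumulative pull crosses a cap, so exposure stops at the cap rather than after the whole dataset has left. The users, countries, cap and chunk sizes are constructed for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Decision:
    allow: bool
    reason: str


@dataclass
class ExposureMonitor:
    cap: int                  # records one user may pull per window (constructed)
    baseline: dict            # user -> set of usual login countries (constructed)
    pulled: dict = field(default_factory=lambda: defaultdict(int))
    alerts: list = field(default_factory=list)
    flagged: set = field(default_factory=set)   # de-duplicates repeated alerts

    def check(self, event: dict) -> Decision:
        user, country, n = event["user"], event["country"], event["records"]
        cap = self.cap
        if country not in self.baseline.get(user, set()):
            # An unusual location is a behavioural signal, not proof of compromise:
            # keep the session alive but shrink how much it may take out.
            if (user, country) not in self.flagged:
                self.flagged.add((user, country))
                self.alerts.append(f"{user}: login from unusual location {country}")
            cap = self.cap // 10
        if self.pulled[user] + n > cap:
            if (user, "cap") not in self.flagged:
                self.flagged.add((user, "cap"))
                self.alerts.append(f"{user}: export interrupted at {self.pulled[user]} records")
            return Decision(False, "cap exceeded")
        self.pulled[user] += n
        return Decision(True, "ok")


def run(monitor: ExposureMonitor, events: list) -> int:
    """Replay export requests in order; return the records actually exposed."""
    return sum(e["records"] for e in events if monitor.check(e).allow)


# Constructed sample: alice (usual GB login) tries to pull 9 million records
# in 300k chunks; bob logs in from an unseen country and pulls 50k chunks.
BASELINE = {"alice": {"GB"}, "bob": {"GB"}}
EVENTS = [{"user": "alice", "country": "GB", "records": 300_000} for _ in range(30)]
EVENTS += [{"user": "bob", "country": "XX", "records": 50_000} for _ in range(4)]


def demo():
    m = ExposureMonitor(cap=900_000, baseline=BASELINE)
    return run(m, EVENTS), m.alerts


if __name__ == "__main__":
    exposed, alerts = demo()
    print(f"records exposed: {exposed}")   # 950000, not the 9.2 million requested
    for a in alerts:
        print(a)
```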
Build security naturally into work
Achieving true simplicity in security requires significant expertise and effort.
Adam illustrates this principle through Japanese design: "Japanese design often embodies true minimalism... the meticulous effort invested in crafting something like a small wooden box might seem excessive. Yet, the result is perfect: perfectly sized, opening and closing smoothly, with impeccable attention to detail." Just as a craftsman's work appears effortless to the untrained eye, effective security solutions should feel natural and straightforward to users.
This principle is valuable when applied in organisations. Dan describes working with teams who spent 18 months to two years analysing and documenting their security processes. The end result? A concise team consensus, captured in a streamlined workflow and a single-page summary in Confluence. The extensive work behind this simplification led to clear, usable processes that aligned naturally with business operations.
Yet many organisations resist this path. Instead of embracing the challenging pursuit of genuine simplicity, they resort to complexity as a smokescreen, using elaborate processes and documentation to demonstrate perceived thoroughness. This approach, while appearing impressive, often creates more problems than it solves.
The key is making secure behaviour the easier path. Rather than focusing on complex technical solutions, security should be built into how work actually happens — making the secure way the natural way.
Key takeaways
1. Master the basics
Start with simple threat modelling using the four fundamental questions
Understand systems before implementing solutions
Remember that achieving simplicity requires expertise and dedication
2. Map and protect your data
Understand how data actually flows through your organisation
Address the "tentacles" of data that extend beyond formal systems
Make secure data handling easier than insecure alternatives
3. Think in continuums
Move beyond binary security thinking
Focus on operational metrics and normal behaviour patterns
Look for early behavioural indicators of potential issues
4. Invest in executive engagement
Get involved in strategic discussions before formal planning begins
Maintain consistent leadership involvement
Protect against knowledge loss when key leaders depart
5. Build security into workflows
Make security feel natural and intuitive
Align security with how work actually happens
Focus on practical, usable processes over complex documentation
6. Learn systematically
Document and analyse security incidents
Share insights across the organisation
Build from simple foundations to appropriate complexity
Looking ahead
The future of effective security lies not in more complex tools or larger security teams but in a better understanding of business operations and simpler, more focused security measures.
As Adam emphasises, "Sometimes complex problems have simple solutions. And simple is not necessarily easy."
Organisations that embrace this approach will find themselves better equipped to handle security challenges, more efficient in their resource allocation, and more effective in preventing and responding to security incidents. Start simple, understand deeply, and build thoughtfully — using an eraser on the drawing board rather than a jackhammer on the job site.
The path to effective security requires dedication, understanding, and a willingness to challenge conventional approaches. But the results — better security with less complexity — make the journey worthwhile.
Need a partner for the road? Simple is not easy — but that's why we're here. Let's talk.
Bio
Adam Shostack
Adam Shostack is a renowned authority on threat modelling and cyber security. He authored Threat Modeling: Designing for Security and Threats: What Every Engineer Should Learn from Star Wars. With decades of experience spanning startups to nearly a decade at Microsoft, Adam has consistently delivered impactful security solutions.
Adam played a key role in co-creating the Common Vulnerabilities and Exposures (CVE) system and served as an Emeritus member of its Advisory Board. At Microsoft, he led the design and delivery of the SDL Threat Modeling Tool (v3) and worked on addressing Autorun vulnerabilities, improving security for millions of systems. He also created the Elevation of Privilege threat modelling game, a tool widely used to teach and apply threat modelling practices. Additionally, Adam co-authored The New School of Information Security, which explores innovative approaches to cybersecurity.
Beyond his work in consulting and training, Adam is a member of the Blackhat Review Board, advises organisations and academic institutions, and is an Affiliate Professor at the Paul G. Allen School of Computer Science and Engineering at the University of Washington.
Dan Haagman
Dedicated to strategic cyber security thinking and research, Dan Haagman is the CEO and founder of Chaleit and a seasoned leader in global cyber security consulting.
With nearly 30 years of experience, he began his journey at The London Stock Exchange, where he pioneered the development of their first modern SOC and defensive team. As a co-founder of NotSoSecure and 7Safe, both acquired by reputable firms, Dan has left a lasting impact on the industry.
Today, Dan leads a team of brilliant minds in seven countries, all focused on delivering world-class cyber security consulting. Chaleit reflects Dan's vision for the industry's future. Built on the core principles of longevity and transparency, the company is poised for a public offering within the next few years.
Dan has a passion for learning. With a pen and paper at hand, he dedicates significant time to reading, researching, designing systems, and learning with clients and peers with the goal of being a leading thinker and collaborator in the cyber industry.
Disclaimer
The views expressed in this article represent the personal insights and opinions of Dan Haagman and Adam Shostack. Dan Haagman's views also reflect the official stance of Chaleit, while Adam Shostack's views are his own and do not necessarily represent the official position of his organisation. Both authors share their perspectives to foster learning and promote open dialogue.