
29 Jan 2026


When Governance Creates Risk: The Cost of Internal Friction

Jo Stewart-Rattray

TL;DR

The biggest sources of cyber security risk aren’t always external. They are often created within the organisation through bureaucracy, misaligned incentives, shallow governance practices, and internal noise that distracts CISOs from the work that actually matters.

Drawing on decades of leadership across not-for-profit, large enterprise, consulting, and board advisory roles, Jo Stewart-Rattray (Director of Cyber Security & Assurance) and Dan Haagman (CEO, Chaleit) argue that cyber security has drifted away from its purpose. It has become wrapped in rituals and processes that offer comfort without improving protection.

Their discussion reframes security as a practical discipline anchored in proportionality, clarity, and judgment. The result is an honest and occasionally provocative exploration of what it really takes to run a security function that works.

Context 

Ask any security leader where the real difficulty lies, and they will rarely start with attack techniques or tooling gaps. The most draining work happens internally, navigating governance processes, negotiating with legal teams, responding to board expectations, and fighting for budgets that never quite match the responsibility placed on their shoulders.

Jo knows this frustration firsthand: “Some of the things that irritate me are things that shouldn’t be a bother.” Her examples are familiar across sectors: licence renewals that become six-week legal cycles, procurement barriers that block the very experts who could reduce risk, and repeated contract reviews that add no value.

“People grab the tangibles and run with them rather than the things that really matter,” Dan observes. He sees this daily across clients who spend more time debating contract wording than addressing the gaps attackers are already exploiting.

Both leaders share a concerning view: internal friction is not neutral. It creates real exposure.

As Jo warns, “Every company is a heartbeat away from being owned by the bad guys.” If internal systems slow action, the organisation is leaning into that heartbeat.

With this context in mind, Jo and Dan outlined the four main challenges security leaders face and the corresponding actions to help reset the balance.

Challenges

The challenges below reflect the day-to-day reality of senior security leaders. They come from delayed decisions, priorities that were pulled apart, and systems that make necessary work harder than it should be. Each one shows how internal structures can increase risk, even when intentions are good.

Challenge #1. Manufactured risk

Governance is meant to protect the organisation. Instead, it often binds CISOs in layers of process that delay the work that would genuinely reduce exposure.

Jo describes how something as minor as renewing a licence becomes unnecessarily complex.

“Every time I have licences up for renewal, I have to go back to procurement. They then send it to legal for another review of the terms and conditions. What should take hours becomes a six-week exercise.”

Her real concern is what those six weeks represent. Security improvements stall. Important work cannot begin. Attackers don’t wait for legal review cycles.

Procurement cycles for technology, including cyber security tools, vary significantly by sector and organisation size, with public sector averages reaching 22 months due to regulatory complexities. Large enterprises report 9-18 months for cyber security solutions, including 4 months for evaluation alone.

Delays often stem from multi-stakeholder involvement, scope changes, and manual processes, heightening incident exposure by extending vulnerability windows.

The issue deepens when procurement rules block small but highly skilled firms, Jo explains. “If they’re a micro-business, I’ve got two chances of getting them through procurement. They don’t have fifty million dollars in cyber insurance, even though they have everything appropriate for their size — and they have the skill set and credentials I need. That’s what gives me confidence they can do the job.”

Dan adds another example. A global insurer recently requested unlimited liability for a relatively safe engagement. “We simply said no. We’re not taking unlimited liability for a piece of work where you’re receiving fifty thousand attacks an hour from elsewhere.” When the clause disappeared overnight, he was left wondering why it was included in the first place.

These stories highlight a shared concern: governance mechanisms intended to reduce organisational risk often have the opposite effect.

Challenge #2. Struggles with analogous transfer

Leaders understand governance deeply in the context of their own industry. The difficulty arises when those governance principles must be applied in other domains, such as cyber security.

Jo explains: “We are incredibly poor at analogous transfer. Directors understand, for example, the governance of healthcare because that’s their world. They can’t see how those same principles work for cyber security.”

When leaders cannot transfer existing knowledge, they want certainty. This results in unrealistic requests. “They ask me for strategy seven years out,” Jo says. “I can tell you twelve months. Maybe two years. But seven? That requires a crystal ball.”

Dan challenges the idea that board members lack capability. “Board members are usually smart. I don’t buy that they don’t get cyber.” His point is not to deny the gap, but to show that the gap is structural rather than intellectual.

The consequence is predictable: boards lean on checklists, frameworks, or template-driven questions that feel safer than engaging with ambiguity. This creates friction rather than insight.

Challenge #3. Misaligned incentives and short-term thinking

Cyber security competes with financial pressures, political priorities, and organisational habits that favour short-term optics over long-term strength.

Jo sees the financial impact directly.

“Security is being treated as discretionary spend — we’re back to where we were ten years ago.”

Budget allocations have dropped sharply, with many CISOs receiving as little as two percent of the technology budget. “You’ll be lucky to see more than that,” she says, contrasting it with guidance from years past that recommended eight to ten percent, a figure that is not unreasonable given the continual increase in the cost of tooling and other such protections.

The short horizon of CISO tenures compounds the issue. “The average CISO stays around for two and a half years,” Jo says. “I’m a survivor at five and a half.” Short tenures encourage short timelines, which encourage unrealistic uplift expectations.

Organisations also funnel money to high-visibility initiatives. Jo notes:

“Research and innovation teams get their hands on every new toy. But ask for tools that will assist with basic cyber hygiene and you’re told no. You can’t expect to see a return on investment if you don’t invest in the first place.” 

Dan sees the same pattern: reluctance to invest in modest audit fees while funding clearly optional projects elsewhere.

The result is a misalignment between responsibility and influence. CISOs carry the risk without holding the levers needed to reduce it.

Challenge #4. Distraction overload

CISOs work at the intersection of too many expectations. They manage audits, compliance cycles, operational alerts, M&A reviews, vendor negotiations, internal reporting, and political relationships across the organisation. Many of these tasks are important. A few of them are urgent. Some contribute little to security at all.

Dan uses an analogy that resonates with any leader under pressure:

“You’re flying the plane, something has gone bang, and someone opens the door and asks whether you’d like a cup of tea.” The timing is wrong, but the pattern is accurate.

Jo describes it as “an unnecessary distraction when there’s enough going on already.” Her week includes operational oversight, multiple governance committees, and reporting cycles that sometimes misinterpret the purpose of the work. One board member told her that reading her reports felt like being in a Star Wars film — humorous, but not entirely reassuring.

Dan expands the idea with another image: “It’s like chewing gum. Stretch it too thin, and it becomes porous.” When CISOs are asked to stretch across too many priorities, gaps appear because of a lack of bandwidth.

M&A scenarios are particularly fraught. “The first thing we should do is a full testing regime. Otherwise, we’re opening up a whole set of attack vectors we don’t need,” Jo says. Yet organisational pressure often demands rapid integration rather than careful assessment.

This combination of noise and urgency pulls CISOs away from the work that actually lowers exposure.

Taken together, these challenges show why cyber security work so often feels harder than it needs to be. The pressure does not come from a single source, but from accumulation: process layered on process, incentives pulling in different directions, and attention spread too thin. Let’s now turn to what leaders and organisations can do differently.

Solutions

These solutions focus on practical changes that make security work possible. They address how decisions are made, how effort is spent, and where judgment needs room to operate, offering ways to reduce friction and restore momentum.

Solution #1. Restore proportionality

The first step to reducing organisationally-induced risk is restoring proportionality, which means treating low-risk activities with low-friction processes and reserving scrutiny for situations that genuinely warrant it.

Jo describes the ideal contract process: “Negotiate it, get it right in the first place, stick it in the bottom drawer, and get on with the work.” Good governance helps the business move. It does not trap it in place.

Practical actions include:

  • Setting clear thresholds for when legal review is necessary.

  • Allowing exceptions for small but high-calibre vendors who offer capabilities that large vendors cannot match.

  • Implementing multi-year terms for standard renewals rather than renegotiating unchanged T&Cs annually.

  • Measuring procurement delays as a form of operational risk, not administrative inconvenience.

Dan’s example with the global insurer reinforces the value of proportionality. When challenged, the most obstructive clause disappeared. The barrier wasn’t risk but habit.

Solution #2. Reframe cyber security

Boards do not need technical fluency. They need clarity, relevance, and a sense of how cyber security connects to the governance principles they already use.

The task is not to educate directors into being technical experts but to show continuity between domains.

Practical steps include:

  • Positioning cyber decisions as matters of risk appetite, financial stewardship, and contractual responsibility.

  • Communicating in terms of consequences rather than controls.

  • Offering realistic forecasting grounded in known variables.

  • Drawing analogies from the board’s own sector to anchor unfamiliar concepts.

Respectful challenge and clear framing build confidence and improve decision-making.

Solution #3. Align incentives

A clearer conversation about money helps counter short-term thinking. As Jo notes, “The average hack cost five million dollars last year.” When framed this way, a million-pound annual investment looks less like a cost and more like a financial safeguard.

Organisations can improve alignment by:

  • Presenting breach cost projections using contemporary benchmarks.

  • Proposing multi-year security investment plans tied to organisational strategy.

  • Demonstrating the risk of deferred action through incident trends.

  • Encouraging transparent discussion of trade-offs, especially in budget-restricted sectors.

Dan points to the reality that board members hold “inherent conflicts of interest.” Their incentives may lean toward immediate gains. Honest economic framing helps balance those pressures.

Solution #4. Protect the CISO’s bandwidth

CISOs need space to think, not just react. The work becomes stronger when leaders can combine data with instinct, pattern recognition, and what Dan calls “soak cycles.”

His first step in any engagement is simple: “I need to know what’s bugging you.” The fastest route to clarity is naming the pressure points.

Jo’s instincts are shaped by long experience across sectors. These insights often detect issues long before formal evidence appears.

Organisations can protect CISO bandwidth through:

  • Streamlining reporting to focus on insight rather than volume.

  • Involving security early in M&A decisions, not after acquisition and subsequent integration.

  • Delegating non-critical administrative tasks to free senior attention.

  • Recognising experience and intuition as legitimate assets, not soft skills.

These solutions do not require sweeping change. They rely on clearer decisions and a shared understanding of what effective security is. When organisations remove unnecessary friction, security leaders gain the space to focus on reducing risk where it matters most.

Key takeaways

The takeaways below highlight where effort pays off, where it is wasted, and what leaders can change without waiting for a breach to force the issue.

  1. Internal friction is a genuine source of cyber security risk.

  2. Governance only works when it supports outcomes.

  3. Boards benefit from translation, not technical detail.

  4. Security funding must reflect risk economics, not yearly budget cycles.

  5. CISOs need protected bandwidth to apply their expertise fully.

  6. Instinct, judgment, and experience matter just as much as controls.

Organisations do not typically need more processes and tools. They need clarity, uplift, and the confidence to remove the internal noise that slows the work.

If you want a security function that works with purpose, Chaleit helps leaders reduce the drag and focus on what protects the organisation.

Speak with our team about building a security model that supports real outcomes.

About the authors

Jo Stewart-Rattray

Jo has over 30 years’ experience in the IT field, some of which was spent as CIO in the utilities sector and as Group CIO in the tourism space, and she has significant experience in the information security arena, including as CISO in the healthcare sector. She underpins her information technology and security background with her qualifications in education and management.

She specialises in consulting in risk and technology issues with a particular emphasis on governance and security in both the commercial and operational areas of businesses. Jo provides strategic advice to organisations across a number of industry sectors including banking and finance, utilities, manufacturing, tertiary education, retail, healthcare and government.

Jo has extensive board and committee experience. She has chaired a number of ISACA’s international committees, including the Board Audit & Risk Committee, Leadership Development, and Professional Influence & Advocacy. She served as an Elected Director on ISACA’s international Board of Directors for seven years, was the founder of its global women’s leadership initiative, SheLeadsTech, and is Vice President, Communities for the Australian Computer Society.

Dan Haagman

Dedicated to strategic cyber security thinking and research, Dan Haagman is a global leader in the cyber domain — a CEO, client-facing CISO, Honorary Professor of Practice, and trusted advisor to some of the world’s most complex organisations.

Dan’s career began nearly 30 years ago at the London Stock Exchange, where he was part of the team that developed its first modern Security Operations Centre (SOC). He went on to co-found NotSoSecure and 7Safe, both acquired after helping shape the industry’s penetration testing and training practices.

His deepest commitment is to what followed: Chaleit — a company that has become Dan’s life’s work and passion. Founded not just to participate in the industry, but to elevate it, Chaleit brings together deep offensive testing capabilities and mature consulting, helping clients move from diagnosis to resolution. 

Today, he leads a globally distributed team across seven countries, steering Chaleit with principles of longevity and transparency, and guiding it toward a future public offering.

Dan is also the founder of the CISO Global Study — an open-source initiative created for the benefit of the broader industry. Through it, he works alongside hundreds of CISOs globally, distilling insight, exchanging learning, and challenging the assumptions that shape the field. 

Disclaimer

The views expressed in this article represent the personal insights and opinions of Dan Haagman and Jo Stewart-Rattray. Dan Haagman's views also reflect the official stance of Chaleit, while Jo Stewart-Rattray's views are her own and do not necessarily represent the official position of her organisation. Both authors share their perspectives to foster learning and promote open dialogue.


About this article

Series:

Cyber Strategy Collective

Topics:

  • Strategy
