Many organisations find themselves stuck in a reactive cycle – patching vulnerabilities, responding to threats, and ticking compliance checkboxes without truly assessing whether their security strategies deliver real value.
Dan Haagman, Honorary Professor of Practice at Murdoch University and CEO of Chaleit, argues that security needs to move beyond tools, checklists, and incident response to become a fully integrated business function. In our conversation, he shared hard-hitting insights on why security teams struggle, how constraints can be advantageous, and why true cyber security leadership requires deep thinking, business engagement, and a commitment to long-term resilience.
Security’s Greatest Weakness? Over-Reliance on Tools & Misaligned Investments
Many organisations operate under the assumption that more tools equal better security – but that’s a dangerous myth. According to Haagman, companies invest heavily in security technology but fail to measure its effectiveness. He states that there’s “so much reliance on tooling... because tools solve everything, don’t they? Well, they don’t.”
Organisations often purchase security solutions but fail to fully implement, optimise, or mature them over time. Haagman warns that treating security tools as one-time investments rather than ongoing programmes is a fundamental failure.
“We buy it, we implement it a bit, and then we stop. We don’t mature it.”
Security leaders must shift from acquiring technology to evaluating and sustaining it, ensuring security investments deliver real, measurable impact.
Constraint Is Not a Weakness; It’s a Strategy
Budget constraints are often cited as the biggest challenge for CISOs, but Haagman believes that constraints force better decision-making and prioritisation. He highlights that “constraint is the solution. When you can’t buy all the tools you need, you’re forced to rationalise your approach and focus on what truly matters.”
Instead of trying to “do more with less,” security teams should aim to be more effective with what they have. That means evaluating whether security investments are truly reducing risk, prioritising outcomes over activities and, finally, focusing on resilience rather than compliance-driven security.
The Illusion of Security: Near Misses & the Problem No One Talks About
Organisations obsess over major breaches, but Haagman points out that what’s not being discussed is just as important. “I have seen near miss after near miss. The ones that didn’t become full-scale breaches often had just a thin layer of luck or a single alert that someone happened to catch.”
A near miss—a vulnerability that almost became a full-blown breach—is an opportunity to learn and adjust before disaster strikes. Yet, most companies don’t have a structured way to analyse these incidents, leading to a false sense of security.
Pentesting and the Ownership Crisis
Many organisations treat Red and Purple Teaming as compliance exercises rather than a strategic tool to align security with business risk. The key, Haagman says, is using these exercises to engage the business and test real-world resiliency because “they’re applying thinking, threat modelling, and engagement between the business and its risk.”
Companies that integrate continuous testing into their decision-making process—rather than running one-off Red Team exercises—are the ones that truly improve their security posture.
Furthermore, as organisations adopt cloud-first strategies, hybrid workforces, and third-party integrations, attack surfaces are growing exponentially. But Haagman highlights a bigger issue: many organisations don’t even know what they own.
Security can’t be one team’s responsibility—it must be embedded across the entire organisation. That means breaking down silos, aligning security with business risk, and ensuring every stakeholder understands their role in protecting the company’s assets.
CISOs & the Board: Fostering Relationships
There’s a common belief that boards don’t understand cyber security, but Haagman challenges that assumption.
The real issue? A misalignment of priorities. Instead of presenting complex technical reports, CISOs must focus on three key areas:
The Future of Leadership? Think. Engage. Lead.
Cyber leadership is at a crossroads. As threats become more sophisticated and regulatory pressures mount, CISOs must transition from security enforcers to business-aligned strategists. Haagman reiterates that “The most effective CISOs aren’t running around. They think, they engage, and they lead.”
Simply reacting to threats is no longer enough—security leaders must embed cyber security into the very fabric of the organisation, ensuring that security decisions align with broader business objectives.
According to Haagman, the next generation of CISOs will be defined by deep thinking, engagement, and leadership—not just technical expertise.
Final Thought: Eat Your Broccoli
Haagman sums it up best with a simple metaphor:
“There’s no trend for solving the fundamentals. There’s no trend for broccoli. Eat your broccoli.”
Cyber security isn’t about chasing trends, buying more tools, or ticking compliance boxes. It’s about focusing on the fundamentals—risk, resilience, and business alignment.
For security leaders, the message is clear: stop firefighting. Start thinking. Engage your business. And above all, eat your broccoli.
Join the Conversation at CISO Brisbane!
Are you prioritising resilience over reaction? Find out more at CISO Brisbane on the 24th of June 2025. Share your thoughts below or reach out to discuss how your organisation can move beyond the checkbox to true cybersecurity leadership. To hear more from Dan Haagman, find him on LinkedIn here.
If you are interested in speaking or partnering with us at CISO Brisbane 2025, reach out to Kashmira George.