Breaking Convention: Security Leadership to Sales

We kicked off 2025 with exciting changes at Chaleit. Our recent rebrand and new website reflect our core philosophy: security done right requires clarity, not complexity. No buzzwords, no hype — just straight talk about building lasting security through expertise and partnership.

In this spirit of transparency and practical insights, we also launched our new "Behind the Scenes" series (alongside our existing series of collaborative essays and expert interviews), offering a straightforward look at real security challenges and solutions.

Today's newsletter brings together four pieces that showcase our commitment to clear thinking in security, starting with a fresh perspective on the evolving CISO role.

The Contextual CISO: Matching Leadership to Organisational Need

"The traditional CISO playbook is broken," argue industry veterans Quentyn Taylor and Prof. Dan Haagman in their latest thought-provoking piece.

Moving beyond the binary "good vs. bad" security paradigm, their collaborative essay reveals several fascinating insights:

  • Security effectiveness should be measured against organisational context, not universal standards — what works for a global bank might be overkill for a mid-sized enterprise.
  • The concept of "transformational" vs "stabilising" CISOs suggests different phases of organisational maturity require different security leadership styles.
  • There's a concerning erosion of deep technical expertise in the industry, even as the CISO role becomes more strategic.
  • The current adversarial approach to security testing (like red teaming) often undermines rather than enhances organisational security.
  • Organisational change must precede technological implementation — not the other way around.

The full article, "The Contextual CISO: Matching Leadership to Organisational Need," offers practical insights for security leaders looking to break free from conventional thinking.

But what happens when theory meets reality? Our next piece demonstrates how even the most sophisticated security measures can fall short when human behaviour enters the equation.

Behind Security Blind Spots: A Lesson in Predictable Human Behaviour

Think your security tools make you invincible? A recent Chaleit red team engagement uncovered how predictable human behaviour can unravel even the most sophisticated security defences.

In this eye-opening case study, our team reveals several critical insights:

  • Out of 400 accounts examined, 25 used variations of the same predictable password pattern — proving that attackers only need one weak point to gain access.
  • While MFA was implemented for Microsoft accounts, several critical internal applications remained exposed without this crucial security layer.
  • Security teams were detecting suspicious activities but hesitating to act due to various organisational constraints — a dangerous gap between detection and response.
  • Even state-of-the-art security tools cannot compensate for human behaviour and organisational shortcuts.
  • The most effective security strategies must account for both technical and human factors.

Read "Behind Security Blind Spots: A Lesson in Predictable Human Behaviour" to discover how your organisation might be unknowingly compromising its security posture.

While regular security testing can help identify such vulnerabilities, the traditional approach to testing itself needs a critical examination.

Challenging the Status Quo: Are Yearly Pen Tests Still Relevant?

"Why do we wait for the annual pen test when we know there are critical areas that need attention now?" asks Prof. Dan Haagman in his analysis of one of cyber security's most unchallenged practices.

Drawing from real-world observations and featuring insights from Clyde Netto, Director of Technology and Cyber Security, Dan reveals several insights:

  • The Q4 rush for annual pen tests creates a "concertina effect," leading to bottlenecked remediation work in the new year.
  • In a SaaS-driven world, production environments and APIs often get overlooked - remarkably, only one customer in the past year questioned API scope in their pen test.
  • Traditional yearly pen tests, while meeting compliance requirements, may not provide adequate coverage for modern security needs.
  • A "low and slow" approach spread throughout the year could better align with release cycles and project go-lives.
  • Effective threat modelling can uncover vulnerabilities that traditional pen testing might miss, especially in interconnected systems.

Is it time to rethink the annual pen test cycle? Read Dan's full piece to explore this critical question.

While technical solutions and testing methodologies are crucial, the human element of security extends to how we build and maintain relationships in our industry.

Fixing the Cyber Security Sales Ecosystem: Time to Rethink Relationships

"I had three trusted salespeople that I would really just listen to. The rest got put on the back burner." This insight from Chris Squatritto sets the stage for an examination of cyber security's broken sales ecosystem.

In a candid discussion, Dan Haagman and Chris S., Cyber Security Leader and Startup Board Member, make several crucial observations:

  • The shift from simple value propositions to complex, multi-layered security solutions has made trust-building increasingly challenging.
  • Monthly quotas and 52-week metrics create "coin-operated" behaviour instead of fostering genuine cyber security partnerships.
  • The constant movement of sales professionals in the industry makes it nearly impossible to build lasting relationships.
  • Economic pressures are forcing a rethink of how security solutions are sold, and partnerships are built.
  • Success lies in "longitudinal relationship building" — moving away from transactional sales to true partnerships.

Discover how we can fix the cyber security sales ecosystem in the full piece.

These insights are just a taste of what's happening at Chaleit. We invite you to explore our newly launched website, where you'll find:

  • Security transformation stories that cut through the noise
  • Insights from seasoned professionals who've been in the trenches
  • Case studies showcasing outcomes our team is proud of
  • Expert collaborations on what actually works in cyber security

Want to stay in the loop? Subscribe to Future Cyber and our YouTube channel for deep dives into real-world security challenges, conversations with industry leaders, and practical lessons from the cyber security frontline.

Let's have a conversation about your specific security challenges. Get in touch or reach out to us directly on LinkedIn.

Chaleit: Challenging outdated security mindsets is key to building stronger defences, fostering innovation and driving meaningful industry change.