Efficacy Over Efficiency: A Collaborative Deep Dive with Mark Eggleston

Faster tools, leaner teams, smoother audits.

Lately, I’ve started asking an uncomfortable question: Does any of it work?

In a recent conversation with Mark Eggleston, Global CISO and long-time security and privacy evangelist, the word that kept surfacing was efficacy. It’s not a term you hear often in this field, but it’s one that matters.

Efficiency is about speed and scale.

Efficacy is about value.

That raises the question: Are we actually reducing risk, or just producing reports that say we are?

In our recent collaborative essay that tackles this theme in depth, Mark used a great analogy from healthcare. Hospitals don’t reimburse treatments that don’t work. Why do we still fund cyber controls that deliver little measurable protection? If a control, tool, or process can’t prove its value, it shouldn’t consume time or money.

That’s a reminder that compliance isn’t the destination, just the starting point. Too many teams still confuse passing an audit with being secure. They meet the standard and then miss the issues that really matter.

I saw this first-hand with a client who had tens of thousands of accounts misdeployed. Brilliantly resourced, heavily audited, and still exposed. The problem wasn’t a lack of investment but a lack of focus.

More people and more tools don’t automatically mean better outcomes. In many cases, constraint drives better thinking than abundance does.

That idea — that less can lead to more effective security — runs through everything Mark and I discussed. Limited resources force you to prioritise, to design solutions that actually hold up. It’s uncomfortable, but it’s where progress happens.

The other thread in our discussion was the human one, because passion and purpose are as important as technical capability.

You can automate detection, but not curiosity. You can enforce process, but not purpose.

As Mark said, “Make the fundamentals fun.”

If people see how their work connects to a bigger mission, they care more and do better.

And maybe the hardest part of all is keeping perspective. Experience can narrow your vision. If we don’t keep challenging assumptions, talking to peers, and looking outside our own echo chamber, we risk losing the very thing that makes this work interesting.

You can read the full essay with Mark Eggleston here. I promise it’s worth your time:

That’s really what all of this work comes down to for me and for Chaleit. The essays, the conversations with other CISOs, the research behind the CISO Global Study — they all serve the same purpose: to understand what actually works in practice.

I’ve spent years meeting experts who think deeply about these problems, not just the tools or the headlines. Those discussions shape how we write, test, and help others see what’s real versus what looks good on paper.

In the end, it’s about bringing clarity to the noise and helping the industry focus on what genuinely makes us safer.

(Make sure you read the cover piece and click through to the article.) Prof. Dan Haagman, this is a truly insightful piece. Being on the front lines, it is so important to focus in on what works, the value that produces, and to have the curiosity to drive change. Efficacy over Efficiency is so true, i.e. it has to work. Then you can be more efficient through automation, AI and taking out waste in the processes that you manage. Value is so undervalued, as a lot of practitioners will focus in on value being “I am now managing that control.” The question is, is that the right control to manage? Boards etc. do not care about controls, but about the value of the investment being made. So if you are managing the wrong controls or activities (or just doing a checkbox audit), then the cyber function is not displaying value.

‘You can automate detection, but not curiosity. You can enforce process, but not purpose.’ Couldn’t agree more. This perfectly captures why people must always come first in cybersecurity operations and risk management.

Thanks Dan for the rewarding conversation and your support for our community!
