Signal to Noise: Tim Hastings on the Reality of Security Leadership at an MDR
What happens when a CISO isn’t just responsible for one organization’s security—but for hundreds?
Securing hundreds of organizations. That’s the daily reality for Tim Hastings, CISO at Legato Security, where he wears two hats: securing his own organization and ensuring Legato’s MDR (Managed Detection and Response) clients stay protected.
Tim’s career has taken him across the full spectrum of cybersecurity: from public sector CISO (State of Utah), to strategic consultant (Deloitte, Mandiant), and now leading security at an MDR. This journey gives him a unique vantage point—understanding security not just as an internal priority, but as a service that enterprises rely on. Having worked at Arctic Wolf myself, I found it especially resonant to hear the CISO vantage point from another MDR’s security leader.
In this conversation, we unpack:
How security priorities shift when you’re securing both your own org and your clients.
What separates signal from noise in vendor messaging.
The role of transparency vs. reliability in security tooling.
Why resilience is more than just uptime—it’s an existential business question.
Let’s get into it!
The Noise: Security Leadership as a "Check the Box" Function
For many organizations, security is reactive—led by compliance deadlines, regulatory mandates, or the latest board-level concern. Security leaders often find themselves playing defense against shifting business priorities, struggling to balance risk management with operational efficiency.
At an MDR, that dynamic is even more intense. The stakes aren’t just about one company’s resilience; they’re about maintaining trust across an entire client base. Security failures don’t just mean financial losses—they erode credibility with the very customers that rely on MDRs for protection.
For Tim, this means the traditional CISO playbook doesn’t apply.
The Signal: How a CISO at an MDR Thinks Differently
When your clients are trusting your organization to defend them, security isn't just a priority—it’s the product. That distinction changes how Tim approaches everything from security investments to vendor relationships.
Balancing Internal Security with Client Protection
Tim’s role as CISO at Legato isn’t just about securing his own house—it’s about ensuring their MDR services remain a trusted line of defense.
“Our clients expect us to be a cut above every other tech organization out there when it comes to security. That means we have to be ultra-conservative with our own controls, because if we don’t practice what we preach, why should anyone trust us?”
For Legato, every control they recommend, they also implement internally. It’s a “trust, but verify” approach: MDR clients expect their providers to eat their own dog food—because a weak MDR can become an attack vector for every customer they serve.
What Separates Signal from Noise in Vendor Outreach
Tim has seen it all—both as a practitioner and consultant. So when vendors try to get his attention, it’s immediately obvious who did their homework and who didn’t.
“If someone cold-emails me with boilerplate marketing, I delete it. If they understand my priorities and can articulate how they reduce my risk, I listen.”
MDRs are a unique enterprise, so for security vendors looking to cut through the noise, his advice is simple: research first, message second.
Understand the MDR space and the challenges of securing both an internal org and an external client base.
Show how you reduce risk in clear, specific terms—don’t just list product features.
If you’re selling to a CISO, recognize their business priorities—security is a revenue enabler, not just a cost center.
Resilience is a Business Survival Question
Tim defines resilience beyond just cybersecurity—it’s about ensuring the business itself can survive disruption.
“At the end of the day, resilience isn’t just about uptime. It’s about whether a security failure can break my business. If my clients stop trusting us, it doesn’t matter how good our detections are.”
This applies to every company, not just MDRs. Security teams often focus on tactical defense—firewalls, endpoint protection, incident response—but real resilience means thinking bigger:
Can we survive a breach without losing customers?
Do we have visibility into our most critical systems?
Are we anticipating business risks—not just security risks?
For Tim, the key is tying security strategy directly to business continuity. Without that connection, security investments become check-the-box exercises rather than real risk reduction.
Key Takeaways for Security Practitioners
If you’re a vendor selling to CISOs, know their priorities first. Tim ignores generic pitches—but pays attention to those who understand Legato’s security and business goals.
Security at an MDR isn’t just about defense—it’s about trust. Every control they enforce internally is a reflection of what they provide to clients.
Resilience is more than availability—it’s business survival. The goal isn’t just uptime, but ensuring a security failure doesn’t erode customer confidence.
Transparency isn’t enough—security leaders need reliability. The best security vendors aren’t just open about what they do—they prove it works.
Final Thoughts
MDRs are in a unique position: they aren’t just protecting themselves, but their customers. That means every security decision they make has second-order consequences. Tim’s perspective is clear—security at an MDR is the product, not just a function.
For security leaders, the lesson is simple: prioritize resilience, demand transparency, and only trust solutions that actually solve your risks.
Stay secure, and stay curious, my friends.
Damien