Security, Corporate Affairs & Compliance
By Stephen Hermanson
The special alliance that helps to ensure that public policy interventions achieve good and sustainable security outcomes
29 May 2026
The traditional cybersecurity compliance assessment arrived. The legislation had been in place for some time, the regulatory interpretation was mature, and Compliance colleagues were ready and understood the process. All good so far.
During the process, questions surface about the medium- to long-term relevance, effectiveness and proportionality of obligations. The compliance process continues, the outcome is positive, and these questions are put aside.
Later, the government updates the national cybersecurity strategy, setting out an agenda for strengthening cyber security outcomes for the country. In due course a public consultation arrives, and industry is invited to comment on updates to legislation.
External/Corporate Affairs notice the consultation. It’s a security thing, not directly related to the traditional policy themes for this sector. Even so, someone asks Security about it. What happens next?
A Security Public Policy team will have spotted the consultation already, and may even have advised on its scope, questions and timing following close engagement on the government’s security agenda.
Prepared positions are ready, the legwork having been done with the SecOps teams that need to respond to the threat whilst meeting public policy expectations. Security Public Policy has already spotted that compliance assessments have highlighted some questions that need addressing and rolled those into the analysis.
Security Public Policy collaborates naturally with External/Corporate Affairs, and the corporate narrative and strategy are neatly integrated into the security position. Political and civil service engagement is synchronised and co-ordinated.
The process repeats itself for national infrastructure resilience, national security & investment, ransomware, physical protection, cyber security, product security and the full A-Z of the security public policy agenda.
Different departments, agencies and alliances are engaged. Trust and credibility are established or strengthened through data-led evidence about the impact of current and proposed measures. The Executive Committee and Board are confident that security obligations allow for sustainable operations and investments.
Eventually, the next iteration of legal and regulatory updates arrives (after sustained monitoring and interventions by Security Public Policy to fact-check proposals, understand the counter-lobby, course correct and generally keep the process moving in the right direction).
Compliance has already adapted, having been part of the Security Public Policy analysis, and everyone is confident the business understands the new obligations, the purpose, the private sector responses (and asks), and the risks. No surprises.
SecOps are happy as they can focus on operations and defence during the public policy cycle, and know what to expect when it concludes. Compliance is happy as they can concentrate on the technicality of compliance assessment, being confident the legislation and regulatory interpretations are clear. External/Corporate Affairs are happy as the business has shown itself as a trusted and reliable advisor to government and industry. Strategy is happy as the public policy outcome introduces no barriers and may even directly support the business strategy.
The absence of a Security Public Policy cadre, it seems to me, puts all this at risk. Perhaps this role can be given in whole or in part to a combination of SecOps, Compliance, External/Corporate Affairs or others (even 3rd parties). I’m not convinced this fragmented approach produces good public policy interventions.
Organisations that invest in this cadre are not waiting for clarity. They’re helping to shape it by investing in intelligence, analysis, solutions, relationships and alliances.
Organisations that only think about Security Public Policy when change, uncertainty or shifting government priorities appear will find that key decisions have already been made and shaped by others.