Stop Calling Security a Priority if it’s the First Thing you Compromise

by Joswè Muscat Galán | 27 Feb, 2026 | Topic Insight

For the past couple of weeks, social media platforms like LinkedIn have been flooded with debates about CISO roles, RACI matrices, and where security fits in the organisational chart.

As a security professional with roots in operational and corporate environments, I've watched these discussions unfold, and they all circle back to one uncomfortable truth: despite endless declarations that "security is our top priority," it's routinely the first line item sacrificed when budgets tighten, deadlines loom, or revenue calls.

This isn't just venting; it's a call to examine why security, privacy, compliance, AML, and other governance functions remain afterthoughts. Even with legal mandates and mature frameworks, companies prioritise growth over resilience. Below, we will break down the flaws in structure, gaps in leadership, and a better path forward: making space for security experts to lead leaders before crises hit.

Security professionals, this is your framework for demanding more. Leaders, this is your moment to act and demonstrate the truth of your claims.

“Security is a Priority”… Really?

Picture this: a conference panel where every executive proclaims, "Security is our #1 priority." The crowd cheers.

Back at the office, a critical feature launch approaches, and security scoping gets deferred to "phase 2" because resources are scarce. Or a rebrand eats the timeline, sidelining privacy reviews. We've all been there! Over 50% of security professionals reading this have nodded along at webinars, only to battle the same friction internally. What starts as motivational rhetoric crumbles under pressure. Ignored recommendations later become breach headlines.

The disconnect? Words versus actions. Security isn't prioritised; it's tolerated until inconvenient.

The Persistent Afterthought Problem

Security teams advocate "security by default" and "privacy by design," embedding risk awareness into everything, from employee awareness training to supply-chain due diligence and change management. We build frameworks for risk-based cultures, yet implementation falls behind. Why? It's not maturity: it's governance choosing short-term wins over enduring controls.

Onboarding a CISO, DPO, or security manager checks the "commitment" box, but without aligned priorities, resources, and true buy-in, it's theatre. Textbook playbooks work sometimes, somewhere. But adaptability across industries demands cultural assessment first: attitudes towards compliance, leadership resistance, and turning sore points into opportunities.

Simply having someone to blame isn't prioritisation; it's deflection. You can't hit the ground running without mapping the landscape.

Where Security Sits - and What It Reveals

Conventional wisdom buries security under IT, engineering, or operations. Independence, with a direct line to the board or C-suite, is rare. Reporting structures betray priorities: marketing doesn't report to HR; finance operates autonomously. So why does security answer to CTOs or COOs, blending tech ops with risk governance?

Effective teams - compliance, legal, finance - oversee the organisation at group level, advising without hierarchy. Security should hold the same strategic positioning: its own vertical for credible input. Dependency on revenue drivers ensures compromise. Recall the rush: "Onboard this supplier ASAP. They tap our customer DB via APIs, no PII worry. Is the website due diligence enough?"

Security draws the short straw: innovation and scalability proceed without safeguards.

Ownership Without Understanding: The Wannabe Leader Trap

Executives "own" risk on paper but champion "business first" without threat literacy or regulation insight. Wannabe leaders parrot slogans, blind to trade-offs. CISOs? Held accountable without authority. "Security is everyone's responsibility!" Sure! But - who strategises amid chaos?

Which brings us to the “CISO conflict”: high responsibility, minimal power.

How do we reject this, and demand expertise-matched influence? True power lies with those who understand the stakes, making expertise more influential than mere title.

Regulation and Frameworks: Necessary but Insufficient

Laws enforce roles, policies, and structures - yet organisations "do as they wish." Regulated entities frequently minimise internal controls. This is because key performance indicators (KPIs) prioritise revenue generation over organisational resilience, and bonuses are paid without regard for security breaches - at least until incidents occur. Consequently, even mandatory, enforceable regulations are often compromised or disregarded when management pressure is applied.

Paper compliance passes audits; it doesn't embed priority. Misaligned incentives ensure security yields first. Regulation sets floors, not ceilings - leadership must raise the bar.

From “Train the Trainer” to “Lead the Leader”

Borrowing from "train the trainer," we should adopt "lead the leader."

Give battle-tested professionals the authority, time, and access to navigate pre-crisis situations, not post-"sh*t hits the fan" cleanup. This empowers them to shape decisions early, positioning security as an innovation enabler.

This demands orgs value advisory over reaction. Frameworks guide; leadership executes. Professionals: claim your seat. Executives: listen before incidents force it.

End the Compromise Cycle

To prove security truly is a priority, organisations must redesign their structures: establish independent reporting lines to the board, ringfence dedicated budgets, and grant veto rights over material risks. This commitment must be demonstrated consistently, not just in words.

  • For security professionals: Demand these changes and hold leaders accountable.
  • For leaders: Reflect honestly. When did security last prevail in a trade-off? Elevate security teams as strategic partners, not afterthoughts.

This shift from rhetoric to reality starts now. Structure or culture. Which comes first?