• How 2nd Line Assurance and Public Policy share a common experience

    By Stephen Hermanson

    I recently came across a very insightful piece on Risk Management and Assurance by John Sinden (Vodafone Group). I recognised the context and situation immediately, which has lessons for Public Policy too.

    Public Policy teams are facing similar challenges, so allow me to borrow from John Sinden’s excellent framing to illustrate the point.


    There’s a moment most people in a Public Policy role may recognise. You’re in a meeting, the business is moving fast, decisions are already forming, timelines are tight — then you speak up.

    Not to block. Not to control. But to ask what contribution is being made to government and regulatory agendas, what public policy and regulatory barriers might dilute or negate business outcomes, what intelligence we should gather to assess the likelihood and impact, what political incentives we are responding to, which parties and alliances are supporting and opposing our plans, what asks we would place on government or regulators, what evidence we can offer to substantiate our case, what solutions or mitigations we might propose, what narrative we are using to convey a holistic corporate position, and what the trade-offs are (for us and others) if the business plan doesn’t succeed.

    You get the gist — how can we test and prepare the ground politically and diplomatically (for international considerations such as global supply chains and multinational customers), and how do we provide researched and proportionate public policy recommendations to achieve outcomes that matter?

    You don’t have a mandate to write or decide the business strategy or opine on how the business should operate. You’re not truly “in” the business. But you’re not separate either. You sit somewhere in the middle — close enough to understand, but distant enough to challenge — and provide the voice of government, regulators, communities and geopolitics at the table (and explain the merits of the business plan to these same stakeholders and other stakeholders as may appear).

    This may also mean dealing with hostility, disinformation and misunderstanding. Public Policy teams will want to get ahead of the arguments with a clear, accurate and timely narrative that can bring parties together and resolve differences. Where opposition remains, what strategy is required to manage this politically and through the institutions that could influence the debate?

    And every day, you’re trying to get that balance right. The Public Policy intent is rarely what people think it is.

    It’s not about creating barriers, being pedantic or playing politics.
    It’s about making decisions stronger.
    It’s about helping teams see around corners.
    It’s about avoiding the conversations no one wants to have “later”.

    Too often, Public Policy teams are required to fight a rearguard action when it suddenly transpires that the business plan is facing political opposition, legal/regulatory constraints or barriers on trade. Politics and geopolitics can change suddenly and unexpectedly. Be that as it may, there are respected and established principles for taking into account the political, geopolitical and economic environments to understand the risks that might present themselves. Public Policy teams will be applying this lens to help the business navigate these waters. This may require policy change and the political appetite to support it. Some of this may need months of persistent and careful engagement to frame arguments, coalesce allies, build independent evidence and devise compromises. When Public Policy teams ask questions, they are thinking ahead to this moment and calculating what is essential to understand now.

    Security and defence sectors are particularly sensitive to this. Where the business plan, political and policy risk, and economic stakes touch on national security considerations, the stakes get higher still. Public Policy teams will take a calm, measured and evidence-based approach when activating relationships and access to warn of political or policy missteps that might have unintended consequences — in extreme cases causing harms to both industry and national security. Security Public Policy is increasingly on the agenda as governments seek to respond to national and economic security objectives. This cadre in the Public Policy team will understand the stakes, the trade-offs and the formula for charting a way through.

    When delivery pressure is high, challenge can feel like friction. When momentum is building, pause can feel like delay. When you hold the line, it can feel like you’re pushing back rather than helping forward.

    And so, Public Policy teams walk a constant tightrope:

    • Be commercial, but don’t dilute standards
    • Be close, but don’t lose objectivity
    • Be pragmatic, but don’t become irrelevant
    • Be firm, but don’t become “the police”

    It’s not an easy role. And often, the better you do it, the less visible it is.

    • The political and public policy risk that doesn’t materialise.
    • The external stakeholder issue that gets fixed early.
    • The narrative that gets sharpened before it lands.

    Those rarely get called out, but that’s where the real value is — bringing clarity, perspective, and calm thinking when it’s needed most. When that balance is right, Public Policy teams are no longer seen as the people who slow things down. We’re the people who help things navigate the political and public policy sphere — which no critical national infrastructure business can ignore.

    Over the last two and a half years my previous team and I designed and built Security Influence — an integrated Threat Intelligence, Government Engagement, Business Engagement and Public Policy team to provide the Security Public Policy cadre.

    Some lessons from the journey:

    • Strategy before tactics. Is this the fight to have at this time and place (and if so, how would we elect to fight and what resources are available to sustain it — including the political will internally)? What does the strategy look like when modelled with an analysis of competing hypotheses? The purpose is to double-check assumptions, objectives and constraints, and to resist the temptation to respond until the threat/risk is clear.
    • CxO patronage. This provides reliable, regular and trusted access to the Executive Committee (ExCo) and Board, confidence to speak truth to power, and space to play the long game. If/when you decide to activate, you’ll need the ExCo to follow you over the parapet.
    • Also create a strategic communications and engagement plan for internal stakeholders. Public Policy teams will be expert at designing and implementing external communications and engagement plans. However, you’ll need to bring everyone in the business with you (don’t assume the merits and achievements are obvious to everyone).
    • Step outside the bubble. We spent at least 25% of our time engaging externally, beyond the organisation and sector. Perspective, context and comparison count for a lot, but internal communications and engagement are essential to package the message (so what; and then what), and CxO patronage provides the access and agenda space.
    • The Public Policy mandate overlaps with Corporate/External Affairs, Strategy, Risk and Corporate Communications. In the end, some parts were absorbed by these functions and other parts remained with us. Pin down an operating model and RACI as soon as you can (and test it in practice and with ExCo). Keep sight of the holistic view (golden thread) which is often lost when the model is over complicated or contested. See my blog for an entry on the special alliance between Security, Corporate Affairs and Compliance. This can easily be extended to incorporate Strategy and Risk.
    • Technology, Security and Operations will have subject matter experts that will often need to support content reviews, consultation responses and participate in engagements. This access needs to be reliable, authoritative and sustained. The biggest danger is a bottom-up approach that meets general resistance such as “AI can do this”, “external agencies can do this”, “the SMEs can do it themselves”, “there’s no point as we can’t influence outcomes”, “this is not our fight”, and so forth. Be prepared for this. If the ExCo isn’t batting for it, then reset.
    • Sceptics are inevitable. Resist the pressure to reduce everything to metrics. Measures of value in government relations and public affairs are often more nuanced. What counts is business appetite to engage (and belief in the Public Affairs mission and purpose), business appetite to play the long game (and invest in policy research and think-tanks) and ultimately the level of risk tolerance and knowing when that threshold is near. Public Policy is a social science — certainties are rare and your biggest critics will be those that struggle with ambiguity and the probability yardstick.

    References

    Sinden J. June 2026. LinkedIn.

  • 19 June 2026

    By Stephen Hermanson

    Even a year in geopolitics might be considered a long time. At the Chatham House London Conference on 20 June 2025, I reported on considerations for private sector critical infrastructure. A year on, I’ve returned to reflect on what’s changed.

    Part 1: Report from the Chatham House London Conference 2025 (20 June 2025)
    Part 2: Reflections a year on


    Part 1: Report from the Chatham House London Conference 2025

    By Stephen Hermanson

    Si vis pacem, para bellum

    This annual fixture is a good opportunity to take the pulse alongside others of a similar breed who are trying to chart and navigate the security threats stemming from geopolitical tension. As ever, a stellar line-up and credit to Chatham House for a solid event in the unexpected heat atypical of the British summer.

    I stepped away reflecting mostly on the second plenary, Middle Powers: Reforming or remaking the Global Order? The panel presented a convincing case for the emerging role of Middle Powers (also recognising the definition of Middle Powers is varied and contested). On stage the representatives seemed aligned and capable. However, how does this pan out in reality where, for example, the G7 continue to pursue their interests, deals and spheres of influence?

    Who would be ready to act as referee and enforce the rules-based order the Middle Powers have in mind? The new concept for the Global Order extolled by Middle Powers (and a central pillar of China’s narrative and message to this camp) is self-determination for nations and a voice at the table (including setting the menu and eating the food as Ambassador Dino Patti Djalal expressed it).

    Middle Powers argue that the G7 lacks the capacity to find a consensus on the future Global Order, and Middle Powers have their own agency and can find a way through. I’m uncertain how this plays out with a G7 that’s wrestling with itself and others, potentially brushing aside the beginnings of a Middle Powers consensus and momentum.

    I couldn’t quite identify from the Middle Powers the appetite (political will) and resources (economic trade-offs) to see their vision of a Global Order prevail in competition with the G7, and to intervene to enforce their rules-based order when competition for resources and standards of living brings states into conflict. Put bluntly, I’m not convinced that Middle Powers would mobilise 3% of combined GDP to invest in Defence in a way that would allow them to prosecute a war against aggressors to the Global Order; least of all any of the G7.

    For the UK we heard that society has to recognise the quid-pro-quo necessary for the investments required to implement the insurance policy of the Strategic Defence Review. Middle Powers will have to do the same in my mind. Perhaps they are, and that’s commendable. The hard truth however (usefully articulated by Lt Gen Ben Hodges in the third plenary), is that many, including the UK and Europe, have done little to evidence the ability to prosecute a war to enforce the Global Order since the Second World War.

    For consensus to hold, and for the possibility of a clear signal to aggressors (covert or overt), it seems to me we should dust off the old adage – si vis pacem, para bellum. War is already upon us according to many. Diplomacy will play a part of course and the Corporate world has a role too. Let’s make it count.


    Part 2: Reflections a Year On

    By Stephen Hermanson

    Action this day

    It’s clear, a year on, that Middle Powers are struggling to make sustained investments in Defence and Security that exceed 3% of GDP (at least in the near to medium term). The private sector is investing in security too, although I’m yet to locate reliable numbers on the level of private sector investment in security as a percentage of market capitalisation – hoping this might offer a gauge to assess the relative scale of private and public sector investments. It seems to me these investments (public and private) ought to be co-ordinated and prioritised to prove and scale the best solutions in a timely way, especially amongst the Middle Powers that we hear must work together for the benefit of a future global order.

    Take the UK, for example: a Middle Power by most definitions, but also a G7 (and UN Security Council) member. This speaks to the broad definition of Middle Power and therefore the increased challenge of co-ordinating a consensus from a larger group of diverse members which themselves, the UK included, are wrestling with internal political and funding challenges.

    Recent comments by high-profile figures such as ex-NATO Secretary General Lord Robertson and General Sir Richard Barrons are sobering evidence that the UK Strategic Defence Review has not precipitated the transformation required despite the passage of a year. The subsequent resignations of the UK Defence Secretary and Armed Forces Minister add to the sense of unease.

    The MoD seems to be mounting a concerted defence of its programme to bring forward vital investments in areas such as drones. The private sector is investing heavily too, and here I’m sensing a potential gap in public-private co-ordination of investments to decide on the capabilities required and plans to scale and operationalise new technologies.

    The market is being trusted to surface the best solutions, which is fine, but are we confident the required capabilities will emerge in time? From where we stand now, it’s difficult to be entirely confident, nor am I noticing a meaningful consensus on industrial policy amongst Middle Powers. In the UK, whilst we await the Defence Investment Plan and Defence Readiness Bill, the UK Research, Development & Innovation strategy will need to do a lot of the lifting.

    Winston Churchill’s “ACTION THIS DAY” label is one of the more enduring symbols of the Second World War. The labels were prepared by his staff and applied as part of office procedure, though the underlying impulse – his personal insistence on speed and his low tolerance for delay – will have given rise to a system that could cut through bureaucracy and hierarchy. It certainly feels like the same urgency and directness is needed now to bring Defence investment, in the UK at least, to where it needs to be.

  • Book Review

    By Stephen Hermanson

    Adrift on the Open Veld – Deneys Reitz – Stormberg 1999
    ISBN 978-0-6202-4380-3

    12 June 2026

    I find it curious that throughout my primary and secondary schooling in South Africa (culminating in 1993) I can’t recall ever encountering this high-profile figure in the syllabus or in general conversation; and I suspect the authorities at the time felt the Reitz narrative painted a rather uncomfortable portrait of South African political history.

    Therefore, it was fascinating to find this author (recommended by an ex-Royal Navy colleague I’ve discovered has a knack for uncovering some gems – thank you Richard G). I decided to tackle all three volumes – Commando, Trekking On and No Outspan. Fortuitously it also coincided with a rare visit to South Africa to see my elderly mother. So, the scene was set for a sentimental journey.

    At the outset, it’s worth mentioning that many of the names and places that would feel very familiar to someone born and growing up in South Africa, would likely feel a bit obscure to others. This doesn’t detract from the story, and when we hear about the author’s role on the Western Front during the First World War, readers that are familiar with towns and villages in Belgium and north-west France will find themselves on familiar territory. Apart from the desire to reach for a map to help with orientation from time to time, the stories about geography and places don’t require intimate knowledge of the environment.

    This review will not re-tell or summarise the story, which accomplished reviews have done far better than I could attempt. The curious amongst you can easily obtain a synopsis from other sources, and possibly a favourite AI model could do quite a good job too. My reflections focus on what stood out to me on the question of geopolitics, over 100 years after the author’s accounts.

    Despite the passage of time, the backdrop was very familiar to anyone surrounded by the history of empire, commonwealth and the world wars. Also, the story of my parents and grandparents is a story of migration across the British Empire in the late 19th and early 20th centuries until the end of the Second World War. That’s a complicated story of British, German and Swedish heritage that requires an entirely separate analysis, which I’m sure you’ll thank me for sparing you.

    Allow me to share some observations and thoughts that characterise my conclusions following the read. I’m keeping this compact as this review (and apologies for not using the classic book review formula) is not pretending to be an exhaustive analysis which I’ll leave to academics. In summary, I noticed some things that might leave you wondering whether you’re reading the latest morning papers over eggs and bacon.

    • A global tussle between super-powers (The British Empire and Germany in this context) playing out in far off lands through proxies and expeditionary forces.
    • Strategic and systemic advantage in technology (such as horses to mechanisation) and scale (early globalisation) that ultimately renders all short-medium term tactical gains largely academic (in reference to the Boer cause in this context, but also feels close to home when considering the prospects of some current campaigns to arrest or marshal emerging technology).
    • The ceaseless march of technology and national/tribal identities as disruptive forces, often working in tandem to amplify effects (in this context the great tapestry of indigenous peoples in South Africa and interaction with equally diverse European cultures). Different groups rubbed along well enough and co-existed quite comfortably albeit with inevitable skirmishes from time to time. Despite conflict – and sometimes significant conflict – repair and restoration seem to prevail.
    • Access to resources such as land (for livestock and agriculture in this context), critical minerals (gold and diamonds in this context) and energy (coal and oil in this context). In some respects, the books make the world seem like a smaller place, but already the race for resources was responding to growing populations and middle classes that increasingly enjoyed the benefits of innovation and the natural resources needed to sustain them.
    • How swiftly alliances can shift and the pragmatism of realpolitik revealing how erstwhile opponents can find common cause (having fought for the Boers, the author explains in a fascinating account how he came to command a British battalion during the First World War). The books include a vivid account of post-war politics and how the deprivations of war, the challenge of government (as opposed to opposition), and shifting global orders strengthen and fracture alliances.
    • The manner in which people moved around the world (mostly by sea at that stage) and settled temporarily (and sometimes permanently) in countries that simply absorbed them (perhaps this was the privilege of a certain set with the right connections, backgrounds and funding). Nonetheless, the books give a strong sense of a world before passports, visas, and border controls as we know them. People travelled back and forth between Africa, Europe and North America in ways that would seem impossible now.

    Any of this sound familiar?

    Even the passage of 100 years or more doesn’t rule out clear parallels to the current geopolitical manoeuvring which we see playing out around us today. It would be nice to look at how previous generations navigated similar challenges and to understand where mistakes were made to avoid them in future. I’m sure scholars are doing this already and there’s no shortage of advice for international relations practitioners.

    The only certainty it seems is that the balance of power is shifting constantly, that in the moment it’s difficult to discern how the balance will play out, and the long game is very important. This is where institutions as opposed to personalities count. Where trusted institutions come under threat, or become jaded and inefficient, it’s incumbent on the prevailing generation of public-private partnerships to renew and revitalise their purpose and scope.

    Effective and robust institutions are born of political will and good policy choices informed by Public Policy tradecraft and International Relations. It seems to me the latter is having a rather rough patch at the moment (and more reason for organisations to build a meaningful response to prepare for the world that is emerging) –

    “That gap is the problem. Different teams follow different sources. Few organisations have anyone responsible for geopolitics, let alone accountable for it. Boards are often briefed only once an issue has become urgent or a risk has become material. The result is fragmented understanding: leadership teams working off different assumptions, risks recognised too late, second- and third-order effects missed entirely, and major commercial decisions made without a common picture of what is actually happening.”

    Bruckard D. 2026

    The former will need to accept that despite the very polished and proficient policy analysis produced by the latest AI models (useful as that is), it’s the relationships and access that count –

    “AI is not simply changing public affairs. It is making clearer what has always mattered most – influence. When content is easy to produce, decision-makers have to rely more heavily on their sense of which voices are credible. A well-drafted document can be produced quickly. A trusted relationship based on mutual understanding cannot.”

    Cook G. 2026

    Relationships and access are as essential now as they were for Deneys Reitz.


    References

    Reitz D. 1929 and 1943. Adrift on the Open Veld – Deneys Reitz – Stormberg 1999. ISBN 978-0-6202-4380-3

    Bruckard D. 2026. Are you the “geopolitics person” at work? A simple way to help your organisation stay on top of geopolitics. https://www.geopoliticaldispatch.com/p/are-you-the-geopolitics-person-at

    Cook G. 2026. What AI Reveals About The Real Value Of Public Affairs. https://garystephencook.substack.com/p/what-ai-reveals-about-the-real-value

  • Government Regulation over Market Incentives

    By Stephen Hermanson

    Public policy interventions in the form of security regulations need to be careful, surgical and consider harms that may arise from poor interventions

    4 June 2026

    Context

    “Last week at the World Economic Forum’s annual cybersecurity conference in Geneva, ISA President Larry Clinton and Joe Levey, President and CEO of Sophos, debated Hans De Vries (ENISA) and Megan Stifel (Institute for Security and Technology) on a question central to global cyber policy: Is cybersecurity best driven by market incentives or government regulation?” [ISA 2026, LinkedIn].

    “In a first for the WEF, the session used a true debate format with opposing sides rather than a conventional panel. The audience response was striking. Before the debate, participants favoured government regulation over market incentives by a 2:1 margin. By the end, the audience had nearly reversed course, expressing greater confidence in market incentives by the same margin.” [ISA 2026, LinkedIn].

    “The results speak for themselves: the more a sophisticated global audience engages seriously with the intersection of governance and technology, the clearer it becomes that the traditional regulatory model is a poor fit for the cybersecurity challenges ahead — especially as AI accelerates the speed and complexity of the threat environment.” [ISA 2026, LinkedIn].

    Introduction

    I was fortunate to contribute to this 2016 publication – The Cybersecurity Social Contract by the Internet Security Alliance [ISBN 9780692755037], so enjoyed seeing this debate and the outcome.

    Public policy interventions are designed to correct market failures. The question at hand is whether markets can produce good and appropriate cyber security outcomes. Therefore, public policy intervention in the form of security regulations needs to be careful and surgical.

    This reminded me of an assignment during a recent course at The London School of Economics and Political Science (LSE) in 2023, which I summarise in this article.

    Strategy to bring the issue to the policy agenda

    Policymakers may struggle to understand the causal relationships between better cybersecurity, market incentives and regulation. To reach the policy agenda it would be necessary to explain how a seemingly healthy cyber security market with many existing standards and regulations, alongside many established global players generating good levels of competition, innovation and resilience, would need intervention.

    Traditional risk assessments (likelihood vs impact) are guiding policymakers on the scope, timing and nature of possible interventions compared to competing priorities on the public policy agenda.

    For many countries cyber security is central to national resilience, and risk assessments are mature and routine. However, an assessment of the harm that may arise from poor public policy interventions is often missing. Such an assessment can orientate policymakers and create better public resonance – important for a technical issue that’s prone to fast-moving issue-attention cycles.

    Stronger resonance is useful as it broadens the assessment of policy interventions to include other countries and jurisdictions. This includes ideological arguments (values & norms), technical/scientific arguments (risk assessments) or competitive arguments (economic & strategic autonomy).

    The agenda setting power is centred on national security agencies (with technical/scientific arguments) and political groups (with ideological arguments). Both groups use their levers of power to intervene through new or existing laws and incentives.

    This creates a competitive agenda setting process and prominent role for policy entrepreneurs seeking to align the problem, solution and politics. In the example of cybersecurity, the problem and political streams align naturally, but the solution stream may fall into and out of alignment quite suddenly as solutions are complex, and likely to see punctuated decision making as stakeholders realise that incremental decision making hasn’t kept pace with the policy issue.

    Factors to ensure successful policy interventions

    Cybersecurity is a complex policy issue with stakeholders across government, regulators and industry. Implementation requires extended intervention over years across different areas of the economy, and consensus on success metrics (how to know when security has reached an optimal level).

    Resource constraints and dependencies in this example are sensitive to funding (as intervention will require both private and public investments in financial, human & material resources) and co-ordination (spanning a wide group of stakeholders across the private and public sectors). As more actors become involved during implementation, having target groups and bureaucratic agencies take part in subsequent agenda setting rounds can help to mitigate implementation issues. Government convening power will play a vital role to ensure a good platform for cooperation between several different groups.

    With a prominent role for Industry as an agent for implementation (industry acting almost as street level bureaucrats in this example), the principal-agent dynamic will require a contract that balances Government monitoring and control with private corporate goals and fiduciary duties.

    Best approach for evaluation and possible constraints

    Evaluation should test a previously agreed hypothesis with a sample group in order to establish whether intervention is having a meaningful impact.

    An independent body will offer the best mechanism for stakeholders to join in a common evaluation project that builds trust in the evaluation process and findings (bearing in mind the information asymmetries and differences in interests between stakeholders). In this case the recommended form of evaluation is a cost–benefit analysis as this type of evaluation can compare the inputs and outputs of the intervention to assess its economic effectiveness. Economic effectiveness is likely to have a disproportionate influence in how cybersecurity objectives are achieved and maintained over the long term (and secure further political attention that may be needed as the policy cycle continues).

    Bounded rationality will place a significant constraint on policy makers given the duration and complexity of the interventions in this example. The use of experimental design for the impact evaluation can help to address policy maker bias (subject matter, beliefs systems or ideologies) and avoid situations where evaluation is used to justify political positions.

    References

    Bachrach, P. & Baratz, M.S. 1962. Two faces of power. The American Political Science Review, 56(4):947–952. https://www.jstor.org/stable/1952796.

    Cairney, P. 2012. Understanding public policy: Theories and Issues. London: Red Globe Press.

    Dahl, R.A. 1957. The concept of power. Behavioral Science, 2(3):201–215. DOI: https://doi.org/10.1002/bs.3830020303.

    Downs, A. 1972. Up and down with ecology – the “issue-attention” cycle. The Public Interest, 28(Summer):38–50.

    Howlett, M., Ramesh, M. & Perl, A. 2009. Studying public policy: policy cycles & policy subsystems. Rev. 3rd ed. Toronto: Oxford University Press.

    Kingdon, J. 2013. Agendas, alternatives, and public policies. 2nd ed. United States: Pearson Higher Education.

    Cobb, R., Ross, J. & Ross, M.H. 1976. Agenda building as a comparative political process. The American Political Science Review, 70(1):126–138. DOI: https://doi.org/10.1017/S0003055400264034.

    Hogwood, B. & Gunn, L.A. 1984. Policy analysis for the real world. Oxford: Oxford University Press.

    Lipsky, M. 1980. Street-level bureaucracy: dilemmas of the individual in public services. New York: Russell Sage Foundation.

    Bovens, M., ’t Hart, P. & Kuipers, S. 2006. The politics of policy evaluation. In The Oxford handbook of public policy. M. Moran, M. Rein & R.E. Goodin, Eds. Oxford: Oxford University Press. 319–335.

    Weiss, C. 1999. The interface between evaluation and public policy. Evaluation, 5(4):468–486. DOI: https://doi.org/10.1177/135638909900500408.

  • Security, Corporate Affairs & Compliance

    By Stephen Hermanson

    The special alliance that helps to ensure that public policy interventions achieve good and sustainable security outcomes

    29 May 2026

    The traditional cybersecurity compliance assessment arrived. The legislation had been in place for some time, the regulatory interpretation was mature, and Compliance colleagues were ready and understood the process. All good so far.

    During the process, questions surface about the medium- to long-term relevance, effectiveness and proportionality of the obligations. The compliance process continues, the outcome is positive, and these questions are put aside.

    Later, the government updates the national cybersecurity strategy, setting out an agenda for strengthening cyber security outcomes for the country. In due course a public consultation arrives, and industry is invited to comment on updates to the legislation.

    External/Corporate Affairs notice the consultation. It’s a security thing, not directly related to the traditional policy themes for this sector. Even so, someone asks Security about it. What happens next?

    A Security Public Policy team will have spotted the consultation already, and may even have advised on its scope, questions and timing following close engagement on the government’s security agenda.

    Prepared positions are ready, the legwork having been done with the SecOps teams that need to respond to the threat whilst meeting public policy expectations. Security Public Policy has already spotted that compliance assessments have highlighted some questions that need addressing, and has rolled those into the analysis.

    Security Public Policy collaborates naturally with External/Corporate Affairs, so the corporate narrative and strategy are neatly integrated into the security position. Political and civil service engagement is synchronised and co-ordinated.

    The process repeats itself for national infrastructure resilience, national security & investment, ransomware, physical protection, cyber security, product security and the full A-Z of the security public policy agenda.

    Different departments, agencies and alliances are engaged. Trust and credibility are established or strengthened through data-led evidence about the impact of current and proposed measures. The Executive Committee and Board are confident that security obligations allow for sustainable operations and investments.

    Eventually, the next iteration of legal and regulatory updates arrives (after sustained monitoring and interventions by Security Public Policy to fact-check proposals, understand the counter-lobby, course correct and generally keep the process moving in the right direction).

    Compliance has already adapted, having been part of the Security Public Policy analysis, and everyone is confident the business understands the new obligations, the purpose, the private sector responses (and asks), and the risks. No surprises.

    SecOps are happy as they can focus on operations and defence during the public policy cycle, and know what to expect when it concludes. Compliance is happy as they can concentrate on the technicality of compliance assessment, being confident the legislation and regulatory interpretations are clear. External/Corporate Affairs are happy as the business has shown itself as a trusted and reliable advisor to government and industry. Strategy is happy as the public policy outcome introduces no barriers and may even directly support the business strategy.

    The absence of a Security Public Policy cadre, it seems to me, puts all this at risk. Perhaps this role can be given in whole or in part to a combination of SecOps, Compliance, External/Corporate Affairs or others (even 3rd parties). I’m not convinced this fragmented approach produces good public policy interventions.

    Organisations that invest in this cadre are not waiting for clarity. They’re helping to shape it by investing in intelligence, analysis, solutions, relationships and alliances.

    Organisations that only think about Security Public Policy when change, uncertainty or shifting government priorities appear will find that key decisions have already been made and shaped by others.

  • Assessing Potential Impact

    By Stephen Hermanson

    21 May 2026

    The previous article shared an overview of the UK government’s legislative agenda for security and resilience. This follow-up helps to flesh out some of the questions that individual organisations could or should be asking about the potential impact.

    Monitoring and engagement can build a picture of the legislative agenda and how others are responding. Depending on the impact, a passive stance may suffice. However, the purpose of Security Public Policy is to understand the relevance and impact of the legislative agenda to the organisation, its supply chains and the broader eco-system.

    Therefore, an intelligence brief about the legislative agenda should be accompanied by an impact assessment that considers how new or amended legislation may influence operational, financial, reputational and strategic risk. This understanding is important to allow business leaders to make informed choices about how to respond. In essence:

    • Protect the business (reduce risk).
    • Ensure appropriate partners and funding (sustainability & efficiency).
    • Remain compliant.

    To illustrate, I’ve taken the UK Cybersecurity & Resilience Bill as an example. Whilst the questions could apply equally regardless of the legislation, the specific purpose, scope and timing of legislation together with the specific context and constraints for the particular organisation may require more specific questions.

    The nine lenses below offer a framework for considering organisational impact. It’s not an exhaustive checklist, and each element could expand to include additional considerations. It’s offered simply as a starting point.

    Lens | Focus
    1. Supply Chain Response | Mapping exposure and seeking to understand new or adjusted obligations on supply chains and how these co-exist with your own obligations. The ultimate aim is to strengthen operational effectiveness by driving clarity about responsibility and accountability.
    2. Customer Response | Looking closely at demand shifts, procurement criteria, contract management and consolidation risk. The ultimate aim is to ensure customers are confident about your security posture and compliance. In some instances, you may be supporting customers to understand their obligations.
    3. Sector Regulator Response | Your regulator’s interpretation is your effective compliance standard. The aim is to remain engaged with the regulator (and possibly multiple regulators) to understand the timetable and process for arriving at new/adjusted interpretations, and to be ready to provide evidence-based input to support or challenge regulatory measures.
    4. Cross-Sector Consistency | Divergence risk for multi-sector operators and suppliers. This can often be the most neglected element, as organisations need to look beyond their immediate sector and regulator to understand how horizontal security & resilience legislation plays out. The aim is to understand and remedy any ambiguities, gaps or inconsistencies between sectors.
    5. International Comparison | Security and resilience are agnostic to borders, and global supply chains continue to transcend jurisdictions. Many of the technical standards and guidelines that underpin the implementation of security & resilience controls stem from collaborations in regional and international standards bodies and alliances. The aim is to offer a practical perspective on where and how international approaches need to adapt.
    6. Threat Actor Response | Adversaries get a vote too. They will be looking closely at the steps governments and organisations are taking to detect, protect and respond to attacks. Threat Intelligence can play an important role in understanding how adversaries are responding and adapting. The aim is to pair good Threat Intelligence with good Security Public Policy to design measures that are relevant, effective and sustainable.
    7. Internal Governance & Culture | It’s very easy for all of this to go unnoticed at ExCo and Board levels unless the impact assessment can package and articulate the risks in a timely and effective way. The aim is to ensure sustained and reliable access to the ExCo and Board to ensure literacy, ownership clarity, compliance maturity, and prioritisation. The key is to frame security and resilience as part of the broader External/Corporate Affairs strategy.
    8. Insurance Market Response | It’s worth keeping an eye on underwriting shifts, policy terms and regulatory penalty cover. In an environment such as security and resilience, where it’s acknowledged that incidents are inevitable, insurance can play a central part in response and recovery. Understanding of the threat landscape, performance against regulatory obligations and a credible track-record of investments in security and resilience will feature strongly in underwriting discussions.
    9. Investor & ESG Scrutiny | Investors may seek to apply their own interpretation and standards (usually from their home jurisdiction or other parts of their portfolio). They will seek confidence in the organisation’s security and resilience performance and relationships with government, regulators and agencies. They’ll want to be certain about disclosure, prioritisation, efficiency and risk tolerance. The aim is to understand and reconcile these factors.

    The nine lenses are not equally urgent. They map to different planning horizons and organisational functions. Organisations should calibrate them to their sector, size, supply chain complexity and regulatory relationships. For example:

    Priority | Lenses | Rationale
    Immediate | Regulator · Supply Chain | Regulatory guidance and supply chain scope determine your actual obligations before secondary legislation is confirmed.
    Near-term (2026) | Cross-Sector · Governance · Insurance | Secondary legislation consultation. Board governance and insurance alignment can begin immediately.
    Strategic (2026–28) | Customers · International · Threats · Investors | Longer planning cycle. These lenses inform investment decisions, international strategy and market positioning over the full implementation period.

    In conclusion, not every question will be relevant to every organisation. These proposed lenses can provide a structure for workshops or risk assessments. The key is to keep pace with the policy cycle and remain engaged at proposal, primary legislation, secondary legislation, regulatory guidance and standards development. New or reformed public policy considerations and risks could emerge at each stage, especially in response to powerful lobbies.

  • UK Legislative Agenda for Security & Resilience

    By Stephen Hermanson

    14 May 2026

    The King’s Speech traditionally receives a comprehensive level of analysis and commentary, which is no different in 2026.

    This piece is a small contribution that focuses specifically on the government’s agenda for security and resilience, which contains a number of legislative measures to respond to the security landscape driven by the current geopolitical context.

    For organisations on the frontline, responding to security threats, the timing and nature of public policy interventions have important implications for the success and sustainability of security postures and investments.

    A complex tapestry of extant, updated and new legislation has arisen to provide both governments and industry with mandates and obligations to understand and respond to threats against national security and resilience (examples in Annex-A).

    Leaving aside how governments define national security and resilience (something to return to in a future piece), the mission for organisations is to chart a course through a complex array of legal and regulatory requirements to arrive at an effective and sustainable security strategy.

    Too often, however, the strategy merely responds to the legal and regulatory position as it lands. At this point the legal and regulatory position has determined the paradigm and broad parameters. Security Public Policy gets in front of this cycle and helps to assess and shape the design and scope of legislative measures for current and future contexts.

    This is useful as it brings real world operational data about security into the public policy process. This allows for careful analysis of what works, what doesn’t and what the trade-offs might be in terms of cost, capability and intrusion. It’s also useful as it allows for a holistic approach that considers how separate pieces of legislation co-exist to support/amplify effects.

    There’s no avoiding the reality of complex legislative stacks. The role of Security Public Policy is to refine and consolidate security and resilience measures to reduce overlap, ambiguity and gaps insofar as possible – looking across primary and secondary legislation, regulatory interpretations and industry standards.

    The aim is effective and efficient public policy that creates the conditions for good security outcomes. It’s a long game that needs to span a number of policy cycles, financial years and even governments.

    Annex-A – Key Security Initiatives as of 14 May 2026

    Legislation | Headline Summary
    Cyber Security & Resilience Bill | Replaces the 2018 Network & Information Systems (NIS) Regulations. Expands scope. 24/72-hour incident reporting. Regulators gain cost recovery and audit powers.
    Computer Misuse Act Reform | New legal defence for individuals who access systems in good faith to identify and responsibly disclose vulnerabilities where they follow defined safeguards.
    Terrorism (Protection of Premises) Act (Martyn’s Law) | Comes into force no earlier than April 2027. The Security Industry Authority oversees compliance with proactive steps to ensure formal security planning and training for public events.
    Border Security, Asylum & Immigration Act | Counter-terrorism-style ‘precursor offences’ criminalise supply chain support and information gathering for organised immigration crime.
    Crime and Policing Act | New youth diversion orders for terrorism-related arrests. Police can extract data from cloud accounts accessed via seized devices.
    Tackling State Threats Bill | New designation mechanism for state-linked organisations to disrupt foreign proxies and front companies. 2023 National Security Act offences also extended to state proxies.
    National Security Bill | Criminalises creation and sharing of the most harmful online material associated with mass casualty planning. Extends the Online Safety Act framework.
    Energy Independence Bill | Explicitly framed as a national security measure and creates a dual regulatory track for energy operators that intersects with Cyber Security & Resilience Bill obligations.
    Armed Forces Bill | Introduced in the 2024–26 session and carries over to 2026–27. Improves the service justice system and establishes the Armed Forces Covenant in statute.
    Defence Readiness Bill | Absent. Would have implemented the Strategic Defence Review 2025 recommendations. Defence Investment Plan stalled.
  • By Stephen Hermanson

    Critical national infrastructure’s increasing significance as a central component of national security is feeding through into new primary legislation, regulation, and more exacting oversight regimes.

    The broader security environment remains challenging. Technology has become increasingly embedded, distributed, and connected — and is being met by more aggressive and greater numbers of adversaries.

    Governments and industry should work together to better understand each other’s needs, and ultimately devise and implement policies that use proportionate, cost-effective, and phased security measures based on risk and evidence.

    More to follow.