What Is the Role of Security?
- Matt Kent
- Oct 24

The Question We Rarely Stop to Ask
What is the role of security? What’s our purpose?
It sounds almost too fundamental to ask, but amid the routine cycles of weekly security work - patching, incident response, audits, awareness campaigns, access control reviews - how often do we stop and ask why we’re doing it all?
Ask that question in any programme or leadership forum and the answers are usually the same:
> “We’re here to protect the business.”
> “To help it operate safely.”
> “To make sure we can achieve our goals.”
All fair answers. But when you press for more detail - what does helping the business achieve its goals actually mean? - the silence is telling.
Defining the Role
Our definition, taught on the Next Generation Security Practitioner programme, is this:
“The role of security is to protect the business in pursuit of its goals.”
Simple, yes - but deceptively powerful. Because when you look closely, this definition places business at the centre of security. Not the other way around.
Security doesn’t exist to impose controls, to maintain compliance, or to preserve order for its own sake. It exists to protect the organisation in pursuit of what it’s trying to achieve.
Which means the motivation for every control, every investment, every decision… should be grounded in one thing: business risk.
Why Business Risk Must Come First
We’re called Governance, Risk and Compliance - but in truth, the order should be Risk, Governance, and Compliance.
Risk defines how much security is required in a given area, and how much governance is needed to keep the business safe while it grows. Yet risk often sits lower on the agenda, beneath compliance and control frameworks that promise assurance - but don’t always deliver alignment.
Businesses have to take risk to succeed. Risk is not the enemy; it’s the cost of progress. What matters is whether security understands the kind of risk the business is taking, and whether it can shape itself around that reality.
Moving from Compliance to Context
The truth is, compliance-based thinking is still deeply entrenched. For many, being “risk-based” is something to aspire to - a maturity yet to be reached. But if business risk isn’t driving your security strategy, then what is?
Remaining compliant will not stop an attack. Nor does it guarantee alignment with what the business actually needs. Compliance tells you what must be done. Risk tells you why it matters.
Making Risk Tangible
So what does “business risk” really look like?
It isn’t just a number on a register or a statement in a board paper. It’s visible in how the organisation behaves - its investments, its ambitions, its appetite for change.
On our programme, we use a model inspired by the Boston Matrix to help practitioners map this concept in practical terms. It highlights how an organisation’s mode and risk appetite shape what kind of security it really needs.

Risk Appetite vs. Ability to Mitigate Risk © Évolution Formation & Développement SARL, France | GRC-X 2025.
Reading the Model
Each quadrant represents a distinct business mode - and with it, a different expectation of security’s role:
- Disrupting – The business is moving fast, breaking ground, taking bold bets. Your job? Enable, don’t block. Shape the risk, don’t smother it.
- Expanding – Scaling up, launching new services, chasing opportunity. Security must keep pace, embedding controls that scale, not slow things down.
- Protecting – The business is steady, reputation matters, risk appetite is low. Now you’re defending, maintaining trust and stability above all else.
- Shrinking – Under pressure, budgets tight, risk rising. Security must stop the rot before it spreads, prioritising the essentials to protect what remains.
The point is this: security’s role changes with the business. There’s no single playbook. What matters is context - and how effectively security reads the organisation’s true mode and appetite for risk.
Key Takeaways: What This Means for Security Teams
When you look at the model, a few things stand out:
- Risk appetite isn’t abstract. It’s visible in how your organisation behaves - how fast it moves, where it invests, how it reacts to setbacks. Security needs to read those signals and adapt its posture.
- Your role changes with the business. Security looks different in every mode - enabler, scaler, defender, or stabiliser - depending on where the business sits on the risk curve.
- Context matters more than compliance. The right security decisions start with understanding the business context, not ticking control boxes.
- Alignment is everything. Security must track to business goals, not just vulnerabilities. When you speak the language of business, your influence grows.
- Risk is your compass. It’s the true north of every security decision. If your choices trace back to a clear understanding of business risk, you’re already leading at the level that counts.
Final Thoughts
If security isn’t anchored in business risk, then it’s just activity. The real test of maturity isn’t how many controls we deploy - it’s how well we understand the risks the business is willing to take, and how we help it take them safely.
Because in the end, security isn’t about slowing the business down. It’s about giving it the confidence to move forward.
Join the Conversation
Learn how to align security to business risk and transform the way your organisation makes security decisions.
The Next Generation Security Practitioner Learning Journey is designed to help practitioners align security with business risk and transform the way their organisations make security decisions.
Author: Matt Kent is Director of Learning & Development at GRC-X, and formerly with the Information Security Forum. With a track record in pioneering GRC training and professional development, he regularly contributes as a thought leader, international congress speaker, and panelist on the future of security leadership.