The Function That Never Got a Seat
A company can run a full security department and still have no security function. The department sits on the org chart. The function would sit inside risk, strategy, and the board agenda. Most do not.
A company can publish an org chart with a clean box marked Security. Head of department, a budget line, a set of quarterly KPIs, an access-control system that logs every door. By every visible measure, the company has security. Walk into the boardroom where capital gets allocated and strategic risk gets ranked, and that same security is usually not in the room. The department exists. The function does not.
I want to be precise about the distinction, because it is the entire argument. A security department is an operational unit: it guards premises, runs cameras, manages badges, responds to incidents after they start. A security function is something else. It is security treated as a lens on enterprise risk, present where the company decides what it is willing to lose, what it will spend to protect, and which threats reach the level of board oversight. The first is a cost centre that does tasks. The second is a way the organisation governs itself. Having the first is not having the second, and most companies have only the first.
The numbers say this is not a fringe failure. The ASIS Foundation, studying physical security, cybersecurity, and business continuity across the United States, Europe, and India, found that only about one in five organisations had fully converged the three. Convergence is the weaker test: just getting the security disciplines to work together and close the gaps between them. Just over half had converged two of the three, and of those that had not converged at all, most reported no plans to. Integration into enterprise risk governance, the higher standard, is rarer still. The department is nearly universal. The function is the exception.
What “a function” actually means
The clearest external benchmark for what security-as-a-function looks like is Enterprise Security Risk Management, the approach ASIS International formalised in 2016 and codified in its 2019 guideline. The core move is deceptively simple. Security stops being a list of protective tasks and becomes a structured way of identifying assets, assessing the risks to them, and prioritising mitigation in line with the organisation’s strategy. The business unit owns the risk. Security identifies it, frames it, and helps the organisation decide. That is a governance posture, not a guarding posture.
To see why this matters at the top of the company, look at what a board is actually for. A board does not run the business. It exercises judgement, and the unit of that judgement is a single relationship: value against risk. Every initiative that reaches the board carries both, and they tend to move together. The more value an initiative promises, the more risk its pursuit usually carries, and not only financial risk. The board’s job is to weigh the two and decide whether the value is worth the exposure. That is the whole of oversight, compressed into one trade-off, repeated for every major decision.
A board can only weigh a risk it can see. And here is where the distinction between department and function stops being academic. To price the value side of the trade-off, a board has instruments already in the room: strategy, finance, the market read. To price the risk side in full, it needs an equivalent instrument, and a security report delivered after the fact is not that instrument. A report is an output. What the board needs is the way of thinking that produced it, present in the judgement itself, before the decision is made. That way of thinking is the security function. Without it, the board still weighs value against risk, but it prices value in full and risk by half.
ISO 22316, the international standard for organisational resilience, points the same direction from a different angle. Its principles for a resilient organisation explicitly name good governance and coordination across all areas, not a strong guard force. Resilience, in the standard’s logic, is a property of how the whole organisation is wired, not of a single defensive unit bolted to the side of it.
Read together, both say the same thing. Security earns the name “function” when it sits inside the machinery of decision. When it sits outside that machinery, however large its budget, it is doing important work, but it is guarding, not governing.
Why the department is not the function
There are four places to look, and the gap shows up in each.
First, where risk decisions get made. Enterprise risk gets ranked somewhere: a risk committee, an audit committee, a quarterly review where leadership decides what the company is genuinely worried about. The test is whether security is a voice in that ranking or a recipient of its output. In most companies it is the recipient. It learns the priorities after they are set, then resources itself against them. It does not help set them.
Second, capital allocation. Budgets are where priorities stop being rhetoric. A security department defends a line item, usually framed as overhead, and usually first to be trimmed. A security function shapes where protective capital goes across the business, because it is treated as the discipline that understands what is exposed and what an exposure would cost. The difference is between asking for money and being in the conversation about where money should go. Almost every department is in the first position.
Third, board oversight. This is where the value-risk trade-off gets its sharpest test. Boards now sit on top of a risk landscape they cannot ignore. Cyber incidents have ranked as the single top global business risk in the Allianz Risk Barometer for five consecutive years, holding their highest-ever score and a ten-point lead over every other peril, while business interruption, after fifteen years at first or second, has slipped to third. These are board-level concerns by any reading. Yet the discipline that understands them most directly is, in most companies, two or three layers below the board, reporting up through facilities or IT, summarised into a status update by the time the agenda reaches the directors. So the board prices the value of its biggest initiatives in full, with strategy and finance in the room, and prices the matching risk through a report that arrives after the thinking is done. The most valuable decisions are usually the most exposed, which means the board is weighing its highest-stakes trade-offs with the risk side of the scale only half-lit. That is not a failure of the security department. It is a gap in the board’s own instrument for judgement.
Fourth, what happens in an incident. This is where the absence of a function stops being abstract. When security is only a department, a serious incident triggers improvised coordination: finance, communications, legal, and operations discovering in real time that no one owns the cross-functional response, because the only unit with “security” in its name was scoped to guard doors, not to coordinate the enterprise. When security is a function, that coordination is already designed. The incident does not invent the response. The same logic runs through the resilience literature: the gaps that hurt are the spaces between functions, and only something positioned across those spaces can close them.
The perception problem
Here is the part that keeps the gap alive. Because the department is visible, leadership believes the function exists. The org chart shows a box. The budget shows a line. The KPIs show activity. All of that is real, and all of it measures guarding, not governing. A company can score well on every metric its security department reports and still have security entirely absent from the decisions that determine whether the company survives a bad year. The presence of the department is precisely what hides the absence of the function. It is the most comfortable kind of governance gap, because nothing looks wrong.
There is an economic edge to this that boards underrate. The World Economic Forum’s Global Cybersecurity Outlook 2025 describes a landscape getting structurally more complex, where the line between regulated and unregulated, and between large and small organisations, is widening into a resilience gap, and where the organisations that cope are the ones aligning security with governance structures rather than treating it as a technical bolt-on. The market is moving toward the function. Most boards are still funding the department and calling it the same thing.
The line
Security without governance is just guarding. Guarding is necessary. A company that does it well is safer at the perimeter than a company that does it badly. But guarding is not the same as having security inside the way the organisation weighs value against risk, and the gap between the two is invisible precisely because the guard is so visible.
So the question is not whether your company has a security department. Almost all of them do. The question is narrower and harder. A board’s entire job is to weigh what an initiative is worth against what it risks, and the most valuable moves are usually the most exposed. When your board last made a decision of that size, did it price the risk with the same instrument it used to price the value, or did it see the value in full and the risk through a report that came afterwards? Because a board that can only see half the risk is not weighing the trade-off. It is guessing at it, and calling the guess oversight.
The next part of this series turns to the consequence boards feel first: a function this far outside the decision machinery is also a function almost no one can measure.