You Cannot Mandate Compliance. You Have to Earn It.

Adam Sealey

There is a version of security leadership that operates on authority. You write the policy. You enforce the policy. You report exceptions. You escalate violations. Compliance is measured. Boxes are checked.

This version does not work at a company like NIKE.

At a brand built on culture, performance, and athlete identity, no one follows security direction because it is written down somewhere. That is not how influence works inside a strong-culture organization. The people who need to act on your guidance — engineers, product teams, finance leaders, legal partners — are capable, motivated, and genuinely not waiting for a security policy to tell them what to do.

If security wants to be heard, it has to earn the right to be heard.


What Earning It Actually Means

The shift is from security as enforcement to security as partnership. That sounds straightforward. It is not.

Partnership requires understanding what the business is actually trying to accomplish — not at the summary level, but at the level of detail where you can see the real tradeoffs. What is the product team building, and why does it matter to them? What is Legal trying to solve for, and what constraints are they operating under? What does Finance actually need out of the governance process?

When security understands those things, it can stop showing up with a compliance checklist and start showing up with something more useful: a perspective on how to accomplish the business goal securely. Not “you cannot do that.” But “here is how we can do that in a way that works.”

That framing changes everything. It changes who wants to be in the room with you. It changes whether people call you early in a project or late. It changes whether the business sees security as a partner or a speed bump.


The clearest proof point from my tenure at NIKE is the relationship with our VP of Privacy Counsel.

When the SEC introduced new cyber disclosure requirements in 2023, requiring public companies to disclose material cybersecurity incidents within four business days, there was no industry playbook. The rules were new. The stakes were real. And the work required legal interpretation and technical implementation to happen simultaneously, under live pressure.

We had to rebuild NIKE’s entire incident response framework from the ground up, together. She had to trust our technical judgment on what constituted a material incident under NIKE’s capabilities. We had to trust her legal judgment on what the disclosure obligations actually required. Neither team could do their job without the other doing theirs with excellence.

That kind of trust does not emerge from a governance framework. It was built over years of working together on investigations, regulatory responses, and difficult situations where both teams had to show up and deliver. By the time the SEC rules arrived, we had already done the work of building genuine peer trust. The framework was hard to write. The relationship that made it possible had been built long before.

In those moments, when a regulator is potentially waiting and the clock is running, you find out very quickly whether you actually trust each other — or whether you have just been cordial.


What This Means for Security Leadership

The practical implication is this: the effectiveness of a security program is not primarily a technical problem. It is a relationship problem.

The security leader who invests early in understanding what each business partner is trying to accomplish, who shows up for difficult situations and proves reliable under pressure, who disagrees directly and then unifies publicly — that leader builds a security program that the business actually wants to execute. Not because they have to. Because they trust it.

Policies still matter. Governance still matters. Controls still matter. But none of them are substitutes for the credibility that makes people want to engage with security instead of routing around it.

You cannot mandate that. You have to earn it.