Silence Is Not Safety
How Normalcy Bias Blinds Leaders to Digital Risk
CEO & Co-Founder, BA (Hons), QTS, FRSA — Hermes Digital
On 14 January 2018, Carillion — a FTSE 250 construction and services company employing 43,000 people — entered compulsory liquidation. The collapse was the largest trading liquidation in UK corporate history. It was not, however, a surprise. Not to the analysts who had flagged deteriorating margins for two years. Not to the short-sellers who had been accumulating positions for months. And not to the creditors who had been quietly tightening terms.
It was a surprise only to those who had mistaken the absence of a public crisis for the absence of a developing one.
This is normalcy bias in its purest form. And it is the single most expensive cognitive error available to anyone responsible for protecting a reputation.
The Mechanics of Normalcy Bias
Normalcy bias is the tendency to interpret warning signals through the lens of normal experience. It is not denial — it is something more insidious. It is the genuine, cognitively effortless belief that because things have always been a certain way, they will continue to be so.
The bias is well documented in disaster research. Studies of evacuations consistently show that individuals underestimate the severity of approaching threats — not because they lack information, but because their reference frame is calibrated to normality. The person who has never experienced a flood does not process a flood warning with the same urgency as someone who has.
Applied to digital risk, the bias operates identically. The executive who has never experienced a reputational crisis does not process the accumulation of digital vulnerabilities as urgent. Their reference frame — years of stability, no adverse incidents, a clean Google search result — reinforces the assumption that the current state is the permanent state.
It is not. It is simply the state that has not yet been disrupted.
The Silence Trap
The most dangerous feature of digital risk is that it accumulates silently. Physical threats — a break-in, a legal claim, a regulatory investigation — announce themselves. They produce observable events: a police report, a letter before action, a dawn raid. The absence of these events is, within reasonable limits, evidence that the physical threat environment is stable.
Digital threats do not behave this way. A hostile actor researching your background does not trigger an alert. A journalist compiling a dossier from public sources does not file a notification. A competitor mapping your corporate structure through Companies House and Land Registry records does not announce their intentions. An activist group identifying your involvement in a politically sensitive venture does not send advance warning.
The activity is invisible to the target. The silence is not safety. It is the pre-operational phase.
This distinction is not academic. It has direct consequences for how senior leaders assess their exposure. The question most commonly asked — "Has anything happened?" — is the wrong question. Nothing needs to have happened for a significant vulnerability to exist. The correct question is: "What is currently discoverable about me, and who might have a motive to discover it?"
Why Stable Periods Are the Most Dangerous
Counter-intuitively, the greatest accumulation of undetected digital risk occurs during periods of professional success and public stability. There are two reasons for this.
First, success generates exposure. Every board appointment, media appearance, industry award, and conference keynote expands the digital footprint. Each new data point — a photograph, a quoted statement, a listed affiliation — adds to the corpus of publicly available information that can be assembled, cross-referenced, and selectively presented by anyone with an interest in doing so. The executive at the peak of their career has, by definition, the largest and most complex digital footprint of their professional life.
Second, stability reduces vigilance. When nothing has gone wrong for an extended period, the perceived probability of something going wrong diminishes — regardless of whether the actual probability has changed. Resources allocated to reputation management are redirected to growth priorities. Monitoring, if it existed at all, lapses. The institutional muscle memory for threat assessment atrophies.
The result is a paradox. The period during which an executive's exposure is greatest is precisely the period during which their attention to that exposure is lowest. The gap between vulnerability and awareness widens in direct proportion to professional success.
Breaking the Bias
Overcoming normalcy bias does not require pessimism. It requires methodology.
The bias persists because digital risk is assessed intuitively rather than systematically. An intuitive assessment, operating from a reference frame of stability, will always conclude that the current state is acceptable. A systematic assessment, operating from defined parameters, will identify vulnerabilities regardless of the assessor's personal experience.
This is the function of a structured digital threat audit: to replace intuitive comfort with empirical evidence. Not because the evidence will necessarily reveal a crisis in progress, but because the process of collection forces a confrontation with the actual scope of exposure — which is, in almost every case, materially larger than the subject expected.
The audit itself is not the defence. The defence is the shift in posture it produces — from passive assumption to active awareness, from reactive monitoring to proactive intelligence, from the question "Has anything happened?" to the question "What would I need to know to prevent something from happening?"
The Cost of Comfortable Ignorance
Carillion's board members did not wake up on 14 January 2018 expecting to oversee the largest trading liquidation in UK history. They expected another day of incremental management, another quarter of challenging-but-manageable conditions, another board meeting confirming that the trajectory, while difficult, was containable.
The silence was comfortable. The silence was not safety.
For any senior leader whose digital exposure has not been systematically assessed in the past twelve months, the same principle applies. The absence of a visible threat is not evidence of security. It is evidence that you have not looked.
And if you have not looked, you cannot know what someone else has already found.