Every quarter, executives hear from their CISOs about their company’s current “state of security” or “risk posture.” CISOs present internal vulnerabilities such as weak access controls for IT to fix or exploitable code for Development to remediate, and external threats such as new malware on the scene or an upsurge in a particular type of phishing. Along with that of cybersecurity risk, discourse around financial risk and legal risk has become commonplace among business leaders with established – albeit far from bulletproof – methodologies.
Imperfect as they may be, the ever-maturing metrics and processes (compliance-mandated in part) help assure executives that their likelihood of being blindsided by financial, legal, or cyber trouble has been reduced to some degree. At the very least, these processes are a marker of a company making an active effort to understand and mitigate their threats, but there is a crucial piece of the puzzle missing.
Except by large multinational corporations at the top, Geopolitical Risk (GPR) is largely ignored – but not for the reasons you may think. It is not because smaller companies are immune to, or are absolved of, geopolitical risks, but because there is a fundamental misunderstanding around the role of GPR and its interconnectedness with other threats about which C-Levels are accustomed to hearing.
We all know that responsible cyber risk analysis does not stop at internal factors but also leverages threat intelligence to stay abreast of the external risk landscape for your organization. In the same vein, GPR is not an isolated category of risk reserved for MNCs, but rather a zoomed-out macro view on the very threat landscape we are already examining.
Financial, legal, and cybersecurity risks are often functions of geopolitical risks, with GPR underlying— and frequently even foreshadowing—the more tangible threats that warrant mitigation. In essence, GPR analysis is meant to help organizations understand how they may be inherently susceptible to certain direct threats (financial, legal, cyber, etc.) due to their geopolitical footprint.
To understand how geopolitical risks can serve as causal factors for concrete and direct risks to information security, we can walk through one of the most straightforward examples of GPR’s significance: hacktivism. Hacktivism epitomizes the irrefutable impact of socioeconomic and cultural factors on Cybersecurity.
A huge body of literature has been written by academics, intelligence analysts, and InfoSec practitioners alike on the rise and roots of hacktivism as an act of protest or retaliation against political oppression, economic depravity, and injustice. Sometimes the hacktivism is subsumed as part of the geopolitical event itself (think Anonymous’ “Operation Tunisia” DDoS attacks during the 2010 Arab Spring), and sometimes hacktivists take advantage of the world’s attention on a geopolitically-charged event (think OpOlympics). It’s easy to understand why geopolitical events often provoke hacktivism, and interestingly enough, (h)acktivists perpetrate twice as many incidents as state-sponsored actors or terrorists in most of the world. What may come as a surprise is that based on historical precedent, SMBs affected by hacktivist attacks actually end up suffering more as a result than larger companies do.
Following this theme, corporate leadership must prepare strategically and operationally for anticipated hacktivism during international sporting events and vigilantly track the precipitating regional social tensions that have historically given rise to hacktivism.
If executives and the experts they hire to educate them on risk would recognize this type of interconnectedness in hacktivism and the many cases which are more nuanced, they would be able to weave together a more comprehensive risk picture and anticipate risks earlier and with more profound and precise insight, saving the company time and money and avoiding reputational damages.
Acknowledging this gap is an important step, but even the most seasoned members of the cybersecurity community and the risk management community at large have a limited grasp on Geopolitical Risk. This is understandable as international affairs are not only highly complicated, but much of the information we have access to can be opaque at best and misleading at worst. We cannot expect business leaders to be able to navigate through the confusion of digesting raw geopolitical information alone.
Executives need to know that there are reputable methodologies, robust indices, and qualified analysts who are in fact looking to GPR for the causal factors behind direct business threats. However, even the best analysis can only go so far in helping you understand your company’s own risks without becoming proficient in your specific business context. To be more precise, proper InfoSec risk analysis begins with absorbing the scope of your company’s IT footprint by enumerating assets and assessing the organization’s security culture, which includes gauging the leadership’s risk tolerance.
Similarly, GPR analysis begins with assessing your company’s geopolitical footprint by asking what assets you have and where, understanding your risk appetite, and deducing the relevant forces or “risk sites” to which you are most susceptible. In both, the ultimate goal is for you as an Executive to be informed of your strengths and weaknesses, so that you go into making decisions and crafting strategy well-armed.