As a cybersecurity professional, you may have come across the term “geopolitical risk” from time to time, and it’s possible that you dismissed it as something too nebulous or esoteric to be applicable to your everyday work.
It’s easy to make this judgment, as the field of geopolitics tends to be perplexing and opaque, especially since its academic roots in Political Science are not exactly on the radar of those with a technical background, the group that comprises a large part of the cybersecurity community.
Through client work, threat intelligence gathering, and listening to the market diligently, our team has determined that for the majority of organizations, risk management activities are actually incomplete without geopolitical risk considerations.
Let’s take a few steps back to clarify concepts around Geopolitical Risk, simplifying what can be justifiably perceived as convoluted by many InfoSec practitioners who have traditionally focused on other types of risk.
Geopolitics as a Concept:
Geo = earth (Greek)
Politics = pertaining to citizens of the State; public life (Latin “politikos”)
The literal meaning of geopolitics is how the politics of a nation are affected by its geography. This encompasses location, topography, climate, natural resources, wealth, and of course, positioning in relation to significant forces such as bodies of water and most prominently, neighboring nations.
Generally, the study of geopolitics looks at the ways that physical location influences how citizens relate to one another.
With growing global access and interconnectedness over the course of history, geopolitics considers how people across nations relate to each other as well through international relations (war/conflict, diplomacy, competition, etc.), governance, institutions, trade, and the coalescing of cultures.
While proximity is still an essential factor, today’s geopolitical landscape is not limited to neighbors.
In fact, an event or trend taking place in one nation frequently has far-reaching consequences, and oftentimes the effects can be much stronger on a nation on the other side of the world than on its neighbors.
The most discernible example of this is the Cold War between two powers far from one another geographically, and the proxy warfare – physical and ideological – that ensued as a byproduct.
Especially with the proliferation of fast and easy communication and travel, plus interstate ballistic capability, international security and relations – geopolitics – are unbound by adjacency and analyze forces on a fundamentally global level.
Taking the above conceptual definition of geopolitics combined with the practical role of risk in business, it’s easy to see how the need for geopolitical risk arose.
For our purposes, a good way to think about geopolitical risk is the potential for political, socioeconomic, and cultural factors (events, trends, developments) to affect businesses’ vitality (stability and health/well-being).
Events or trends happening in and between nations or the institutions representing them have effects on companies, and responsible leaders want to understand what those effects may be.
All of us in InfoSec are familiar with the formula for risk and have seen lots of colorful risk matrices and various methods to quantify risk.
While there is debate around how directly methodologies employed by cybersecurity practitioners can be applied to geopolitical risk, they are at least a good starting point for widening our traditional exposure to cyber risk to include geopolitical risk.
At the most primitive level, looking at risk means trying to understand adverse things that could happen. Companies and investors use risk management to make decisions, prepare for potential problems, form strategies and develop backup plans to those intended strategies.
These risk-based decisions may be as pragmatic as determining how much insurance coverage to purchase, or as scaled as long-term plans to expand the business onto a new continent.
Political Risk and Geopolitical Risk are often used interchangeably, but they differ slightly.
Political Risk usually refers to considerations (especially changes or volatility) within a nation. Depending on the context, analysts may use the term Country Risk, which is often the case in emerging markets.
Political risk analysis involves taking deep dives into the microeconomics of the nation, specific governmental or regulatory decisions, and studying historical, socioeconomic, and cultural factors that may or may not be conducive to a foreign entity’s engagement in that country’s local environment.
Geopolitical Risk can subsume all of the above but generally takes a broader view via cross-border macroeconomics, interstate relations and movements, and Great Power Politics.
Great Power Politics is an international relations theory concept apropos of the relative influence between “hegemons” (or powerful nations) and the major power dynamics that shape the global landscape.
It is critical to recognize that there are positive upshots to global political activity in addition to the potential detriments. This notion is often mentioned as an afterthought, though opportunity should be an intrinsic part of impactful Geopolitical Risk analysis.
Analyst and author Milena Rodban is on a mission to remedy this discrepancy by coining and popularizing the term “Geopolitical Flux” to reflect both the negative and positive dimensions – risks and opportunities respectively.
To understand the full picture of your company’s risk posture, socioeconomic and political activity — macro global trends writ large — should be factored into analysis and decision-making.
Until now, Information Security and Geopolitical Risk may have been seen as disparate fields at face value. However, these two worlds are not as far away from each other as is commonly assumed.
We approach security from a holistic risk management perspective, understanding security from business and attacker perspectives.
Our approach goes beyond assessing security controls. We examine credible threats to understand the likelihood of a real-world abuse case and measure the magnitude of business impact if a breach should occur.
By developing a holistic business risk view, security decisions become business decisions.