Geopolitics, cyber security and business resilience: a perfect storm and a perfect opportunity?

Nick Wilding
Feb 05, 2024 / 5 min read

“Let go of certainty. The opposite isn’t uncertainty. It’s openness, curiosity and a willingness to embrace paradox…” – The American writer, Tom Schwartz

Boards face uncertainty and complexity in their critical decision-making like never before. The global geopolitical context in 2024 and for the foreseeable future is volatile – clarity is evasive and certainty is impossible. Executive Directors and senior management will continue to make the critical decisions designed to deliver on their mission and strategic priorities. They are used to dealing with ambiguity – cyber is just one area of this. The challenge now is that commercial organizations, whether they are start-ups or publicly listed enterprises, face an unprecedented and rapidly evolving range of geopolitical risks to their security, supply chains, profitability, and competition. What can be done to mitigate these risks?

One area that has long been under the boardroom and risk microscopes is understanding the threat, assessing the risk, and managing the financial and reputational consequences following cyber-attacks. It’s not a risk that happens only to other organizations – and there can be a material commercial bottom-line benefit if you avoid being attacked and/or respond appropriately to any attack. It is also like no other risk in the way it changes, adapts, and exploits geopolitical circumstances. For example, our cyber adversaries used the Covid pandemic, with its radical increase in ‘home working’, to inflict a new wave of attacks, and they are exploiting conflict and war as reasons to ‘up their game’ against targeted nations and industries.

‘Cyber insecurity’ ranked 4th in the World Economic Forum’s 2024 Global Risks Report. It sits below ‘Misinformation and disinformation’, ‘Extreme weather events’, and ‘Societal polarization’, all of which will provide further fuel for cyber attackers to spread and target their attacks on people and organizations.

But does this geopolitical uncertainty create an opportunity for any organization to change and emerge more agile and robust than ever before? Organizations and boards have learned many things about cyber security and their business resilience over the last decade.

  • That cyber security is not a constant – you cannot assume that you’ll ever be safe from attack. Industry, national or international policies and regulations are essential elements of a coordinated resilience strategy, but we know that you need to actively assess and resolve your most critical vulnerabilities, all the time.
  • That technology is only one part of their cyber resilience and risk mitigation and that there is no ‘silver bullet’. Cultural and human factors (employee feelings and attitudes, what we believe to be true, and what we believe we are supposed to do) play a significant role in both the success of any cyber-attack on your organization and how we can strengthen our response to the risk.
  • We also continue to learn that it’s only through openness and active collaboration and communication with colleagues, partners, advisers, and the whole workforce that you can begin to make a lasting difference in how cyber security can reduce risk and support boardroom priorities.

So here are some ideas for how boards and organizations can exploit this uncertainty and risk to become more robust and secure.

  • Be ready to understand the potential ramifications of new and evolving geopolitical developments for your business. They may impact your supply chain and logistics planning, offices and employees within affected countries, the demand for your products and services, or planned new product launches and M&A. Set up a small multi-disciplinary team to develop scenario plans to help prioritize issues and design different operational responses. This is a great discipline that can be applied to supporting innovation, competitors, or technology disruption and transformation programs.
  • Appreciate the impact and organizational benefits of new and evolving national and international laws, regulations, and policies. There are several evolving EU cybersecurity proposals and regulations that require oversight, legal and governance assessment, and time to ensure they are positively applied rather than becoming a tick-box exercise. Examples include the EU Cyber Resilience Act, EU NIS2, an EU Cyber Solidarity Act, and a proposal for an EU Cybersecurity Certification Scheme for Cloud Services (EUCS). These will impact all businesses and boardrooms – it’s vital to be ready and proactive in identifying the implications for your organization.
  • Build resilience to geopolitical change by ensuring you have a strong, positive culture across your workforce. Maintaining resilience requires complicated trade-offs between reducing risk and keeping pace with business demands. But there is one constant for all organizations that they can influence directly – their people. Culture often becomes the focus of attention during periods of organizational change – when companies merge and their cultures clash, for example, or when growth and other strategic changes mean that the existing culture becomes inappropriate, and hinders rather than supports progress. Your people typically hold the keys to unlock a wide range of business and cyber resilience challenges so involve them in your change programmes, listen to their ideas, and trust their input.

As Tom Schwartz says, now is the time for organizations to be more open, curious, and willing to embrace paradox.

Reach out to us to have a chat about any of the challenges and ideas outlined above and to learn more about how Trilligent can help you achieve your goals.

The author, Nick Wilding, is a member of the Trilligent Advisory Board. Over the last 10 years, he has advised organizations around the world in developing positive, intelligence-led security cultures and in mitigating human cyber risks that impact commercial strategy and priorities.