Skip to main content
Geopolitics & DefenseNational Security

CISOs Warned to Treat Cyber Threats as Geopolitical Statecraft

Cybersecurity leaders gather in a bright conference room with a city view.

"Treating security as purely an IT problem is like 'a turkey concluding its human caretaker is benevolent the day before Thanksgiving,'" Bharat Thakrar told an audience of cybersecurity leaders at Infosecurity Europe 2026, framing cyber risk as a matter of statecraft as much as technology.

Bharat Thakrar's core warning at Infosecurity Europe 2026

Bharat Thakrar, board director at ISACA’s London Chapter, argued that cyber, artificial intelligence and geopolitics are now inseparable. He used historical incidents to underline the point: the 2014 Sony Pictures Entertainment data breach marked a public realization that state‑aligned actors could target commercial firms; more recent attacks against Viasat in Ukraine in 2022 and Stryker in 2026 were cited as further evidence that private companies can be targeted for geopolitical reasons beyond finance.

ISACA’s Cyber Geopolitical Preparedness and Response (CGPR) framework

To translate that strategic insight into operational practice, Thakrar proposed a four‑step framework he named Cyber Geopolitical Preparedness and Response (CGPR). He framed CGPR as a way to make geopolitical risk actionable for boards and security teams. The four pillars he outlined are:

  • Assess exposure: map where you operate, critical assets, vendor dependencies and associations that could make you a target
  • Evaluate readiness: test how quickly you can shift operations, relocate data, scale security operations centers (SOCs) and accelerate patching or recovery
  • Plan response: define playbooks, authority lines and a war‑room composition that includes legal, finance, HR and operations
  • Continuous monitoring: run horizon scans across threat intelligence, dark web chatter and social media so you can detect early signals and refine controls

Explicit crisis triggers and a corporate "heightened state"

Thakrar urged organisations to define explicit crisis triggers and a "heightened state" analogous to DEFCON 1 and 2, so executive teams know when to move from business‑as‑usual to an elevated posture. In those higher states he said priorities must shift: accelerate critical patching, freeze non‑security changes, scale SOC operations, harden identity controls and be prepared for short‑term service tradeoffs. He also argued for pre‑delegated authority so executive teams can act without delay.

Geopolitical stress‑tests and the hybrid threat landscape

Rather than frequent short ransomware drills, Thakrar recommended "prolonged, nation‑state style tabletops" to reflect the pace and persistence of state‑aligned campaigns. He asked the audience, "When was the last time you ran a tabletop for a prolonged nation‑state campaign?" and highlighted silence as telling. He linked cyber reconnaissance to kinetic and operational technology (OT) disruption, warning that reconnaissance by drones, submarine cable probes or targeted supplier compromises can cascade into physical harm — and that incident playbooks must therefore connect cyber signals with physical indicators.

What this means for technologists, boards, and HR/vendor managers

  • Technologists and security teams: Run geopolitical stress‑tests and revise incident playbooks to cover prolonged, nation‑state style campaigns; be ready to accelerate patching, scale SOCs and harden identity controls during a "heightened state."
  • Boards and executives: Prepare a concise briefing that maps exposure and defines response thresholds; establish pre‑delegated authority and clearly defined war‑room composition including legal and finance so decisions can be made under pressure.
  • HR and procurement/vendor managers: Revamp HR vetting and tighten vendor controls; Thakrar warned of covert foreign IT worker schemes, notably coming from North Korea, that can create insider access and asked bluntly, "How many companies would even spot this?"

The practical tenor of Thakrar’s remarks was unmistakable: stop treating cyber as only a technical hygiene problem and begin treating it as statecraft. He closed with specific, immediate steps — "Start with a geopolitical stress‑test this quarter," prepare "a one‑page board briefing that maps exposure and response thresholds" and "fix HR and vendor controls now" — leaving the question of executive follow‑through as the next measure of corporate seriousness.

Original story