The Chief Security Strategist in an Age of Uncertainty
The world is witnessing the decentralization of power structures from a multipolar world to regional powers. Hard power is being replaced by soft power, sharp power, and geopolitical risks, and due to interconnectedness and globalization, geopolitics has become one of the prime challenges for companies.
Diverse transnational threats, including organized crime, cyberattacks, illegal immigration, and climate change, are affecting the world community. Regional powers are destabilizing the Middle East. Social unrest is interrupting companies’ investment plans. Terrorists are switching to smaller scale attacks like those on 26 November 2008 attacks in Mumbai, India, using AK-47s and vehicles instead of aircraft attacks.
Each region has a unique set of risks, which often entangle and overlap with others. These threats create a spectrum of governments from Africa to Asia-Pacific that investors are left to grapple with—from autarkic communism to democracy, with the gaps filled in by capitalist communism, monarchies, aristocracies, and dictatorships. Companies investing in Mexico must mitigate threats like drug wars, kidnappings, extortion, and cartels eroding local governments. The Middle East is mired in anarchy, terrorism, conflicts, social unrest, and insurgencies. Europe is seeing social unrest stemming from illegal immigration. A trade war is brewing between China and the United States. Destabilization based on growing threats and pressure from China is leading to the militarization of the APAC region.
Altogether, the tectonic shifts within the world community create a common facet for the chief security officer (CSO): dealing with the inextricable risks that tie companies and regions. The 20th century CSO was primarily concerned about protecting the physical assets of an organization from threats like theft, pilferage, and robbery. But as issues like emerging risks, regional instability, and local conflicts affect companies, the contemporary CSO must understand the geopolitical dynamics of the 21st century.
Risks are no longer restricted to the physical and tangible; they have expanded to geopolitical and cybersecurity realms. Borderless threats—like cyberattacks, terrorism, disinformation, and more—can result in significant losses for companies. The dangers of increasing political instability, authoritarian rule, and bureaucratic meddling are compounding the worsening global business environment. Geopolitical risk is at a post-Cold War high, and everything is moving faster than before.
According to the CFA Institute, 70 percent of investment returns may be compromised by geopolitical uncertainties. A crisis in one part of the world can have profound cascading effects on organizations on the other side of the globe.
The Changing Role of the CSO
In this rapidly evolving environment, contemporary CSOs must launch themselves into the new role of chief security strategist (CSS). Before investing in a foreign country, a CEO first needs a report on the country’s geopolitical and security climate. Throughout the report, the CSS can provide guidance on risks, vulnerabilities, and mitigation measures. The CSS must analyze the various geopolitical, security, regional, and emerging risks—such as regulatory compliance, disasters, local crime, civil unrest, populism, and terrorism—as well as measure their likely impact on investments and future business plans. The CSS can prepare geopolitical risk analysis scenarios to create and integrate appropriate reactions into the company’s enterprise risk management framework.
Compared to a traditional CSO, the CSS requires a different skill set for risk assessment and mitigation. The CSS must perform research on trends, issues, and scenarios important to company priorities. The key responsibility is keeping the organization ahead of critical security risks, looking beyond the headlines to comprehend world events and their implications for the safety of its employees, processes, and other assets.
The CSS would benefit from a research team, which can provide information on options available to the security department. Skilled in conducting incisive research, providing penetrative insights, and suggesting effective mitigation measures, these analysts should conduct policy analysis at the strategic level and security assessments at the operational level.
Risks and Consequences
Companies face reputational, operational, and legal risks if they don’t have security plans. Non-compliance, negligence, and other risks can lead to fines and revocation of licenses by regulatory authorities, enforcement action by law enforcement agencies, filing of suits by victims and shareholders, loss of profitable business, and loss of employees through death or injury. For instance, in 2019, hundreds of flights were suspended at Gatwick Airport near London, England, due to unauthorized drones near the runway, costing the airlines £28 million and the airport £20 million. Other costs include loss of time as senior management focuses on damage control.
Beyond regulatory pitfalls, adverse geopolitical conditions can also trigger company losses—major upheavals like terrorist attacks, rampant disease, industrial strikes, and natural disasters can greatly affect operations in national and international markets. In 2019, Indonesia announced it would move the country’s capital from Jakarta to Borneo due to rising water levels and climate change. Before that, a 2011 tsunami and earthquake cost Japan approximately $235 billion USD in economic damage, according to a 2011 World Bank estimate. And across the world in Iceland, volcanic eruptions in 2010 disrupted international airline travel.
Geo-Governmental Risks and Unrest
Countries in the Middle East and South America are experiencing political and social instability, some of them for decades. Strains between the government and civil groups in Europe are leading to unrest and mass protests. Around 30 governments or leaders have fallen as a result of about 100 significant antigovernment protests worldwide since 2017, according to the Carnegie Endowment for International Peace. Anarchists and others seeking to cause property damage are intermingling with protestors and taking advantage of volatile situations, which can threaten company assets and employees and disrupt operations.
Beyond civil unrest, some other geo-governmental risks that can disrupt or negatively impact businesses include military coups, domestic or political instability, lack of socio-economic governance, and economic crises.
Compounding the fallout from regional or national issues, foreign companies are in some ways at an even greater disadvantage when competing with public-sector organizations. For example, in China, public-sector companies are provided with subsidies, giving them an edge over foreign companies. Another common problem for foreign businesses operating in socialist democracies is nationalization of assets. In countries like Venezuela, government intervention has resulted in the nationalization of foreign companies, leading to permanent termination of private operations.
South American governmental institutions at the national, regional, and local levels are unable to perform their constitutional and legal functions as they operate in a democratic construct where the president is independent of the legislature. Austerity and low economic growth are producing autocrats like Brazil’s President Jair Bolsonaro. Companies operating in South America are further affected by risks like political uncertainty, court rulings favoring local companies, a lack of due process of commercial law, governance failure, labor laws stifling growth, and more. These risks are leading to uncertain investment climates.
Meanwhile, governments in the Middle East, Africa, and Asia exemplify authoritarianism and populist rhetoric to stay in power. Geo-governmental risks arising out of government apathy and inefficiency will continue to increase in the future.
Corporate Espionage and IP Theft
As in decades past, critical industries in the technology sector and their employees—scientists, researchers, and engineers—are prime targets of commercial competitors and foreign governments. While companies and the media focus on high-profile cyberattacks, the traditional methods of corporate espionage remain relevant in the age of cyber warfare, and social networking and engineering still offer vast opportunities for intelligence gathering.
International conferences, conventions, and tradeshows host a wide array of speakers, presenters, contractors, and attendees. Technology can be accessed with ease and social interaction is common in a permissive environment, making these events key recruiting grounds for foreign intelligence agencies. Confidential information and IP must be safeguarded at international events, and a lack of security culture and awareness remain the biggest threat to any company.
The CSS can either create new or enhance existing security training for all employees, with briefings that will assist in ultimately protecting valuable information and complying with internal security requirements. Security briefings can be fun and engaging, such as during out-of-the-office meetings or get-togethers, and with games that disseminate security strategies and tactics. Security roundtable discussions can include pertinent topics such as geopolitical issues and global security events. It is vital that the CSS brings management into the security program framework so that the company’s top executives understand and support the programs.
The Spanish Flu in 1918 was a global event, and roughly 100 years later another pandemic has disrupted the entire world. Initially, companies were unaware and unable to deal with the onslaught of the COVID-19 pandemic. The business community at large did not have any plan to mitigate pandemic risks. Companies had to protect employees and restart production after a global supply chain disruption while creating SOPs and advisories for employees, vendors, and visitors.
The pandemic led to a decline in global GDP and notably caused enormous losses to the manufacturing, airline, and hospitality industries. Rising populism, protectionism, and anarchy—plus decreasing foreign direct investment, cyberattacks, and online frauds—are only some of the compounding risks associated with the pandemic.
Travel Security and Globalization
Due to globalization, employees are travelling to high-risk countries like Nigeria, Libya, Algeria, Afghanistan, and Iraq. Employees face several risks and threats, like unsafe food and water, travel disruptions from social unrest, disasters, terrorist attacks on soft targets, kidnappings, and local crime. Terrorists have also targeted hot spots and soft targets such as airports, train and bus stations, and stadiums.
A variety of risks affect different countries and regions. The aftermath of the Arab Spring revolutions destabilized the Middle East. Afghanistan remains a high-risk country due to terrorist and insurgent attacks like car bombings, rocket attacks, kidnappings, and hostage taking. In Mexico, there is widespread violent crime—shootings, kidnapping, carjacking, and robbery—thanks to organized criminal organizations.
The CSS must customize general principles of protection and formulate specific protective measures to assist in preventing and preparing for emergencies in high-risk areas.
Cyber threats can have a debilitating effect on company finances. Fifth-generation cyber threats are characterized by large-scale, multi-vector attacks using advanced tools. Cyber criminals are targeting companies through phishing, distributed denial of service, and malware attacks. For companies working in the banking and financial sectors, cybercrime and fraud have increased in the past few years. Terrorists and extremists have improved their handle on emerging technology, and several terrorist attacks have been funded through online transactions. Chinese industrial espionage through cyber domain continues to be a major threat.
Even isolated countries such as North Korea and Iran can attack companies like Sony and Saudi Aramco through cyber warfare, according to The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics by Ben Buchanan. The United States has experienced cyberattacks on its intelligence community and other critical government departments. Technology will replace human beings in promoting disinformation campaigns, causing chaos across industry sectors.
Companies rely on security technologies like facial and voice recognition, which can be compromised by sophisticated face-swap technology and voice alteration techniques. For example, a CEO calls the finance manager and asks him to transfer millions of dollars to an anonymous account. The manager duly transfers the amount. But this was a fraud—the CEO’s voice was mimicked by synthetic speech production using advanced software.
The proliferation of cyber threats has made technology risk a key challenge across industry sectors. Cybersecurity may be handled by the CISO, but the CSS can provide strategic guidance and training to management and employees by preparing policies, developing SOPs, and disseminating information.
ROI as a Barometer for Security
Due diligence must be conducted to estimate the potential losses from geopolitical events and security threats. For four days in November 2008, the Pakistani terrorist organization Lashkar-e-Taiba used urban warfare tactics to carry out coordinated attacks with assault rifles and bombs in Mumbai, India, resulting in the deaths of 164 people, 29 of them foreign nationals. Also among the dead was a chairman of a major Indian bank and other top management members of other companies. The attack on the Taj Mahal hotel caused an estimated loss of $38 million. The attacks affected the local industry, including transportation, finance, and hospitality. The cost of assets must be calculated and a security plan should be prepared based on the total cost of potential losses.
Security management should be built into merger and acquisition deals. The lack of a protection plan may result in in lawsuits for a company if a terrorist attack takes place after a merger. The only way to effectively shield an organization from lawsuits and safeguard its reputation is to conduct a security assessment of the target company and a geopolitical risk analysis of the regions in which it is operating.
The cost of business disruption should be included while estimating the asset value of the company. A small security review up front might cost a few thousand dollars, but an emergency response to an incident and the fallout could run into the millions. The security plan is the manifestation of all the measures to be taken to prevent damage to the company. The ROI is high for an implemented security plan.
The 21st Century CSS
The world has entered an age of power shifts and competition. The CSS must address the diverse and interlocking areas of security and business. A successful CSS requires multifaceted competencies in international security, geopolitics, international business, economics, finance, and sociology. Considering the flux and turmoil in international relations, black swan and gray rhino events have to be factored into security planning. In the 21st century, there is no one-size-fits-all security plan.
Strategic knowledge is a requirement to manage international and national issues vital to companies and national security. Assessing the implications of political, security, travel, compliance, and regulatory risks on the company is crucial. The CSS should be able to grasp complex and fast-changing geopolitical issues and quickly discern key patterns and trends. The CSS must know the likely trajectory of risks in key markets. One of the key responsibilities would be guiding companies in determining how varied risks affect operations in different countries. The security team, as the intellectual engine of company’s security and safety philosophy, should add unequaled value to the cause of organizational security.
Companies are operating from secure and stable democracies to volatile regions. An absence of global security strategy will undermine organizational stability and limit the capacity to respond to a crisis. Companies will have to grapple with geopolitical uncertainties and emerging threats which remain at the forefront of international security. Risks and threats to companies will expand and diversify across regions. Companies will be challenged by geopolitical risks. The contours of the world are changing. This requires a new commitment to strategic security.
Mangesh Sawant is a senior vice president at Riskpro. He created and leads the global security, homeland security, geopolitics, political and country risk analysis, and military studies vertical. Sawant has a master’s degree from Columbia University, New York, where he concentrated in international security policy. He is a subject matter expert on global security, military studies, critical infrastructure protection, and country, political and geopolitical risk analysis. His scholarly works have been published in journals like Small Wars Journal, National Interest, Eurasia Review, E-International Relations, and Modern Diplomacy.