Leadership & Executive Communication
,
Training & Security Leadership
Scenario Planning Must Model Disruption, Strengthen Cyber Basics, Build Redundancy
IT organizations know how to plan for unexpected outages, but even the most rigorously designed strategy is vulnerable to the shifting winds of geopolitics. CIOs and technology leaders need to know how their organizations will respond to geopolitical disruptions, and scenario planning needs to be a priority.
See Also: How AWS-Qualys Alliance Powers Risk-Aware Cloud Security
William Dixon, senior associate fellow for cyber and international security at British think tank Royal United Services Institute, advises CIOs to adopt a “chief geopolitical officer” mindset, integrating geopolitical intelligence into the technology life cycle. Practical steps include scenario planning that simulates the total loss of access to specific regions or vendors, and building “exit readiness” into vendor contracts.
“The IT department can treat geopolitical disruption as an expected operational variable rather than an unforeseen catastrophe. Good and tested enterprise risk management frameworks, investment in government affairs partnerships and ongoing board engagement should start to manage and prepare for this,” Dixon said.
CIOs need to do scenario modeling around the risks facing their enterprise, and evaluate how IT is teaming with business units, security teams and the CISO on a cohesive tech strategy that builds security, including artificial intelligence security, in from the ground up, said Sean Joyce, global cybersecurity and privacy leader at PwC U.S.
CIOs should be planning tabletop exercises that have a realistic but over-the-horizon view of potential threats. He recommends asking: If this happened, do we have redundancy? Are we actually a resilient organization? If this was critical to our operations, how would we shift to another part of the world, or what would we do? How do we deal with our workforce, and how are we actually going to help them?
Planning doesn’t slow transformation. It prevents panic, especially when it comes to the balance between rapid AI deployments and governance. CIOs must map which regulations apply to the business, suppliers and the digital supply chain. They also need to know dependencies and risks.
“You do that analysis so that you can understand where the pressures are, where the risks are and it’s not only geopolitical risk, but competitive pressure, cost, optimization and talent,” said JoAnn Stonier, president at The Cantellus Group, an AI and emerging technologies consulting firm.
It’s all part of having a clear vision of your brand. “Executives are going to need to have that core of their vision, their mission, their strategy, their values, to make decisions against, because all these things are going to include tradeoffs,” Stonier said. “If you can’t figure out your why, I think it’s going to be really hard to understand a decision six months from now, when the winds keep changing.”
In addition to outlining values and “knowing your why,” CIOs need to be cognizant of the ways that geopolitical unrest can amplify cyber risk, and make sure they have a solid cybersecurity foundation. “The biggest risk is cyber risk,” Stonier said. “When legitimate business attention is elsewhere, that’s when cybercriminals are most successful.”
That foundation rests on the basics. “The old is new. We can’t forget about the foundational aspects of cybersecurity, and they’ve become more important now than ever,” Joyce said.
Teams should focus on identify and access controls, multifactor authentication, continuous monitoring and “continuous defense,” partnering with members of your ecosystem, such as your cloud providers, third-party vendors and supply chain, to make sure that the fabric is as secure as it can be. And when it comes to AI, Joyce said CIOs need to be thinking about the security of AI and how AI can be used for security.
“You’re as strong as your weakest link,” Joyce said. “As geopolitical risk becomes more prominent, you’re going to see tools like cyber being leveraged by countries, particularly those that don’t have stronger military or other capabilities. For some, it may be the only tool they can leverage.”
Physical infrastructure, geography and power supplies are also now areas of risk CIOs need to consider, and infrastructure strategy must align with sustainability, energy realities and geopolitical stability.
“A lot of the data that we’re talking about sits on servers, and I know that we talk about the cloud a lot, but that cloud becomes real hardware at some point,” said Matt Kelly, chief technology officer and vice president of standards and technology at the Global Electronics Association. “Because without that data sitting on actual physical hardware, you don’t have data.”
Running and maintaining that hardware requires significant power. When you factor in the need for redundancy, power consumption increases. “The biggest challenge for redundancy is management of all this redundant hardware and the energy draw that the world is not equipped for,” he said. “The electrical grid can’t handle the loads.”
AI adds to the strain, from energy consumption to the raw materials that are being used to build more semiconductors. “These are a very, very expensive material base to cultivate, to then get into our chipsets,” Kelly said. “We don’t have enough materials on this planet to do what we’re going to say we’re going to do.”
While it’s impossible to anticipate every contingency, successful CIOs will be able to design systems and put teams in place that are built to withstand disruption.
“How do I look at which vendors are the highest risk, the most critical to my ecosystem and to the operations of my company, and then make sure I have redundancy or some mitigating factors in place?” said Joyce. “If this happens, if there is an outage, a breach or some other disruption, you have the ability to keep operating and functioning as a company.”