‘Trust’ Must Guide Cyber Risk Management During Geopolitical Incidents

Upcoming Forrester keynote: Maintaining customers’ trust, maintaining employees’ trust, and implementing a zero-trust architecture are all essential to cybersecurity and risk decisions during war and other geopolitical crises.

Sara Peters, Editor-in-Chief, InformationWeek

October 26, 2022

Close operations in one country? Cease business with another? End a relationship with one service provider and rearchitect your IT infrastructure around it? These are the questions executives must answer and act upon in the hours and days following major geopolitical upheavals. Russian missiles hitting Ukraine impact IT leaders on the other side of the globe, and this type of event will be a growing challenge for CIOs, CISOs and their companions in the future. At Forrester’s upcoming Risk and Security Forum -- in Washington D.C. and online Nov 8 and 9 -- analysts will address this. (Those interested in attending Forrester’s Security & Risk Forum, taking place November 8–9, 2022, can register with voucher code FORRIW.)

“When you are evaluating geopolitical risk, when you are making decisions on how to approach geopolitical risk, everything should be looked at through the lens of trust,” says Forrester senior analyst Allie Mellen. “And we find that trust is one of the most important things that businesses can focus on in the next decade.”

When hearing “trust,” many IT professionals will leap to the idea of “zero-trust.” However, Forrester’s definition is not just about technology.

Trust is More Than Tech…

Mellen explains that Forrester’s definition of trust is “confidence in the high probability that a person or organization will spark a specific positive outcome in a relationship.” Levers to obtain trust, they say, include accountability, consistency, competence, dependability, empathy, integrity, and transparency.

During geopolitical unrest, providing this “feel it in your bones” sense of trust is essential, she says. Trust “is deeply important to human experience, and especially in moments where we experience a lot of change, where we experience a lot of difficult situations. Being able to inspire through trust is really, really powerful.”

Mellen points to all the companies that chose to leave (or not to leave) the Russian market when the war with Ukraine began. Many of these companies had infrastructure and employees in Russia to consider.

“One of the reasons why this is so challenging and why this is going to be such a priority for businesses,” she says, “is that it comes down to, ‘What does your business stand for? What are your values?’ Because your values tie back to everything that you do. So, if you have a strong set of values that you and your organization live by, that needs to be your guiding principle for these types of decisions.

“This is not a situation where you can wait to see which way the wind blows and then go whichever way your customers are telling you to go,” she says. “Not if you want to be seen as a leader in the market, seen as trusted.”

…But Zero-Trust is Still Critical

It’s not simple, though. Abruptly closing an office in objection to a government’s actions might adhere to a company’s values, but it would also leave staff unemployed.

“The aspects of trust don't just extend to customers, they also extend to employees,” says Mellen. In some cases, she says, companies may help employees escape risky situations, set up remote work functions, or more.

And when that isn’t possible or desirable, that’s where zero-trust architecture comes in handy, says Mellen.

Leaving behind hundreds of unemployed, potentially disgruntled ex-employees with corporate devices has the makings of a major cybersecurity risk. The abilities to cut off network access and remotely wipe devices are essential to defending against malicious insiders or any other threats that a device may be prone to when an office is closed, or the device is in an active combat zone.

“One of the challenges with geopolitical risk is that it forces resiliency and adaptability and agility, ultimately, because you don't know when your organization will have to break down or stand up operations in various countries or due to various cyber-attacks,” says Mellen. “Limiting scope of access as much as possible will help prevent any of these rather chaotic situations from potentially getting even worse.”

Who’s Responsible for Geopolitical Risk?

The entire C-suite must be involved in preparing for and responding to geopolitical risks, says Mellen. However, Forrester points to the chief security officer or chief information security officer as the natural leader in these matters, in partnership with a well-staffed, well-funded risk management department.

The security officers, Mellen explains, more so than other parts of the organization, generally have an understanding of nation-state attackers and geopolitical interplay between nations. They also often come from backgrounds in government, military, and intelligence agencies.

Mellen says she and her fellow keynote speakers will break down recommendations on how security professionals can lead their organizations through these crises more deeply at the Forrester event next month.

“It's taking a lot of the incident response and incident planning that we see within cybersecurity and applying it to the broader business in the event of a geopolitical incident,” she says. “So not only do you have to make sure that the confidentiality, availability, and integrity of data is protected, but you also need to ensure that the same is true for the people. That situation for the individuals that are in these conflict zones, you need to make sure that you have incident response plans in place.”

Mellen also says that the companies Forrester has seen have the most success in times of nation-state conflict have the strongest, best-funded risk management teams -- whether they are in-house, or external partners. She urges IT and security leaders to work more proactively with risk management -- not just cyber risk, but other risk specializations as well.

“Certainly, for multinational teams you need someone who is managing, identifying, understanding [geopolitical] risk on staff … If you don't have anyone with the expertise to measure and understand risk, then you don't have anyone with the expertise to manage risk.

“You know you can’t just pull it out of a hat,” she says. “It’s actually quite difficult.”

About the Author(s)

Sara Peters

Editor-in-Chief, InformationWeek

A journalist for over 20 years, Sara Peters has spent most of her career covering cybersecurity and enterprise IT, with a dash of basketball on the side. Before joining InformationWeek, she was senior editor at Dark Reading and a featured NBA columnist for Bleacher Report. 
