Why Cyber Threats Demand a Statecraft Mindset

The intersection of cyber, artificial intelligence, and geopolitics is no longer a future possibility,it is today’s reality. Bharat Thakrar, board director at ISACA’s London Chapter, delivered a stark warning to cybersecurity leaders at Infosecurity Europe 2026: treating security as a purely technical problem is dangerously naive. He compared this mindset to “a turkey concluding its human caretaker is benevolent the day before Thanksgiving,” a vivid reminder that incomplete context can lead to catastrophic outcomes.

Thakrar pointed to the 2014 Sony Pictures Entertainment data breach as a watershed moment. For the first time, the public grasped that state-aligned actors could target a commercial company, leaking sensitive material for reasons far beyond financial gain. “Private firms are geopolitical actors,” he argued, and can become legitimate targets in broader conflicts. More recent attacks, such as the Viasat breach in Ukraine in 2022 and the Stryker incident in 2026, reinforce this trend. He also highlighted a growing concern: covert foreign IT worker schemes, particularly those originating from North Korea, which can create insider access. “How many companies would even spot this?” Thakrar asked, calling for revamped HR vetting, tighter access controls, and pre-delegated authority so executive teams can act without hesitation.

To translate this insight into actionable strategy, Thakrar introduced the Cyber Geopolitical Preparedness and Response (CGPR) framework. Designed to make geopolitical risk operational for boards and security teams, CGPR rests on four pillars:

• Assess exposure: Map where you operate, identify critical assets, vendor dependencies, and associations that could make you a target.Operationally, Thakrar recommended explicit crisis triggers and a “heightened state” that signals when an organization should move from business-as-usual to corporate equivalents of DEFCON 1 and 2-level scenarios. At higher states, priorities shift: organizations must be ready to accelerate critical patching, freeze non-security changes, scale SOC operations, harden identity controls, and accept short-term service tradeoffs. “Be prepared to shift to wartime footing,” he said plainly.Thakrar also urged organizations to run geopolitical stress tests,prolonged, nation-state style tabletops,rather than sticking to short ransomware drills. “When was the last time you ran a tabletop for a prolonged nation-state campaign?” he asked. The silence in the room was telling.These threats are increasingly intertwined with kinetic operations, Thakrar argued. Cyber reconnaissance now often precedes physical disruption, whether through drone surveillance, submarine cable probes, or targeted supplier compromises. Response plans must connect cyber signals with physical indicators, as hybrid threats can cascade from digital intrusions to tangible harm.The takeaway from Thakrar’s presentation was urgent and practical: executives and CISOs must stop treating cyber as only a technical hygiene problem and start treating it as statecraft. He advised the audience to “Start with a geopolitical stress-test this quarter. Prepare a one-page board briefing that maps exposure and response thresholds, and fix HR and vendor controls now.”