Cyber, AI and geopolitics are now inseparable, according to Bharat Thakrar, board director at ISACA’s London Chapter.
Speaking to an audience of cybersecurity leaders at Infosecurity Europe 2026, Thakrar warned that treating security as purely an IT problem is like “a turkey concluding its human caretaker is benevolent the day before Thanksgiving,” – a vivid reminder that incomplete context can be catastrophic.
Thakrar used the 2014 Sony Pictures Entertainment data breach as a milestone, where the wider public realized that state‑aligned actors could target a commercial company, leak sensitive material, proving that “private firms are geopolitical actors” and can become legitimate targets for reasons far beyond finance.
He emphasized that the more recent attacks against Viasat in Ukraine in 2022 and Stryker in 2026 underscored this trend.
He also warned about growing covert foreign IT workers schemes, notably coming from North Korea, that can create insider access.
“How many companies would even spot this?” He argued for revamped HR vetting, tighter access controls and pre‑delegated authority so executive teams can act without delay.
ISACA’s Geopolitical Preparedness and Response Framework
To translate that insight into action, Thakrar proposed a pragmatic four‑step framework he called Cyber Geopolitical Preparedness and Response (CGPR).
Designed to make geopolitical risk operational for boards and security teams, CGPR is built around four pillars:
- Assess exposure: map where you operate, critical assets, vendor dependencies and associations that could make you a target
- Evaluate readiness: test how quickly you can shift operations, relocate data, scale security operations centers (SOCs) and accelerate patching or recovery
- Plan response: define playbooks, authority lines and a war‑room composition that includes legal, finance, HR and operations
- Continuous monitoring: run horizon scans across threat intelligence, dark web chatter and social media so you can detect early signals and refine controls
Preparing for a DEFCON 1 and 2-Level “Heightened State”
Operationally, Thakrar recommended explicit crisis triggers and a “heightened state” that tells an organization when to shift from business‑as‑usual to corporate equivalents to DEFCON 1 and 2-level scenarios
At higher states, priorities would change with organizations ready to accelerate critical patching, freeze non‑security changes, scale SOC operations, harden identity controls and be prepared for short‑term service tradeoffs.
“Be prepared to shift to wartime footing,” he said plainly.
Running Regular Geopolitical Stress-Tests
Thakrar also urged organizations to run geopolitical stress tests – prolonged, nation‑state style tabletops – rather than replaying short ransomware drills.
“When was the last time you ran a tabletop for a prolonged nation‑state campaign?” he asked. The silence in the room spoke volumes.
These threats are also increasingly intertwined with kinetic operations, Thakrar argued. The hybrid threat landscape, where cyber reconnaissance precedes kinetic or OT disruption, demands updated incident playbooks, he stated.
Reconnaissance by drones, submarine cable probes or targeted supplier compromises can cascade into physical harm, so response plans must connect cyber signals and physical indicators.
The takeaway from Thakrar’s presentation was urgent and practical, executives and CISOs must stop treating cyber as only a technical hygiene problem and start treating it as statecraft.
“Start with a geopolitical stress-test this quarter,” he advised the audience. “Prepare a one-page board briefing that maps exposure and response thresholds and fix HR and vendor controls now.”
