Subscribe now

“A few themes consistently emerged across both:

1. Defining what “𝗶𝗻𝘁𝗼𝗹𝗲𝗿𝗮𝗯𝗹𝗲 𝗵𝗮𝗿𝗺” actually looks like

2. Understanding 𝗱𝗲𝗽𝗲𝗻𝗱𝗲𝗻𝗰𝗶𝗲𝘀 𝗯𝗲𝘆𝗼𝗻𝗱 𝗷𝘂𝘀𝘁 𝘁𝗲𝗰𝗵𝗻𝗼𝗹𝗼𝗴𝘆

3. Scenario testing moving beyond theoretical exercises toward “𝘀𝗲𝘃𝗲𝗿𝗲 𝗯𝘂𝘁 𝗽𝗹𝗮𝘂𝘀𝗶𝗯𝗹𝗲” events

4. Need for 𝗮𝗹𝘁𝗲𝗿𝗻𝗮𝘁𝗶𝘃𝗲 𝗰𝗼𝗺𝗺𝘂𝗻𝗶𝗰𝗮𝘁𝗶𝗼𝗻 𝗰𝗵𝗮𝗻𝗻𝗲𝗹𝘀 during disruption

5. Operational resilience being viewed as a “𝗰𝗼𝗻𝘁𝗶𝗻𝘂𝗼𝘂𝘀 𝗷𝗼𝘂𝗿𝗻𝗲𝘆” rather than a one-off exercise

6. Continuous 𝘁𝗲𝘀𝘁𝗶𝗻𝗴, 𝗴𝗼𝘃𝗲𝗿𝗻𝗮𝗻𝗰𝗲, 𝗮𝗻𝗱 𝗹𝗲𝘀𝘀𝗼𝗻𝘀 𝗹𝗲𝗮𝗿𝗻𝗲𝗱

7. 𝗖𝗼𝗺𝗺𝗼𝗻 𝗿𝗶𝘀𝗸𝘀 around cyber incidents, connectivity disruption, and third-party dependencies

Interesting to see how resilience expectations across financial services are increasingly 𝗰𝗼𝗻𝘃𝗲𝗿𝗴𝗶𝗻𝗴 𝗴𝗹𝗼𝗯𝗮𝗹𝗹𝘆.”

Share

As I continue to see thought pieces about geopolitical risk, elevating CISO roles, ah ha moments that continuous adaptation is a must, exercises for once unthinkable scenarios, and back up communications for when corporate comms go down, I think of (well - myself!) but all the constant adaptation and innovation businesses in formerly stable markets can draw from, if only they have the right people to find - and apply - it.

Ukraine has already signed 10-year agreements with Saudi Arabia, the UAE, and Qatar, covering drones, air defense systems, and electronic warfare — with requests from 11 additional countries across the Gulf, Middle East, and Caucasus. Ukraine’s National Security Council projects defense production capacity of $55 billion in 2026. (Sources: Euromaidan PressCBS News) Plus the agreements with European markets hastened by drone disruptions and surveillence of critical infrastructure across Europe in 2025.

What’s happening here isn’t conventional arms export. Ukraine is exporting a model — a living proof of concept for how asymmetric, AI-integrated drone warfare can defeat legacy defense architectures at a fraction of the cost. While continuously adapting. Governments from Oslo to Riyadh are buying in.

Meanwhile, in Lebanon, schools went remote again in many places, as schools are not only used for shelters (1/3rd of the total schools in Lebanon), but also destroyed in bombing runs.

The Lebanese Minister of Education emphasized in a speech last week that schools are no longer buildings, but virtual spaces for learning.

And something even bigger.

A space to maintain and remake institutions, to maintain and grow social cohesion, and protected space for aspiration. Without which it will be even harder to move on. To enable tomorrow’s leaders, inventors, community members, parents, to have any agency in their lives and the fate of their region. Or wherever they end up.

But even if Israel’s war on Lebanon ends sometime soon, Hezbollah remains, while non-Hezbollah controlled institutions and infrastructure are also destroyed. Conflict will return. There will be no clear “after” for the foreseeable future. Israelis too will continue to live surrounded by hostile powers, while US support becomes more questionable. Israel has already seen an exodus of tech investment despite its unassailable record as a tech hub, beginning well before October 7, 2023.

Just like there is no “after” in sight for the current instability around the world. We all have to adapt. And I can show you how.

Share

How to govern Readiness at board level

There are multiple possible permutations of ensuring the governance of your whole-of-enterprise readiness capability at board level.

Incorporating readiness into board governance could mean giving the Chief Readiness Officer, a seat at the table with structural authority, not just an advisory voice.

At the board level, this can translate into three concrete changes.

• First, the Chief Readiness Officer reports directly to the board — not through the CEO — regularly, on the organization’s strategic and operational readiness status, including its readiness capability, not just threats identified or incidents managed.

• Second, restructure your Risk Committee to incorporate Readiness Governance by actively ensuring a proactive - not reactive -approach to risk mitigation and readiness. Or form a separate committee, analogous to the Audit or Risk Committee, which holds oversight responsibility for the Chief Readiness Officer implementing the Antifragile Model/your readiness capability, including building the structure, communication channels and information flows needed for effective stress testing, crisis protocols, and decision authority.

• Third, the board’s director recruitment criteria expand to include cross-domain readiness literacy: the capacity to interrogate whether the organization can execute its plans under pressure, not merely whether those plans exist. This means looking beyond a security or business continuity background to professionals with proven, multi market/operational theater knowledge, preferably not carried out in service only of a government, but other types of institutions as well. Someone who’s only experience of challenging operating environments is contained to a base run by their government, will not do. Nor a private sector security professional who has only worked in highly developed countries in one region. Leaders who only have direct and deep experience of two countries tend to have binary biases of how the world operates.

The result is governance that closes the loop between knowing your risks and being prepared to act on them. With some either neutralized or mitigated long before they become real incidents or threats.

And to refresh on the difference between the Chief Readiness Officer and the Chief Risk Officer:

The latter is traditionally risk-avoidant, not risk-facing.

The Chief Risk Officer identifies what could go wrong. The Chief Readiness Officer owns whether the organization can actually respond when it does - or when the risk is identified and can be mitigated before things go off the rails.

That distinction — between risk identification and execution capability — is the governance gap most boards are not equipped to see, let alone close.

Leave a comment

Sovereign Sirens

There has been a lot of noise about European digital sovereignty, and still much debate about what exactly that should mean - fully European, or just more European tech in the mix. Just yesterday the FT ran a story about what it means to your digital life to be sanctioned by the United States.

While not at all confined to Europe, the issue has been repeatedly inflamed by geopolitical events, and discussion of the hypothetical American “kill switch” now seem to be ingrained in policy discussions around tech and infrastructure. I attended a meeting of the Global Space Council in Brussels recently, and sovereignty and market concentration were front and center of the discussion.

Sovereignty is hard

European cloud and workspace providers are not yet up to the quality and reliability of the US majors. This means migration often comes with significant headaches, including incompatible data, migration bottlenecks, and sometimes lower quality cyber security.

Moving to a cloud with fewer data centers and other infrastructure can decrease resilience in the event of a major cyberattack, data outage, power outage, act of war or natural disaster.

It will take billions in investment and decades to create more European alternatives to American providers, particularly in cloud services and AI models.

But what we are seeing now is a real, if still nascent, realignment in the tech industry as well as other global systems. This mirrors US allies looking to non-American defense suppliers, in Europe, the Middle East and elsewhere. Ukraine is benefitting from its hard-won expertise in drone warfare and defense by signing deals with European and Gulf governments. Again demonstrating how severely Ukraine’s Western allies underestimated the country (and the Russian threat) before the full-scale invasion.

Plans and Programs

Europe is moving from declaration to architecture.

Initial discussions and calls for a “EuroStack” in summer 2025 were largely dismissed. But geopolitical developments began to make it undeniable that the world is less stable, that old allies may no longer be reliable. US talk of taking Greenland from Denmark, a NATO ally, even by force, made the issue unignorable.

And now plans and programs are appearing.

Not knee-jerk reactions. Plans. Objectives. Goals. Funding.

When you want to understand what a politician or government’s priorities actually are, look at where the funding and effort are going.

Under the updated eIDAS framework, all EU member states are required to offer at least one certified European Digital Identity Wallet by 2026.

Amsterdam City has developed a long term plan to move off of US tech providers for critical data (healthcare, welfare, etc) for cloud and workspace services by 2035.

Austria is pursuing digital sovereignty by migrating civil servants off Microsoft, partnering with NextCloud, a Dutch cloud provider partnering with other European governments, and pushing to lead digital sovereignty alignment in the European Union.The 2025 Digital Austria Act introduces the “sovereignty compass” to map dependencies.

Proton Mail, headquartered in Switzerland, launched its Born Private program in March 2026. This allows parents to reserve an email address for their child to prevent them from signing up to a major tech company that Proton alleges will immediately beginning extracting data from, with the examples being Google’s Gmail and Microsoft’s Outlook. It also explicitly calls out that these companies are based in the United States, alleging they come with “surveillance laws that allow government access without a warrant, no matter where you live. As a result, your child’s long-lasting digital records can be collected, processed, and shared within a system of weak privacy protections and broad surveillance powers.” Indeed some of my European colleagues have told me they frequently see messages and posts encouring them to move away from US email providers.

The French government has replaced Microsoft Teams and Zoom with Visio. In April, all French ministries were asked to develop soveietnghy plans by fall, according to Politico.

This is a reversal of a trend of moving to full-stack solutions for cloud and workspace. This had theoretically improved security and efficiency. But there was also high market concentration, and some providers make moving data off their platforms expensive and difficult. This creates a growing sense of vulnerability in the current climate. 70% of the EU’s cloud market is on 3 US providers, with 80% of European corporate spending on enterprise software going to U.S. vendors, according to the European Parliament.

Share

What business leaders must consider

2026 is an inflection point.

Future-ready, antifragile decision making requires having an overarching vision for what your business provides to its customers, and making the operational decisions to enable that, with the likely need for pivots and adaptation in mind.

Here are some things to consider.

Tech Procurement

Your business strategy is supported by your tech, and you want to be in control of that.

Europe is making big decisions this year on cloud, AI, quantum, and regulatory simplification. Organizations that position now — on vendor strategy, procurement alignment, and board-level digital risk literacy — will have options. Those that wait will inherit constraints.

Antifragility here means choosing your dependencies before they're chosen for you. This is your chance to influence the future shape of the tech stack.

Map your tech stack, starting with your most business-critical operations, where the providers are headquartered, and determine what needs to change to hedge against geopolitical risks like sanctions. Know also the physical location of your workload. Is it vulnerable to physical attack?

Move to a multi-cloud strategy. The agile businesses don’t depend on one AI model either, they source multiple to prevent lock-in and downtime due to outages. The outages caused by Iranian drones damagining AWS data centers affected millions, if not a billion people, causing outages from primary and secondary customers from the US to Africa and Southeast Asia.

The war has also demonstrated that data centers must now be hardened against artillery. While normally built with very high levels of physical security and redundant power supply, it has not until now been an industry practice to harden those facilities.

Be sensitive to your business (and your customers) and make procurement decisions thoughtfully, based on operational and geopolitical expertise. You don’t need to move off US tech tomorrow. Multi-cloud strategies can provide antifragility, and you can have a mix of US and local providers, depending on what is available in your market.

People

And there are implications beyond the tech stack. Leaders that assume staff can be replaced with AI and payrolls reduced for short-term gains in profit margin risk weakening not only their own company, but the European skills pipeline in tech, cybersecurity, and more. Increasing fragility internally and externally. Not to mention the impact on morale and productivity in your company.

The skills gap is a sovereignty gap.

Just over half of Europeans have basic digital skills, ICT specialist availability remains low, and there is a stark gender divide — particularly in cybersecurity and AI. No sovereign infrastructure holds without sovereign talent. This belongs in workforce strategy, not just IT budgets.

Ensuring you are part of the talent pipeline not only improves your business, plus morale, loyalty and trust among your workers, but also can grant you more influence in policy discussions on workforce development. As well as improving immigration policies to attract and retain talent. Europe is missing the opportunity to capitalize on American brain drain in these critical skills with onerous immigration requirements that leave non-Europeans in precarious circumstances that discourage investment in their communities and host countries, and prevent them from starting their own businesses that create jobs and innovation as they are usually tied to employers.

Leave a comment

Share

Become Antifragile

And of course, ensure you have the simple, lean system in place to be sure your business and staff can respond to any type of risk - emerging or active - and give your board, investors and customers the confidence that you will keep serving them, with agility, no matter what this world throws at you.

You can download a PDF of my services here.

See the Antifragile Model here.

Subscribe now

Often it was saying governments should be able to call the head of a company during an emergency. That is a recipe for chaos.

Those leaders will be busy in a real crisis. So will their staffs. In most cases, none of the parties will even know what to ask for. Their staff won’t know how to cooperate or accommodate capabilities, roles and responsibilities, protocols, have not been identified and maintained prior to the emergency.

Who, contacts who, when, about what, and how.

That is the essence of what is needed both internally and externally for readiness in the private sector, in partnership with the public sector.

Businesses and government must build lean communication structure.

That means:

• simple, commonly accessible tools that work; not an overhyped new product that fails and causes staff to disengage or use shadow IT to work around it (opening more risk)

• simple, easy to understand protocols stored where any designated staff can find them quickly; and

• regular, structured engagement with an annual stress test, which can be moved up or more frequent if a major event is expected

Share

I should also note that alternative apps and methods of communication should be identified in case a server goes down, power is cut, an app stops working or is accidentally blocked by an app Store (I’ve seen this happen exactly when a security team was depending on it). In 2021, Meta engineers could not enter a facility where a bad router update had taken down WhatsApp, Instagram and Facebook simultaneously - as well as the door access system to the facility! It cost several more hours of working to gain physical access because there were no redundant ways to gain physical access.

Critical infrastructure protection depends on sustained, trust-based, cross-sector public-private partnership that can endure administrative priorities and budget cycles, and this kind of partnership requires deliberate investment from businesses as well as government.

There are many reasons why P3s don’t materialize, including reluctance from the private sector and often undue fears of cooperation leading to greater government regulation of the partner, fewer Human Resources and expertise on the government side, and more.

The good news is that we don’t have to reinvent the wheel. There are plenty of models to look at, particularly those focused on cybersecurity.

Examples from Natural Disaster Response to Missile Warnings and Cyber Security

The public and private sector have long cooperated on major natural disasters and cyber vulnerabilities and incidents.

Fusion centers are often set up, some are permanent, with secondees from multiple capabilities and institutions to centrally gather information, synthesize and push it out. In some cases, even planning and directing execution the next actions.

This is what Stanley McChrystal did to fight the insurgency in Iraq, and gave rise to his “team of teams” concept. Notably, he and his team broke down information sharing silos, removing what was literally lethal information gate keeping between US agencies like the CIA and military intelligence, vastly increasing the speed of his operations and therefore their effectiveness at achieving their objective.

This is a similar capability to the Antifragile Model I help businesses build and implement as a whole-of-enterprise readiness capability.

In the United States, natural disasters have always been a regular occurrence, though they are becoming more frequent and intense. .

The Federal Emergency Management Agency (FEMA) has a helpful Information Sharing Guide for public-private partnerships (P3). It confirms that in designing information-sharing capability for disasters, governance structures must establish leadership, a collaborative planning team, and a list of partners. It is critical to establish trust with traditional and non-traditional groups in advance, define partner roles and responsibilities, and formalize them — recognizing that roles may change before, during, and after disasters.

Some P3s establish a virtual or physical Business Emergency Operations Center (BEOC) that facilitates information sharing, coordination, and collaboration, with each model carrying its own legal and ethical considerations around rules of engagement based on local and state laws.

The Waffle House Index

And FEMA demonstrated some creativity in its signal gathering, something that often doesn’t happen. They have an informal tool called the Waffle House Index, in which the severity of a given disaster is determined in part by if local Waffle Houses are fully operational, partially operational, or closed.

Waffle House is a great model to follow in how it handles weather emergencies. As trust becomes more valuable for brands and services in these tumultuous times, businesses should take note.

From the opening of its original location in Georgia, United States, it has operated 24 hours a day 7 days a week - committed to being a safe and welcoming place for its often-working class customers. Its locations are primarily in the southeast and Mid-West of the US, areas prone to hurricanes, severe thunderstorms, flash floods, and tornadoes.

As a road-tripping American, Waffle House was known as a reliable place, and people kind of knew it was a generally a safe place to stop on the road late at night or in the very early hours of the morning.

The company has maintained a commitment to keeping its doors open and kitchen serving as much as possible - and it has invested in this. Buying back-up generators and developing employee handbooks for different scenarios, such as if there is no power but they have gas to cook with, they will stay open and serving. Employees are also trained for these situations.

Side note: As security threats against businesses and executives increase, consider how building a reputation for helping can mitigate and even prevent these threats to your business and personnel. Sometimes your return on investment is diffuse and hard to measure, though you can monitor the threats found on the web and Telegram, but such efforts can pay off enormously in various ways such as customer loyalty and prioritization by local governments for recovery.

Leave a comment

J-Alert and the Japan Bosai Platform

Japan has a highly integrated public warning system for both missiles and natural disasters - with the technical infrastructure and the partnerships to back it up.

J-Alert disseminates urgent warnings for tsunamis, earthquakes, and ballistic missile attacks via municipal disaster prevention radio receivers, broadcast media, and mobile phones — with private satellite operators and telecoms built into the technical delivery chain. Specifically, J-Alert broadcasts via JSAT’s Superbird-B2 communication satellite, while KDDI Corporation provides disaster message boards, emergency email services, and disaster voice messaging when a disaster occurs.

Beyond the alert system, the Japan Bosai Platform is a cross-industry platform utilizing public-private-academic partnerships with over 100 members from diverse industries to support disaster risk reduction. As Japan’s Deputy Director of the Multilateral Development Banks Division Naoki Yamashita put it: “the key of Japanese experiences is the collaboration among residents, businesses, and government.”

DHL & Asian Governments — Pre-Negotiated Crisis Operating Protocols

The 2003 Bam Earthquake in Iran was a turning point for DHL when they witnessed how a flood of relief goods could shut down an airport’s logistics if not professionally and effectively handled. This led to the signing of the 2005 Memorandum of Agreement with the UNDP and the UNOCHA which also focuses on disaster preparedness in addition to relief. DHL has since expanded its involvement by setting up its own global network comprising of three Disaster Response teams, with the first of these in the Asia Pacific. In the event of a major natural disaster, teams comprising of specially trained DHL employees will help manage crucial logistics operations in airports close to the affected area. This focuses mainly on addressing issues related to airport logistics management capability and is a crisis response mechanism in partnership with UN agencies.

The key lessons: collaboration with government and military is crucial; the private organization’s capabilities must be clearly communicated in advance; and ground rules and contact networks must be established early.

Cyber Security

There are numerous examples of successful P3s in cyber security, and these need to be replicated well beyond cyber security.

Information Sharing and Analysis Centers (ISACs) — The Backbone Model

ISACs are the most institutionalized form of this kind of partnership. An ISAC provides a central resource for gathering information on cyber and related threats to critical infrastructure, enabling two-way sharing of information between the private and public sectors. They began forming in 1999 following a U.S. Presidential Decision Directive that asked each critical infrastructure sector to establish sector-specific organizations to share information about threats and vulnerabilities. Wikipedia

The sector-specific structure means communication protocols are tailored to operational realities:

• FS-ISAC (Financial Services): Members benefit from real-time alerts, analysis reports, and critical intelligence feeds that help them respond to and mitigate emerging cyber threats. FS-ISAC also organizes meetings, webinars, summits, and simulation exercises to enhance member preparedness and response capabilities.

• E-ISAC (Energy): The Energy ISAC strengthens cybersecurity defenses for the electricity, oil, and gas sectors. Anomali Critically, while entities may compete with each other as part of their business model, it’s in everyone’s interest to collaborate when one of them is under attack or thinks they may have identified a potential attack.

• European ISACs: The EE-ISAC is an industry-driven, information sharing network of trust, where private utilities, solution providers, and semi-public institutions such as academia, governmental, and non-profit organizations share valuable information on cybersecurity and cyber resilience.

The technical protocols that underpin these are standardized: formats like Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII) allow for direct integration into members’ security tools, enabling the proactive sharing of threat indicators before they cause harm.

Rather than delving too far into examples, this 2017 ENISA paper provides a helpful overview of P3 models in cybersecurity in several European countries.

Chile also has a successful example. It enacted the Law on Cybersecurity and Critical Infrastructure in March 2024, which applies to both public and private organizations providing services that impact critical infrastructure, establishing two new regulatory institutions — the National Cybersecurity Agency and the Multisectoral Council.

The Essential Elements for Antifragility

The most effective examples share a few design principles: clearly defining communication methods, channels, and rules — determining who stores the information and how it will be used. Information must be appropriately classified and categorized.

Sequencing matters too. Trust-building and relationship formalization happen before the crisis. Communication roles and escalation ladders are pre-negotiated in legal or institutional frameworks, and the partnerships are stress-tested through regular exercises.

These are exactly the conditions that make the difference between coordination and chaos when an adversary strikes or a disaster hits.

Leave a comment

This is not bad luck. It is structural.

Boards today are, by design, optimized for financial oversight, legal compliance, and strategic alignment.

Not readiness in the sense of “we have a business continuity plan,” but readiness as a living, measurable, dynamic state: the genuine organizational capacity to detect emerging risks, absorb a shock and emerge intact.

This gap is widening. And most boards don’t know it yet.

So they hire a Chief Geopolitical Officer. Or McKinsey. Not realizing that this is just more regurgitated advice from folks who don’t actually know how to build cross-enterprise readiness in this highly dynamic era.

This week, I’m deep diving into some research. And while the research validates the Antifragile Model, none of the incumbent firms that produced the research have developed a coherent, board-level or C-Suite level framework or capability.

Share

The Landscape Has Changed. Governance Hasn’t.

The data is unambiguous. According to the NACD 2025 Governance Outlook, 48 percent of board directors believe crisis-like disruptions are more frequent than five years ago, and over half believe they are more severe.

A Protiviti global survey of board members and C-suite executives found that more than 75% of organizations expect their business model to undergo moderate to significant change in the near term — yet only 15 percent describe themselves as genuinely “disruptive leaders” prepared to respond.

Meanwhile, PwC’s Global Crisis and Resilience Survey found that while 89 percent of business leaders say resilience is one of their most important strategic priorities, a significant gap persists between stated priority and actual capability.

What’s driving this divergence? Part of the answer lies in how boards are composed. A Harvard Law School Forum on Corporate Governance analysis of the 2025 governance season found that boards are actively adding directors with traditional financial and leadership expertise — while skills like information security and technology risk showed little growth. The emphasis on conventional competencies, the report noted, “may result in gaps in board readiness to address emerging risks.”

But how do you know what to do when the “best practice” is traditional risk registers and business continuity plans? When lawyers and physical security professionals, often from law enforcement or national agencies that transitioned to the private sector, don’t know how to adapt? How do you hire for the right skills and proven impact rather than obsolete certifications?

Share

The Accountability Vacuum

You will get a complicated answer. The CISO owns cyber resilience. The COO owns operational continuity. The CRO owns the risk register. Legal owns regulatory exposure. The CFO owns financial reserves. BCM teams own the crisis playbook - usually siloed off from the cross-functional teams that will have to try to keep those operations going.

Each function is doing its job.

But Nobody owns the whole.

When something goes wrong — a cyberattack, a geopolitical shock, a supply chain collapse, a reputational crisis — the question of who is supposed to be watching the whole picture becomes unanswerable.

Because structurally, nobody is.

The best emerging risk and crisis response are simple protocols and communication channels with a lean, cross company structure owned by a single executive. In other words, the Antifragile Model.

These then have to be regularly stress tested, even as they are used on a daily basis - which makes them stronger, which makes them Antifragile.

But testing requires someone to own the process, drive the cadence, and report findings to the board in a form that triggers action. That person rarely exists.

And the absence of a single accountable owner means the crisis plan sits on a server, updated annually for compliance, and never seriously stress-tested.

What Failure Looks Like

Here is what the research — and my field and headquarters experience in high-pressure environments — tells us about how organizations fail in a crisis. It is often not the thing itself that destroys the organization. It is the non-existent, or chaotic response.

McKinsey’s analysis of crisis resilience puts it plainly: in crises, half the impact arises from the crisis itself, while the other half — good or bad — is determined by the response. Organizations with integrated resilience programs identify and correct vulnerabilities before disruption hits. Those without them discover their gaps in real time, under maximum pressure, with the whole world watching.

The consequences are measurable.

Downtime alone costs Global 2000 companies an estimated $400 billion annually, a number sure to be larger in 2026, according to Splunk’s Hidden Cost of Downtime report.

Reputational damage is harder to quantify but often longer-lasting. Over 20 percent of CEOs targeted by activist campaigns — many of which are triggered by crisis mismanagement — resign within a year, compared to an 11 percent baseline turnover rate.

The pattern, when you examine it carefully, is consistent. Organizations that weather crises well share three characteristics:

• genuine situational awareness before the crisis hit; which means they had good information - and that they acted on it

• internal communication held up under pressure; which means there was structure

• they had built trust — internally, institutionally, and publicly — that gave them room to act.

Organizations that fail typically lack all three.

A Framework for What’s Missing

The challenge for boards is that “readiness” is not a natural category in existing governance frameworks. It doesn’t map cleanly onto audit, risk, compensation, or nominating committees.

Readiness spans all of them — and falls through the gaps between them.

What boards need is a diagnostic framework that treats readiness as a measurable, governable state. And a capability. The dimensions of the Antifragile Model dimensions define it:

Information. Can the organization see what’s coming? Most organizations have large volumes of data and limited actual intelligence. Situational awareness at the board level requires not just reporting mechanisms, but an active capacity to synthesize signals into early warning and then response options. Risk registers document known risks. They rarely surface emerging ones.

Communication. When something goes wrong, does the signal reach the right people in time to act? Communication architectures are designed for normal operations. Under pressure, they degrade — sometimes catastrophically. The board’s role is to ensure that a senior executive is responsible for ensuring that escalation pathways for key information, and protocols for communication and coordination, are set up and tested, that external stakeholder communication is also protocoled and tested, with relationships developed before a crisis.

Structure. Is there a cross-enterprise readiness structure supporting, channeling those information and communication flows? Who begins gathering information or triggering protocols when a big event happens? Or something seems to be going wrong? Who centrally owns vertical and horizontal communication and coordination? Is it designed to flex? Operational resilience is a design choice.

Trust. This is the dimension that most governance frameworks ignore entirely, and it is the most decisive. Organizations that have built trust — with and between employees, regulators, customers, and the public — have room to respond to crises without losing the confidence of their stakeholders. Organizations that haven’t find that a crisis becomes an existential test of their legitimacy.

The NACD’s research found that only 59 percent of respondents trust business to manage technological innovation responsibly. Trust is not assumed. It is built — or it isn’t.

The Case for a Chief Readiness Officer

The structural fix is straightforward in concept, though not in implementation: boards need someone whose sole mandate is organizational readiness, with a direct reporting line to the board and genuine authority to test, challenge, and improve the organization’s capacity across all four dimensions.

This is not a CISO with a broader brief. It is not a rebranded business continutty director. It is a new governance function — a Chief Readiness Officer — whose job is to ask, continuously and with organizational authority: are we actually prepared? Is our situational awareness adequate? are we ready to respond to surprise?

Robust crisis readiness, when it exists, is a competitive advantage. Organizations that have stress-tested their plans, identified their gaps, and built genuine capacity across information, communication, structure, and trust don’t just survive disruption better — they emerge with credibility that their competitors lack.

The question for boards is not whether a crisis will come. The data is clear on that.

Anticipation at that level doesn't happen by accident. It's built, on purpose, before crisis hits.

Contact me for to learn more about how you can implement the Antifragile Model, and build your Master Readiness Plan. So your investors, your board, know you got whatever the world is going to throw at you.

Leave a comment

Sources: NACD 2025 Governance Outlook; PwC Global Crisis and Resilience Survey 2023; PwC Board Crisis Preparedness Report; Protiviti Global Board Governance Survey; Harvard Law School Forum on Corporate Governance, 2025 Governance Post-Season Review; McKinsey, Resilience for Sustainable Inclusive Growth; Splunk, The Hidden Cost of Downtime.

Leaders shaped by stable growth cycles default to optimization and system preservation when pressure arrives — minimizing visibility, avoiding hard conversations, and waiting for calm.

But turbulent times demand the opposite instinct.

Silence from the top is never neutral in uncertainty; it fills with the worst assumptions. The leaders who perform in crisis treat uncertainty as the job itself, not an interruption to it — a disposition built through adversity, not leadership programs.

The shift required is from protecting what worked to actively navigating what’s breaking.

Organizations that wait for crisis to surface this capacity will find there’s no time left to develop it.

The people you lead need to know you got this

That banner photo on my LinkedIn was taken not long before the Kabul airport was bombed.

11 people died that day, not long after we took off to visit the UNAMA office in Herat. We couldn’t return as planned that evening because the runway was damaged.

I was prompted to write a post on LinkedIn, and dig deeper here, because of seeing a LinkedIn post about Israelis scattering from an online event due to air raid sirens, then all of them returning and exchanging messages about what had just happened and what they had done (choose which form of shelter to go to and why, choosing to stay put because any shelter was too far to reach in time, etc),.

The poster said it felt like they had seen something important, not realizing that they were witnessing the natural, and necessary, human reaction to living through life threatening situations. It made more urgent one of my key Antifragile messages:

Leaders must show up to their staff and stakeholders to cultivate a culture of trust in tumultuous times,. This requires: leaders to:

• show up

• acknowledge what has happened,

• a reminder of the mission and key priorities

• and allowing space for staff to gather and talk through what happened.

Leaders that hide are not leading. They should take a step back to understand what is happening and decide what the priorities are. But then that has to be communicated.

Internal comms have to go out, with an acknowledgement of what has happened, and staff reminded they can take a few moments to process, gather, they may consider doing so after work to, and but in any case, to focus on critical priorities - which it is your job as leader to communicate.

Preventing the processing part, not making space for it, not acknowledging what has happened, even if you have to be careful in your wording, makes the trauma, the fear, the lack of trust, fester.

It will reduce the effectiveness of your staff because they don’t trust that you see what is happening, how it is impacting the business and workers, or that you care. Which will make them question your decisions more, and demotivate them on execution of their jobs. Especially if their jobs require any kind of adaptation or new work due to what has happened/is happening.

Share

Why do people gather and talk after a life threatening incident?

People have an innate need to gather after a life threatening situation.

And an innate need to verbalize what they were doing when it happened, and how they responded.

Even if no one died or got hurt.

Because their flight, fight, or freeze reactions were triggered, or in other words, their central nervous systems. And that happens at a level below the conscious mind. It’s your body responding to try to keep you alive.

And then you need to allow that alert state to dissipate, the central nervous system to calm.

And one of the best things to calm it is to gather, in person if possible, because this will literally calm your nervous system. Safety in numbers. Human beings are evolved from tribes, from hunter-gatherers and farmers that had to be vigilant for predators. Being in a group means more eyes, more forewarning, and your nervous system can relax a little.

How do I know? because I’ve experienced so many such incidents in Turkey, Afghanistan, South Sudan, even in Europe, not to mention some terrifying flights.

I’ve worked with people who have been on the front lines, have lived through multiple terrorist attacks, acts of war, natural disasters, whathaveyou. And they respond the same way.

No matter how jaded or fatalistic, as many of my UN colleagues were in Afghanistan, accepting the danger that was part of the job, they still demonstrated the innate instinct and need to gather, and verbalize what had just happened. And then we went right on with our jobs.

Share

Is your business ready?

Below is a short checklist of basic requirements for whole of enterprise readiness.

Some of what I discussed above can be supported by protocols, like clear communication. If you need help, let’s talk!

Readiness Checklist

___ Information collection and intelligence systems

E.g. social media monitoring, paid intelligence reports. Data is only what is shared. OSINT is only what is on the news,

___ Cross-functional communication protocols

Eg. Teams know who to contact when they notice an operational problem, or damaging social media, or a major incident in the news that could impact the company.

___ Crisis leadership and decision-making:

E.g. is there someone responsible for assembling team leads in 20 min?

___ Delegation and Empowerment

E.g Does an executive have to activate initial response, or do teams know when to act without executive guidance?

___ Defined alert and prioritization levels

E.g. Teams have escalation and prioritization criteria at their fingertips, with clear protocol for what to do at each threshold

___ Defined preparedness and response triggers identification of risks. Scheduled or unscheduled.

E.g. When an emerging risk triggers preparation work,

___ Ready-to-use crisis response plans Protocols

E.g. Do you have the protocols set up and teams trained on them for when those triggers are pulled?

___ Ready-to-use crisis response document templates

E.g. Are there pre-approved templates that teams can copy and quickly populate under pressure?

___ Confident leadership during crises

E.g. Are your team leads and executives confident in leading staff during a crisis? Do they know how to get staff to focus on response, cooperate, and make priorities clear?

Thousands of miles away, a European-American start up’s AI platform, on which it based a customer facing tool, became unavailable. I spoke to the founder. It turned out that workload was located in the data centers of AWS, hit by Iranian drones in UAE. Multiple businesses were impacted not only in the Middle East, but much further afield.

Before affirmatively declaring that the offices and assets including cables and data centers were legitimate targets, 3 AWS data centers were targeted in UAE and Bahrain. Amazon reportedly told customers to consider moving workloads off data centers in the Middle East.

Businesses have to bake in cybersecurity to remain resilient, but they also need to be conscious of their digital infrastructure and where workloads are housed. How resilient their digital infrastructure is. Does the platform distribute data across data centers? Is it housed on premises or in one place? This can raise the risk of wholesale losing your data in major outage or act of war that impacts digital infrastructure. Recovery is much faster if you can get your data. Some Eastern European governments have sovereign cloud servers in Luxembourg for this exact reason.

Payments and other platforms with workloads housed in the Middle East went offline in Asia and Africa. Banks in Dubai - which were still having employees come into the office amid drone strikes (I don’t know if this was required or voluntary) were hastily told to return home when Iran declared US financial institutions legitimate targets. Tech officers were already on work from home.

And schools across the Gulf are on remote learning, making resilient cloud-stored data even more important to enable teaching and learning in this unpredictable war.

Share

Beware the second- and third-Order effects

Now the second- and third-order effects of the war are starting to show up.

Not only is there a squeeze on global oil supplies, driving up energy costs, this also drives up prices of everything, because everything needs fuel. From factories to data centers.

As I wrote two weeks ago, where this all stops, nobody knows.

Sulfur, helium, fertilizer supplies, are all being hit by the war. Oil infrastructure is being damaged and will require millions if not billions of dollars worth of repairs. NVIDIA chips deliveries are threatened. Not to mention the losses in tourism and business travel throughout the region, now impacting Cyprus as well following drones sent to attack one of two UK military bases there.

Hundreds of thousands of workers across the Middle East are out of work or attempting to work from home.

While construction and billions of daily business transacitions and operations are halted. There are 17 subsea cables crossing the Red Sea and the Strait of Hormuz that could be damaged in the war, deliberately or incidentally. They can’t be repaired safely right now.

“The security frameworks underpinning the U.S.-UAE AI partnership appear to have focused on supply chain control and geopolitical alignment, not on physical defense during high-intensity conflict,” Ali Bakir, an assistant professor of international affairs at Qatar University.

Meta has now paused the Middle Eastern section of a major cable that will improve connectivity in Africa.

Food supplies in Africa, the UK and elsewhere are likely to be reduced as fertilizer supplies are held up.

NATO may be undermined by this war, as the US requested NATO Allies to send ships to escort oil tankers through the Strait of Hormuz, a request which was rebuffed, prompting a warning from the US president that NATO could face “a very bad future”. But France and the UK have deployed military assets to the region, even European military bases in Iraq and Cyprus have been targeted by Iran and its proxies. A French soldier was killed and 6 others were wounded in a drone strike.

The US is repositioning assets, including air defense, from Asia to the Middle East, reducing defense for Japan and the Republic of Korea. Turns out Europe has more minesweepers than the US, another concern in the Strait.

And regionally militias are both being drawn into the conflict and trying to sit it out. In some cases its unclear who is attacking who as the opportunity to take advantage of the chaos presents itself.

Iraqi and Iranian Kurds have been called on to fight Iran, but for now seem to be reticent as the regime remains intact, and the US, from today and going all the way back to the administration of George Bush senior, doesn’t always back up those it has encouraged to rise up.

So what?

The unpredictability of this war was predictable. Geopolitical analysts have been writing about the risk of the Strait of Hormuz being cut off for decades. There are numerous scenarios that could play out here, and I wonder if this will break NATO, or strengthen a rump-NATO. Consumers are already pulling back on spending as costs rise, which is bad news for business across the board, coupled with increasing costs of inputs and operations.

The US and Israel governments have said this war will last a few more weeks at least, but the repercussions will reverberate for decades.

Leave a comment

What business leaders should do now

Here is what every leadership team and board needs to be working through. Not just for this conflict, but the world we live in now.

1. Subsea cables: the most underestimated risk

Subsea cables carry roughly 95% of international internet traffic. The Red Sea corridor — passing near Yemen and within reach of Houthi-controlled territory — routes cables connecting Europe, the Gulf, South Asia, and East Asia.

What leaders should assess:

• Which of your cloud providers, data transit paths, and SaaS platforms route through the Red Sea or Persian Gulf corridor?

• Do you have contractual SLA protections that account for geopolitical force majeure on cable damage? (Most don’t.)

• What is your recovery time objective if a key cable route is severed for weeks — not hours?

Mitigation actions: Demand a routing transparency report from your ISPs and cloud providers. Engage providers with redundant Atlantic and Mediterranean paths. For critical operations in the Gulf or Asia-Pacific, negotiate failover SLAs now, not after an incident.

2. Data centers: physical and cyber threat convergence

Iran and its proxies have demonstrated both physical precision strike capability (ballistic missiles, drones) and sophisticated cyber operations (APT33, APT34, Charming Kitten).

What leaders should assess:

• Where are your primary and backup data centers located, and are any of them in conflict-adjacent geographies?

• What is your blast radius if a regional cloud availability zone goes offline — not just one, but an entire regional cluster?

• Are your incident response playbooks written for peacetime cyber events, or do they cover infrastructure loss at scale?

Mitigation actions: Architect for geographic redundancy outside conflict zones. European and US east-coast availability zones should serve as active, not passive, backups for Gulf-adjacent operations. Apply zero-trust architecture so that a compromised perimeter doesn’t cascade inward.

3. Cloud and SaaS disruption: BGP, DDoS, and intelligence exposure

Iranian state actors have a documented record of BGP hijacking (rerouting internet traffic), large-scale DDoS operations, and signals intelligence collection. In a hot-war context, these capabilities get deployed more aggressively and with less concern for attribution consequences.

What leaders should assess:

• Are your crown-jewel systems — financial data, personnel records, IP — sitting in environments with adequate encryption at rest and in transit?

• What is your third-party risk exposure through vendors and partners who may be far less resilient than you are?

Mitigation actions: Commission a third-party vendor risk assessment with a conflict-scenario lens. Enforce end-to-end encryption on all sensitive data paths. Subscribe to BGP monitoring services that alert on anomalous routing. Run a tabletop exercise simulating a sustained DDoS against your customer-facing infrastructure.

4. Supply chain interdiction: hardware and logistics

The semiconductor and hardware supply chain runs through geography now threatened by conflict escalation: Taiwan Strait risk compounds with Red Sea shipping disruption. If your organisation depends on just-in-time hardware procurement — servers, networking equipment, edge devices — you are exposed.

What leaders should assess:

• What is your hardware replacement lead time if procurement routes through Asia are disrupted for 60–90 days?

• Are critical hardware components sourced from single-country suppliers?

• Does your MSP or colocation provider have stockpile resilience?

Mitigation actions: Dual-source critical hardware suppliers. Build a 90-day strategic reserve for tier-one infrastructure components. Review contracts with data center and managed service providers for supply chain representations.

5. GPS, GNSS, and satellite timing disruption

This is the risk most boards don’t know to ask about. Iran and its proxies are active GPS jammers and spoofers across the Middle East, as do other actors in the region including the US and Israel. Financial systems, logistics platforms, telecoms networks, and critical infrastructure all depend on GNSS for timing synchronisation. Disruption is not speculative — aircraft and shipping have already experienced significant spoofing events in the region, as they have in the Baltic for some time.

What leaders should assess:

• Does your financial trading infrastructure, network synchronisation, or logistics platform depend on GPS/GNSS timing?

• Have your technology teams assessed fallback to terrestrial timing (PTP, NTP from hardened sources) if satellite signals are degraded?

Mitigation actions: Audit GNSS dependency across operational technology and financial systems. Implement multi-constellation receivers (GPS + Galileo + GLONASS) as a minimum. For critical timing, invest in atomic clock-based local references that don’t require satellite input.

The strategic frame: IT is an existential risk

The meta-failure I see across organisations is that digital infrastructure risk is still sitting in the CISO’s remit rather than on the board agenda. In a conflict that is actively targeting undersea cables, data centers, and satellite systems, this is existential business risk

The Antifragile Model lens here is straightforward: the organisations that emerge stronger from this period will be those that have invested ahead of crisis in information (real-time threat intelligence and internal organizational signals), communication (cross-functional response capability), and structure (resilient, redundant, geographically diversified infrastructure). Trust — with customers, regulators, partners, and your employees — is what you’re ultimately protecting.

The question for every board isn’t whether their digital infrastructure could be disrupted. It’s whether they’ve built systems that get stronger under this pressure rather than collapsing.

Share

If you need help getting your enterprise ready for anything, send me a message or check out www.antifragileprogram.com.

Thank you for reading.

-Dixie

Subscribe now

The Shadow and the Storm:

Mapping the “Permanent Hybrid War” of 2026

The joint U.S.-Israeli military campaign that commenced on February 28, 2026, represents a "fundamental rupture" in the established security architecture of the Middle East, signaling a definitive transition from grey-zone competition to a high-intensity regional war. While the world’s attention has been captivated by the roar of jet engines and the destruction of strategic sites, a parallel and arguably more significant conflict is being waged in the digital realm. This war is defined by the Iranian Hybrid Doctrine, a calculated strategy that has evolved since the brief 12-day conflict of June 2025 into a permanent state of being where the lines between state spies, soldiers, and cyber criminals have been completely erased.

The Illusion of the “Great Digital Silence”

In the opening week of the war, many observers were surprised by the apparent lack of large-scale Iranian cyberattacks compared to the noisy hacktivism seen in late 2025 [Conversation History]. However, this “Great Silence” was not a sign of weakness, but a byproduct of a deliberate “Tactical Self-Denial” strategy. To protect remaining leadership and command structures from precision kinetic strikes, the Iranian regime throttled its own internet connectivity to a mere 1% to 4% of normal levels. This self-imposed blackout was designed to deny external intelligence agencies access to Iranian networks and disrupt Coalition command-and-control (C2) signals that rely on signal intelligence (SIGINT).

Simultaneously, the regime utilized military-grade jammers to successfully interrupt up to 80% of civilian Starlink traffic, effectively creating a “kill switch” for satellite-based communications. This digital isolation has introduced significant operational latency in Iran’s own offensive cyber units because commanders ordered all senior officials to abandon network-connected mobile devices to avoid targeting by the Coalition’s “near-complete air superiority.”

Decapitation and the Collapse of Command

The relative quiet in cyberspace is also a direct result of the decapitation strikes that occurred in the first hours of the conflict. The confirmed death of Supreme Leader Ali Khamenei and over 40 senior military and intelligence commanders caused a profound loss of central command and control. President Masoud Pezeshkian later acknowledged that these strikes led to a significant "miscommunication in the ranks," forcing Iranian military and cyber units to operate with unprecedented and dangerous levels of autonomy.

The Pillars of the Iranian Hybrid Doctrine

Despite the disruption to its central leadership, the Iranian regime has continued to execute a sophisticated asymmetric doctrine that prioritizes “soft” civilian targets over hardened military ones. This strategy rests on four key pillars:

• Deep Access and Espionage: Long-term “network prepositioning” allowed Iranian actors like Lemon Sandstorm (Pioneer Kitten) to maintain access to critical national infrastructure for nearly two years before the war began.

• Economic and Social Disruption: Iranian-linked groups have targeted the “soft underbelly” of society, such as the “Kindergarten Hijack” operation, where the PA systems in 20 Israeli schools were compromised to broadcast sirens and pro-terrorism songs to induce panic.

• Hybrid Kinetic Warfare: In a definitive example of digital tools serving physical bombs, Iranian operators hacked thousands of unsecured home security cameras across Israel. These were used as a live battlefield intelligence network to perform real-time Battle Damage Assessment (BDA), allowing Tehran to see exactly where its missiles landed.

• Tactical Evolution via AI: The regime has pioneered the use of Generative AI to automate “hack-and-leak” campaigns and craft flawless phishing lures. The FBI reported a 4,500% increase in AI-driven phishing attempts over the last year, including a highly sophisticated PDF lure disguised as an official report from the RAND Corporation.

The March 8 Escalation: From Bytes to Brine

The war reached a deadly new phase on March 8, 2026, when Iranian forces The war reached a deadly new phase on March 8, 2026, when Iranian forces carried out a missile strike on a critical desalination plant in Bahrain. This attack represents the physical culmination of the asymmetric doctrine, targeting the literal life-support systems of the Gulf. Iranian Foreign Minister Abbas Araghchi justified the strike as a direct retaliation for a U.S. airstrike that reportedly damaged a desalination plant on Qeshm Island, disrupting water for 30 villages.

Araghchi’s warning that “the U.S. set this precedent” signals a shift where civilian water infrastructure is now a primary theater of war. This has catastrophic implications for regional stability, as desalination is not only vital for drinking water but also essential for the cooling functions of the data centers that underpin the Middle East’s emergent AI infrastructure.

A New Business Model for Global Conflict

Perhaps the most dangerous evolution in Iran's strategy is its shift to a "State-as-Access-Broker" business model. Groups like Pioneer Kitten now breach corporate networks and sell that access on the dark web to criminal ransomware syndicates like BlackCat (ALPHV). This partnership provides the regime with untraceable funding and plausible deniability, as it can frame state-sponsored aggression as purely criminal activity.

The Road Ahead: The Permanent War

As the conflict grinds on, experts warn that the digital and physical fronts have fully merged into a single, asymmetric machine. The “Great Digital Silence” was merely a prelude to a more covert and lethal state of being [Conversation History]. With Russia providing real-time intelligence to Iran and China hedging its support, organizations must recognize that the tactics tested today in the Gulf will likely be repurposed against allies in North America and Europe.

The question for 2026 is no longer when the war will end, but whether our collective vigilance can match the permanence of a hybrid battlefield where undersea cables, desalination plants, and data centers are as much on the front line as any military base. The March 8 attack on Bahrain confirms that silence in cyberspace is often the loudest warning of the next physical strike.

Leave a comment

Sources Used for Analysis

• CBS News: Live Updates: Eighth day of the U.S.-Israeli war with Iran: https://www.cbsnews.com/live-updates/us-iran-war-israel-strikes-regime-targets/

• AP News: Iranian drone damages desalination plant in Bahrain: https://apnews.com/article/iranian-drone-damages-desalination-plant-bahrain-659

• Iran International: US hit desalination plant on Qeshm Island: https://www.iranintl.com/en/202603071423

• ZENDATA’s Cyber Analysis of the Iran-Israel Conflict: https://zendata.security/2025/06/24/zendatas-cyber-analysis-of-the-iran-israel-conflict/

• CSIS: Would Regime Change Solve the Iran Challenge?: https://www.csis.org/analysis/would-regime-change-solve-iran-challenge-state-play

• FBI: Ahead of the Threat Podcast - Episode One: https://www.fbi.gov/video-repository/ahead-of-the-threat-podcast-episode-one-aron-ain-102324/view

• The Hacker News: Iranian Hackers Maintain 2-Year Access to Middle East CNI: https://thehackernews.com/2025/05/iranian-hackers-maintain-2-year-access.html

• Iran International: Iranian hacker group targets Israeli kindergartens’ PA systems: https://www.iranintl.com/en/202501265679

• Risky Biz News: Iranian APT moonlights as access broker and ransomware helper: https://news.risky.biz/risky-biz-news-iranian-apt-moonlights-as-access-broker-and-ransomware-helper/

• Trends Research: AI and the Evolution of Asymmetric Cyber Warfare: https://trendsresearch.org/insight/ai-and-the-evolution-of-asymmetric-cyber-warfare-insights-from-the-2025-israel-iran-conflict/

• Institute for the Study of War: Iran Update Evening Special Report, March 6, 2026: https://understandingwar.org/research/middle-east/iran-update-evening-special-report-march-6-2026/

• Water Online: Persian Gulf Desalination Plants Could Become Military Targets: https://www.wateronline.com/doc/persian-gulf-desalination-plants-could-become-military-targets-in-regional-war-0001

• Manara Magazine: Resistance as Ideology: Why Iran’s Regime Will Remain In Power:https://manaramagazine.org/2026/03/why-irans-regime-will-remain-in-power/

• Geopolitical Instability and Systemic Collapse: A Comprehensive Analysis: Santiago Holley’s Notes.

Regime change is always unpredictable

That action was coming against Iran was clearly indicated by the military build up - (how was Russia’s build up next to Ukraine so strongly dismissed?).

It was always possible, though to a diminishing degree, that a deal could happen, but I’m not sure that was ever really an outcome the US government was seeking.

Iranians today are joyfully celebrating the death of Ayatollah Khamenei, with several members of his family, including possible successors, also dead.

But remember that when the people revolted against the Shah Mohammed Reza Pahlavi in 1979, it was not at all clear the Islamists would ultimately take control. There was clear national consensus against the Shah amongst nationalists, secularists, laborers, ethnic minorities, moderate and extreme Islamists, he had completely lost legitimacy, and Ayatollah Khomeini was able to capitalize on the chaos - and existing parallel institutions - to become the ultimate victor. His movement overthrew the newly elected government and purged even moderate Islamists by spring 1981.

His son, Reza Pahlavi, does however appear to have some legitimacy among the diaspora, and potentially at home. Whether he will prove to be an effective uniter leader of a diverse diaspora and Iranians at home - and how much Israel and the US will be involved in backing or influencing who ultimately emerges to rule Iran - is impossible to tell right now. Politico has a recent analysis here.

That backing could undermine the legitimacy of the next ruler. It didn’t help the Shah’s father.

And non-profit news outlets and democracy support programs have largely been defunded or profoundly weakened.

I very much question how realistic it is to think a democracy will emerge out of this, but let’s not let pessimism stop the effort.

Share

Leave a comment

The example of Ashraf Ghani

There are plenty of examples of Western leaders backing the wrong horse. In Afghanistan, Western leaders long supported Ashraf Ghani, a World Bank economist. Why? Because he sounded like us. He knew how to talk to us. But, as I warned NATO leaders in Afghanistan way back in 2012, he was not legitimate in the eyes of Afghans. He could not communicate effectively with them at all. His communication skills in Dari had been hobbled by decades away. He had left Afghanistan long before the Taliban took over in the 1990s, after finishing his grade school education there then moving to Lebanon and the US.

Many Afghans resented those who left. And at the very least, it takes a lot of emotional intelligence to relate to people who have been through something you never experienced. But Ghani lacked charisma and emotional intelligence. The first election he ran in in 2009, with tacit Western backing, he was a non-issue. Ghana won the next election in 2014 as the Pashtun candidate, but governed poorly, led his administration poorly, certainly without emotional intelligence of any kind. This was not helped by the dual-headed monster that government became thanks to Tajik candidate Abdullah Abdullah’s insistence he had won the election and would fight the government if not given power. The US then negotiated a position for him as the Chief Executive Officer, and the relationship between himself and Ghani never became functional. Afghans were bitterly disappointed in this foreign intervention and Frankenstein of a government.

All the while, the Taliban were closing in.

Current impacts to business

Previous Israeli and US bombing runs and retaliation have been characterized by proportionality. For example, Iran warning the US and Qatar it would target a US base there, allowing for evacuation. Or lobbing missiles at Israel while knowing they will be intercepted. This caused very little disruption to business and life as usual.

Though Israel bombing in Doha, Qatar during negotiations with Hamas in September 2025 was exceptional.

Logistical Disruption

After it appeared Iran was focusing missile barrages on US bases in regional countries, drones are impacting international airports in their capitals and even residential buildings, notably one of those fantastically expensive places on The Palm. Roberto Lafforgue on LinkedIn describes the sea change well:

“The Shahed-136 is designed to fly low and slow, to evade traditional radar logic and saturate defenses through volume. Its purpose is not precision but inevitability: enough launches that one will get through. In Dubai, one did. And the proof exists in high definition.

Tonight, every expatriate in that building is calling relocation advisors. Every investor who bought property on the Palm is recalculating exposure. Every global insurer underwriting Gulf real estate is convening emergency committees to reprice sovereign and urban risk. Lloyd’s of London does not care whether the intended target was military or symbolic. It cares that a drone hit a residential structure—and that the world saw it.

For three decades, #Dubai built its reputation on a single geopolitical argument: proximity to #Iran did not matter. You could erect the tallest towers, the most luxurious artificial islands, and the busiest airports just 150 kilometers from missile batteries of the Islamic Revolutionary Guard Corps, and it would remain irrelevant to daily life and global finance.”

Needless to say, those days are over.

Billions are being lost in business operations, the costs of employees and goods stranded across the Middle East, unable to fly, unable to move through the Straight of Hormuz or the Red Sea.

Will any internet cables be damaged, whether intentionally or unintentionally?

We have no way of knowing when this will be over, and the US has indicated further operations, and the deaths of American soldiers, are a possibility.

Humanitarian and migration pressure

Airports may closed but land routes will be teeming with refugees in Iran and out into neighbouring countries. If chaos ensues inside Iran, refugees that may only now be temporarily fleeing where the bombs are falling will seek to leave entirely. This will create new migration pressures, and will likely impact Lebanon, Turkey, Egypt, Syria, Libya etc, with Turkey expected to keep waves of human migration away from Europe.

Cyberspace

Human traffickers and other criminals will seek to take advantage of the situation and are likely already doing so online.

As diverse disinformation spreads online, cyber criminals will already be active alongside state actors.

Cynthia Kaiser has a great post on LinkedIn describing Iranian cyber operations, I recommend reading the full post. In the coming days and weeks Iranian cyber operations, depending on if the capabilities remain in tact, will include:

• Deploying ransomware before wiping an organization’s data.

• Leveraging long-term espionage access and data exfiltration from different threat actors for destructive attacks.

• Hiding behind fictitious cybercriminal groups.

• Engaging in online harassment of victims, including the release of stolen data.

I truly hope we get through this to a peaceful and stable Iran.

But that result is far off, and anything but guaranteed.

Share

How the Antifragile Model can help your business

INFORMATION | See the leading indicators.

When conflict escalates, the information environment degrades fast — markets move on rumors, official channels lag, and noise overwhelms signal. The Antifragile Model builds always-on information architecture: Structured internal and external information collection for real-time threat indicators calibrated to your business. You don’t wait for headlines. You act on leading indicators.

COMMUNICATION | Clarity cuts through the noise.

Retaliation strikes don’t follow business hours. When your teams are dispersed across time zones, when clients are demanding answers, and when your leadership is operating under pressure — communication either holds or it breaks. The Antifragile Model installs pre-agreed protocols, clear decision authorities, and tested escalation pathways before the crisis hits. Your people know exactly who says what, to whom, when and how.

STRUCTURE | Flexibility is strength

Rigid organizations shatter under shock, but unstructured or siloed crisis response creates chaos. The Antifragile Model provides the flexible structure necessary to enable your leadership and operations at speed, enabling rapid operational pivots.

FOUNDATION: TRUST | The force multiplier no one budgets for.

Every pillar depends on it. Teams that trust leadership act faster and with less friction. Leadership that trusts teams can focus on strategy. Clients that trust you stay through turbulence. Partners that trust your protocols engage rather than retreat. The Antifragile Model builds trust as infrastructure — not a byproduct of good intentions, but a designed feature of how your organization operates under pressure - and sets itself apart from the rest.

Leave a comment

US threats to take Greenland until Davos two weeks ago seem to have been the final gong needed to wake Europeans out any delusions of the world they now live in.

One defined by instability. One where China is only too happy to present itself as the anchor of a new world order and the only true source of stability. Which might be fine if it weren’t intent on global power projection that means any person anywhere could be punished for running afoul of the Chinese state, for any reason.

We are all in the same boat, we need to row together

I attended a dinner hosted by JEDI, “the European ARPA”, where the question was put to serving European generals, civil society leaders, ambassadors, scholars and CEOs - what was missing at Munich this year.

My answer? one of the key factors that has brought us to where we are now on both sides of the Atlantic - a lack of vision and effort to bring along our populations, with something inspiring and hopeful.

The failure to address housing, affordability, social mobility, and the clear disinformation push from bad actors, allowed bad actors to exploit the situation to their benefit. Undermining social and national cohesion.

NATO did not “do” strategic communications until far too late, clinging to an outdated belief that that would be propaganda. It failed to tell its own story, so Russia began telling it for NATO. Millennial NATO workers in their early 30s were warning NATO leaders about this in the early 2010s. You can read some about the internal controversies here.

Grand speeches by world leaders are all well and good, sending signals to each other and governments around the world. But what are you giving Europeans to rally around? They are faced with mounting anxiety, and one reason key information is often not shared with the public is so that one doesn’t induce panic. But then they need to trust you are doing something about the problems.

And public trust in business has greatly eroded.

And in some cases governments are, but again fail to communicate it.

I’m not talking about nationalism, the kinds often based on a very artificial idea of who ethnically belongs to country. But the civil society of each nation-state, the citizens and residents, to know we are all in this together, and that we need to work together to preserve the independence of our nations, and this can only be done effectively, especially in a more Hobbesian world, with Allies and Partners.

The United States stayed out of World War I, because it did not have a dog in the fight, until the Lusitania was sunk.

The US President Woodrow Wilson set up the League of Nations to prevent the biggest war the world had ever seen, after a massive arms build up among European nations. This fell apart, with a new global war starting just 20 years later. When Hitler determined Germany required “Lebensraum”, all the surrounding land and resources to support the superior German race. An echo of the new era of empires we seem to be entering.

The United States then stayed out of World War II, until the bombing of Pearl Harbor.

In both cases, the war did not stay “over there”. It came to the US. And may well do so again.

Europe provides strategic depth to the United States, and its destabilization will allow the metaphorical crocodiles to get closer to the American boat.

Which is not to say that Europe does not need to reinvigorate its defense capabilities. It does.

Many governments, businesses and organizations large and small are working on this the very problem. Like JEDI. Though I fear for coherence, strategy, the froth in the defense start-up sector - anyone who served in Iraq and Afghanistan knows the massive grift that took place by many contractors, which not only undermined the legitimacy of the mission, but the operation of the mission itself.

We need strategy, we need coherence, we need common goals, and circling back to the opening idea of this post, the communicate and inspiring, hopeful, empowering vision to our populations.

The talent is there, it just needs to be focused and supported.

It’s not just cyber anymore

I also attended the fantastic Munich Cyber Security Conference, and I was just bubbling over with thoughts.

The panels were genuinely engaging and full of real experts and practitioners, not just talking heads.

Something I heard across panels there was the need for better communication between the private sector and the government.

But that this is often hindered by fears over this bringing scrutiny to compliance.

My friends, we need to move past this.

The private sector often defaults to opacity to protect IP, which I understand. But especially large corporations also tend to have a risk-avoidant, lawyer-driven approach to these things that seeks to protect the status quo.

This approach is harming all of us. The status quo is gone. Adaptation is the name of the game.

I also continue to see folks in the private sector, in government saying CEOs need to trade phone numbers for emergencies.

Friends. No.

That is how you get a big chaotic mess.

What needs to happen is structured communication and information set up before a major incident. Then the incidents become exercise that works the muscles. The system becomes stronger - and that is Antifragility.

Who communicates what, when, and how.

That is what you need.

Which will require governments and businesses setting this up. Which I can help with.

Individual business will also need to implement the Antifragile Model internally, to better sift the internal and external signals from the noise, channel that information correctly internally with structure, and build the trust to empower staff to act when needed and keep senior leadership informed.

A panel on hybrid warfare and protecting the energy grid discussed exactly this, with a Ukrainian general talking about the exact, simple protocol I mentioned above and constantly re-iterate in the private sector - who communicates what to who, when, and how.

Simple protocols like that are absolutely essential to the Antifragile Model.

Share

We can look to the Nordics and Baltics for the best examples of whole of society readiness, but I’m unsure how integrated businesses large and small are. Sweden has released a version of its crisis preparedness pamphlet specifically for businesses. The previous one is for civilians.

But readiness isn’t a document. It’s a capability.

Antifragility is a deterrent

There was a lot of talk about deterrence during both MSC and MCSC. And the necessity of a whole of society approach.

Let’s start building Antifragility into our societies by putting the information and communication structures in place to enable businesses at an individual level to respond to complex risks and events, and be good partners to governments and our populations in protecting our homelands.

This will mean adversaries have to invest much more to disrupt our societies than they currently do.

Let’s not make it easy for them. Let’s make it hard.

Leave a comment

And even then, to actually act on the information once you’ve identified. Sometimes, more often than you would think, very clear information is ignored because “that can’t happen”.

My friends, anything can happen. When you think that, ask yourself - why couldn’t it? What actually would prevent it from happening? Assumptions about the environment? Are those assumptions updated with current information or based on old information?

Something may be unlikely, but you need to look at the evidence, the signals, the potential constraints, to judge that likelihood.

We have entered an age of volatility and disruption. A return to empires. Maybe even colonialism.

It is impossible to predict specifically where our current trajectory is headed. So the best answer to get prepared, shed old assumptions, build trusted relationships with customers, users, regulators, other companies, communities you operate in, and make your operating model as antifragile as possible.

If you would like to talk through what the latest developments mean for your business, and what you can do about it, send me a message.

Digital Sovereignty

Digital sovereignty is back with a vengeance following the continued push for US ownership of Greenland.

The now walked-back threat of US military action there following the removal of former president Maduro from Venezuela prompted a sea change. Uncertainty over potential US actions in Iran and how that will cascade is driving further contingency planning.

Europe remains bereft of large homegrown cloud providers, but governments are beginning to take small but concrete actions.

Those are early warning signals.

France last week announced it will roll out French video conference platform Visio across all government departments by 2027. This will replace Zoom, Microsoft Teams and Google Meet. While France is looking to French platforms above all, it is in particular seeking to reduce dependencies on American tech.

The Dutch government, and many businesses, organizations etc, have been nervous since the International Criminal Court suspended the Microsoft 365 Enterprise account of its Chief Prosecutor Karim Khan last summer. The ICC has since ditched Microsoft for an open source email platform.

Also in The Netherlands, an American company has acquired Solvinity, which serves DigiD, the ubiquitous Dutch online identification tool to book a doctor’s appointment, buy or rent a house or access online public services.

“that’s prompting concerns that the Netherlands is giving away critical technology at a moment of heightened sensitivity around the country’s wholesale use of American services.”

The acquisition has been receiving public attention since November, prompting a group of experts to send a letter to the Dutch government, saying “Putting vital digital infrastructure in American hands “raises Dutch vulnerability for outages, manipulation or even blackmail”. A petition signed by 140,000 calling on the government to suspend the deal was sent to parliament.

According to Politico, two-thirds of Dutch domain names for government agencies, schools and other critical services rely on US cloud providers, particularly Microsoft.

The Ministry of Economy is now looking into the deal.

Electronic payments are also vulnerable, and underpin the vast majority of financial transactions today. With some individuals recently sanctioned by the US, they can have their bank accounts frozen and be barred from standard international payments systems, including Visa and Mastercard. The EU is looking at the “digital euro” project to become a sovereign European payment system.

The invisible complexity of the tech stack

But the tech stack is incredibly complex. Cables, data centers, hardware like chips, servers, etc, and then getting into the software layer, where platforms and tools are interwoven. You may use a European platform but is it hosted on an American, or Chinese, cloud? Who provides its cybersecurity? Who provides the software the cybersecurity firm relies on? Is there Chinese hardware in the telecoms equipment?

Sometimes these layers of interdependency, and concentration in the market, are revealed when something goes wrong. Like the Crowdstrike incident in July 2024. A bad update - not a cyberattack - caused tens of thousands of flights to be cancelled and snarled airport operations across Europe and the US. Delta alone said the outage has cost $500 million - and that is just one airline. Paris Olympics operations were mildly disrupted - press passes couldn’t be printed. Multiple platforms did not know at some level in their tech stack was a dependency on Crowdstrike. A customer may not have been a Crowdstrike user themselves, but a key piece of software either that customer or one of their suppliers or providers used was dependent on was a Crowdstrike customer.

Trust never goes out of style - but it may become a rare and precious commodity

Share

Indeed it is the foundation of the Antifragile Model.

Trust is rapidly becoming the defining trait customers big and small are looking for. American tech, which represents a trade surplus with Europe, will struggle to convince customers and governments it can continue to be blindly trusted.

I believe customers in general will continue to be won over by convenience regardless of headlines. However there may be a turning point. The threat of sanctions or disruption to services caused by geopolitical issues may reduce that convenience advantage.

Some companies have cultivated more trust than others, depending on how they apply privacy and safety policies in particular, as well as how they work with, or don’t work with, governments about their concerns.

The old adage that trust is hard earned, and easily lost, holds true.

There is no mass exodus from US tech just yet. There are few alternatives with the scale, and the cybersecurity (of varying efficacy) that comes with it. Europe does not have the infrastructure on its own to develop its own major AI models off of American platforms, or to run models completely of them for the use of businesses, governments, workers and consumers.

So how can businesses navigate this environment?

Information

• Map your tech stack dependencies systematically - Document your tech stack components from cables to cloud and software providers to understand where American (or other foreign) dependencies create vulnerability points for your business critical operations.

• Decide trigger points for migration decisions - Assess risks of waiting and seeing vs. proactive risk mitigation - it will be much harder to migrate during an emergency. Migrating once you’ve identified tools that can meet your needs rather than waiting may be prudent to minimize disruption.

• Monitor early warning signals actively - Track government policy shifts (like France’s Visio rollout), regulatory investigations, and public sentiment changes as leading indicators of disruption.

• Challenge “that can’t happen” thinking - Question assumptions about platform stability and access; stress-test scenarios where trusted providers become unavailable for any reason - geopolitical, cyberattack, product failure, natural disaster.

• Implement custom infrastructure intelligence gathering - Don’t rely solely on vendor assurances; develop independent capabilities to assess platform reliability and sovereignty risks. Invest in frameworks that identify meaningful sovereignty trends versus temporary political rhetoric.

Communication:

• Establish clear escalation protocols - Define who makes decisions when a trusted platform faces restrictions, and ensure decision-makers understand both technical and strategic implications

• Keep staff informed - Ensure there is clear and timely communication with staff in the event a migration is needed, or if there is a need to quickly exit a platform.

• Build transparent stakeholder communication - Prepare messaging for customers, regulators, and employees about a major service outage due to geopolitical, and other, causes.

• Create shared language across functions - Ensure technical teams, legal, compliance, and leadership can discuss sovereignty risks using common frameworks and language.

• Document decision rationale in real-time - When choosing vendors or platforms, record why you’re accepting specific dependencies so you can revisit those assumptions as conditions change.

Structure:

• Design for optionality, not optimization - Build architectures that allow platform switching even if it costs efficiency; the ability to move may be more valuable than marginal cost savings.

• Diversify critical infrastructure strategically - Avoid single points of failure in authentication systems (like DigiD), cloud hosting, and communication platforms. Have backup apps and methods identified in case corporate comms become unavailable.

• Develop modular capabilities - Structure systems so components can be replaced without complete redesign if a provider becomes unavailable

• Invest in interoperability - Prioritize open standards and portable data formats that reduce lock-in to any single vendor ecosystem. Ensure vendors enable fast and easy data transfer off their platforms before you purchase their services. Many either hold your data or charge exit fees and make moving off-platform difficult. This environment can help you negotiate these terms.

• Build crisis response capacity - Establish teams that can execute rapid platform migrations under pressure, with playbooks already tested

  Share

The Antifragile Approach

The key is not eliminating dependency - that’s impossible - but creating agile structures that can adapt quickly. When sovereignty concerns force platform changes, organizations with modular systems, clear protocols, and diversified options will capture opportunities competitors miss while others scramble to maintain basic operations.

Trust isn’t just being earned or lost—it’s being redistributed. Position your organization to benefit from that redistribution.

We won’t know how exactly the saga over Greenland will play out until it happens. Will the US negotiate an agreement? Will Denmark agree to something to avoid a possible military confrontation? Will the US use force against Danish soldiers? Will the US military carry out that order against an ally? What will happen to transatlantic payments? The analyses I’ve read this morning are focused on the EU’s Anti-Coercion Instrument, which could result in spiraling tariffs and even sanctions. But things could go downhill from there. Or come back from the brink.

Businesses need to prepare for this uncertain world that will regularly disrupt supply chains, financial flows, utilities and business operations. Even if the crisis over Greenland is resolved peacefully, we are not returning to a world of stability any time soon.

And AI can’t navigate this for you. Though it can help you (so long as you have access to it - what happens if the power goes out in your area? If cables are severed? if a cyberattack compromises the AI system you rely on? Or just your systems?).

Share

This fascinating piece published by Eli Talbert at War on the Rocks gives the clearest breakdown of where and how decision making can be limited or removed by AI command and control systems, and where human judgement needs to be baked in, in the military domain.

This is equally true for businesses trying to automate as much as possible, particularly if they provide life-critical systems, or systems people rely on for daily activity like banking, commerce, navigation, data storage, communication, etc.

Analysis and Context

Good analysis requires not just gathering information against consistent bench marks, but recognizing and including outlier data points that may not normally be collected against.

The AI won’t have the wisdom to do that in many cases. For example when I have written about confirmed events over the past 6 months, and I had Claude proof read an article I wrote, it flagged actual actions by the US government as “implausible”.

This is because AI lacks a great deal of context, depending on the domain it is analyzing. This is why models usually have to be trained on use-case specific data to be highly effective.

Context is everything with AI, just like in human judgement, but the effects are amplified.

I have correctly predicted events throughout my career because I have intuition backed by years spent in multiple countries, cultures, sectors, built environments, natural environments, that allow me spot both patterns and key outlier signals. I have a natural tendency to look at facts on the ground rather than normative narratives.

For example, decision-makers, analysts around the world were shocked when the current Trump administration implemented tariffs. I heard many say “nothing really happened” during the first Trump administration. The latter was false, there was quite a lot of disruption, but there were more constraints. The composition of the Supreme Court was different, but reshaped by the end of the first term. The system of checks and balances was stronger. Those constraints are no longer there, and the executive branch has been able to act with far more freedom. This should not have come as a surprise to any good analyst or any business relying on the United States to uphold the international order that the administration has shown it does not support.

When observing an actor that will affect your operating environment, you have to look at both what they say and what they do. Determine unstated interests, and where stated objectives were not achieved, why? Because it was not actually the objective, the objective was not important, or they were unable to achieve due to constraints?

Monitoring Your System

Earlier I wrote about a lower stakes cascading AI mishap that was potentially very damaging for an AI coding platform - not to mention its valuation. ALL of the cascading effects were foreseeable from the simple fact that generative AI is non-determinative.

Your systems have to be designed with that in mind, and even more so if they are recommending decisions.

Share

Handing over any critical function to generative AI comes with risks that have to be proactively mitigated. Such as:

• System alerts to humans,

• Performance monitoring, and

• Human decision points inserted into the workflow.

Therefore it is imperative to have monitoring and mitigations in place at launch.

So much of what Eli Talber writes in his article on military command and control decisions can be baked into business protocols too.

Speed is important and can mean your organization “wins” tactically for a short while, but judgement can protect you from potentially irreversible consequences if that speed isn’t coupled with judgement. It can help you make sure your decisions are aligned with your strategy.

First mover status is one thing, but moving quickly with wisdom is another.

Speed is a weapon. Judgment is a shield, as Eli Tablet wrote. The Antifragile Model ensures organizations can preserve both.

Here’s how you can use the Antifragile Model to do that.

(The Antifragile Model is a set of simple systems businesses can tailor for whole-of-enterprise readiness in these tumultuous times. I can help you integrate it into your business.)

Foundation: Trust

The foundation of the Antifragile Model is Trust.

The Challenge: Leaders and staff must be able to trust each other and the integrity of their tools and systems. AI-produced decisions should not be free from scrutiny and judgement. AI may be used to help formulate decision options, but a qualified human, not an AI agent, should make the decision.

In a crisis or with a novel emerging risk, AI will almost certainly lack context. And not anticipate the second and third order effects of its decision.

The Antifragile Solution: Trust must be deliberately rebuilt around the principle that human judgment is not a bottleneck to eliminate but a capability to preserve. This requires:

• Transparency about AI limitations – Documenting and acknowledging where systems filter options and what alternatives are excluded upstream

• Psychological safety for questioning – Creating explicit permission to challenge and edit AI recommendations

• Demonstrated commitment to judgment – Leadership modeling deliberation even under time pressure, treating articulated rationale as professional obligation rather than compliance theater

Trust becomes the institutional foundation. When teams trust that judgment is valued over speed, they create the space needed for awareness of what AI systems present - and what they don’t.

Pillar One: Information

The Challenge: The risk begins when AI determines which information reaches decision-makers. Alternatives that never appear on dashboards effectively don’t exist. Decision-makers approve recommendations without realizing data competing hypotheses were eliminated earlier in the analytical pipeline. An explicit requirement and practice of critically engaging with the AI output is required.

The Antifragile Solution:

Information Architecture

• Mandate competing hypotheses presentation – Establish protocol requiring AI systems to surface alternative scenarios, not just optimal recommendations. Critically engage with how you have characterized “optimal” to the AI system.

• Make uncertainty explicit – Build systems that reveal confidence levels and data gaps rather than projecting false certainty

• Preserve access to source data – Ensure analysts and decision-makers can examine underlying evidence with minimal friction, making challenge as easy as acceptance, preserving the ability to detect hallucinations and opportunities to improve the model.

Information Flow Protocols

• The Central Team – checks AI-recommended decisions with relevant cross-functional teams

• Separate find from evaluate – The analyst building AI-enabled recommendations should not be the same person authorizing action on high-stakes decisions. Here the central team presents options to senior leadership, as in any major crisis management.

• Create information checkpoints – Define specific decision points where you survey the available data points and what they indicate about the situation and next steps.

• Red team analysis – Regularly test whether AI systems miss important patterns or can be manipulated by sophisticated actors

• Audit information filtering – Periodically review what AI systems eliminate upstream to verify alignment with strategic priorities

The Information pillar prevents the silent limitation of choice by making decision space construction visible and deliberate rather than automated and invisible.

Pillar Two: Communication

The Challenge: High-tempo operations create pressure to treat AI recommendations as decisions rather than inputs. The phrase “the AI already checked that” becomes shorthand for avoiding real evaluation. Organizational incentives reward throughput while punishing anyone who slows things down to question whether alternatives were considered.

The Antifragile Solution:

Communication Protocols

• Cross-functional communication channels – Maintain human communications channels to ensure analysis and recommended decisions by AI are cross-checked with experts. This is will also highlight the second and third order effects of the decision.

• Require articulated rationale – Before approving any AI response recommendation with significant consequences, decision-makers must state in plain language why this option meets criteria at this moment.

• Normalize challenge language – Explicitly encourage questioning of AI outputs, discourage perception of this as obstructing operations (”What alternatives did the system filter out? What do we need to be sure was considered?” become standard questions).

• Build deliberation into tempo – Communication protocols that explicitly include pauses for judgment, treating productive friction as feature rather than bug.

Escalation Pathways

• Clear criteria for human override – Define specific conditions where AI recommendations must be elevated for broader review

• Low-friction challenge mechanisms – Make it as easy to question a recommendation as to approve it, removing procedural barriers to independent evaluation

• After-action learning loops – Systematic review of alternative decisions that would have been superior, treating these as institutional learning moments rather than failures

Cross-Functional Alignment

• Shared understanding of AI role – Consistent messaging across the organization about where AI assists judgment versus where it constructs decision spaces

• Interdisciplinary input for critical decisions – Communication structures that bring cross-functional data and perspectives to decisions with irreversible consequences

• Clear ownership of judgment – Explicit assignment of responsibility for exercising independent evaluation, not just approving algorithmic outputs

The Communication pillar ensures that the capability to exercise judgment survives operational pressure, making deliberation a protected activity rather than an obstacle to overcome.

Pillar Three: Structure

The Challenge: Organizational structures can reward speed and throughput without accounting for judgment preservation. Evaluation criteria, career incentives, and performance metrics can optimize for decision volume or speed rather than decision quality. The erosion of judgment is silent because no dramatic moment announces when human authority has been displaced.

The Antifragile Solution:

Organizational Design

• The Chief Readiness Officer and the Central Team

  • The Central Team – Coordinate information gathering and communication horizontally and vertically, produces analysis and response options with AI outputs and triggers protocols according to criteria, including convening of senior leadership for extraordinary events (interstate conflict, mass civil unrest, natural disaster, major product failure).

  • The Chief Readiness Officer is accountable for maintaining this system and ensuring the response options are presented to the C-Suite.

Incentive Alignment

• Redefine performance metrics – Evaluation criteria that account for judgment quality, not just decision throughput or execution speed

• Reward productive friction – Recognition systems that value deliberation and alternative analysis, not just rapid consensus

• Empower questioning (but not endless debate) – Don’t punish leaders who slow operations to verify key data points and that alternatives were considered

Resource Allocation

• Staff for judgment, not just throughput – Adequate, experienced personnel to enable structural critical evaluation of AI outputs and performance. Too few staff leads to decision fatigue, burnout and loss of critical thinking.

• Invest in cognitive breaks – Build pauses into workflows where AI speed might otherwise overwhelm careful evaluation. Critically evaluate the personnel need to for optimal workflow in a crisis, not extreme efficiency that becomes brittle the moment there is strain.

• Continuous evaluation – Dedicated resources for analyzing how AI systems construct decision spaces and whether that construction aligns with strategic intent

The Structure pillar transforms judgment preservation from an individual responsibility into an institutional capability, encoded in organizational design rather than dependent on heroic efforts by conscientious leaders.

Practical Implementation

Organizations applying this framework should:

1. Audit current state across all three pillars – Map where AI systems currently construct decision spaces, what communication about those systems actually occurs, and whether organizational structures preserve or punish deliberation

2. Identify critical decision points – Ensure the AI tooling is aligned with protocol to enable critical evaluation of data and AI analysis and recommended response options

3. Policy – Establish clear institutional policy about AI’s role before scaling deployment, making judgment preservation an explicit requirement rather than an assumed outcome

4. Build decision space into pathways – Accept that some operations will run slower than AI could enable, treating that slowdown as strategic investment rather than inefficiency

5. Measure what matters – Develop metrics that capture judgment quality alongside decision speed, creating visibility into the preservation of organizational capability. Evaluate where you got lucky as well as what went wrong and what went right.

The Antifragile Model works without AI, but this is some of how you would ensure AI-enabled command and control systems are governed by this model.

I am not an expert on Latin America or Venezuela. But I have decades of experience watching local and geopolitical dynamics play out across the world and its infrastructure. Of observing long time leaders and personalities as they move in and out of power. Of strategic cultures. And many events analysts and world leaders said were “unforeseen”.

I was shocked to see a long time geopolitical analyst say many consultancies and analysts had not expected this.

Not shocked they missed something obvious - this is normal. But shocked they were surprised by this particular development.

Below:

A look at the global context

Risks to businesses

How the Antifragile Model can help businesses for this new era of instability

So much of what analysts describe as “unforeseen” or “unpredictable” is rarely that. Even for expensive consultancies. It is how exactly the effects will cascade into second and third order effects that is unpredictable, though you can make some guesses that improve your general readiness, rather than over-preparing for overly specific risks - or not preparing at all.

Only the exact nature of US intervention and timing were unforeseen. But US intervention was clearly coming, and depended in part on Maduro’s actions: e.g. making a deal with the US government, or refusing.

We know from open sources the US administration was in discussions with the regime, but Maduro was uninterested in making a deal or to leave power without force. It was unpredictable without intelligence that the capture operation would happen when it did, but the military build up in the region far beyond what was needed for the boat strikes, documented in open sources, was more than enough of an indicator something was going to happen either by coercion or through force.

Not to mention the desire to unseat the regime during the first Trump administration that were forestalled in part by Russian operations. That constraint is no longer present as Russia focusses on Ukraine.

US forces will remain in the region, though for now not on Venezuelan soil. This could divert resources - men, materiel, intelligence - from other parts of the world.

All of which to say this is why leaders should be ready for anything, with simple systems to make your whole enterprise antifragile.

It’s not magic. Its strategy operationalized in a lean, adaptable way that conforms to your business. No fancy, useless tools that your employees hate.

A Deeper Look at the Global Context

Tl;Dr: This operation should leave you in no doubt, we are returning to a world of empires. This will not necessarily lead to stability.

Hybrid, cyber, information, regulatory, financial and potentially kinetic threats will directly and indirectly impact everyone.

Leaders need to be ready.

This world will not revert to a clear status quo, as we had during the Cold War, where conflict was contained in peripheries with the great powers fighting through proxies and espionage, alongside the arms race.

The US National Security Strategy

The operation to remove Maduro is a concrete example of the new US National Security Strategy that seems to divide the world into spheres of influence, a tacit return to a world of empires, as was further indicated by the US president’s remarks that the US will “protect” Venezuelan oil. You can also see this interesting piece about the lobbying firm of former US government officials that worked on Venezuela, which seeks to facilitate business there.

It did not take long for the remaining government, now headed by the former Vice President, to show defiance, even as the US president had claimed she had pledged to work with the US. Further military action and American boots on the ground have not been ruled out. She struck a more conciliatory tone on Sunday.

Even as it remains unclear if the US will place military on the ground or only dictate governance from afar.

So the biggest immediate question for me: will this turn into a long, low-intensity conflict?

Cuban intelligence is reportedly integrated into the state security apparatus, and is unlikely to leave. Venezuela could be a playground for sabotage of US activities, whether government or business.

Then, how will governance of US companies moving into Venezuela work?

Will Venezuelans see an improvement in their civic freedoms, in economic opportunity, almost non-existent thanks to Maduro and his predecessor Hugo Chavez? That will take time, but there is no guarantee either will happen.

This is not Iraq

If the rest of the old regime remains in place, its unlikely repression will stop. Some analysts have said this is why there are not large-scale celebrations happening among the remaining population. Leaders who have harmed their subjects know they become more vulnerable when they leave power. It’s part of why they cling to it so strongly. The US does not want to repeat the disaster of de-Baathification in Iraq, where all Iraqi civil servants were dismissed - and military with their weapons. This left the government bereft of experienced civil servants, leaders, including military, who offered to align with the US were rebuffed - and so many went to work with militants and terror groups instead.

It is unclear if any Venezuelan leaders have privately pledged to work with the US. Senior figures should leave government, and maybe they will in time. But civil servants could be left in place.

Drug Trafficking

US operations to date have had no discernible effect on drug trafficking into the United States. Those routes out of Venezuela are more focused on Europe - which is experiencing a serious problem with cocaine trafficking, use, and violence and corruption caused by gangs vying for control of markets in Europe, particularly Belgium and The Netherlands.

I’ve been surprised that Hezbollah, yes the Lebanese Hezbollah, was belatedly mentioned in justifications of US actions. It is a US-designated Foreign Terrorist Organization, and deeply involved in trafficking drugs from Latin America to Europe and Africa in particular. It was passingly mentioned by US government officials on Saturday, but I remain surprised it is not being used more in justification for the operation. Former Israeli officials such as Benny Gantz did note the connection with Iran, Venezuela, terrorism and drug trafficking.

It is unclear if a US takeover of Venezuela will reduce drug trafficking. Will Venezuela be used as a spring board for other operations in Latin America? Colombia was also threatened on Sunday, Mexico was mentioned, with Cuba mentioned during the Saturday press conference about Madura’s capture.

Deterrent or Distraction?

Some analysts are saying this operation is a strong deterrent to Russia and China. I’m not so sure.

The US government currently seems content to be reducing its presence in Europe, and increasing it in Latin America. It is unconcerned with Chinese and Russian influence in Africa, where drug trafficking and terrorism are deeply intertwined, and more concerned with the near abroad - Canada, Greenland, Latin America - with the occasional warnings to Iran more bombings could happen. The National Security Strategy (NSS) did not designate Russia as a threat and emphasizes dialogue and de-escalation - a complete departure from the national security strategies of the first Trump administration and Biden administration.

China is framed as a competitor for resources and influence rather than threat. The NSS still pursues containment, but the administrations actions have been somewhat contradictory, while the US president has not been consistent on US commitments to defend Taiwan. Much as commitment to NATO has been repeatedly declared, yet the US seems to see itself as a neutral party between Moscow and NATO/EU with regard to Ukraine.

China may lose out on oil shipments from Venezuela, and its interest in some oil fields there and in the region. Or will US companies sell to China instead? Reuters reports the US will allow some oil exports to China to continue.

While China hawks remain in congress and the administration, the president seems less worried about Chinese technological advancement in the AI race, demonstrated by recent export licenses for Nvidia chips and TSMC chip manufacturing equipment. But then as recently as this weekend, the US blocked a firm run by a Chinese national from acquiring chip technologies. This group of data points indicates geopolitical trade risks will remain highly dynamic.

What are the risks to Businesses?

Tl;Dr

• Increased cyber attack risk of all kinds that can disrupt business operations and civilian life.

• Greater geopolitical and regulatory risk including highly divergent sanctions regimes by different countries against different types of actors, organizations and businesses.

• Violence and vandalism against businesses engaging under US terms in Venezuela, or US companies in other countries by Maduro supporters, provocateurs.

• Sabotage of operations in Venezuela or in the region.

• Attacks on Venezuelan and US and US-headquartered business critical infrastructure that will impact civilians and businesses. Attacks on supply chains.

• If US troops are deployed, potential for violence against them. Collateral damage to civilians and businesses in their vicinity.

How would the Antifragile Model help?

Information collection strategies that synthesize and analyse internal and external information. Allow for novel data points - if you only observe the same data points every cycle, you will miss something notable. Don’t dismiss “unlikely” scenarios out of hand - examine what the data tells you. An analyst who says “that’s unlikely because it hasn't happened yet” is not a good analyst. Yes I have heard this many times over the years.

Communication channels to flag vertically and horizontally risks to business functions. Quick action if something - expected or not - impacts a business function, be it cyber operations, public relations, the supply chain, etc. And what is hitting across siloed functions.

Structure ensures the first two pillars are built to purpose and maintained. A C-suite level decision maker is responsible - perhaps your Chief Readiness Office - for making sure these systems are set up and maintained, and surfacing to the rest of the C-suite emerging risks, readiness and response.

Trust and a proactive mentality are requirements for true readiness. Otherwise you’re just checking boxes for compliance with standards that are no longer relevant.

If you’d like to see how to apply it to your business, take a look at my services, and get in touch!

Leave a comment

*all opinions my own

And welcome to all the new subscribers that recently signed up.

The last week before Christmas week was a special one in cozy Brussels. Amid the 5,000 holiday receptions and parties, and warmly lit spaces of the dark evenings, we had the farmers’ protest, where farmers from all over Europe drive their tractors into the European Quarter to demand better conditions.

And the European Council meeting that went all night to decide on how to fund Ukraine - the outcomes of these types of decisions correlates with which countries and entities are cyber-attacked by Russia or groups linked to it.

The resulting security around the European Quarter, including barbed wire across blocked streets, made for some cautious navigation on my way to the office in the morning (you don’t want to get bumped into barbed wire by some distracted car, scooter or pedestrian). And a memory of walking back to our compound in Kabul after a reception, narrowly missing a bank of much more menacing barbed wire laid out on the road, as darkness fell, mercifully illuminated by the headlights of a truck coming up behind us.

The farmers’ protest, with fires, fireworks, honking horns, and later, thrown objects, did get loud enough for me to actively listen for actual sounds of distress (I spent years deployed in active conflict zones), but where I was, the blocked streets made for an island of peace, as I checked for the outcome of the European Council meeting, which would not come until the wee hours of the next morning.

Belgium would have likely have been hit hard in cyberspace, had the frozen Russian assets been used to pay for Ukraine. The head of Euroclear, where they are held, has had a bodyguard for a year due to credible threats. It also sounds like Russia may have threatened Belgian Prime Minister Bart de Wever personally.

Why do I write about this? Because many are unaware of the escalating hybrid conflict in Europe.

And that is driving an increase in cyberattacks, sabotage and other factors that affect private businesses and critical infrastructure. One of the many factors that demand a readiness mindset from today’s business and government leaders.

For the newbies

A brief note about what I explore in this newsletter for the newbies.

I’ve spent years navigating opaque, dynamic environments in multiple countries, driving change in big international public and private organizations, very different built and natural environments, advising military, civilian and private sector decision-makers, and managing real world and online crises and risks. Building readiness for them. And some start-ups too.

I write about world events and what they illustrate about the need for readiness.

Because the relatively stable world built on structures put in place after World War II, and then the Cold War, is evolving into something else.

Right now it looks like a return to empires.

This, coupled with exponentially faster technological evolutions that are themselves amplifying instability in the cognitive space, in critical minerals, in energy resources and operations, means the stability many incumbent leaders came to expect is simply gone. But I can help business leaders implement the Antifragile Model, adapted to your unique risk profile.

Is there an aspect of whole-of-enterprise readiness you’d like to learn more about? Or a particular type of risk? Want to write a guest post? Let me know!

Leave a comment

What will 2026 look like?

2026 will follow the trajectory of ever-increasing instability, in the power grid, in geopolitics, defined by great power competition and efforts to control critical resources and technologies. It will also be defined by new risks created by rapidly evolving technology released into the consumer space with varying degrees of safeguards depending on how developers are held accountable, or not, or choose to be.

As AI agents become more widespread, what safeguards and product monitoring will be put in place? What havoc will be wrought be AI agents accessing schedule, personal information, financial information?

Will the AI bubble burst or has the financial risk been sufficiently spread? Will relaxed financial regulation allow a crash? If so, don’t expect the United States to bailout businesses and banks that way it did in 2008. If at all, it will be much more selective. Decision-making will be opaque.

The US appears likely to take military action in Venezuela. The administration may have been hoping President Maduro would simply flee with enough pressure, but that appears unlikely. The US may be forced to act. Conflicts that seem easily winnable often turn into years-long quagmires and cause many unintended effects.

The Russo-Ukrainian War will likely grind on. It is not in President Putin’s interest to stop the war. If there is a peace agreement, it’s not likely to hold.

One indicator of this from recent history: The Minsk Agreements (Minsk I in 2014, Minsk II in 2015), were ceasefire and peace protocols for the Donbas war, mediated by the OSCE, France, and Germany, involving Russia, Ukraine, and separatists, aiming for a ceasefire, withdrawal of heavy weapons, OSCE monitoring, greater autonomy for Donbas regions, constitutional reform in Ukraine, and eventual border restoration. Both agreements ultimately failed.

And even if the peace agreement did hold, many European governments expect Russia will re-orient its ire to the rest of Europe, with some actively cultivating among their publics and business communities.

My first post of 2026 will likely be about power outages - how to be antifragile in a blackout, which can be caused by a failing grid, cyber attack, natural disaster, bad software, and so many factors.

San Francisco just had a serious and cascading blackout, which affected real-world operations like Waymo’s self-driving taxis as data towers also went down and reduced bandwidth. Waymos blocked intersections but didn’t cause any accidents or injuries. Check out this article to see some of the design considerations Waymo has taken into account, and the questions being asked of how they will behave in a major earthquake or fire.

Do you have protocols and safeguards in place to ensure your internet-enabled product doesn’t cause harm during a data outage, slowdown or civil emergency?

You can’t be ready without rest

But I do hope all of you will be getting some rest this holiday season. You may not have time for a reset with all the family and year-end obligations that come with this time of year.

But taking a step back is incredibly important for your readiness. It lets you see the bigger picture, make adjustments according to what really matters, and experience joy. These are necessary for resilience.

I can tell you from deep experience if your emotional reserves are not regularly replenished by good people and good times, you cannot be resilient, and then you cannot be ready.

The difference it made when we became very constrained moving around Kabul when I would gather folks and plonk a bottle of whiskey on the table. We could laugh about the absurdities of civil-military deployments. Process the tragedies. When I missed a week colleagues would ask when the next one would be. The point was not to drink, but to gather.

No matter how mission-driven you are, if you don’t replenish your physical and emotional reserves, decision fatigue will set in. Demoralization will set in. You will burn out. Your decision-making will suffer. And so will your organization.

If you’re a leader, remember your people need rest, and to know they are valued, in order to stay ready, no matter how self-motivated they are. They need a rested and resilient team.

They need your trust, and to trust you.

And with that, see you next year!

Read on to see examples of what and how in a case study of an unsupervised AI customer service chatbot.

Subscribe now

Sam Goes Rogue

Cursor AI is a great case study for why you can’t give over whole functions to unsupervised generative AI. Now we see that humans remain indispensable in customer service - they can be augmented by AI, but not replaced.

In April 2025, Cursor’s customer support chatbot “Sam” went rogue, in a very predictable way.

Generative AI hallucinates. That’s a fact we should all know innately at this point. No developer has solved this problem yet. The more responsible developers constantly work to ground, train and fine tune models, and ensure quality training data.

Yet Cursor AI, an AI coding assistant start-up that is growing fast, decided to give their entire customer service function over to AI without any supervision or monitoring. At least none that worked.

And the inevitable happened during valuation talks.

What Happened

A product update created a bug that caused developers using the platform to be signed out of their accounts when switching devices.

This led to a cascade of issues. There were several points where they company could have had monitoring and communications in place to catch the problem before it affected a large portion of its user base, went viral, and resulted in international news coverage during valuation talks.

Problem 1: There was apparently no monitoring in place to catch the original product performance issue.

Best practice is not only to test the product before release, but have readiness in place for business-as-usual product monitoring, as well as product and feature launches, and major product updates. For example, having a standing chat room open with key cross-functional staff to alert each other if there is a serious problem, or something goes viral.

When users went to customer service, available through email, their emails went to Sam.

Problem 2: No disclosure customers were interacting with an AI chatbot.

Nowhere on the email, or website did Sam say that it was an AI. This should be standard practice, which builds trust with users.

Problem 3: Sam hallucinated a policy.

Sam said that the unwanted account sign-outs were in line with policy - when no such policy existed, creating a frustrating dead end for users. Many users began cancelling their subscriptions. Was there any mechanism that would flag a spike in subscription cancellations? Would a team that would get that alert know who to contact internally to figure out what was causing the problem?

Problem 4: There was no way to escalate to a human.

Because there was no disclosure Sam was a chatbot, users assumed Cursor only had very unhelpful customer service. When the chatbot couldn’t solve their problem, they had no way to get to a human to try to resolve it, raising the likelihood of customers cancelling their subscriptions. This also harms situational awareness, customer service agents could have alerted product to the problem.

Problem 5: No system monitoring in place to ensure Sam was working as intended.

There was not mechanism to flag a spike in escalations to customer service so a human could examine the problem and determine if intervention was needed. Or to offer a path to a human if a problem was not resolved, or was an edge case - there are always going to be edge cases.

Problem 6: No social media monitoring.

Code developers are very online people. As more users were affected by the account sign outs, and Sam was proving unhelpful, users took to Reddit and Hacker News to complain.

Social media monitoring would have caught this, and could have flagged it to the product and PR teams - before international news outlets noticed the chatter.

In some companies, it is only PR or an open-source intelligence function that would see the social media reports. Companies have to ensure different teams can 1) automate alerts well to the interested teams 2) that teams are empowered and enabled through clear communication channels how to contact and alert each other to a problem like this.

This was a product engineering problem, then a customer service problem, that turned into a PR and business problem.

In Summary

A core product was not working as intended, the customer service chatbot was not working as in intended, and a PR crisis arose, threatening the company’s valuation, out of failure to detect these issues in a timely fashion.

There were multiple points where the proper readiness posture and systems would have detected the problems early and prevented the waves of cancellations and bad PR:

1. Monitoring product performance, of both the core product and the customer service chatbot, would have caught the problems early and prevented further escalation and reputational damage.

2. Having humans in the customer service loop would have alerted the company to the problem.

3. Social media monitoring would have detected the online chatter so the company could take action before international news outlets started calling.

Share

AI is an Augmentation, Not a Replacement

More mature, and responsible, companies seem to be realizing that keeping humans in the loop is essential.

The FT ran a special report last week on AI in Practice, with an article specifically looking at the necessity of humans in customer service.

Because AI struggles to deal with edge cases and complex scenarios, humans have to remain on hand. Chatbots can deal with more straightforward escalations, but leaving edge cases to them is a big risk.

AI can also help make human agents more efficient, while taking straightforward cases, to allow more human involvement with edge cases. All of this improves the user experience and trust, while heading off potentially costly headaches.

Gartner released a report “Agentless Customer Service Should Not Be Your Goal” concluding that fully-automated customer service is “both unlikely and undesirable”. Gartner, and I, believe a hybrid approach is optimal.

Human override, analog backups, product performance and social media monitoring - these are essential for readiness in these tumultuous times. For both mundane and more serious problems.

There are certainly impacts being felt across workforces from AI, particularly at entry level for some white collar jobs. But Gartner predicts that by 2027, 50% of organizations are expected to significantly reduce their service workforce due to AI will drop these plans.”

Leave a comment

Readiness News

Turning back to world events that underscore the need for readiness and active public-private partnership, we have more indications this week of escalating hybrid warfare from Russia, and clear reprioritization by the US of its security relationship with Europe.

On December 1st, large drones were spotted in the vicinity of Ukrainian president Zelensky’s plane as it was approaching Dublin airport. Zelensky was early, so the drones failed to intercept it, but moved on to monitor an Irish navy ship there for security operations around the visit.

The ship had no capability to engage the drones, which had their lights on to ensure they were seen. They were there to make a point, and potentially test capabilities, rather than attack, it seems. Underscoring the lack of Irish defense capabilities I wrote about in my previous post.

Vilnius Airport in Lithuania has been disrupted several more times, and Sweden reports detecting Russian submarines almost weekly in the Baltic Sea.

All while Europe continues scrambling to develop anti-drone capabilities as well as collective defense in the absence of the United States.

Its Official, The US Will No Longer Guarantee European Security

The new US National Security Strategy was published on December 4, making absolutely clear the new reality that so many have dismissed or refused to admit - the US will no longer guarantee European security. And the US has said Europe must lead NATO and be ready to defend itself by 2027, an unrealistic timeline.

Perhaps it will focus the minds of leaders, who are actively engaging on defense initiatives?

Which comes as Russia declares it is ready for war with Europe.

Share

What does this mean for you?

Cybersecurity

Businesses must audit their cybsersecurity posture and purchase protection if necessary. Work with cloud and enterprise software providers with high cybersecurity ratings a few reported breaches.

Readiness Systems

You need them anyway. You need them more now.

Ensure all staff know how to contact your security team and your escalation teams according to clear prioritization. Can your product affect users in a crisis? positively or negatively? How will you address these situations?

Have communication channels in place, send reminders to employees about where they are and where to find them. Ensure they are easy to find for all employees. Include guidance on when and how to use them.

Conduct Exercises

This is the only way to build muscle memory for emergencies.

Conduct whole-of-enterprise exercises so there are at least 2-3 members of each team who have participated. These exercises will also help you discover gaps and ideas you would only discover during an emergency otherwise.

And reduce single points of failure. You don’t want to train one employee who then becomes ill, goes on vacation, has a family emergency, and then is unavailable be your only incident commander or POC for a critical function.

These steps will also cut down on employee and leadership anxiety.

Stand Up a Central Coordination Team and Appoint a Chief Readiness Officer

This is how you get ready for complex or whole-of-enterprise crises. You can have all the information and communication in place, but with no structure, it won’t work.

An action-oriented decision-maker in the C-Suite should be appointed the Chief Readiness Officer, with a central coordinating team or capability reporting to the. The team sets prioritization and coordinates all relevant functions, proactively gathering and curating information to send vertically for decision-making and horizontally for action.

Reach Out to Your Local Government

Your organization likely has information and/or assets that are of value to any local government preparedness and response. Identify emergency response and other points of contact to be able to share information, identify where you can help and what you can expect from the government. Make a plan according to possible scenarios and exercise it.

The time to build trust is before a crisis, not during it.

Share

Thanks for reading! All opinions and statements are my own, and do not reflect those of any organization with which I am affiliated.

Businesses absolutely need this knowledge. However most fail to hire someone that can actually operationalize that knowledge and direct how the company prepares for risks, detects emerging ones, and responds to actual complex risks, incidents and crises.

You may say “But we have a Chief Risk Officer”. But they tend to manage compliance, risk registers and check lists, with no way of ensuring actual readiness for any type of shock, let alone a complex one like civil unrest, disinformation and cyberattacks occurring simultaneously.

Why?

The Geopolitical Officer and Chief Risk Officer are usually not attached to any actual response operations. They don’t see the live signals the responding teams do.

Many large multinationals already have intelligence functions that can detect geopolitical changes and risks. But they are not necessarily connected to a decision-maker in the C-suite.

And they are not necessarily connected enough to other functions themselves to see crucial signals from the company’s own operations, change behavior or avert risk. Often the don’t direct a staff that can centralize internal and external information, and recommend concrete actions or direct mitigation.

For complex risks, you need a Team of Teams

- to paraphrase retired general, and veteran of multiple deployments, Stanley McChrystal.

He built an incredible cross-functional team to take on Al Qaeda in Iraq that could adapt as fast as the terror cells with strong lateral bonds and no onerous approval processes.

He also had to take into account rapidly changing tech and a rapidly changing information environment that made strictly compartmentalized intelligence counterproductive at best, and a lethal.

In today’s large companies, an intelligence team, a cyber incident response team, a Trust & Safety enforcement team, a physical security team, a PR team, a Government Relations team, Site Reliability Engineers - these all tend to work in silos.

Even when they work cross-functionally, those connections are often dependent on personalities and leadership. They change with attrition, fluctuating company priorities and finite leadership attention.

That means you need structure

Every institution struggles with silos, and few seem to overcome them. Often the reprieve is temporary, and silos re-emerge as soon as personalities in the relevant roles change.

To stop this, you have to build lean, living structures that are not dependent on individuals and take little maintenance. Designated communication channels like email aliases and chat rooms. Clear criteria for when and how to communicate and take action.

Staff empowered with easily discoverable, lean materials to know who to call and when, and get after the problem before it hits news headlines or panicked executives start sending staff scrambling. Not giant files or binders that are impenetrable in peace time, useless in a fast-moving emergency.

Which means you need an accountable leader to ensure those systems are put in place, maintained and functioning.

And a Leader: The Chief Readiness Officer

You can do all this without a Chief Readiness Officer.

But who will ensure the structures built are maintained? That they don’t dissolve as soon as leadership attention is drawn elsewhere? That information and options from response teams actually reach leadership and are communicated effectively?

A Chief Readiness Officer has to have a bias to action, and must be risk-facing, not risk avoiding. They are anti-complacent.

Too many times over the last two decades I’ve seen leaders, particularly in the West, ignore clear signals of what is coming, often due to complacency, sometimes due to fear of admitting the threat is real, which is a very common human response. Something a Chief Readiness Officer is there to mitigate.

And to be sure, s/he also has to be frank when there is nothing the can be done. But to make that conclusion, you need the structures in place to surface the information necessary to draw that conclusion. And decide which risks to prioritize. Which incidents must be addressed, where to allocate increasingly scarce resources.

Conclusion

The gap between knowing your risks and actually being prepared to handle them is where companies fail during crises. You’ve done the assessment, you know the vulnerabilities, but when the incident hits—whether it’s a cyberattack, supply chain disruption, or geopolitical shock—your teams freeze because no one’s been drilling the response. They don’t know who to contact.

This is the readiness gap

A Chief Readiness Officer closes it. They own preparation and execution capability. They ensure:

• Crisis protocols actually work (not just exist in a binder)

• Teams know their roles before the emergency

• Decision-making processes are tested under pressure

• Your organization can adapt when the plan inevitably breaks

There’s a saying in the military - no plan survives first contact.

That’s why you need capability.

Leave a comment

If you need help with setting up your readiness capability, get in touch!

A Readiness News Essay

The two issues I can’t help but follow keep showing up in the news: Venezuela and Russian hybrid warfare in Europe. So this is more of an essay on why an end to the Russo-Ukrainian War will not mean peace in the West.

The US is reportedly moving closer to taking action in Venezuela. Is this why the administration was so quick to leverage a very Russia-friendly peace place for Ukraine? To get that conflict off its plate and focus on the Western Hemisphere?

And what are US defense plans for the Arctic besides potentially acquiring Greenland?

Some governments are very concerned that if there is a peace agreement ending the war in Ukraine, Russia will redirect military attention north and west of its borders.

Which is not to say a continuation of the war is in their interest either.

European governments continue to struggle with drone disruption of civilian and military airports, and apparent surveillance over critical national infrastructure. Even as Russia intensifies attacks on Ukraine.

With an end to the war in Ukraine, Russian activities in the far north are likely to heat up, impacting Scandinavia and Canada. One study found that the Ukraine War actually reduced tensions between the US and Russia in the Arctic. (Before the August and September 2025 provocations in the Alaskan Air Defence Identification Zone).

The good news is that the war on Ukraine has strained and used up precious resources for resource-intensive conventional military actions. The bad news is you don’t need a lot of resources for effective hybrid warfare.

“Peace” in Ukraine will not be the end of the conflict

Already, headlines indicated stocks of European defense companies falling with news of the draft peace plan.

The short-termism Western governments and businesses now habitually look at the world through has created incredible vulnerability. Not helped by increasing weaponization of polarizing issues like migration.

Governments previously tended to think longer term, but the complacency of the 1990s-2010s, which coincidentally is when Europe’s economic productivity began to lag, and the austerity after the 2008 global financial crisis that undermined stable employment, also coincided with a marked shift to a language of helplessness by many Western leaders I found befuddling. Warning signs on housing and cost of living were ignored, reating fertile ground for exploitable political polarization, and grave security threats on Europe’s fringes festered, but were ignored.

It was dismaying to hear even professional diplomats express shock at Russian tactics in Ukraine - so many of them had been used in Syria, ultimately causing the 2015 migration crisis in Europe and its political lurch to the right, allowing ISIS to become a serious threat, and emboldening Russia. US Secretary of Defence Robert M. Gates calls for other members NATO to shoulder a greater share of the burden went unheeded. And now European leaders, some of them only now, see that the US is increasingly acting as if it not a part of NATO. And certainly not the guarantor of European security.

Both governments and businesses need to get on top of critical infrastructure and cyber security

Meanwhile, the continued lack of readiness for cyberattacks and critical national infrastructure across economies is stunning.

The Record reports that British lawmakers are getting fed up with the lack of cyber preparedness by private businesses following the incredibly expensive, preventable cyber attacks on Jaguar Land Rover and Marks & Spencers. Both of these national institutions were shockingly and inexcusably ill-prepared, costing billions in economic damage.

The FT has an excellent (paywalled) piece this morning on Ireland’s exceptional lack of security capabilities across the board. With half its Navy ships unserviceable, no air defense (the UK’s Royal Air Force is responsible for defending Irish airspace), no radar or sonar, no civilian intelligence agency, and not even a security clearance system or secure communications above “secret'“, the state is starting from as near zero as could be possible on national defense. Yes there is an Irish military, but due to Ireland’s principled commitment to neutrality, it has used these forces mostly for peacekeeping.

Ireland is a chokepoint for international subsea cables that power both Europe and North America. But it has no means of protecting them.

Meanwhile Russian ships have increasing traversed Irish waters over the years, another strong, ignored signal of the growing threat. This threat was also signaled by an highly disruptive hack of its health service in 2021.

Irish fisherman managed to thwart kinetic Russian naval exercises in 2022 around the start of the war, but that’s not much of a deterrent and Russia becomes increasingly emboldened.

Ireland is taking steps, but more will need to be done, alongside a change in popular Irish attitudes to security. True security comes from trust and cooperation. Ireland has trusted its neighbors would have no reason to attack it, but this sadly does not provide protection from threats originating from further afield.

Leave a comment

It felt appropriate to attend an alumni event at a military club in Brussels last Thursday night, when for the second time in a week Brussels airport halted flights due to drone sightings. The UK and Norway are conducting joint military exercises. The UK Royal Air Force is also dispatching experts to Belgium.

And it’s not just the civilian airport. Belgium’s strategic military bases have also been overflown by drone formations after dark. Germany is still observing drones over critical infrastructure. This is far from over. And Germany, so long so reluctant to acknowledge the threat, is warning Allies that “…Russia is already today capable of carrying out a regionally limited attack on NATO territory.”

“After the end of Russia’s war against Ukraine, and if its rearmament continues unchecked, a large-scale attack on NATO could become possible — and soon,” he said. “That means we have to deal with the possibility of an attack against us, whether we like it or not.”

There has long been a correlation between actions by governments Russia views as harming its interests, and an increase in hybrid threats. For example, cyber attacks against banks in a particular country when it has announced new aide to Ukraine.

Share

This latest spate of intense drone disruption in Belgium occurred amidst heated debate on using frozen Russian funds to help Ukraine. And less reported, a meeting of Russian opposition in exile early this week in Brussels, who have recently been working with the Council of Europe. The FSB recently announced a terrorism investigation against this group for plotting to overthrow the Russian government.

Ominous given many dissidents have been murdered in Germany, Spain, the UK, and elsewhere over the years. Which makes it all the more frustrating that much of Europe has not maintained readiness for evolving threats. Even though the Finns have.

What can you do?

Making your organization antifragile in the face of these disruptions not only means you will be ready for these disruptions, but by reducing their impact, you help your country deter these hybrid attacks.

The Finns understand this. Rather than using the looming threat to fan nationalist flames, the country has built numerous bunkers and maintained them over the years. The civil and recreational facilities in them can be removed and made ready for sheltering civilians in 72 hours.

Preludes and Risk Avoidance

Small drones appeared on battlefield years ago.

I remember the first time a drone flew over the NATO-led mission HQ in Kabul in 2017, in broad daylight. We sheltered in place, not knowing if it was armed, would fly into something, if it was recording. If it was simply a toy.

Eerie is the best word to describe how it felt in my containerized accommodation, waiting for it to leave. or explode. or drop harmlessly. It was a different kind of feeling than waking up to a complex attack or the C-RAM alarm in the middle of the night.

But NATO still lacks effective, low cost drone defences. After small drones became a battlefield problem a decade ago in several theaters. After 3 years of open warfare in Ukraine.

Poland and NATO allies did respond promptly and forcefully, showing they are ready and willing, when the more brazen, deliberate drone incursions began in September.

However, after the grinding wars in Iraq, Afghanistan, the impact of the Oct. 7 Hamas attack Israel, there is little excuse for missing the opportunity to prepare.

One of the principle causes is mentality - a reluctance to acknowledge novel threats and risk. Without which you cannot prepare effectively.

NATO has enabled innovation with Diana, and there are numerous small defence start-ups that have been working in Ukraine to great effect. Ukraine is able to shoot down 80-90% of drones in much larger swarms, according to Politico.

I remember how underestimated Ukraine’s will and ability to fight was, not just by Russia, but by most in the West as well.

Now Western leaders eager to learn from the Ukrainians, with a Ukrainian detachment deployed to Denmark to help them counter the new drone threat.

All leaders must adapt a risk-facing mentality, rather than risk-avoiding. The former does not mean you recklessly take risks, it means you examine risks head on, and decide strategy and implementation accordingly. This has the additional antifragile benefit of reducing stress and cognitive load when - and before - a crisis hits. It can even prevent the crisis through deterrence or quick mitigation. Because you were ready.

In these tumultuous times leaders in the public and private sectors have to accept that nothing is outside the realm of possibility, in order to be adaptive - and ready for anything.

Fancy Tech Alone Doesn’t Win the War

Just because a tool is fancy, or super advanced, doesn’t mean its the right tool for the job.

Just because you have a big military equipped with expensive gear doesn’t mean you will win.

You still need strategy, then operational and tactical execution, which also require the appropriate logistics and materiel.

It’s a bit triggering for me, this talk of cheap tech and Western militaries countering it with multimillion-dollar equipment that could make continued action unsustainable, draining already stretched budgets. This happened in Vietnam, Iraq, Afghanistan. Will, morale and persistence, with some creativity, can bring a far technologically superior power to its knees.

Russia cannot keep its war effort up forever, but it does have persistence, a high tolerance for civilian and military losses, and Russian tech has long been highly resilient in tough circumstances. There is a reason the Kalashnikov is such a ubiquitous weapon. In Afghanistan, and other remote places, simpler, easier to maintain Russian tech was more reliable than complex, high-tech American military gear that required a very long logistics chain.

Why this sustained hybrid warfare? Because it is draining and distracting to the economies and governments of Western allies. It helps strain their cooperation, cause anxiety among civilian populations, and creates space to inflame politicized issues like cost of living and migration.

Leave a comment

Readiness News

What is the impact of the drone disruptions?

This is more than an inconvenience. It exhausts and delays workers. It costs more fuel. It delays cargo and therefore economic activity, causing businesses to lose money. It increases cognitive load and physical stress on air traffic controllers, air and ground crews, and raises the risk of accidents.

What you can do:

For personnel, you can mitigate disruptions for travel by prioritizing train travel where possible, and video calls when in-person meetings are not absolutely necessary. Although there are definitely trade-offs in relationship building and productivity when we have to scale back too much on in-person collaboration. Ensure you have back-up communication apps enabled in case corporate comms go down. Ensure all employees have the one you’ve identified downloaded on their devices and activated. Update employee contact information. If your organization is large enough to have support mechanisms for traveling employees, ensure they are reminded of how to contact that support.

For operations, examine your energy requirements. Do you have a business that would make investing in electric generators for 24-48 hours of power if the local grid goes down worth it? Do your employees know what to do in the event of a major power outage? Are there critical business or operational processes that can switch to analog? If so, ensure there are easy-to-find protocols and supplies for employees to switch to analog operations quickly, and conduct a drill to get them familiar and identify possible bottle necks. For example, during the cyber attack affecting air travel check-in systems, manual check-ins had to be performed. Some hotels have abandoned key cards following ransomeware attacks that locked all hotel rooms, halting operations and causing safety issues.

Share

Venezuela

Indicators the US will take some kind of military action in Venezuela continue to grow.

The US began operating attack aircraft out of El Salvador in October, according to the New York Times. 10,000 US troops, drones bombers and Navy warships are already in the region and soon there will be an aircraft carrier.

Some of the potential impacts to business include?

Supply Chain Disruptions

• Oil supply volatility affecting global energy prices, particularly heavy crude

• Shipping route disruptions in Caribbean affecting logistics between Americas

• Regional transportation infrastructure damage impacting cross-border trade

Market Access & Operations

• Asset seizure or nationalization risks during conflict

• Banking and payment system failures isolating Venezuelan counterparties

Regional Instability

• Refugee flows straining neighboring economies (Colombia, Brazil, Caribbean)

• Potential spillover affecting operations in Colombia, Guyana border regions

• Political polarization impacting business climate across Latin America

Financial & Commodity Volatility

• Oil price spikes (Venezuela holds world’s largest proven reserves)

• Currency volatility across Latin American markets

• Gold and commodity price fluctuations

Regulatory & Compliance Complexity

• Expanded sanctions regimes requiring enhanced due diligence

• Secondary sanctions risk for non-US entities

What can your business do to be ready?

Audit for any dependencies on Latin American supply chains and their proximity to Venezuela. Find ways to reduce those dependencies. Obtain political risk insurance for Latin American operations. Prepared and disseminate contingency plans with personal in areas that could be impacted by military operations or refugee flows. Monitor for triggers such as US troop movements, emergency meetings of the Organization of American States, or evacuation of diplomatic personnel.

Share Readiness Radar

Intellectually, I’m enjoying the diverging and converging lines of inquiry posed by the race towards Artificial General Intelligence (AGI), itself increasingly showing parallels to the nuclear arms race and prompting calls for control treaties.

Now, as one part of a greater shift in the strategic landscape, not only is there a real risk of renewed nuclear proliferation, alongside the growth of the modular nuclear reactor sector for powering data centers, but we are grappling with the risk of generative AI in the military domain and its potential to escalate to nuclear war, as mentioned in my previous post.

Cue the Russian test of the Burevestnik, a new nuclear-powered, nuclear capable missile last Tuesday, which Russia says it will deploy.

But don’t run for the bunkers yet. The Burevestnik has been in development for years, and it remains to be seen how many can be built, how long the infrastructure to maintain and launch them will take to build, etc.

If you want to scratch this itch some more, check out this Rand paper on the idea of preemptive strikes to prevent acquisition of AGI by another power, or maintain an AGI monopoly. Will it be an AGI model that makes the decision?

Leave a comment

Before we get to protocol and communications in a crisis, some readiness news.

Subscribe now

Readiness News

Will the AI Bubble Burst?

Investors are diversifying to beneficiaries of the AI infrastructure boom to hedge against a possible bubble burst. And if this bubble does, we will probably see a lot of chaos as the governance of the international financial system, and that of the United States, are in a very different condition and environment than was the case in 2008.

So What? Don’t assume there will be bail outs like in 2008. Western governments are far more heavily indebted than they were then. The US national debt is nearing the levels of Greece and Italy for the first time in a century, according to the FT, for example. And many governments simply have less legitimacy, support and consensus to act. See: France. Public anger could be directed at major AI and finance brands, as well as migrants and foreigners, thus raising physical and cybersecurity risks.

What you should be ready for: Apart from a sudden burst of the bubble, stock market crashes, immediate tightening of credit and contraction of business operations - Expect amplification of political extremists and bad actors seeking to inflame public anger and cause civil unrest. Public anger could be directed at businesses, most likely AI providers, financial services providers, and other major business names associated with the AI boom. Major brand names and service providers should already have robust social media monitoring tied to physical and cyber threat monitoring. And likely, anyone perceived as foreign.

Sweden to issue guidance to businesses “In Case of Crisis or War”

The Swedish Civil Contingencies Agency will publish a new edition of its previously civilian-focused “In Case of Crisis or War” leaflet, this time aimed at businesses.

So What? Today’s operating environment makes public-private partnerships in intelligence sharing and preparedness imperative. Especially as the fog of war or crisis will be thicker amidst AI-powered disinformation and misinformation, with domestic and state actors looking to fan the flames. That will make situational awareness far more precious. Without it, can you cannot make the right decisions to protect your business or your people.

What you Should be ready for: Among other things, every business should be prepared for power disruptions by any cause. Some actions to consider now include:

• Identify the most critical operations to maintain power supplies for, and which operations can be allowed to go offline to preserve power and minimize disruption and distraction.

• Identify back up systems like solar and gas powered generators. How long can you run them while the grid is down?

• Identify what can go analog ahead of time, if you need additional supplies to make this happen, and create a clear, easy to follow protocol for staff. Conduct an exercise to run through it.

• Do you have major clients that you may need to reassure in the event of a major crisis? Identify them now, consider setting up time to talk through your protocols, to reassure them that they are safe with your business to the extent you believe you can more or less guarantee. This will increase trust and reduce the potential of panicked calls and distraction from keeping your critical services online. A further trust building measure would be to co-create contingency plans based on plausible scenarios

And think beyond the immediate business case. Do you operate large venues? People may need to shelter there. Work with local authorities to develop a plan, and demonstrate how you will show up for the local community in a crisis, which also have good reputational effects for your business.

Hybrid Warfare, Russia, and Venezuela

And in previously mentioned readiness news subjects, we continue to see drone disruption and airspace violations in Europe alongside broadening surveillance and sabotage operations. Japan scrambled fighters in response to Russian strategic bombers flying near its coast. The US declined to supply Ukraine with Tomahawk missiles to strike inside Russia, while imposing sanctions on Russian oil companies, even as a Russian envoy traveled to Florida for talks on the US-Russia relationship and economic potential of trade. The US continues to loom over Venezuela, deploying the world’s largest aircraft carrier, while US Senator Lindsay Graham “thinks the administration’s strikes in the waters off Venezuela will expand to land, he said in a Sunday interview, adding that President Trump will brief lawmakers on “potential future military operations against Venezuela and Colombia.”

I don’t remember hearing about potential operations against Colombia before.

So What? Instability is here to stay. The war in Ukraine will not end any time soon, but the US may be interested in exploring renewed economic ties with Russia, further complicating and obscuring what may be sanctioned and non-sanction economic activity with and by Russia. European governments remain far from consensus on how to approach the problem as the collective of European Union Member States. Some will be underprepared when a crisis or major hybrid attack hits, while others are actively preparing now. A US operation against Venezuela appears increasingly likely, but its scale and scope are unclear.

What you Should be ready for: Hybrid warfare will continue against Europe, disrupting transport and business operations with drones, cyberattacks, arson and other forms of sabotage, creating further anxiety among some in the public and creating costly disruptions for some businesses. Start working with your local and national governments now to ensure critical infrastructure is hardened, and learn how you can help. Any action against Venezuela will increase instability in surrounding countries in the short term if people flee. Criminal groups and state actors will take advantage of any resulting chaos.

Share

Maintaining Calm in a Crisis

Swinging back to nuclear arms, watching A House of Dynamite this weekend reminded me of something I care deeply about and that is something more leaders must think about proactively - the importance of protocol and training.

Share Readiness Radar

Its hard to predict how individuals will react to crisis

No one knows how they will react in a crisis. I had no idea I had a talent for crisis management until I was doing it.

It’s a good feeling to know you are calm when others don’t know what to do. And not so good when you realize the people you thought you would look to don’t.

The film reminded me of that flat, chilling feeling when you realize something truly dangerous is happening.

Then you have to instantly assess and act. For me, it’s a 1/2 second of instant assessment.

What is happening? What do I know? What do I hear? How do I find the most trustworthy information quickly? Is the threat close to me or is it happening elsewhere and threatening my team, my stakeholders, civilians, end-users? Do I take shelter? Do I begin head count? Do I direct or re-direct operations? Who do I need to inform?

After some years in conflict zones, certain alarms and anything where I can feel a pressure wave, like a ceremonial canon, causes that instant 1/2 second of assessment to activate. Where am I, do I hear screaming and/or gunshots, what do I need to do right now? No fear or racing heart, just an instant physical pause with a rapid-fire checklist in my head.

The Escalade canon in Geneva made for an adrenaline-fueled but otherwise lovely, and certainly memorable, evening with a friend, no stranger to the deep field herself, amidst the warmth of the Christmas market in Parc des Bastions.

The assessment was only triggered by the first cannon burst. I had been walking up to the park entrance, and on feeling the first pressure wave instantly crouched halfway down, performing my internal assessment, listening for a panicked crowed. Thankfully I had read about the cannon, and remembered this. I was in Geneva. Everything was fine. I had the information I needed.

The rest of the evening, I knew what it was, and therefore was only startled a little each time the cannon fired nearby. There might have been an expletive or two uttered.

Knowing what you are dealing with can be incredibly useful in tamping down panicked responses.

The Parc des Bastion above, the Escalade Canon, fired over several hours, below.

What felt so authentic about A House of Dynamite, was that there was no ridiculous, exaggerated drama.

*mild spoilers*

Although you might say the complete lack of anyone going totally off the rails might be slightly unrealistic. I was once stuck with a panicking, armed colonel in the back of a troop carrier, among other experiences.

In the film, people largely get on with their jobs. Nervousness, shaking voices and hands, as military and civilian personnel realize they need to enact a protocol they had trained on for a real threat. The normal rush of adrenaline when you’re doing something important. An officer encourages his subordinate, reminds her she knows what she’s doing because she’s trained.

One major becomes ill and cognitively paralyzed, unable to command. But there was no grand standing, no fist fights, no screaming women, no rogue hero.

Instead, quiet calls, some more emotional than others, to loved ones, violating cell-phone bans in classified areas. Colleagues steadying each other. Staff managers setting a tone of calm professionalism. Tears while doing what needed to be done. Moments of grief and sadness bursting through and then collecting oneself to continue the work.

No one can know in advance how they or anyone else will react in a crisis until they’ve been in one. Never assume the people who you think will break will, and the people you think will be rock solid will remain so. You only find out in the moment.

But even light protocols and training can go a long way to preventing panic and scramble.

Protocol:

Here are reasons why clear protocols keep staff calm during crises:

• Speeds Response and Removes guesswork - People know exactly what to do instead of freezing or second-guessing

• Reduces decision fatigue - Staff don’t waste mental energy figuring out next steps

• Creates predictability - Clear steps provide structure when everything feels chaotic

• Prevents conflicting actions - Everyone moves in the same direction instead of contradicting each other

• Builds confidence - Knowing there’s a plan makes people feel prepared, not helpless

• Keeps focus forward - Attention stays on executing the protocol rather than spiraling into worry

The mistake that often gets made is over-engineering the protocol. Incident Response is often characterized by lengthy playbooks for specific types of incidents. These become obsolete quickly, and are often unusable in a crisis. Or performance evaluation values the creation of these huge, time-intensive but low-value playbooks, rather than a demonstrable, exercised, readiness posture with clear, flexible protocols.

Threats, like tech, are evolving at an ever increasing pace, so your protocols must be simple, easy to follow, easy to find, and adaptable to different types of crisis.

Plans never survive first contact. But failing to plan is planning to fail. To mix some sage wisdom.

And your protocols will have to be built with clear communication channels.

Share

Communication:

Now we have more communications tools and redundancy than we know what to do with, which is great for resilience and management, so long as you make sure employees know:

• which tools to use

• for what

• when

• and how they should communicate.

This includes standing and ad-hoc chat rooms, escalation tools and platforms, email aliases, alongside escalation and communication protocols.

As well as pre-identified back ups for if your corporate communications are down.

You must account for communication:

• with your staff

• between staff

• with critical partners like suppliers, utilities and governments.

• with your customers.

The time to set up and test those communication channels is now. This applies to any type of crisis, from a major failure of your SaaS product to a blackout to a natural disaster to an armed attack.

Flexibility is key

You can’t rely on over-engineered playbooks written for every specific type of incident. You need simple, flexible protocols, supported with designated communications channels, that can kick in for any type of incident and be activated by any team that may need to respond. Specialized teams continue to handle discreet incidents on their own, like cyber incident response teams, but more complex crises demand cross-functional responses and communication.

The more these systems are exercised and used, the more antifragile your business will be.

They will also help staff get on top of emerging issues early, preventing issues from spiraling in the first place.

If you need help to make your business antifragile with simple systems, just reach out!

After multiple AI events in Brussels, I spent a few days in Paris, a hub of activity around generative AI, even as the country seems to become increasingly ungovernable.

My visit was peaceful, walking all over the city, engaged in exciting conversations around AI and the world.

And I saw the Eiffel Tower slightly evoking Mordor.

The crisis of faith in democracy across the West has been a long time coming, driven by many factors and signals that leaders could have taken more seriously.

We don’t have to make the same mistake. A readiness mindset can help you see the right signals to prevent, prepare and respond to risks and threats. And even work with your government for resilience, stability, and innovative approaches.

Below, I look at the emerging challenges of deploying generative AI in military and defense contexts, underlining the imperative to deploy it thoughtfully in your business operations, with the appropriate monitoring to prevent errors that damage both user and investor trust.

First, some readiness updates:

The Evolving US Military Focus

There were no major announcements per se in the US Secretary of Defense Pete Hegseth’s grand speech to America’s general officers, but a marker in the culture changes that will affect the US military, and how it conducts war.

So what? The US is both focusing its security capabilities more inward and more on the Western Hemisphere. The rhetoric around a military that “wins” again, small decisive wars, suggests kinetic conflicts are coming, and echoes preludes to wars that were supposed to be quick that turned into years-long quagmires.

What you should be ready for: Continued and escalating tensions in Europe, the Pacific and Latin America. This will continue affecting supply chains, major investment decisions, flow of skills and unskilled labour. Defense tech everywhere will see more investment. Examining your readiness for power and data outages, supply chain disruptions, and how you may re-orient your business strategy is the responsible thing to do now, so you are not blindsided and scrambling in a real crisis. Be the business your clients and investors can count on.

If you need help readying your business, contact Antifragile Strategies.

Hybrid Warfare against Europe Continues

More drone sightings occurred over German airports and critical infrastructure, characterized by Chancellor Merz as surveillance, an ominous indicator. Norway as seen increased drone surveillance as well. Cyber attacks continue, for example against Polish critical infrastructure.

So What: While there the US is reportedly in talks with Ukraine about strikes into Russia, and more air defense assistance, the lack of overtly decisive action has likely not deterred Russia from intensifying hybrid warfare against Europe. Intensification of support for Ukrainian attacks on Russian energy infrastructure do not yet appear to be sufficient to deter Moscow from further attacks on Ukraine or hybrid warfare in Europe. The US is considering supplying Ukraine with Tomahawk missiles for long range strikes into Russia if it does not stop the war, but Russia has responded that this will be an escalation.

What you should be ready for: Travel, supply chain, data and electricity outages that can affect your staff and business operations. Increased anxiety among staff and leaders. Ensure your staff know what to do in the event of a major disruption, hold table top exercises if there is a scenario in which any of these outages could seriously impact your business operations. This will also increase readiness for natural disasters.

If you need help, contact Antifragile Strategies for the simple systems that will make you ready for anything.

Some Businesses Continue Deploying Generative AI Irresponsibly

We continue to see strikingly irresponsible use of generative AI by business leaders who should know better, with Deloitte refunding the Australian government nearly half a million Australian dollars for delivering a report with AI hallucinations.

So what? While this did not endanger any lives, generative AI will be used in more and more systems that, when they fail catastrophically, can cost lives and billions in physical damage.

What you should be ready for: Internal governance and oversight of generative AI. Issue concise guidance to employees about how they can use generative AI in their work, and expectations and simple processes for quality control. You don’t want the reputational damage, or reduction in investor confidence, that goes with an embarrassing and preventable AI mishap. Especially if you provide Software as a Service. Do due diligence on service providers touting AI in their products, meaning check if they have had recent embarrassing AI-induced product failures, cybersecurity failures, or a history of irresponsible governance. You can also checkout this new playbook for AI governance in business, from the World Economic Forum.

If you know folks who would benefit from guidance on readiness for product failures, consider sharing this post.

Share

Generative AI in the Military Domain

Something I find befuddling is the tendency to forget that generative AI is not deterministic - meaning, not reliable.

Therefore, it is not something you can leave completely unsupervised.

In a future issue I will look at the preventable cascade of problems arising from Cursor AI’s unsupervised customer service bot during valuation talks.

Why can’t you leave it Unsupervised?

Non-generative AI is more reliable, if less powerful, and has been used across industries for some time, but still needs occasional interventions when the algorithm needs to be updated or produces something problematic in a particular context.

Generative AI is designed to mimic, though potentially surpass, human intelligence. It is modeled on neural networks. It uses statistics, which also make it fundamentally non-determinative - something that should worry anyone deploying generative AI where it can affect critical life systems or weapons. It is trained with data on human behavior and imagination, and synthetic data derived from this. Which also means human biases are baked in if training data is not rigorously curated, and safeguards added.

Or it can be trained to optimize for those biases, if that is what the developer or deployer desires.

There are efforts to address these challenges.

Mira Murati’s Thinking Machines is working on definitively preventing hallucinations and making LLMs deterministic. Others are developing strategies on mitigating entrenched biases in medical AI training data, for example.

The Oppenheimer Moment

The emergence of generative AI has often been likened to the discovery of nuclear energy and the development of nuclear weapons. Technologies that can create enormous benefits for humanity, yet are capable of destroying it - either deliberately, through irresponsible governance, or escalation.

So it was fascinating to see Mieke Eoying, talk about some of the security risks of AI in defense. A conversation that has to happen now, because:

“experts and policymakers are already experimenting with large language models that can aid in strategic decision-making in conflicts and autonomous weapons systems (or, as they are more commonly called, “killer robots”) that can make real-time decisions about what to target and whether to use lethal force.”

She also notes something that will be key in successfully deploying generative AI in decision-making, command and control - a human behavioral bias towards escalation.

Chinese experts are concerned generative AI will make it more difficult to “control and benefit from military crises.” This is currently a key part of China’s military doctrine - '“managed escalation” of military crises from which it can extract political dividends. It is unclear if the regime itself is considering this possibility as it continues to escalate military tensions in the Pacific and Indian sub-continent, and in trade wars with the US. They also consider the likelihood of military conflicts surpassing the nuclear threshold if AI is introduced into the equation. It is noteworthy that Responsible by Design report released at the UN General Assembly last month has as it’s second Core Recommendation: “Agree, at a legally binding level, that the decision to authorize the use of nuclear weapons should remain under human control”.

Conversely, perhaps there is an optimistic scenario.

Whereas in the Cold War nuclear deterrence was built on mutually assured destruction and game theory, could AI actually lead to greater geo-strategic stability and incentive for negotiation when AI could lead to uncontrolled escalation?

Perhaps not if domestic and interstate conflict continue to be amplified and facilitated by generative AI, causing voters and publics to support governments that optimize for immediate, short-term self-interest, in the understandable hope for more stability in their own lives and systems, rather than forming stabilizing, flexible political and economic structures for the long term.

General Purpose vs Dedicated Models

Most commercially available general purpose LLMs are designed to be supportive, and validate the user. Sycophancy that reinforces wrong information, analysis, or even conspiratorial thinking or self-harm in the worse cases, are something the big consumer chat bot providers are grappling with, even as they have become suppliers to the Department of Defense and other ministries of Defence.

Conversely, guardrails for safety on consumer chatbots can bleed into those used in military contexts when the same general purpose models are used, where lethality is necessarily part of the conversation. We should note that generative AI-enabled scientific breakthroughs were done with specialized, not general purpose, models, that would not work well for other problem sets.

This raises so many fascinating questions for me:

How does one ensure the quality of the data for training models in the military domain? How does one use generative AI at the various levels? Do models need to be separated for optimization for specific tasks? Could data from the battlefield leak into decision-making data at the strategic level in a harmful way, influencing decisions that must take into account the strategic context and not just the battlefield? Will human factors on the battle field and in strategic decision-making be appropriately accounted for? How will we know who made a decision - a bot or a person?

There will always be a tension in the security of data, which AI is making more fraught - how much to you fuse for the best overall situational awareness and decisions making, and how much do you keep separate to protect that information? From both internal and external threats?

Moving Fast and Slow

Then there is a fascinating, if ominous, tension of the human tendency to path dependency, to entrench courses of action or governance models, colliding with light-speed AI innovation:

‘To quote Air Force iconoclast John Boyd, “what is doctrine on day one becomes dogma forever after.” The truth is that this year’s law doesn’t just set the amount the Pentagon will receive for swarming demonstrations. It will also set the initial AI defense policy trajectory for the next quarter-century.’

Institutions necessarily require bureaucracy to operate. Human decision making and political and policy negotiations and decisions take a least a some time, if done with care and a focus on outcomes.

War on the Rocks lays out nicely some of the choices policy makers are faced with.

In sum, don’t let your bots run wild, whatever the context.

Leave a comment

Share Readiness Radar

Until next time!

*All statements and opinions are solely those of the author.

More signals emerged since I began drafting.

Is it coming tomorrow? Probably not. Is it inevitable? No.

You can’t know anything for sure until it happens.

But you sure can monitor the signals, talk to the right people, and look critically at real world developments.

And that way, you can get ready.

Subscribe now

The Signals - Russia & NATO

Russia is actively testing NATO’s ability and willingness to respond.

Yes, drones and munitions have strayed into NATO territory before since the 2022 invasion of Ukraine, but all previous reported incidents were deemed accidental.

These ongoing incursions are not mistakes. Multiple drones do not accidentally take an unnecessary path over NATO territory to attack Ukraine. Some of them were reportedly on a direct trajectory to a NATO base in Poland.

Coordinated overflights of large drones (as opposed to small ones that could be passed off as an a-political nuisance or local radical or hooligan) directly over Danish and Norwegian civilian airports disrupting their operations, and now Danish military bases, and possibly one deep inside France is not an accident. Russian fighters in Estonian airspace for 12 minutes is not an accident. These episodes also have the psychological effect of creating fear and anxiety among the public.

Does this mean Russia is about to attack a NATO? Not necessarily (though leaders - public and private - who dismiss the possibility out of hand do so at their peril).

Even if Russia continues to only test NATO responses, the time, resources and attention required to monitor and respond can direct attention away from other nefarious activities and as well as badly needed strategic planning and investments, create anxiety among the public as news headlines are generated, while other efforts to sow division in Europe and NATO continue.

What to do?

Here are 5 things leaders can start doing now, that can help in any complex event:

1. Strengthen peer security posture exchange: Business leaders, particularly - but not only - Chief Security and Information Security Officers need to ensure their peer networks are communicating. Major multinationals’ security officers routinely benchmark with industry peers and maintain contacts in times of peace - because if you only reach out during a crisis, folks may not include you in their ruthless prioritization.

   1. If your organization is not doing this now, it should be. If there is no mechanism in your sector or locality for businesses to benchmark preparedness and response, consider setting one up. Your local government may be able to connect it with a civil defense initiative.

2. Internal Communication - Both horizontally and vertically, ensure all relevant teams know how and when to communicate with each other and begin exercising that capability now. Identify back-up apps if your corporate software goes down, and other alternatives if there is a local data or power outage, like this recent one in Luxembourg.

3. Data Resilience - Examine the resilience of your data network. Is your organization’s data stored on a multi-cloud that will enable resilience and survivability, and ease recovery, in the event of a local power or data outage?

   1. Remember that the physical location of your data does not increase its defense against cyberattacks in any way.

4. Conduct cross-functional table top exercises with realistic scenarios - These should not be carried out only by cyber incident response, or physical security, but bring all important business functions together that would have to react in a complex crisis. Including communications, Human Resources, Trust & Safety, product, logistics, etc, as the specific configuration of your company and its mission requires. If you struggle with this, Antifragile Strategies can help.

   1. Record lessons learned from the exercises and track remediation of gaps discovered to reduce organizational fragility.

5. Actively cultivate public-private partnership - Private sector business leaders can lobby governments to take these threats seriously and outline plans to make critical infrastructure underpinning life and business more resilient. Business leaders should also be actively considering how they can help the government and/or civil defense in such a scenario, depending on their capabilities, skills, assets and services.

Share

The Department of War

The United States adding the “Department of War” as a secondary title to the Department of Defense, is another signal that (more) war is increasingly likely.

It signals moving from defense to offense.

It is unclear exactly what the strategic plans are of the current US administration, regarding armed conflicts it may participate in.

It remains unclear at the time of writing if the US will take action against Russia for its growing incursions in NATO airspace, and the recent flight of military aircraft into the Alaska Air Defense Identification Zone - a zone just outside US and Canadian sovereign territory where aircraft are required to identify themselves, which the Russian aircraft did not do. This came a day after the US president said European NATO countries should shoot down Russian aircraft.

The administration is however, reportedly, preparing plans to conduct at least drone strikes inside Venezuela.

“The 4,500-member force currently aboard eight warships is too small to invade Venezuela or any country harboring traffickers. And it is not operating in the main body of water to carry out a major drug interdiction campaign. That would be the eastern Pacific Ocean, regional experts say. The clandestine deployment of elite Special Operations forces suggests that strikes or commando raids inside Venezuela itself may be in the works, experts note.” - NYT

Is this part of why the US is not yet reacting to Russian incursions over NATO airspace? To preserve attention and resources for Venezuela? It is unclear if the goal is regime change or merely strikes to degrade alleged drug smuggling operations.

Hundreds of US generals around the world are traveling back to the Washington, D.C. area, an unprecedented event, to attend a meeting today convened by the Secretary of Defense, reportedly on the “warrior ethos”. It has the air of being a prelude to something big, which could be domestic, overseas, or both.

Returning to a World Governed by Spheres of Influence?

It’s no secret the US government is pivoting away from a big focus and investment in European security. That transition has been underway, though now accelerated, for more than a decade and over several US administrations.

However a return to the world being governed loosely via spheres of influence seems to be occurring. The US sees China as a threat, however its relationships with allies, such as Japan and the Republic of Korea, concerned about Chinese dominance of the Pacific (and beyond), are under strain. US commitment to defend the independence of Taiwan is no longer clear.

But the US does seem intent in acting more forcefully in Latin America, exerting greater influence, while Russia’s reach militarily, though not in the grey zone/hybrid space, is greatly limited by its war on Ukraine.

Russia and China were not favorable to possible US actions against Venezuela and the Maduro regime during the previous Trump administration, but the calculus may well have changed. The US turning its attention to Latin America may be something they both welcome, allowing them to act more freely across Europe and Asia. Although China maintains oil & gas interests in the region.

So what?

The new world (dis)order is here to stay. It is impossible to predict if things will settle into a more navigable set of spheres of influence and trade with easily navigable economic and political systems. For the foreseeable future there will be continued disruption and redirection of supply chains as geoeconomics becomes a stronger driver of trade patterns.

More conflict will mean large displacements of people, supply chain disruption, higher operating costs, and greater geopolitical risk.

All the more reason to ensure you put antifragile systems in place to mitigate your exposure, detect emerging threats, reduce surprise and scramble, and make changes to your business strategy to take advantage of new opportunities and avoid being rendered paralyzed by the new world order.

What signals are you seeing?

Overwhelmed? No need to be

Don’t throw up your hands and say there is nothing I can do. Especially if you’re a leader. Now is the time to face these risks and get your staff prepared.

You don’t want them seeing warning signs and then feeling unable to flag them or mitigate the risks. You can instead issue guidance on how, when and what to escalate.

You can’t predict exactly how events will play out in the real world. No need to painstakingly analyze how an incident could manifest in detail. That just takes up time and attention.

It’s better to put loose, clear structures and guidance in place that can be used in any situation, and become stronger - antifragile - with use. Making your whole organization not only more resilient, but more agile.

Antifragile Strategies can help.

Share

*All opinions are my own and do not reflect those of any employer or organization I am a part of.

Subscribe now