Cybersecurity Is No Longer About Whether We Are Secure — But Where We Are Already Losing Agency
A CISO Perspective on Geopolitics, Development, and Cybersecurity
By Eckhart Mehler for CISOsCISO — a perspective on cybersecurity leadership, governance and the decisions that determine whether organizations retain control.
I have stopped asking whether organizations are “secure.”
The question has become too small.
The more relevant question today is:
Where are we already losing agency — without noticing it?
Not because one system has been compromised. Not because an audit has identified a nonconformity. Not because one control is missing.
But because geopolitical ambition, technological architecture, and operational reality are no longer sufficiently aligned.
That is the real cybersecurity question of our time.
As a CISO in a globally active organization, I no longer see cybersecurity primarily as a technical discipline. I see it as a reflection of how well — or how poorly — an organization connects strategy, technology, governance, and execution.
This article is deliberately written as an interview.
Not because the answers are hypothetical. But because this is the conversation many organizations still avoid.
Not about controls. Not about frameworks. Not about compliance maturity.
But about the uncomfortable reality in which we now operate: a reality where geopolitical conflict, digital dependency, and operational fragility increasingly converge.
The geopolitical environment is changing rapidly: cyberattacks, sabotage, hybrid warfare. How serious is the situation really?
We need to stop treating cybersecurity as an isolated problem.
What we are witnessing is not simply an increase in cyberattacks.
What we are witnessing is the operationalization of geopolitical conflict through digital and civilian infrastructure.
Europe is no longer adjacent to conflict. Europe has become part of the conflict space.
Critical infrastructure is being tested. Supply chains are being probed. Public institutions, international organizations, development actors, research institutions, energy providers, administrations, and private companies are being continuously observed.
The decisive shift is this:
Cyber is no longer necessarily the objective. Cyber is the instrument.
The goal is not always to steal data or encrypt systems. Increasingly, the objective is to impair agency, weaken trust, disrupt processes, exploit dependencies, and generate political effect through technical means.
That changes the character of cybersecurity fundamentally.
It also means that the traditional separation between “technical security” and “strategic risk” no longer holds.
Cybersecurity has become one of the operating layers of geopolitical competition.
What does this mean for globally active organizations?
Organizations like ours are not neutral in a technical sense.
We operate in fragile environments. We are politically embedded. We depend on globally distributed digital platforms. We work with partners, local structures, public authorities, service providers, and international programs. We operate systems that are not only internally relevant, but also create external effects.
This combination makes us more relevant than we often assume.
Not because we are military actors. Not because we are classic high-value targets in the narrow sense. But because we help stabilize systems that others may have an interest in destabilizing.
That changes the threat model.
Organizations involved in development, cooperation, stabilization, governance, digital transformation, or international programs do not operate outside geopolitical tension. They operate inside it.
And for that reason, cybersecurity in such organizations cannot be understood merely as an IT protection function.
It is part of organizational resilience. Part of strategic steering capability. Part of the ability to remain operational under pressure.
The real question is not only whether we can defend systems.
The real question is whether we can preserve decision-making capability, operational continuity, and institutional trust when the environment becomes hostile.
Where do you see the biggest challenge today?
The biggest challenge is not technology.
The biggest challenge is a structural tension that many organizations do not explicitly manage:
Political ambition, architectural decisions, and operational reality are drifting apart.
This may sound abstract. It is not.
Political ambition often means:
Speed. Visibility. Impact on the ground. Rapid program deployment. Scalability. International reach. Digital modernization.
Architectural decisions then often mean:
Cloud-first strategies. S/4HANA transformations. Platform standardization. Global integration. Centralized identity. Process harmonization. Automation. Data-driven steering.
But operational reality often looks very different:
Unstable connectivity. Local workarounds. Shadow IT. Varying levels of security maturity. Limited capabilities in the field. Inconsistent role models. Unclear accountability. Incomplete asset transparency. Pressure to deliver regardless.
The problem is not that any of these layers is wrong.
The problem is this:
These three layers are often not governed as one risk system.
And that is where insecurity emerges.
What does this mean for cybersecurity in practical terms?
This is exactly where traditional cybersecurity begins to break down.
Controls do not resolve structural contradictions. Audits do not automatically reveal systemic misalignment. Policies do not change operational constraints. Certifications do not replace strategic steering. Maturity models do not answer whether the architecture matches reality.
The result is a dangerous intermediate state:
Organizations become formally compliant — but operationally fragile.
Or more directly:
We design secure architectures for realities that do not exist.
We define global standards while local capabilities remain insufficient. We assume centralized platforms while connectivity is unstable. We demand documented processes while operational routines follow different logic. We expect security by design although key decisions were already shaped under political or delivery pressure. We measure compliance while the real risk sits in the gap between assumption and reality.
This is not a minor issue.
It is one of the central security risks of global organizations.
Because the most dangerous risks are often not created by the absence of rules.
They are created by the mismatch between strategy, architecture, and execution.
Why is this misalignment so dangerous?
Because adversaries understand it very well.
Professional adversaries do not only attack where controls are weak. They attack where systems are inconsistent.
Where assumptions do not hold. Where architecture and reality diverge. Where accountability becomes diffuse. Where local workaround structures emerge. Where central governance believes something has been implemented while the operational reality has already moved elsewhere.
That is where organizations lose control.
Not always spectacularly. Not always visibly. Not always through a single major incident.
Sometimes control is lost gradually:
through exceptions nobody fully understands; through local solutions that never feed back into the risk model; through dependencies that were strategically underestimated; through programs that scale faster than the security architecture; through governance that exists formally but does not influence real decisions.
Cybersecurity is not weakened only by the missing technical safeguard.
It is weakened by decisions that are not connected.
And once those decisions accumulate, they create a form of systemic exposure that no control catalogue can fully compensate for.
What does this imply for the role of the CISO?
If a CISO still believes their primary role is to “implement security,” they are already too late.
Of course, we need controls. Of course, we need frameworks. Of course, we need ISO/IEC 27001, NIST, BSI IT-Grundschutz, cloud security, identity governance, monitoring, incident response, secure baselines, and technical capabilities.
But that is not the core of modern CISO work.
The real mandate is this:
To make systemic misalignment visible.
A mature CISO must ask the uncomfortable questions:
Where are we prioritizing speed over structural integrity? Where does our architecture assume conditions that do not exist? Where are we pushing risk into the field without acknowledging it? Where do political expectations create technical risk? Where does technical standardization create operational shadow structures? Where are we measuring compliance while failing to achieve resilience? Where is accountability formally clear but practically ineffective?
This is not purely technical work.
This is leadership work.
And sometimes the most important task of the CISO is not to demand yet another control, but to reveal that the organization is no longer in control of its own assumptions.
That is where cybersecurity becomes strategic.
Not when it reports more findings.
But when it improves the organization’s ability to understand, own, and govern the risks created by its own decisions.
So cybersecurity becomes a leadership topic?
It already is.
The only question is whether leadership has accepted it.
Cybersecurity today sits at the intersection of:
geopolitical intent, technological dependency, operational reality, regulatory expectation, organizational resilience, and strategic accountability.
That is not an IT problem.
It is a governance question.
And therefore, it is not enough for boards and executive committees to receive periodic risk reports. They need to understand which decisions create security — and which decisions create insecurity.
Not every uncertainty can be eliminated. Not every risk can be avoided. Not every dependency can be removed.
But risks must be consciously owned.
They must not be unintentionally shifted. They must not be delegated into operational units without visibility. They must not be hidden behind architectural language. They must not be softened through compliance terminology.
A board does not need to know every vulnerability.
But it does need to understand where the organization becomes structurally exposed because ambition, architecture, and reality are no longer aligned.
That is the difference between cybersecurity as a technical reporting function and cybersecurity as a strategic governance capability.
What question should a CISO ask the board?
I would not start with controls.
I would not start with a long risk matrix either.
I would ask one question:
Where, in our most critical initiatives, do political priorities, architectural decisions, and operational reality no longer align — and who owns the resulting risk?
If this question cannot be answered clearly, the organization does not merely have a cybersecurity issue.
It has a governance issue.
Because unclear risk ownership is one of the most dangerous forms of organizational insecurity.
Especially in large transformation programs — cloud, ERP, AI, platform standardization, global identity, data integration — risks do not emerge only once systems go live. They are often created much earlier: in the way objectives are defined, architectures are approved, assumptions are accepted, and operational constraints are underestimated.
Cybersecurity must therefore move earlier into the decision chain.
Not as a blocker. Not as a late-stage control function. But as a strategic capability that tests assumptions, exposes contradictions, and protects agency.
What does this mean in the broader global context?
We are entering a world in which conflict increasingly operates below the threshold of conventional war.
Civilian organizations are part of that space.
Technology is simultaneously an enabler, a dependency, and an attack surface.
Digital platforms create efficiency, scalability, and global steering capability. But they also create concentration risks, geopolitical dependencies, legal tensions, and new attack paths.
Cloud is not just technology. AI is not just innovation. ERP is not just process modernization. Identity is not just administration. Data platforms are not just efficiency engines.
All of these systems are architectures of power.
They determine who has access, who can steer, who is dependent, who can respond, and who remains operational in a crisis.
That makes cybersecurity part of strategic sovereignty.
Not sovereignty in the romantic sense of complete autonomy. That is neither realistic nor desirable in globally connected systems.
But sovereignty in the practical sense:
the ability to make informed decisions, maintain agency, understand dependencies, withstand pressure, and recover without losing institutional control.
What is the central point?
Most organizations do not fail because they lack security measures.
They fail because no one connects the decisions that create insecurity.
A cloud strategy here. A transformation program there. A political objective somewhere else. A local workaround in the field. An audit report with green indicators. A formally maintained risk register. An architecture decision made under time pressure. An exception that is never brought back into governance.
Individually, much of this may appear reasonable.
Together, it can create systemic risk.
And that is where the real work of modern cybersecurity begins.
Not with the question of whether a control exists.
But with the question of whether the organization still understands the reality it is creating through its own decisions.
Cybersecurity in 2030 will not be measured only by how well organizations defend against attacks.
It will be measured by whether organizations can preserve agency when assumptions expire.
When geopolitical tensions intensify. When supply chains fracture. When platform dependencies become visible. When local reality challenges global architecture. When AI creates speed but blurs accountability. When regulatory expectations rise while operational capabilities lag behind.
Then it will not be enough to appear secure.
Organizations will need to remain governable.
Final thought
Cybersecurity today is no longer only the art of protecting systems.
It is the discipline of revealing where organizations are already losing agency.
Not every answer lies with the CISO.
But the CISO must ask the questions.
Because if no one connects the dots, no framework will save the organization.
The future of cybersecurity begins where we stop treating security as a control problem — and start understanding it as a question of strategic agency.
Publication Note & Disclaimer
This article was originally published on LinkedIn on June 4, 2026 and may have been edited or updated for publication on this site.
It reflects my personal professional perspective and does not represent the official policy or position of my employer. Drafting and editorial refinement may have been supported by commercially available AI-assisted tools. The analysis, conclusions and final curation are entirely my own.