Five Minutes With: A Head of Geopolitical Risk

Megha Kumar makes a call on who is ultimately responsible for getting the AI challenge right, and explains how a blurring of lines between statecraft and cyber conflict is intensifying today’s cyber risk landscape

How are geopolitical threats playing into today’s cyber risk landscape?

Geopolitical threats are intensifying today’s cyber risk landscape by blurring the lines between statecraft and cyber conflict, with nation-states and state-sponsored actors increasingly targeting critical infrastructure, supply chains, and private sector networks to gain strategic advantage. Heightened tensions, such as those involving Russia, China, Iran, and North Korea, have led to more sophisticated and persistent cyber attacks, including espionage, ransomware, and influence operations.

These threats are not confined to direct attacks, but also manifest through supply chain compromise, data exfiltration, and manipulation of emerging technologies like AI. As geopolitical rivalries become increasingly complex, businesses must now consider nation-state motivations, sanctions exposure, and regional regulatory divergence in their cyber risk strategies, thereby elevating the need for threat intelligence, geopolitical monitoring, and cross-functional resilience planning.

Who is responsible for getting the AI challenge right?

Getting the AI challenge right is a shared responsibility that spans governments, tech companies, researchers, civil society, businesses, and the public. Governments and regulators must set clear legal boundaries and enforce frameworks that ensure AI development aligns with public interest, safety, and fairness. Industry leaders and developers, who hold the technical capabilities and resources, are responsible for embedding safety, transparency, and accountability into AI systems. Researchers and academics contribute by surfacing long-term risks, informing policy, and advancing critical areas like alignment and ethics. Meanwhile, civil society and the media play a vital role in holding institutions accountable, advocating for digital rights, and amplifying the voices of those who might otherwise be overlooked.

Businesses using AI must consider its impact on jobs, privacy, and decision-making, ensuring they use AI responsibly and support employee upskilling. The public also plays a crucial role by demanding transparency, questioning AI outputs, and making informed ethical consumer choices. On the global stage, multilateral institutions such as the UN and OECD are essential for establishing cooperative, cross-border governance to prevent fragmentation and harm driven by competition. Ultimately, those with the most power—governments and developers—bear the greatest responsibility. Inclusive, multi-stakeholder collaboration is the only path to building AI that truly serves society.

What risks does the increasingly fragmented supply chain present?

The increasingly fragmented supply chain presents a growing set of risks that threaten operational resilience, security, and strategic competitiveness. As organisations rely on a broader, more global, and multi-tiered network of suppliers, they often lose visibility beyond their immediate partners. This obscures critical dependencies and introduces blind spots, making it harder to detect vulnerabilities such as cyber threats, geopolitical exposure, regulatory misalignment, or ESG compliance failures that may be deep within the supply chain. Fragmentation also slows response times in crises, complicates traceability, and undermines confidence in delivery continuity.

“Fragmented supply chains are more susceptible to cascading failures”

Additionally, fragmented supply chains are more susceptible to cascading failures. As evidenced by cases such as CrowdStrike, M&S and Blue Yonder, a disruption affecting a single supplier, whether due to political instability, natural disaster, cyber attack, or financial insolvency, can ripple across tiers, compounding delays, inflating costs, or halting production altogether. This complexity also increases the challenge of managing data flows, IP protection, and contractual accountability across jurisdictions. Ultimately, fragmentation raises the stakes for due diligence, third-party risk management, and supply chain intelligence, demanding more sophisticated tools and collaboration to safeguard business continuity and reputation.

What’s the biggest as-yet-unsolved problem in cybersecurity?

Securing the software supply chain at scale. As organisations rely on vast networks of third-party code, open-source libraries, APIs, and cloud services, it has become nearly impossible to fully understand and secure the origin, integrity, and behaviour of every component in use. High-profile attacks, such as SolarWinds and Log4Shell, exposed how a single compromise deep in the chain can ripple across governments and industries. Despite growing awareness, there’s still no universally adopted, real-time way to track, validate, and manage software dependencies across complex environments. The challenge lies in balancing speed and innovation with verification and transparency, without halting development. Solving this problem will require global collaboration, new standards (such as Software Bill of Materials, or SBOMs), automated trust frameworks, and a cultural shift toward security-by-design across the entire digital ecosystem.

What industry or sector do you think cyber could learn from?

The aviation industry, particularly in its approach to safety, risk management, and incident response. Aviation has developed a deeply ingrained culture of rigorous standards, continuous training, and transparent reporting, where even minor incidents are analysed openly to prevent future accidents. The use of standardised protocols, simulation-based training, and cross-organisational collaboration has created one of the safest industries globally despite operating in a high-risk environment. Cybersecurity could adopt similar principles: normalising the sharing of threat intelligence, embracing a “no blame” culture for reporting vulnerabilities, and investing in ongoing, realistic training exercises. This mindset shift would foster resilience, enhance coordination among diverse stakeholders, and ultimately reduce the frequency and severity of cyber incidents.

What’s the best thing about your job?

The exceedingly rare opportunity to simultaneously pursue my commitment to economic inclusion and sustainability, and professional work in the digital economy. They are the same thing at CyXcel – I do not take this for granted.

And the worst?

The worst thing is my inability to switch off from work – that takes me many hours after I have shut down my laptop.

What has been your most challenging role to date?

Being a working mother and being a partner to someone with an equally vibrant career. The juggling act is complex, relentless, but also fun.

If you could hire anyone in the cybersecurity industry, who would it be and why?

We already have a world-class team, so we would only be adding to my ultra-high-performing colleagues. However, Ciaran Martin, the founding CEO of the UK’s National Cyber Security Centre (NCSC), would also be a fantastic hire.

What’s the biggest misconception about cybersecurity?

That it’s purely a technical issue best left to IT teams. In reality, cybersecurity is a strategic business risk that touches every part of an organisation, from finance and legal to supply chain, HR, and the boardroom. Focusing solely on firewalls and software ignores the human, operational, and geopolitical dimensions of cyber threats. Attacks often exploit process weaknesses, poor governance, or third-party gaps, not just code. Until businesses treat cyber resilience as a cultural and leadership priority, rather than just a technical function, they will remain vulnerable despite heavy investment.

What advice would you give to industry newbies?

Stay curious, stay ethical, and don’t be intimidated by how much there is to learn. Cybersecurity is vast, and nobody knows everything. Focus on building strong foundations (networking, risk, threat landscape), then explore specialisms like cloud security, GRC, incident response, or AI. Get hands-on experience where possible, such as in labs, CTFs, and home labs, and combine that with learning the underlying “why,” not just the “how.” Surround yourself with diverse voices, ask questions fearlessly, and seek mentors who value inclusion and integrity. Finally, remember that soft skills, such as communication, problem-solving, and critical thinking, are just as valuable as technical ones.

What’s your one (as yet) unfulfilled career ambition?

This is more of a creative ambition – to have an artwork exhibited in a gallery.

Tell us a guilty secret?

I can eat popcorn all day, every day.