The world is becoming more dangerous and American businesses are increasingly on the front lines. Cyberattacks, terrorism, sabotage, geopolitical tensions, and economic instability no longer remain overseas; they now pose direct and growing risks to the U.S. homeland. In this new era, where private companies must navigate a constant churn of global threats, traditional corporate approaches to security are falling short. To adapt, businesses must rethink their approach to security and resilience, drawing lessons from the U.S. government’s National Security Council (NSC) system, which the government has used to coordinate responses to global instability for nearly 80 years.
Cyberattacks
Last year, the Cybersecurity and Infrastructure Security Agency (CISA) published a cybersecurity advisory on Volt Typhoon, a Chinese state-sponsored hacking group pre-positioning on IT networks to disrupt or destroy U.S. critical infrastructure in the event of a conflict between the two nations. In contrast to many cyberattacks, Volt Typhoon does not seek to steal information or blackmail its victims. Instead, its mission is to plant ticking time bombs in our infrastructure. They happen to be built from code, not TNT. The advisory was one of the first public acknowledgements by the U.S. government that China, our chief geopolitical adversary, has moved beyond using cyberattacks for espionage purposes and into the realm of cyber-sabotage that could cause destruction and death in the physical world.
For those reading beyond the headline, the announcement was a game-changer. It meant that war zones weren’t just overseas anymore; they’re here at home. The Volt Typhoon announcement represented an ontological shift. As of today, the Chinese haven’t shut down the power grid, blown up oil pipelines, and toxified water systems across the United States. However, if they decide to do so tomorrow, there’s a real possibility that they could. And should they choose to do so, the targets would for the most part be private sector assets. Energy and water utilities, financial services institutions, and communications network providers are all viable targets. The failure of any one company in the system to ensure its resilience in the face of such disruption will have national security implications.
Volt Typhoon represents the most concerning element of a broader cyber risk picture. According to Crowdstrike’s 2025 Global Threat Report, China-nexus cyber activity surged 150% in the last year, with some targeted industries experiencing up to 300% more attacks than the previous year. Beyond the China threat, cyberattacks are up across the board. A recent Verizon report found that ransomware attacks rose by 37% since last year. Meanwhile, U.S. defenses are in question. Significant reductions and firings at CISA and the National Security Agency have raised the prospect that even as cyber threats multiply, national countermeasures may be weakened. The result is a U.S. private sector increasingly exposed to global cyber threats of potentially greater destructive proportions.
Terrorism and Political Violence
As cyber threats pose a greater danger of physical harm, they compound more traditional methods of destruction. In the last year, we’ve witnessed a startling number of high-profile acts of terrorism and political violence. President Trump, then candidate Trump, was the target of two assassination attempts while on the campaign trail – the first in July 2024 and the second in September. In December of last year, UnitedHealthcare CEO Brian Thompson was assassinated in broad daylight on a New York City street by the now-infamous Luigi Mangione. On New Year’s Day 2025, Shamsud-Din Jabbar killed more than a dozen people in an ISIS-inspired vehicular ramming attack in New Orleans. And on the first night of Passover in April 2024, an arsonist tried to kill Governor Josh Shapiro by burning down the Pennsylvania Governor’s mansion. These spectacular attacks serve as exclamation points on a broader environment marked by violent politically-motivated attacks on Tesla dealerships, pro-Hamas rallies and demonstrations on college campuses, and other political unrest.
Political violence – and primarily targeted killings – may be on the rise, and businesses are trying to find their footing. In the weeks following Brian Thompson’s murder, UnitedHealthcare lost $63 billion in value. Immediately after the killing, there was a burst of interest in executive protection services and technologies.
As a consultant who advises Fortune 500 and multinational companies, I can personally attest to the number of corporate clients interested in taking a fresh look at their executive protection programs in the wake of Thompson’s murder. The question – still to be resolved – is whether this is a temporary spike in focus on executive protection or the beginning of a longer-term shift toward greater security for corporate leaders. Judging off the threat environment and its likely trajectory, it would be wise for all companies to pursue sustained efforts to build proactive, intelligence-led security and executive protection programs that can contend with a world marked by political violence and assassination.
Geopolitical Tensions
Cyber and physical attacks against companies, executives, politicians, and the general populace are occurring against a backdrop of the most significant geopolitical tensions in more than a generation. I tend to think of 2018 as the year that we moved out of the global war on terrorism and into great power competition against China and Russia. In the words of that year’s National Defense Strategy, “Inter-state strategic competition, not terrorism, is now the primary concern in U.S. national security.” In the seven years since, U.S.-China competition has intensified, Russia invaded Ukraine, the Middle East conflict overflowed, and – since January 2025 – Washington has set its sights on revising the global system in ways not considered since the end of the Second World War.
This geopolitical upheaval compounds risk to businesses. As companies are increasingly caught in the crossfire of great power competition, they become pawns on the geopolitical chessboard. They might have valuable intellectual property that the Chinese could steal. Or they might be manufacturing supplies for the Ukrainian army, leading to a Russian assassination attempt against their CEO. Corporate America, which for the most part has been keen to ignore geopolitics during an age of unabated U.S.-led globalization, has suddenly found itself in a war zone where the Board can quickly get bogged down in a major corporate incident that damages U.S. national security, inviting scrutiny from Congress, regulators, and the press. Moreover, the geopolitical map could be shifting rapidly once again, as some believe the Trump administration may pursue accommodation with China and Russia to manage the world order through a Concert of Powers system with multiple spheres of influence.
There are signs of progress in the private sector’s appreciation of geopolitical risk. A recent report from the U.S. Chamber of Commerce Foundation found that “references to geopolitical risk in Fortune 250 financial disclosures have more than doubled since 2019, with a fourfold increase since 2009.” Hopefully, this growing awareness translates into greater maturity in managing national security and geopolitical issues. In a recent benchmarking study conducted by my firm with the Interstate Natural Gas Association of America, we found that a clear strategy, organizational leadership, and internal coordination processes are critical to a proactive approach to geopolitical management.
Other trends and issues, such as the economy, global health, and crime, can exacerbate the risks of cyberattacks, terrorism, and geopolitical instability. For example, economic downturns can fuel political extremism and civil unrest. Pandemics can overwhelm public health systems, creating opportunities for disinformation or cyberattacks. Rising crime undermines public trust and stretches security resources, increasing corporate exposure to both opportunistic and organized attacks. Taken together, these overlapping stressors create a volatile system. Issues cannot be viewed in isolation but must be assessed through a broader lens that evaluates a business’s position and posture within the wider global threat environment.
The National Security Model
As global threats increasingly impact the U.S. homeland, there is an urgent need for American businesses to understand this rapidly evolving landscape and proactively manage the associated risks. As a veteran of the U.S. national security community, I am aware of how the U.S. government manages these distinct yet compounding global threats. As a consultant advising private sector companies, I know how they try to do the same. I see significant differences between the two, and there is a substantial opportunity for businesses to learn from the government in this domain.
For nearly 80 years, the U.S. government has used the National Security Council (NSC) process to ensure that the President of the United States receives appropriate information and recommendations related to a wide range of national security, foreign policy, military, and homeland security issues. The White House leads this system and provides standard processes for the Departments of State, Defense, Treasury, Homeland Security, the intelligence community, and other federal agencies to collaborate, develop a shared understanding of the threats facing the country, debate potential responses, and ultimately develop national policy and coordinate integrated implementation.
As national security issues have become more multifaceted and complex, encompassing overlapping threats from nation-state militaries, cyberattacks, supply chain risks, terrorism, foreign intelligence operations, pandemics, regional instability, and geopolitical tensions, among others, the NSC’s focus has similarly expanded. While some argue that our conception of what constitutes national security has become too broad in recent years, the fact is that we live in a world where global threats take many forms and can cause harm to governments, societies, businesses, and populations in many ways. The NSC model offers a comprehensive framework for the U.S. government to address these complex threats. The vast majority of companies, however, lack an equivalent tool.
Businesses, for the most part, tend to address the issues discussed in detail earlier in this article in isolation. Offices with primary responsibility for managing various aspects of the global threat environment typically include Corporate Security, Cybersecurity, External Affairs, Finance, Legal, Risk, and Communications, at a minimum. This is not dissimilar to the U.S. government, where the Secretary of State leads diplomacy, the Secretary of Defense is responsible for the military, and the Secretary of the Treasury handles financial issues. However, in the U.S. government, these issues come together in the NSC model. In many businesses, they do not come together in this way.
This is not to say that businesses lack internal governance structures to identify and manage risks. Many large and mature companies operate sophisticated enterprise risk management (ERM) systems and maintain Board-level committees and subcommittees dedicated to cross-functional oversight, risk identification, and informed decision-making. The gap is that, for the most part, companies lack comprehensive governance structures, implementation systems, and accountable action officers to manage holistically the global threats that are the subject of this piece and are currently causing widespread concern across corporate America. And until recently, it always made sense that businesses would not have such processes in place. Global threats were not as abundant and did not have the same capacity to impact the bottom line. But all that has changed.
A logical solution for businesses seeking to better understand and manage global threats, then, is to adopt a governance structure modeled on the U.S. government’s NSC system. Such a governance structure – let’s call it a Global Threats Committee – would provide a cross-enterprise system to monitor global threats that could impact the business, debate potential solutions, obtain decisions from the Board and senior management, and ensure coordinated implementation of agreed actions. My recommendation here is similar to what the U.S. Chamber of Commerce Foundation endorsed in their recently released report High Stakes: A Framework for Geopolitical Risk Management, an early project of the Chamber’s new Global Threats Initiative.
The report recommended that companies establish a Board committee on geopolitical strategy and risk that includes “management-level representatives who will be able to reflect a holistic view of the organization, for example, relevant business, legal, security (including IT), and enterprise risk management personnel.” I agree with the Chamber’s recommendation but note that “geopolitical” may be too narrow a term. Some threats, such as the assassination of executives, may not fall neatly into the geopolitical category but should be considered by a committee with enterprise-wide visibility and a broad mandate for global threats.
The Model in Action – Managing a High-Threat World
Readers may find the creation of more corporate governance structures burdensome and daunting. To simplify the task, I recommend executives focus on a few key areas, all of which can be achieved with relatively minimal corporate buy-in at the outset, and which can set the stage for broader corporate reform to address global threats more effectively.
First, determine which part of the business – such as security, external affairs, or legal – will take responsibility for championing a cross-enterprise strategy on global threats. This should include identifying a specific individual, perhaps the senior security executive or their designee, to lead this effort. This individual must be someone who “gets it” – meaning they have an appreciation for the big-picture global threat environment, they see the value of enterprise-wide coordination, they are prone to multidisciplinary thinking and solutions, and they have the energy and drive to take on big and amorphous challenges.
Second, launch a quick and dirty assessment intended to 1) identify the most significant global threats facing the company, 2) evaluate the company’s current cross-enterprise strategy, governance, and approach to managing these complex challenges, 3) list the key internal stakeholders, and 4) provide some “must-dos” to improve the company’s posture in line with the NSC model discussed above. This should take no more than eight weeks and produce a short document meant to guide immediate action. More thorough strategic reviews can be completed later once there is deeper enterprise buy-in.
Third, establish a working group comprising key internal stakeholders who can meet monthly to track priority items and contribute to the company’s ongoing improvement in managing global threats. Some companies may have pre-existing working groups (e.g., enterprise security risk management, insider threat, or emergency action), which could be expanded or repurposed to accommodate this mission. Once the group demonstrates effectiveness and gains traction, it can serve as the foundation for a more formal governance and committee structure, as appropriate.
By applying this approach, which focuses on achieving quick successes through proactive initiatives and collaboration rather than extensive formal approvals, all companies can start making significant progress in managing global threats more effectively. The international security and political environment are only set to become more volatile and complex. Now is the time for organizations to establish clear strategies and processes to contend with that uncertainty.
