Cyber security has quietly become a geopolitical risk function inside modern organisations.
One of the more interesting threads that ran through conversations at The-C2 this year was not a new idea, but a reframing of something many already sense.
Cyber security has moved. It is no longer sitting neatly within technology teams or even risk functions. It now sits alongside geopolitics, economic competition, and questions of national resilience.
That shift is easy to acknowledge in principle. The challenge is that most organisations have not yet adjusted how they think about security in practice.
For a long time, cyber risk has been treated as something that can be managed internally. With the right controls, the right investment, and the right people, exposure could be reduced to an acceptable level. It was, broadly speaking, a problem you could contain within the boundaries of your organisation.
That model is starting to show its limits.
The nature of the threat has changed. Many of the most capable actors are no longer driven by immediate financial return. Their objectives are slower, more strategic, and often shaped by national interests rather than commercial ones. Campaigns can run quietly for extended periods, with a level of patience that does not fit neatly into traditional risk models.
For cyber leaders, this creates a subtle but important tension. The frameworks used to assess risk are still largely built around likelihood and impact in a commercial sense. They are less well suited to adversaries who are prepared to invest time and resources without a clear short-term payoff, and whose presence may not register as an "incident" at all until long after initial access.
Alongside this, there is a growing gap between how cyber risk is discussed at board level and what is actually happening in operational environments.
Boards are more engaged than they were even a few years ago, which is undeniably positive. But the conversation is often still framed in terms of compliance, maturity scores, or high-level ratings that lack context. Without a clear view of why an organisation might be targeted, or how attacks against its sector are evolving, the discussion risks becoming abstract again.
And when it becomes abstract, it becomes harder to make the right decisions about where to invest and where to accept risk.
Another area that drew consistent attention was the role of supply chains, not as a secondary concern but as the primary route through which many attacks now unfold.
Modern organisations are deeply interconnected. They rely on a web of providers, platforms, and services that extend far beyond traditional organisational boundaries. This interconnectedness brings efficiency and scale, but it also introduces a form of systemic exposure that is difficult to fully map.
Attackers have recognised this. It is often more effective to target a supplier, a managed service provider, or a widely used software component than to approach a well-defended organisation directly, because a single compromise there can reach many downstream victims at once. The result is that risk is no longer confined to what an organisation owns or controls, but is distributed across an ecosystem.
That raises uncomfortable questions about accountability and visibility. It also challenges the idea that security can be fully achieved through internal controls alone.
Perhaps the most pragmatic shift discussed was a move towards resilience as a central principle.
There is an increasing acceptance that, against certain adversaries, prevention on its own is not a realistic objective. That does not diminish the importance of strong defensive measures, but it does change the emphasis.
The organisations that perform best are not necessarily those that avoid incidents entirely. They are the ones that detect issues early, respond effectively, and continue to operate under pressure; the measures that matter are how long an intrusion goes unnoticed and how quickly critical services are restored, not simply how many incidents are recorded. In other words, they are designed with the expectation that things will go wrong, and they are prepared for that reality.
This has implications not just for technology, but for culture and leadership.
It requires a different kind of conversation with the board, one that is grounded in real scenarios rather than abstract risk scores. It requires a clearer understanding of dependencies, particularly those that sit outside direct control. And it requires stronger relationships beyond the organisation, because no single entity has complete visibility of the threat landscape.
What emerges from all of this is a shift in mindset.
Cyber security is no longer just about protecting systems or managing compliance obligations. It is about understanding the environment in which an organisation operates, including the political and economic forces that shape that environment.
For leaders, that means stepping slightly outside the traditional boundaries of the function. It means engaging with risk in a broader sense, and recognising that some of the most significant drivers of cyber exposure sit beyond the organisation itself.
That is not an easy adjustment to make. But it is increasingly a necessary one.
