India-Pakistan conflict underscores your C-suite’s need to prepare for war

This week began with UK Prime Minister Sir Keir Starmer ordering government officials to update their contingency plans in the event of all-out war. He noted that current plans are some 20 years old and “badly out of date.”

Then the next day, we witnessed the kinetic confrontation between India and Pakistan experience a major escalation, with the very real possibility the two nations may continue to escalate to a more geographically widespread conflict.

C-suites need to be asking their teams: Are we prepared for any event, including war, that may impact on our personnel, infrastructure, supply chain, customers, and other facets of our business?

Prudence reigns

Starmer’s call to update contingency plans is prudence. C-suites should be demanding briefings from risk management, business continuity, crisis management, and cyber resilience teams on the current state of preparedness in general and specifically with respect to geographic areas where conflict is present and the entity has equities.

At the RSA Conference in April, Tom Cross, strategic advisor to WitFoo, and Greg Conti, co-founder of Kopidion Cybersecurity, presented “War Planning for Technology Companies.” They minced no words: Companies should “create a war plan” as the notion of a “great power conflict is no longer an unimaginable threat,” they explained.

Cross and Conti asked, “How would your organization respond,” and pointed to the hot spots around the globe as evidence of the increasing need for answering such a question formally in terms of processes and procedures. The Russian invasion of Ukraine caught many companies flatfooted. They found themselves with assets and personnel in locations which now were aflame or within an aggressor’s geographic footprint.

Companies are now faced with decisions on how to turn off their lights and ensure privileged and protected data is effectively removed and destroyed onsite. A task that few incorporate into their emergency response plans.

How the India-Pakistan conflict raises the stakes

Should the conflict between these two nuclear powers escalate and become a full-blown war, the disruption to supply chains, research and development, and support services has the potential to be significant. Pakistan’s technical hubs in Karachi, Lahore, and Islamabad will be placed in jeopardy. India’s technical hubs in Bengaluru, Hyderabad, Chennai, Pune, Delhi, Mumbai, and Kolkata may be targeted.

Take into consideration that large portions of India’s 1.45 billion and Pakistan’s 255 million citizens may be on the move, and one can easily picture the possibility of societal chaos and infrastructure interruption. And with India still leading the world in IT outsourcing and captive centers, accounting for 17.58% of the global market, direct business impacts of a wider conflict will be significant.

Is my company ready for war?

At the Berlin Security Conference in November 2024, Admiral Rob Bauer, then chair of the NATO Military Committee, spoke frankly to industry leaders in the context of Russia’s illegal war being waged against Ukraine, asking two central questions of business leaders:

• Is my company ready for war?
• What can my company do to prevent war?

Bauer acknowledges the second question might take some by surprise, but not those who have been keeping an eye on geopolitical events. I touched on this following the February 2022 invasion of Ukraine, and the West began to issue sanctions, urging those not affected by sanctions to remove themselves from the Russian Federation. At that time, I noted that companies had choices to continue doing business as usual, to withdraw from Russia, or to do nothing. All three were choices, and all three carried with them the consequences of each specific action.

There were a great many cyber clues that war was coming, including advisories from both government and commercial entities. I discussed this in “Russian cyberattacks on Ukraine raise IT security concerns.” Immediately after the Russian invasion, more advisories were shared and analysis on supply chain interruption followed.

“War is on the European continent,” Bauer bluntly stated. He noted, the Eurobarometer in September 2024 “stated that 58% of respondents did not consider themselves well prepared for a crisis in the area where they lived. And almost two-thirds feel that they need more information to prepare for disasters and emergencies.”

Since that time, we’ve seen Russia engaged in low-intensity conflict throughout Europe. In this regard, recruiting citizens sympathetic to Russia to engage in sabotage and disruption. We’ve seen disinformation and misinformation used as a weapon against democracies across the globe, but with greater frequency and focus on nations that are supporting Ukraine in defending its sovereign territory.

When a conflict involves population sets the size of India and Pakistan and includes their diaspora, the potential for companies to be inadvertently pulled into a conflict by their own employee’s taking an action using company resources in support of their nation is not improbable.

Bauer continued, “Business leaders in Europe and America need to realize that the commercial decisions they make have strategic consequences for the security of their nation. Businesses need to be prepared for a wartime scenario and adjust their production and distribution lines accordingly.”

Every CISO needs to be asking whether they and their companies are ready for war. Do your network communications rely on one means of communication for corporation communications and another for commerce? Do the operational technologies use network communications that may become vulnerable during conflict and thus turn out the lights on production? What is the contingency plan when communications degrade to nil?

How CISOs can make a difference

Furthermore, as Bauer noted, “The world can be a dark place. And over the last years, it certainly grew even darker. But there is light as well. And they have been shocked by the united response from NATO, the EU, and other democratic nations around the world.”

He continued, “The fact that the global security climate is becoming ever more complex and volatile does not mean we should slip into lethargic pessimism and think that these circumstances are beyond our control.”

In addition to having a plan, companies must recognize that they have the ability to make a difference when making purchasing and implementation decisions, Bauer said. He recommended one do so with an eye on the potential for preventing conflict. Ask the uncomfortable question: Will this decision help the belligerent? This should include those allied with the belligerent and those supplying the belligerent. If the answer is yes, don’t do it.

At RSA Conference 20225, Cross and Conti urged companies to think about “whether your organization may have direct or third-party exposure to regions of the world that may be exposed to conflict.” Leadership should then follow this up with a self-assessment to lay the groundwork to “develop specific plans to mitigate operational, infrastructure, and human resource impacts.”

Final recommendation: Exercise your plan and update regularly. As Starmer noted, Britain’s plan is over 20 years old; your plan should be less than 12 months old.