
Intelligence-driven responses to geopolitical risk, espionage threats and cyber-attacks

Tom Scott

6 Jan 2026

Geopolitical shocks, cyber-physical attacks and insider threats aren’t “emerging risks” anymore – they’re hitting companies now, and faster than leaders can update their plans.

For our latest ICC Netherlands newsletter, we interviewed Tim Bosch (co-founder of the Birdwatcher Group) on why traditional scenario planning is collapsing, why every company is already a target, and why resilience can no longer be a project – it must be embedded into your operating system.

If your organisation isn’t preparing to pivot in days rather than quarters, it’s already behind.


 

An interview with Tim Bosch, CEO of the Birdwatcher Group

 

After more than two decades with the Dutch General Intelligence and Security Service (AIVD), Tim Bosch co-founded the Birdwatcher Group, an intelligence-driven security firm supporting governments and companies in addressing geopolitical risk, espionage threats and cyber-physical vulnerabilities. We spoke with him about what keeps CEOs awake, how businesses should adapt to the ‘weaponised’ world of trade, and why resilience has become the new operating system for business.

 

What keeps business leaders awake at night? Have these fears changed since a few years ago?

Something has definitely changed. There are currently three dominant issues. The first is what we call the geopolitical whiplash. Sanctions, export restrictions, supply chain disruptions: it’s coming from all sides. Geopolitically, the world is on fire.

 

The second is the cyber-physical convergence. Attacks start with IT, Information Technology, but end with the OT, Operational Technology that is at the heart of many systems such as factories, ports and networks. This is a very new model whereby the threat is substantially increased. A well-known example is the incident at the Bremanger dam in Norway in April this year; Russian hackers opened a flood gate that discharged 500 litres of water a second for four hours before the attack was detected.

 

The third point is about talent and trust, in particular the insider threat that comes from within companies. This involves leaks of company secrets, or simply hostile states that are deliberately trying to access people inside the company.

 

What has changed compared to five years ago is the sheer speed and volatility of events. In 2020 we had well-established scenario thinking. But in 2025, it’s more a question of positioning options in advance. In fact, I dare to say that ‘scenario thinking’ is almost no longer possible. Things are moving so fast that your scenario is almost no longer valid before you start.

 

If scenario thinking is no longer possible, can businesses anticipate shifts before they become crises?

In the past, supply chains were busy lobbying tariffs. At the moment, however, where trade is being used as a weapon, you won’t out-lobby geopolitics; you can only out-prepare for it. So how do you do that? Here are a few pointers.

 

1. Map your exposure to risks every quarter. This includes markets, regimes, sanctions, export controls.

2. Identify what is strategically irreplaceable. Components, logistical routes, cloud regions, routing channels: you have to assume that at least part of your operating model will fail.

3. Build licensing muscle. Have dossiers pre-prepared for export-control or sanctions-related applications. Treat licensing as a continuous process.

4. Establish external intelligence loops. Look beyond newspaper headlines, create an intelligence loop of everything that happens in the outside world. This is an iterative process of structured monitoring of policy signals, data handling, regulatory calendars and draft rules that you can constantly act on.

 

Cybersecurity: how big a threat is it? Are Dutch businesses well protected?

Cybersecurity is now – after liquidity – the biggest operational risk category for companies. This has shifted away from just the prevention of incidents to ensuring continuity under an attack. Everyone is under attack – all the time. With cybersecurity, there are also cross-border implications. This is very important for the cloud: where is your data? Which jurisdiction has the keys? Companies also have to look at extraterritorial requirements and inspections. Minimum-necessary data per jurisdiction is crucial; you shouldn’t replicate everything everywhere. And crisis interoperability: systems and people must be able to work together internationally during an incident. This requires cross-border practices and rehearsals – not only focusing on the national crisis – to keep on testing the international incident response with partners and insurers.

Are Dutch businesses doing enough? Most are still catching up, but I don’t blame them – this is a new phenomenon.

 

What is the one blind spot most organisations underestimate?

There are many blind spots, I’m afraid. But the one I want to highlight is the insider and the near-insider risk. Think of contractors with excessive privileges, or the joint-venture partner system administrator. System admins in particular are an excellent insider threat because they have the ability to manipulate, to harm the company. There are ways to mitigate the risk: awareness programs, ‘least-privileged-by-design’, constant reviews of access rights, focused screening for sensitive roles, and continuous monitoring of security events and credentials.

 

ICC works to keep trade open and predictable through the WTO, standard-setting and digitalisation. With declining trust in global institutions, is there still a role for ICC?

I firmly believe in strong public-private cooperation. In this period of hybrid warfare, companies are on the front line. They may not wear uniforms, but they are under attack every day. The ICC certainly has a role, not only for the practical predictability, but by creating effective soft-law frameworks and depoliticization. The ICC can align sectors on baselines, like cyber due diligence for trade finance or supply chain integrity attestations. ICC is uniquely placed to align sectors globally: it keeps markets functioning while politics recalibrates.

 

If you could give one piece of advice to business leaders in 2026, what would it be?

Institutionalise the option value. Design your company so it can pivot in days and not in quarters – whether changing suppliers, cloud regions, banks or legal options. And remember: resilience is no longer a project. It is an operating system. Make somebody at the highest level responsible for not only risk but also the geopolitical thinking throughout your organisation.

 

Looking back at the recent Dutch elections – and the upcoming coalition formation – does the Dutch political system give enough attention to the challenges facing businesses nowadays, specifically on these issues?

Sadly, my answer would be no. I think it’s safe to say that there’s not a single political party that really goes into great depth on Ukraine, the hybrid attacks on Europe, supply chain risks, China’s ambitions as a world power. In general, my goal is to help companies with these dilemmas – and to be a constructive, realistic sparring partner in an unpredictable world.

 

 
