Dominic Bowen: Geopolitical Risk Planning & Management Artwork

Kitecast

Kitecast features interviews with security, IT, compliance, and risk management leaders and influencers, highlighting best practices, trends, and strategic analysis and insights.

All Episodes

Kitecast

Dominic Bowen: Geopolitical Risk Planning & Management

April 04, 2025 • Tim Freestone and Patrick Spencer • Season 3 • Episode 42

This insightful Kitecast episode features Dominic Bowen, Partner and Head of Strategic Advisory at 2Secure in Stockholm, Sweden. With over 20 years of experience supporting business leaders, boards, and executives, Dominic brings valuable perspective from his work across cybersecurity, generative AI, risk management, and crisis response. His background spans strategic leadership positions in humanitarian organizations, military service with Special Operations Command, and law enforcement—providing him unique insights into risk management across diverse environments.

Many risks facing organizations today are predictable, not "black swan" events. Dominic emphasizes that effective risk management begins with understanding the business environment before identifying, analyzing, and mitigating threats. Companies that neglect this approach face potential disruptions, as demonstrated by European and North American businesses that expanded into China without adequate risk assessment or those slow to withdraw from Russia after its invasion of Ukraine. Businesses must recognize that events like inflation spikes, terrorist attacks, or regional conflicts aren't unpredictable—proper planning and preparation can help organizations navigate these challenges.

Cybersecurity represents one of the most pressing concerns for business leaders globally. Dominic notes that cyber threats have evolved into warfare weapons, with European officials warning businesses and citizens to prepare for heightened threats. This reality is demonstrated by the Russian attacks on Ukrainian financial institutions before the 2022 invasion and ongoing attacks against energy infrastructure throughout Europe. For businesses, this necessitates not just regulatory compliance but leveraging security frameworks as competitive advantages that enable boards and executives to move forward confidently despite increasing threats.

Artificial intelligence offers transformative benefits for risk management—when properly implemented. Organizations can gain significant advantages through AI-powered predictive analytics, automated threat detection, improved decision-making capabilities, and scenario development. Those organizations leveraging AI for fraud detection, identifying insider threats, and recognizing suspicious transactions position themselves ahead of competitors who fail to adopt these tools.

Effective risk management requires methodical approaches regardless of organizational context. Whether operating in conflict zones, developing humanitarian responses, or expanding business operations, Dominic emphasizes that the process remains consistent: understand the environment before attempting to identify or mitigate risks. Organizations that invest time in thoroughly understanding cultural, linguistic, political, and historical contexts before implementing risk mitigation strategies achieve substantially better outcomes.

LinkedIn Profile: https://www.linkedin.com/in/dominic-bowen/

2Secure: https://2securecorp.com/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Patrick Spencer (00:01.208)
Hey everyone, welcome back to another Kitecast episode. I'm your host for today's show, Patrick Spencer. Joining me, it's going to be real treat, is Dominic Bowen. He's over in Stockholm, Sweden. We haven't, we've done a few with international guests. It's been a while since we had someone from Europe. So Dominic, welcome. Looking forward to this conversation.

Dominic Bowen (00:08.312)
the real treat is Dominic Bowen. He's former in Stockholm, Sweden. haven't we've done a few with international guests. It's been a while since we had someone from Europe. So Dominic, welcome. Looking forward to this conversation. for having me on the podcast today, Patrick.

Patrick Spencer (00:24.526)
So I'll let you introduce yourself, but I'll give our audience a quick rundown on your background so they know a bit about who you are. You're the head of strategic advisory and a partner at the two secure in Stockholm, Sweden. It's a large consulting technology firm. let you give the introduction to the company, what you guys do here in a second. You have over two decades of supporting business leaders, boards and executives. Those on the podcast want to check out.

Dominic Bowen (00:49.988)
business leaders, boards and executives those on the podcast want to check out your LinkedIn profile to see all the cool things that you have done as well as

Patrick Spencer (00:53.87)
LinkedIn profile to see all the cool things that you have done as well as are doing today. Advising them on business decisions involving everything from cybersecurity to generative AI. We'll talk a little bit about that. Risk management, crisis response, among other areas. You're the host of the International Risk Podcast. Some of our audience may actually subscribe to your podcast. If not, definitely check it out. There'll be a link included.

with all the postings on the podcast channels that you can click on to access it. Launched about three or four years ago. We'll talk a bit about it. Actually curious to hear about what prompted you to start it and how you run the podcast program. You've held a number of strategic leadership positions, advisory positions, as we mentioned, in various humanitarian and NGO organizations, which is kind of an interesting angle that I'm hoping to explore with you today.

Dominic Bowen (01:41.976)
Yeah, Thanks very much, Patrick. That was a kind introduction. So I'm currently as you said, I'm a partner and I'm the head of the strategic advisory business unit at to secure

Patrick Spencer (01:51.79)
So maybe a starting point, Dominic, is talk a bit about your current role. been over there a while. What does the company do and what do you do?

Dominic Bowen (02:10.258)
And what we do really is exactly that. We make sure that businesses can achieve their strategy. Most of the business leaders we work with in Europe's got some fantastic business leaders, some great universities, and the businesses are fantastic at pursuing their objectives, defining their objectives, surrounding themselves with good teams, good capital, and running forward. What we see that businesses are less good at is considering what are the things that are going to punch them in the side of the face on a Tuesday afternoon?

And that's where we come in. It's helping them identify what are the risks of going into a good market. You know, we saw companies from North America and Europe flood into China, you know, one and two decades ago, and not enough of them considered the risks. We saw, you know, lots of companies be slow to exfil from Russia after their invasion of Ukraine without considering the risks. And we see that every day. We see that every day in a variety of different issues.

And it's amazing how often I meet with business leaders and they're like, I mean, who would have guessed that inflation would go up? Who would have guessed that there'd be another terrorist attack? Who would have guessed there would have been conflict in the middle East? All these things, which, you you're laughing and I'm laughing, but these things were predictable. You know, people say, Oh, you know, COVID, COVID was a black swan event. Who could have predicted it? I don't know. The world economic forum predicted it 10 years before it occurred. Not only them, but many, many others.

Patrick Spencer (03:29.208)
Yep. For the others.

Dominic Bowen (03:31.624)
So many risks are predictable. So that's what we do. We sit down with businesses, we help them work through their risks, help them mitigate them, help them prepare for crisis and really just make sure that they can focus on what they're good at, which is pursuing their strategies.

Patrick Spencer (03:41.646)
Interesting. How long does an engagement last typically when they bring you in? it a couple month long engagement? How much face time do you spend? How much is all virtual? Kind of curious on those fronts.

Dominic Bowen (03:54.733)
I mean, ideally most of it is face to face, but what we really want to do is develop long-term partnerships. It's probably less profitable, but it's much more enjoyable. So a classic example was I was in Ukraine in October two years ago when Hamas did their deadly and horrible attack in Israel. And my phone was ringing off the hook from business leaders just going, what is the impact going to be on my business? And for most of them, my answer was today, the impact.

will be nothing on your business. The impact in the Middle East will be catastrophic and this is gonna be a long issue. But for right now, and then I gave them a few things I needed to look at about their workforce, some of the software that they were buying from Israel and things like that. But generally speaking, I said nothing right now. But what that did tell me is that the business leaders and the people that we're working with are comfortable just calling all the time. They see something big on the news and they jump on the phone. They call me, they call my colleagues and they say,

What do we need to consider? And that's really what we want to be doing. We want to having these long-term relationships. And I think the best part of my job is when I'm just going and having coffee, having coffee with CEOs, having lunch with board members, having dinner with chairmans of different company, and just talking about what's happening and then just continually giving them little tidbits of advice, little tidbits of trends we're seeing. And then, yes, at some point we need to get paid as all of us do, we're all business people.

But that just comes naturally when they need crisis management training, when they need someone to do some geopolitical analysis, when they need business intelligence. Well, then of course they come to us and then we support them with that. But generally speaking, most of my work is just really enjoyable. It's just engaging and talking with business leaders and sharing the knowledge that we're seeing. know, Europe and we'll talk about this today. Europe's you know, some days I just go, wow, this should be in a Tom Clancy spy book. What's happening?

Patrick Spencer (05:46.702)
There's nothing happening in the world right now, right? It might be a cause for someone to pick up the phone and call Dominic to find out what they should do. So you talked about lack of planning in many organizations or lack of strategic foresight to anticipate. And some of these things are unpredictable. You don't know in some cases that

Dominic Bowen (05:50.57)
Nothing at all, nothing at all.

Patrick Spencer (06:14.306)
these events are on the horizon. And other instances is, gee, you should have been planning for this for the last 10 years. Technology. You talk about just not thinking through the potential risk. Do organizations do that well today when they're using different technologies as to where in the world is the development team? What are the security capabilities that are built into it? If it's talking about data, how do you control?

that data and then report on where it's sent, who accessed it, when, where, why, and all those different types of things.

Dominic Bowen (06:47.992)
all those different types of things. Yeah, I think I always draw back and I think this was a really a pivotal moment in my career. I was in Timor-Leste or East Timor as some of your listeners might know, with a small country in Southeast Asia. And there was really significant riots, very significant riots. And most of the country was in lockdown and the airport was closed quite a significant amount of time. And I wasn't in charge of that mission. I was there just as an advisor and we had the leadership team around the table.

And the meeting was about to wrap up and we hadn't considered all the contingencies. And I just said, look, you know, boss, I just think we need to have a conversation about what if the airport closes and we don't have access to healthcare, there's an emergency, because we need to fly someone to Australia. It was very quick by air. said, we'd lose access to healthcare and we'd lose access to evacuation. And he just said, oh my gosh, put his hand on the desk. And he said, that doesn't even beg a belief. That would just be so catastrophic. And then at the of the meeting, and as people were standing up, went.

But isn't that exactly why we need to be planning for it? Because it is so catastrophic. And I think it's these things that really prompt me to ask these questions are a little bit uncomfortable. So what if, what if there was maybe not world war three, but what if there was a significant invasion of Europe? If I'd said that three or four years ago, people would have talked, think I'm crazy. And yet of course, now we've seen Russia invading a country in Eastern Europe. Now we're seeing Russian espionage in major capital cities, every

single day we're massive attacks against energy infrastructure in Europe in land and on sea that are directly attributable to Russian assets. And so really asking these questions is, you know, it was uncomfortable three or four years ago. I couldn't have these conversations with boards and CEOs three or four years ago. Today, it happens all the time, just yesterday, a very large financial, European financial institution is asking us to do analysis on India. India.

We know that Europe does not have enough IT talent to provide all the work that we need. We know that some of the world's largest IT consulting firms are outsourcing and utilizing talent from India. Now India obviously, largest or second largest population in the world has a lot of IT talent and that's fantastic. And I know India refers to itself as a balancing power. I'm not sure that's the term I would use.

Dominic Bowen (09:07.404)
but it's certainly a country that will swing towards America when it needs F-35s. It'll swing towards Russia when it needs cheaper energy. And it's certainly that way. And I think companies and many companies need to be compliant with different security legislation, different security protection acts, and even just their own, you know, in Europe, we've got the GDPR, the data protection. Can you maintain that when your systems are being managed in a country

Patrick Spencer (09:14.467)
Yeah.

Dominic Bowen (09:34.338)
who's not necessarily aligned with your values or your strategic interests. And if you're a bank, you're a financial institution, you're an engineering company that has access to sensitive issues, sensitive items like bridges, buildings, government buildings, maybe buildings that host police stations, know, those sorts of things. Well, all of a sudden, is it appropriate for your information, for your building plans, et cetera, secret cabling to be managed in India where they're so reliant on Russia? so I think

Companies are starting to ask these questions. And my answer as a risk advisor is never no. I never say no. But my answer is always yes. And we need to consider how we're going to manage these risks. We can do it. We can definitely do it. But there's going to be a safe way to do that.

Patrick Spencer (10:19.224)
Now we have some team resources we leverage regularly on the marketing front in Bangladesh, for example, and due to last year's political unrest, they metered down the internet. you know, they were willing to work, able to work, but they didn't have internet. Well, guess how you communicate without any internet, you're shut down. So you need to have those contingency plans.

Dominic Bowen (10:27.191)
Yep.

Patrick Spencer (10:46.478)
in place, and that's just the microcosm of a much larger issue. But just in our instance, because of our strategic video editing, we had to postpone some projects as a result and work around, thankfully things have calmed down to a certain extent there. But you look at all the changes that have happened in the world, especially in the last three years after COVID kind of waned and even due to COVID.

Dominic Bowen (10:47.736)
the old microcosm of MSN.

Dominic Bowen (11:11.18)
to COVID, that cybersecurity you've seen change in the risk management associated with cybersecurity. And what have you seen happen?

Patrick Spencer (11:12.51)
Cybersecurity, you've seen change in risk management associated with cybersecurity. What have you seen happen on that front over the last couple of years?

Dominic Bowen (11:23.928)
Yeah, I mean, cyber security is a big one. I, and a common question I ask certainly to people that I'm developing new relationships is what are the risks that concern you the most? What's the thing that causes you the most headaches and unquestionably political instability and cyber risks are number one and two consistently, um, consistently. And so to your question about, uh, cyber security risks, think cyber security as a warfare weapon.

as a tool of war is something that is increasingly common. The Swedish government actually released a report several years ago and it talked about the phases of war. And for your listeners, phase one is all at peace. Phase five is complete war. And at the time of the report being released, we were comfortably in phase one, no doubt about it. And the idea of being in phase five was completely unrealistic. Today in Sweden, we have politicians, ministers of defense, ministers of civil service,

telling businesses and individuals saying, you must be prepared. They're sending booklets or have sent booklets to every single household about what to do in case of this is Sweden. I've lived all over the world. I've lived in every major war zone. I've lived, you know, on every continent in the world. I have never lived in a country that is so peaceful. That is so if it had a fault, it would be that it's incredibly boring. It is so peaceful. And yet this is a country that is telling everyone they have to prepare for war now.

Patrick Spencer (12:30.496)
I wrote the mardicas on this. Yeah.

Dominic Bowen (12:52.364)
And we are unquestionably, we're in the middle. We're in about phase two, phase three, when it comes to the phases of war. And a big part of that is hybrid warfare and cyber warfare is a huge part of that. And if you're unsure what that looks like, have a look at Ukraine in January and February, 2022, and look at all the government institutions, the banks, the financial assets that were being attacked, attacked online and being taken down. And we look at the U S treasury department, the U S treasury department, you would have to assume.

that the US Treasury Department would be one of the most secure, one of the most secure sites in the world. Nope, they were attacked. They were attacked. So we know that these, we know these things are occurring. Now in Europe, I think in America, you're a little bit better. And I think that's probably only going to improve over the coming months, but you've got much less regulation. Now I know that many of your business leaders in North America are saying you've still got too much regulation or come to Europe. Europe is massively regulated. And whenever there's a problem,

The solution is 10 new regulations. So there's a lot more regulations. Now part of that is good. But in Europe, we have the NIST too, and we also have another regulation called DORA. These are putting heavy, heavy pressure on businesses and increased costs. So, you know, not only are the businesses suffering from the increased weaponization of information and cybersecurity, they're now being burdened by the added pressure of regulation that they have to comply with. Now I get why we have regulation. It sounds like I'm just anti-regulation.

Patrick Spencer (14:00.343)
door.

Dominic Bowen (14:19.788)
But it's certainly these are these are big issues that you have to consider. I mean, you mentioned before that that I've got a podcast that I host and you're right. And it's a, a fantastic podcast. love it. Anytime we do an episode on Ukraine, anytime we do an episode on Russia, it's at the website to tact. It's, it's amazing. It's amazing how, often it's attacked just as sure as night follows day. you know, and we get attacked most days, like I guess most, most websites too. but

Patrick Spencer (14:35.924)
user.

Dominic Bowen (14:47.298)
but the days we release podcasts on Russia or Ukraine, it just skyrockets. It just skyrockets. And we're not important, ultimately. We're not important. We're not a bank. We're not a government institution. And yet there's still enough resources out there that you can attack us. So you can only just imagine for your listeners that don't work for government or that don't work in the financial sector, how much they are getting hit every single day.

Patrick Spencer (14:50.54)
You see a spike in attack.

Patrick Spencer (15:08.558)
Fascinating. So, Henry, while we're on the topic, you started this podcast, three or four years ago? You know, what gave rise to it, and what are some of the topics that you typically cover? And for our listeners, there's a link at the bottom of the show that you can click on to access it.

Dominic Bowen (15:24.78)
Well, it's quite interesting. it was started before, so was about five years ago and, I was, I was listening and I was doing more risk management work. you know, really dedicated risk management work, crisis preparedness. I always listen to podcasts, living and traveling around the world. I can't always travel with books. They're heavy and they're cumbersome. so I listened to a lot of podcasts when I'm traveling and at the time it's different today, but at the time there wasn't any great podcasts on risks and

geopolitics. Now there's a lot more podcasts, podcasts are increasing in number. And I was really disappointed. And then I was talking to a friend who's got some amazing stories. He's an author and works overseas as well. And I said to him, I said, you know, we should, we should do a podcast in jest. And I said it in jest. And he goes, I, I'm actually surprised you haven't started one already. And I said, I don't even know how to do it. And we finished our phone conversation. I was out for a walk. And then as I was walking home, I'm like, how do you even do that? How do you get your voice onto

thousands of people's phones. And like all problems, when I see a problem, I'm like, well, I need to work out how to fix this one. And then I was also thinking, who would I even interview? And in the space of 10 seconds, I thought of 20 friends. It would be amazing. It would be amazingly interesting. So much more interesting than me. And it wasn't that hard. And I worked it out, know, bought a microphone and then it just started. Then people started contacting me and then friends of friends started reaching out. And you know, I work seven days a week. I work 12 to 16 hours most days.

And I'm always looking for things to cut. always looking for ways to streamline my life and be a bit more efficient with my hours. And the podcast often comes up. doesn't, it's not an income generating activity. do. And I'm always like, maybe I should cut away the podcasts. But then I think about all the amazing people I get to speak to. And honestly, they really, really are amazing people. People that are working in just some fantastic areas around policy, around politics, around think tanks, people all around the world. I'm like, there's no way I would give that up. These people.

you know, if you got half an hour with them at a conference or a dinner party, you'd be like, yes, I got to sit beside that person. So no, it's a fantastic tool. The guests often, you know, thanking me. thanks for having me on the podcast. No way. Thank you for giving me an hour of your time to have a conversation. It's great. I love it. Really, really fun.

Patrick Spencer (17:22.85)
You don't know a lot, just post it on podcast, right?

Patrick Spencer (17:37.346)
Yeah, I agree. I have the same experience with this podcast and I've brought up with a former colleague, League of Mine at Berkeley, we were having coffee a couple months ago and in jest, I told him, yeah, we should do a podcast together and he took it seriously. So I think we're going to have to launch another podcast, but that's a story for a day. So he brought up compliance regulations.

Dominic Bowen (17:55.81)
Fantastic. That's great. Do it.

Patrick Spencer (18:03.726)
You know, Europe has this too, has GDPR, has DORA, as you mentioned, the US has HIPAA. In fact, there's some new HIPAA amendments. So we've published a few little things on it ourselves. The last couple of weeks, the HIPAA amendments are out for review. Can you regulate cybersecurity and risk management? Is that possible? That's what we're trying to do with some of these regulations. Is it successful? Is that the best way to approach the problem?

Dominic Bowen (18:24.306)
to do with some of these regulations. Is it successful?

Dominic Bowen (18:33.944)
When I was, when I was in the police academy, I, and one of our first days, I remember my instructor asked me, or he asked the entire room, why do people follow the law? And I thought, young, young guy, because you meant to, that's just the rules. You follow the rules. That's how the world works. You follow the rules. Uh, and he's like, no, no, people follow the rules. Most of the time, not always, but most of the time because of fear of getting caught. And I thought that's right. And I just didn't believe him.

He was, he was actually a brilliant instructor. This guy, Stephen as Arnicoff, Sergeant Stephen as Arnicoff, a fantastic instructor. But I didn't believe him on that point until I started working as a police officer, initially on the, on the streets, then a prosecutor. And then I was a federal agent posted overseas. And I realized that, yeah, sadly there is a large portion of the population that only complies with the rules because they don't want to get caught. And I think.

Regulation serves a great purpose. It really does. It really does. I'm a good driver. I've done lots of driving courses, lots of pursuit courses, and it's very easy for me to do 140, 160 kilometers an hour and not lose any sleep. But I don't. But I don't because there's rules in place. Because there's rules in place. I'm a good driver. I drive a car that's serviced and well maintained and it's in good condition. And I know I can do it safely, but I don't because there's rules in place and I don't want to get caught.

I think the legislations like Dora, like GDPR, like ESG reporting, AML, anti-money laundering directives, corporate governance reforms, they're a pain and they're expensive for companies to be compliant with. But I think, you know, compliant, it's not just a legal requirement. I think if you can really turn your company around to see these as tools for mitigating financial risks, for mitigating reputation of risks, you are putting yourself in a much better spot.

recognizing that the compliance and enterprise risk management is not just a standalone function, but these are tools that you can use to equip your managers to be able to step forward into risk that they might not otherwise be able to take. In today's environment, there's so many risks and a lot of leaders are very risk averse. But if you can assure them as the head of IT or the head of operations that no, we're addressing these risks.

Dominic Bowen (20:51.586)
We've got these governance frameworks. We've got these legislation we're complying with. Maybe we don't even need to comply with them, but we're going to to make sure that we're safe. Then your board and the audit committee, then maybe the executive team is going to be much more comfortable giving you the high five and giving you the thumbs up to move forward. So if you can get past the regulation and if you can, regulation serves a purpose, but if you can turn that into, okay, this can be our value add, this can be our company's competitive advantage over our peers, then you are in a new spot. Then you're looking at it in a new lens that your competitors probably aren't yet.

Patrick Spencer (21:21.708)
Yeah, now we've seen that with FedRAMP, for example, we've been FedRAMP moderate for eight years now, I think it is. And it is a competitive advantage for us. You have some who claim they're FedRAMP-like. Well, they don't go through the 425 controls every year and go through audits with a 3CPA. right. So there's an advantage from a business standpoint for us on that front. You know, we've seen the...

Dominic Bowen (21:24.024)
you

Patrick Spencer (21:48.718)
fines and penalties go up a bit the last couple years. GDPR, even the first half, I think, was the equivalent of what the previous three years of 19, 20, and 21, or something like that. I forgot the exact data point. But the first half was the equivalent of three aggregate years a couple years back. HIPAA, it's a little harder to find all the data points in terms of where we're at there. But those fines and penalties have gone up.

You think those are the driving factor that will force organizations to comply or, you know, from your standpoint, is it more of that brand impact? You know, we don't want to have our brand solid in the marketplace because we look like we don't care about cybersecurity. We don't care about data privacy and so forth.

Dominic Bowen (22:30.488)
brand solid in the marketplace because we don't care about cybersecurity. you really, I'm the last person to advocate for fear based selling or, but, sometimes you really do have to, you know, the very crude saying, but you know, you've got to stick the knife where it hurts. Um, and as crude as that is, I think that that really is the case. mean, there is a lot of regulatory uncertainty and there's a lot of new regulations coming in and with these geopolitical shifts, economic instability,

Patrick Spencer (22:39.598)
you

Dominic Bowen (23:00.578)
and you know, lot of the cases, industry specific regulations emerging, there is a lot of compliance fatigue and it's difficult for companies to manage all the multiple regulatory requirements they have to be compliant with. And you know, failure to comply with them does lead to heavy fines and does lead to reputation damage. And I think what you really need to be doing is speaking to what matters to leaders. And I think you're right. Reputation matters. You know, you can go through a crisis. That's fine. And I often say that I often say this to crisis management teams.

I much prefer to work in a preparatory manner with companies to prepare for crisis and to avoid crisis. But often I get that phone call like we need you to come down now. We're pulling the crisis management team together for different types of crisis. And one of the things I often say to the crisis team, if they're, if they're a new team, if they're not looking particularly confident is there's a positive line and there's a silver lining coming out of this. And that's that this is your opportunity to make changes in your organization that you can never normally make so quickly. So you can come out of this with

with new policies, new regulations, new practices internally that you can't make in a normal day, but you can do that today because of the crisis. And companies that navigate successfully through crisis, if we look at listed, publicly listed companies, their share price is higher after the crisis has been successfully resolved than companies that didn't go through a crisis. Now, of course you want to avoid the crisis, but if you have to go through it and you successfully manage it, the data says that your share price will probably actually go up. You'll actually be in a better position.

Patrick Spencer (24:01.634)
Very true.

Dominic Bowen (24:29.016)
So there's lots you can do, but you would need to be prepared and you need to make sure that your reputation is going to survive and you're not going to get these hefty fines. I mean, many business leaders, was talking to a business leader yesterday and he was talking about a 15 million euro fine that one of his companies had and he was able to shrug it off. He was able to shrug it off as just one of those things. Not many companies can, not many companies can shrug off a 15 million euro fine and just keep on walking down the street.

So understanding really what will happen if we mess this up, our reputation and what would the impact be on our sales and our trust and raising further capital, but then also what sort of regulatory fines and what sort of customers will we lose? Especially if you're working in the finance or the defense or the energy sectors, you might lose a lot of your clients if you're failing to be compliant with these things as well.

Patrick Spencer (25:17.688)
Do you find on the, you know, speaking of defense sector and regulations with CMMC now going into effect here in the U S with the defense industrial base, you know, while the U S does have a large portion of its, D I B here in the United States, there's a lot of suppliers and contractors in Europe. Are you having conversations with organizations that are talking about CMMC and the risks that that may pose to their business?

Dominic Bowen (25:48.463)
No, no, right, right now, European businesses are just they're really insulated, they're they're worried about Trump. And right now, at the time of recording this, my advice to businesses is, you don't have to like Trump, it's irrelevant. He's not your he's not your president. But what he was elected to do is what he's done. What he promised voters he would do he's doing, except

Patrick Spencer (26:08.014)
Mm-hmm.

Dominic Bowen (26:08.824)
implementing the tariffs and that's what you're worried about as a business leader in Europe. You're worried about the tariffs and he hasn't done those yet. So far they're just a threat. He wants you to come on board and do some of them things or the tariffs are coming. So right now business leaders are just worried in Europe, just worried about tariffs and whether they're to come from America if there's going to be a trade war between the US and China and what that will do. You think the US is heavily reliant on China for your supply change. Have a look at European businesses.

So that's their main worry. And then of course, they're just so busy with regulation coming out of the EU right now.

Patrick Spencer (26:43.342)
Thanks, thanks a lot. So now your backgrounds with NGOs, or chunk of your career anyway, you spoke a bit about your public sector experience and how you started off your career. I assume that's how you ended up working with NGOs. It's a unique perspective. And when you talk about risk management with NGOs, is that a different conversation than if you're talking to a private sector organization?

Dominic Bowen (27:08.58)
completely different, completely different. It's really interesting, Patrick. So obviously, I was in the police and then ended up going overseas as a special agent to a few different islands in the Pacific, which was which was very, very interesting. And then I did a couple of tours as a captain within Special Operations Command to Afghanistan and then to Southeast Asia.

which is again, completely different. Special operations command, there is no shortage of money and there is a lot of freedom, a phenomenal amount of freedom in order to do what you need to achieve in the battle space. But then coming out of the government and then going into the non-government sector, there is equally an amazing amount of space. You're going into other countries we worked in, Pakistan, Indonesia, Lebanon, Sudan, Haiti, Bangladesh.

Patrick Spencer (27:29.462)
Interesting.

Dominic Bowen (27:54.492)
in some amazing, amazingly beautiful spots in Yemen and in Huthi controlled areas in Liberia and the jungles during Ebola. And it's amazing. You're, know, you've got millions of dollars to spend. and on the other end of the phone, you just say, I need a hundred doctors. need 200 nurses. need 50 logisticians. we need to build 20 hospitals, you know, Northern Syria. look, we've got a cave. We can build a hospital in. I think we could set up 20, 20 beds in here. So we need, you know, three doctors, 40 nurses.

And these things just start flowing in. know, the public is amazing. And I've got to say, if you're American listeners, the American listeners beyond doubt are some of the most generous, generous people when it comes to supporting people overseas. The Trump administration is getting a lot of grief now for ending foreign aid. And I hope that doesn't occur. But the Americans as a population are so generous and the doctors and nurses from America are the first to get on a plane when something's happening in the Middle East, in Africa, in Asia.

They are the first to get on a plane and just walk away from their jobs and just say, Oh, I need to go over there for a couple of months and provide life-saving assistance. so risk management in those environments, whether it's the working for the government, whether it's for the military or whether it's for an NGO or for a corporate actor, all completely different, but the processes are exactly the same. was a, I was, I was a captain in, uh, in a special operations commands. When we hit the grounds, the first thing you had to do, whether you're jumping out of a helicopter or whether you're going on a long range mission.

is you stop, you take a breath, and you understand the environment. Now you've done all this before you've even got on the helicopter, but when you hit the ground, you don't just start running away, you stop for 30 seconds. Sometimes you might sit there for two hours and just let everything go dead silent. You assess the environment. And it's exactly the same with an NGO when you're setting up a health clinic in Yemen, in Houthi controlled territory. And it's no different when a business leader comes to me and says, we're thinking of opening up operations.

or shifting operations from China to Vietnam. What do we need to do? First thing you need to do is understand the environment. And I think these concepts are really critical. You've got to understand the environment and only then, don't try doing it beforehand. Once you understand the environment, the culture, the language, the people, the politics, the history, the history, then, and only then can you start to identify the risks. And then you can analyze the risks and then you can prioritize them.

Patrick Spencer (30:11.074)
Yeah.

Dominic Bowen (30:18.688)
And only then once you've gone through that long process, then you can start to mitigate them. Too often we go, we're gonna go from China to Vietnam and this is how we're gonna mitigate the risks. Rubbish, rubbish. You won't do it as well. Take the time to do it properly. And throughout all those environments, really understanding the environment has gotta be the first step.

Patrick Spencer (30:35.288)
Hmm, that's fascinating. When's the book and movie coming out?

Dominic Bowen (30:39.459)
You know, I haven't written a book but I've always thought running a marathon and writing a book, they're two things that I would just love to do so I'm gonna have to do at least one of them at some point.

Patrick Spencer (30:47.918)
I think you have some stories that would be fascinating to tell for sure in a book. Get the book and then I'll turn it into a movie. If you want to Clint Eastwood's next movies, you never know.

Dominic Bowen (30:53.174)
I've been very blessed. I've been very, very blessed.

only if Fred Pitt's available.

Patrick Spencer (31:03.138)
Ha ha ha ha ha!

So every podcast nowadays, you can't avoid this topic, generative AI and risk management. And then we've had just recent news with DeepSeek, Alibabi had an announcement yesterday with an AI tool that they're taking to market. You know, how do you, you know, working with an organization, are they thinking about the risk that AI, there's a lot of advantages.

Dominic Bowen (31:32.888)
Thank you.

Patrick Spencer (31:36.142)
that AI offers to organizations and anyone who's not using it's absolutely crazy in my opinion. You gotta be head first into the water. You need to be thinking about it obviously. But are organizations thinking through the risk and do they have the right risk strategies in place to mitigate the potential threats that AI poses?

Dominic Bowen (31:58.966)
You know, we all know and we all recognize that early adopters are usually the generation below us. They're normally the younger generation, not always, but early adopters, they're generally not people in their sixties and seventies. They're generally people in their twenties and thirties, generally speaking, generally speaking, not always, but generally speaking. And yet the people setting the direction for the companies and setting the policies and the guidelines and deciding where money should be spent on training, research and development, are people in their fifties and sixties.

Patrick Spencer (32:22.99)
That's the generation.

Dominic Bowen (32:27.384)
Now that's not wrong. get that. There's reason why people with gray hair are driving most companies, uh, cause they've got the wisdom and the insight, but we're not the early adopters. And I think there is a failure to consider this double-edged sword. And I think that creates a fear. And I think that's a thing I see with a lot of business leaders, great business leaders, people I consider mentors and people I learn from, but there's that fear. And when we're scared of something, we don't normally step into it. We're not normally open to it.

When I'm fearful of something, I'm not sitting there going, tell me more guys, tell me more, I'm open to it. I generally close down and I get nervous when I'm fearful of something. But AI really is, it's transforming risk management. If we look at enhanced predictive analytics, if we look at automation of threat detection, the ability to improve decision-making, and I think my favorite use case is around developing scenarios and potential scenarios.

But there are so many new risks that come with it, you know, including biases, including security vulnerabilities, the regulatory challenges, there's ethical and legal issues, but these can all be mitigated if you're having discussions about them. But if you're not confident on the topic, if you don't know about the topic, then I think it makes it much more difficult to have conversations about using AI to proactively identify patterns about using it and employing it to do real time threat intelligence.

But my gosh, imagine if you had you and two or three of your competitors lined up, but only one of you knew about an emerging threat. What a huge advantage that one company would have. Imagine you and and two mates at a bar having a few too many beers and one of you, one of you having an realization that you're about to get into a fight. Imagine what an advantage that that guy's got. That's exactly what's happening in the business environment. If you can have this real time threat intelligence, this advanced analytics, predictive modeling, better scenarios,

That's exactly what it is. You're that one guy at the bar who hasn't been drinking, who can see that a punch is about to be thrown. He's not going home with a black eye. The other two guys are. And, know, I think if we can have better AI driven simulation scenarios that are based on data that are reflective and specific to your industry and to your company, tools that can help us with better fraud detection, help us identify insider threats within our own companies, identifying suspicious transactions, suspicious behavior.

Dominic Bowen (34:46.498)
My gosh, what a huge advantage that we'd have as companies. But we need to be considering the opportunities, but also the risks that come with it.

Patrick Spencer (34:54.316)
No, I agree. And we found when it comes to data that that's particularly helpful using AI enabled anomaly detection. Dominic never sends files to China. Now he's sending files to China tonight. Something is going on. You flag it. You may even want to stop it until it can be investigated. You never edit certain documents. Suddenly you're editing those documents or touching and viewing those documents. So, yeah, there's a lot of

Dominic Bowen (35:21.077)
Exactly.

Patrick Spencer (35:23.832)
proactive activities organizations can take when it comes to their private data, which we have, as we know, just growing and growing mountains of that data. And AI creates even more and bigger mountains over time. This has been a fascinating conversation. So one, how can folks find your podcast? One, we have a link at the bottom of the show, but just in case folks don't have access to that.

Dominic Bowen (35:24.728)
active.

Dominic Bowen (35:38.092)
Yep.

This has been a fascinating conversation. So one, how can folks find your podcast? We have a link to part of the show, but just in case you have access to that. Yeah, fantastic. Thanks, Patrick. If anyone wants to listen, you can just type in The International Risk Podcast. The International Risk Podcast on Spotify, iTunes, anywhere you listen to your podcasts, and hopefully you'll find it. yeah, there should be some interesting conversations for most people in there.

Patrick Spencer (36:08.354)
That's great. Now folks who want to engage with you or maybe a consulting engagement with TwoSecure, they obviously have your LinkedIn account with today's podcast, but other ways that they should get in touch with you.

Dominic Bowen (36:21.706)
Always happy to have conversations with people. Reach out on LinkedIn. You can reach out via the 2Secure website and you can find me, know, dominic.bowen at 2secure.se. Always happy to have a chat with people. I think it's the best part of my job.

Patrick Spencer (36:35.35)
Yeah, that's great. I thoroughly enjoyed today's conversation and look forward to taking a look at the transcript because there's some bits and pieces that we talked about that were quite fascinating. Well, Dominic, thanks so much for your time today. Thanks to our audience for listening to another Kitecast episode. You can check out other Kitecast episodes at kiteworks.com slash Kitecast.

Dominic Bowen (36:59.554)
Fantastic.

People on this episode