''What security issues should we be aware of?'' This well-intentioned client inquiry regarding operations in a foreign country recently gave me pause as I struggled to understand exactly what the client wanted. Was the client looking for an on-the-ground review of major violent risks, like crime and terrorism? If so, did that mean the client was not interested in the more strategic geopolitical risk of interstate war? What about environmental and health concerns — did the client care about infectious diseases, natural disasters and other threats? Or could it be that the client really cared about cybersecurity in terms of protecting IP and other sensitive data?

Of course, we could answer all of those questions, but running through that checklist in my head made me realize a more foundational question: what exactly does ''security'' mean today? As analysts, we must always consider situations from various points of view and, especially when considering client questions, properly scope our responses. But the truth about ''security,'' no matter how straightforward it may seem, is that it may be just as difficult to define as it is to truly achieve complete safety.

A Shifting Paradigm

As students of international relations theory will be quick to highlight, in its traditional sense, ''security'' is a realist concept that refers to a state's ability to protect itself from foreign attack. For realists, the global environment is a dangerous place and, as the most important actors in the international system, states at their most fundamental level must survive. In this conception, security is defined in opposition to external attack and there is no need to consider what happens within states themselves.

While a neatly-organized concept, over time many other theories have chipped away at realism's dominance. For instance, it is obvious that security within states can matter just as much as security between them, as evidenced by the violent toll of civil war, insurgency and other internal conflicts. Even this external versus internal distinction is an incomplete picture amid the rise of a wholly new environment like cyberspace as a zone of not just competition but outright conflict.

Moreover, as recently highlighted by our analysts, it is clear that ''security'' does not affect everyone equally, but rather some groups (such as women) often suffer disproportionately. Similarly, this focus on the individual illustrates that states are far from the only relevant actors: witness the lethal violence conducted by terrorist groups, criminal syndicates and other non-state actors. Even some private companies could find themselves listed here.

Perhaps most structurally: is ''security'' only about safety from physical violence? Following the darkest days of the COVID-19 pandemic, I do not think anyone would deny that ''health security'' needs to be a bigger priority. Meanwhile, in the wake of Russia's invasion of Ukraine, the concepts of ''economic security'' and, especially, ''energy security'' are back in vogue. And if you ask many companies, you would probably hear that ''data security'' or ''supply chain security'' are at the forefront of their concerns. Amid these different interpretations, what gets labeled as ''security'' (in some cases, now synonymous with ''self-sufficiency'') has thus become much broader over time — a process known (and at times critiqued) as ''securitization''.

What Is Old Is New Again

Despite the expanding concept of ''security,'' realists have always argued that their fundamental contention about a state needing to prevent external attack has stood the test of time. In this respect, Russia's invasion of Ukraine seemed to be tragic vindication and has duly inspired a flurry of headlines arguing various versions of ''realism is back.'' There is no debating that the return of land war to Europe (and growing concerns over Chinese predations on Taiwan) shows that territorial integrity, the basis of the traditional realist idea of ''security,'' cannot be taken for granted in the 21st century. But while realists are right to point out that a state's most basic duty remains to protect itself, there is no reason to think that interpretations of ''security'' will not continue to expand in its environments, key actors and basic conceptions.

First, a future shift in what counts as a security environment is already coming into focus. Outer space — once a merely theoretical area of competition and, in turn, potential conflict — is coming closer to reality every year. This will add to yet another domain to monitor beyond the already contested land, air and sea realms here on Earth, and more recently the rise of cyberspace (which still has a long way to develop before it is as well-defined as those other three).

Meanwhile, for all the powers that states have, it is also clear that they are far from the only key players. The recent past has seen the introduction of new non-state actors with disproportionate impact. In addition to the rise of cybercriminals, there has also been a re-emergence of mercenary groups — a relic some had thought was left behind centuries ago, illustrating the dynamism in what actors matter for security. Looking ahead, new threats can be sure to arise from other actors, such as individual hacktivists (whose capabilities seem to be only growing) and multinational companies (the largest of which have arguably supplanted many states in their power).

Finally, the future broadening of ''security'' beyond just physical violence is also easy to conceive. Once seen as relevant only to poorer countries, ''food security'' is another example of ''security'' as ''self-sufficiency'' that has become more widely resonant over the past year amid the Ukraine-related shocks to global food supplies and prices; and it is a focus that will likely endure long after the fighting in Ukraine ceases as governments seek to mitigate future crises, including those brought on by climate change. Relatedly, ''environmental security'' will also only grow in tandem with the impacts of climate change. And from a corporate perspective, something akin to ''reputational security'' may in fact be the greatest threat many firms face.

All or Nothing

As the concept of ''security'' comes to mean ever more things, it consequently becomes much harder to achieve. After all, in trying to do everything at once, we often risk doing nothing particularly well. This will create obvious challenges for governments that must decide how to prioritize resources, particularly as there will be inevitable tradeoffs. For instance, as seen over the past year, a clear tension is playing out in real time between short-term ''energy security'' and long-term ''environmental security.'' There will also be inevitable debates over whether to invest in defenses against future threats that may not emerge for many years compared with more immediate ones. Indeed, despite the staggering toll of COVID-19, most governments are loath to make major new investments in fundamental ''health security'' now that the most acute period of the crisis is over. Finally, investing in some forms of security, such as that regarding the emerging domain of outer space, will simply be out of reach for many poorer states, which will cede their ability to control events there. Magnifying all of these challenges is that what may be strategically wise could also be politically unpopular or divisive; after all, partisan politics often lurks amid many security threats.

If leaders within states struggle to agree on priorities, global coordination will be even more challenging. For instance, what some states see as a truly existential threat (like climate change) may benefit others; low-lying island nations are seeing their territory erode amid rising sea levels at the same time northern nations like Canada and Russia are seeing theirs expand amid the thawing ice in the Arctic. Similarly, what some states see as a security threat (such as cyberattacks) may also be a deliberate part of other states' strategies that they seek to amplify, not contain. Moreover, even if states desire to work together to prevent conflict, fundamentally differing interests (such as those over outer space) may still inhibit cooperation. And of course, all of these challenges are magnified in an emerging multipolar world in which the mechanisms for global collaboration are quickly fraying, if not already decisively split.

If the challenges for governments loom large, those for businesses may loom even larger. After all, the public sector is expected to deal with weighty security matters every day, whereas such matters are generally (at best) a secondary concern in the private sector compared with the business of business, so to speak. But companies are increasingly being pressured to do far more than their basic business functions, from taking a stand on high-profile political issues to being leaders in reducing carbon emissions and, in some cases, even being the primary defenders against certain security threats (such as those in cyberspace).

Looking ahead, organizations should only expect more of these responsibilities to pile on. As the post-World War II liberal international order continues to erode and the global system becomes more chaotic and uncertain, companies will increasingly be asked to do more as competing states struggle to coordinate. This will raise uncomfortable questions in boardrooms and challenge corporate leaders to rethink the scope of their activities. They may no longer be just an industrial firm or a services provider, but also an ostensible provider of security (whether it be cyber, health, environmental or another form of security). And what happens inside those boardrooms will increasingly have impacts elsewhere — in some cases life or death ones.

Corporate Security Is Everyone's Business

To return to the original client question, then, asking what security considerations companies need to know may require a much more expansive answer than originally intended. Businesses no longer can only consider common threats like crime, but must also remember that every employee is an ambassador for their corporate reputation, the first line of defense for their cyber networks and a potential vector for disease (on top of the many other security-linked responsibilities that are unlikely to be part of their formal job requirements).

This reality will make the jobs of corporate security officers that much harder as they become responsible for preventing an ever-growing list of threats for the sake of not only their companies but, in some cases, their countries. In this new, more complex security environment, merely taking a business trip may have much weigher implications that require we, as analysts, to adjust our focus accordingly to ensure our clients are as prepared as possible.