Cyber security nowadays encompasses and affects almost every aspect of a technological business. It is no longer an issue that only security and IT professionals deal with. There must be a shift from cyber security being solely the responsibility of IT professionals to an understanding that it is a shared responsibility of the whole enterprise. A CISO must be able to wear multiple hats and align a company's business strategy with its cyber strategy. It is therefore essential that security is incorporated into the business process, and CISOs should help business leadership make this transition possible.
Present before the COVID crisis but accelerated by it is an increased need for speed-to-market, coupled with an acknowledgment of the risks involved. In the present economy, there is a severe shortage of skilled cyber security professionals. KPMG recommends looking into alternative ways of addressing this gap, for example by incorporating gig economy workers and cyber security automation. Additionally, CISOs are urged to attract a wider range of talent to cyber security, breaking down barriers to inclusion and thereby drawing a larger pool of people into the field.
As cloud adoption has skyrocketed within organizations, the cyber security landscape has changed. The processes and skills required for ‘traditional’ cyber security may no longer apply to cloud security. According to KPMG’s report, 90 percent of organizations may be vulnerable to security breaches related to cloud misconfigurations. CISOs need to work with their teams to understand cloud-specific cyber security requirements and adopt security practices built for the cloud. This should be done within the regulatory framework, taking into account how regulations such as the GDPR or HIPAA affect cloud security.
As millions of employees shift to remote work and purchase goods from anywhere in the world through their phones, it is increasingly important to place identity management and zero trust at the heart of business processes. Zero trust should no longer be viewed as a technology or feature, but rather a security standard. CISOs should make zero trust an approach to security, with identity being the central component of any zero trust model.
Automation frees up resources that would otherwise be spent on mundane, repetitive tasks. This also applies to cyber security, where vulnerability scanning, log analysis and compliance checks are increasingly executed automatically rather than by a highly skilled professional. Automation lets security professionals concentrate on truly critical assets rather than spend time on lower-level threats that automation can handle. CISOs are encouraged to use automation to its full advantage.
At present, cyber security and data privacy are seen as distinct disciplines and often operate separately from one another. As awareness and recognition of data privacy grow, there is an ever-increasing need to view privacy not as a standalone legal discipline but as a multi-disciplinary field. Privacy should be intertwined with security, with companies incorporating a privacy-by-design approach into their business.
Companies nowadays are increasingly dependent on robust supply chains and multiple business partners. Such dependencies have led 79% of cyber teams to recognize that protecting a business’s partner ecosystem and supply chain is just as important as building their own cyber defenses. The result is a network of businesses operating together, each requiring adequate controls to protect its own and its partners’ data simultaneously. It is necessary to create a strong risk management framework that addresses cyber risks both within and outside the organization. This requires a proactive role from CISOs, using automation, continuous monitoring and zero trust models to achieve security beyond the boundaries of their enterprise.
The KPMG report encourages CISOs to initiate conversations with senior leaders in the organization on the assumption that the company must be ready for a cyber-attack. A company resilient to cyber-attacks is one that assesses the key operational processes of its business and strategy. CISOs should reframe the cyber resilience conversation as a company-wide effort to mitigate cyber-attacks and identify the greatest risks.
Hopefully, this article brings thoughtful recommendations for you as an organization or CISO serving an organization. For a detailed overview, access the full report HERE.