Professional Documents
Culture Documents
Cybersecurity Considerations
Cybersecurity Considerations
considerations
2023
The golden thread
KPMG International
kpmg.com/cyberconsiderations
Digital trust: A shared Unobtrusive security Securing a perimeter-less New partnerships, Trust in Securing a Countering agile Be resilient when — Cyber strategies
responsibility drives secure behaviors and data-centric future new models automation smart world adversaries and where — it matters for 2023
Foreword
Foreword
Our future is dependent on data and digital the interest from those looking to attack and exploit existing processes. Treating every business function
infrastructure. The COVID-19 pandemic accelerated those infrastructures. as a customer and designing security controls with
our shift to digital channels and brought these issues experience in mind can encourage responsible and
With these changes comes a global drive toward
into sharp focus. As global economies, and supply secure behaviors and can benefit the business hugely.”
greater cybersecurity regulation. This increases
chains were disrupted, organizations had to rethink
concern among organizations over the growing burden CISOs will likely also play a major role in activating
their dependencies on goods, services and the digital
of regulation and the diversity of various reporting and shaping a broader dialogue around the resilience
infrastructure that underpins them.
requirements. As a result, businesses are putting of business to digital disruption, helping companies
Breakthrough technologies are expected to shape that more and more emphasis on embedding privacy and better understand the evolving nature of the assets
future — artificial intelligence, blockchain, biometrics, security into how they operate, both in response to the and digital services companies need to protect and
hyperconnected systems and virtual reality, to name changing threats and the need to comply with trans- providing the basis for trust in those systems.
just a few. And all can pose new security, privacy and border regulatory requirements.
The report explores the actions CISOs, specifically,
ethical challenges and raise fundamental questions
Cybersecurity should be integral to every business and the broader business generally, can take in the
about our trust in digital systems. Consensus on
line, function, product and service. Organizations year ahead to demonstrate to boards and senior
tackling those issues can be hard to arrive at with
must aim to ensure that cybersecurity is ubiquitous management that digital trust can and should be
diverse national and cultural views; nonetheless, this is
across the digital enterprise and woven into strategy, a competitive advantage. See page 22 for specific
the environment in which global commerce needs to
development and operations across the board. As people, process, data/technology, and regulatory
thrive, and we need to address concerns now as we
Lisa Heneghan, Chief Global Digital Officer, KPMG recommendations.
innovate, not retrospectively when it’s too late.
International, says:
The list of industries we consider systemically important
“Organizations need to start thinking about
is also changing. In the past, we focused on utilities,
cybersecurity as the golden thread that runs throughout Akhilesh Tuteja
telecommunications and financial services. Now we
their organization. It should be put at the heart of Global Cyber Security Leader
have a complex tapestry of public-private partnerships,
business and used as a foundation to build digital trust. KPMG International
connected ecosystems, and information infrastructures.
But the Chief Information Officer (CISO) and their teams
One look at financial markets shows a hyperconnected
cannot do this alone; it should be the responsibility
world of financial institutions, market infrastructure,
of everyone. This isn’t easy — first, people should
data and managed service providers — all of whom
understand how it relates to them — and then you
are now systemically important. As the degree of
must think about how you can integrate security into
interconnectedness and dependency increases, so does
© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity considerations 2023 2
Digital trust: A shared Unobtrusive security Securing a perimeter-less New partnerships, Trust in Securing a Countering agile Be resilient when — Cyber strategies
responsibility drives secure behaviors and data-centric future new models automation smart world adversaries and where — it matters for 2023
03 04
data-centric future How can organizations keep security,
With the security perimeter all but gone, how privacy and resilience at the forefront in an
can organizations pragmatically and realistically environment where outsourcing and managed
transition to a zero trust approach that protects services are a growing priority?
every aspect of their ecosystem?
05 06
What can organization do to help ensure What are the implications for security and
robotic process automation (RPA), machine privacy teams as companies shift toward a
learning (ML) and other forms of artificial smart, hyperconnected product mindset?
intelligence (AI) are implemented and
managed effectively, sensibly, and securely?
08
where — it matters
07
How can security teams keep up with the
pace of the changing threat landscape and the Why is it important to think beyond response
increasingly aggressive tactics of attackers? and proactively plan for recovery?
© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity considerations 2023 3
Digital trust: A shared Unobtrusive security Securing a perimeter-less New partnerships, Trust in Securing a Countering agile Be resilient when — Cyber strategies
responsibility drives secure behaviors and data-centric future new models automation smart world adversaries and where — it matters for 2023
Consideration 1
Value and trust
Digital trust: Digital trust covers so many topics that
touch every aspect of an organization
and is inherently linked to corporate
Trust is key to success — and is not just
about reputation. Boosting trust can create
competitive advantage and can add to the
A shared
bottom line.
strategy — not just because it can create
a competitive advantage, but because
it is simply the right thing to do for the More than 1/3 of
responsibility
broader industry and society. organizations recognize that
increased trust leads to improved
John Anyanwu
profitability.
Partner, Cyber Security Services
KPMG in Nigeria
© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity considerations 2023 4
Digital trust: A shared Unobtrusive security Securing a perimeter-less New partnerships, Trust in Securing a Countering agile Be resilient when — Cyber strategies
responsibility drives secure behaviors and data-centric future new models automation smart world adversaries and where — it matters for 2023
Businesses are starting to care and Board why this is such an important topic and how
digital trust depends on clearly articulated, business-
Growing numbers of senior leaders recognize the focused strategies.
benefits of digital trust, with 37 percent seeing
As the World Economic Forum (WEF) suggests, Transparency means different things to
improved profitability as the top commercial advantage
companies are beginning to acknowledge that different audiences. While retail consumers
of increased trust.1 Digital trust encompasses a
cybersecurity is as much a strategic business element
wide range of disciplines. Cybersecurity is a major
as enterprise risk, product development and data
demand transparency when incidents
part of that broad spectrum of closely linked digital occur, organizations must know in advance
management. In its report, Earning digital trust:
trust-related issues — reliability, safety, privacy and how the suppliers and partners they
Decision-making for trustworthy technologies, the WEF
transparency. These areas impact how companies
writes, “digital trust requires a holistic approach, where work with protect information. This is
conduct business and pursue values; the products and
cybersecurity is one dimension of trust among many.”3 because organizations have a much higher
services provided; the technology used; how to collect
and use data; and how to protect the interests of obligation to customers and need to be
customers, employees, suppliers, and all other third- What digital trust means to customers certain they can deliver trust in terms of
party partners and stakeholders. information protection.
While the typical retail consumer may not care
By contrast, 65 percent continue to view information about the nuts and bolts of a company’s formal data
protection program, the moment customers learn Henry Shek
security as a risk reduction activity rather than a business
Partner, Cyber Security Services
enabler.2 Many organizations still view cybersecurity of a breach, they want to know what action is being
KPMG China
primarily as a cost and not necessarily as an investment taken and that their interests are at the heart of the
in the future, which is misguided. CISOs should embrace response. The organization can re-establish trust over
the concept of digital trust and demonstrate how security time by responding to the incident expeditiously and
as an enabler for the business will securely support an transparently.
organization’s digital growth agenda.
Today’s consumers understand that breaches happen
CISOs have a significant role in helping their and, gradually, most come back if the company
organizations build digital trust, but they cannot do it offers solid products and services at a competitive
alone. They should invest sufficient time in encouraging price point, there is a consistently positive customer
other critical internal and external stakeholders with experience, and the details around the response to and
respect to their respective roles on the digital trust recovery from a cyber event are clearly communicated
journey. Indeed, CISOs must demonstrate to the C-suite and reassuring.
1
KPMG International, KPMG Cyber trust insights survey, “Building trust through cybersecurity and privacy,” 2022.
2
Ibid.
3
World Economic Forum, Earning Digital Trust: Decision — Making for Trustworthy Technologies,” November 2022.
© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity considerations 2023 5
Digital trust: A shared Unobtrusive security Securing a perimeter-less New partnerships, Trust in Securing a Countering agile Be resilient when — Cyber strategies
responsibility drives secure behaviors and data-centric future new models automation smart world adversaries and where — it matters for 2023
Digital trust strategies that work CISOs must help drive decisions around the right
partners and suppliers. Qualifying criteria must Learn more
It’s vital to embed the concept of digital trust into be established covering transparency regarding
corporate strategy, product development, and the information protection practices and the organization’s
company’s overall market presence and relationship ability to demonstrate adequate recovery and
with corporate and retail customers. Thinking broadly response resilience.
about what digital trust means across different
Make no mistake, regulatory obligations are expected
stakeholder groups can help underline the importance
to grow regarding the components of digital trust, and
of cybersecurity and the other disciplines that
so can expectations over the levels of transparency
contribute to establishing and maintaining digital
and accountability regulators expect from companies
trust, as well as encourage a holistic approach
across disciplines.
in this regard. A principle-based and holistic approach
to meeting the diverse and increasingly complex
Cyber trust insights 2022
Trust is a function of specific technologies developed or regulatory landscape can pay dividends and avoid Building trust through cybersecurity and privacy.
deployed, and the decisions leadership makes. CISOs creating costly compliance-driven silos.
must continually support a narrative for the Board and
It starts at the top and filters down — if leadership
C-suite to clarify why and how cybersecurity is an
accepts and lives this narrative, so should the rest
integral building block for digital trust.
of the organization. That means making it a tangible
feature of the company’s annual report, in which the
company’s philosophy and strategy around digital trust
by design are outlined in detail. With 34 percent of
corporate leaders concerned about their businesses’
Simply put, companies that are able to ability to satisfy reporting requirements for greater
establish trust among all stakeholders transparency over cybersecurity and privacy, KPMG
in their products and services, and how professionals advocate a proactive approach.4 Earning digital trust, together
they operate and protect the business, are Why trust matters more than ever in this
hyperconnected world.
more likely to see positive commercial and
reputational impacts.
Annemarie Zielstra
Partner, Cyber Security Services
KPMG in the Netherlands
© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity considerations 2023 6
Digital trust: A shared Unobtrusive security Securing a perimeter-less New partnerships, Trust in Securing a Countering agile Be resilient when — Cyber strategies
responsibility drives secure behaviors and data-centric future new models automation smart world adversaries and where — it matters for 2023
Consideration 2
Confidence in the CISO
Unobtrusive Ultimately, unobtrusive and intuitive
security controls are a positive for users,
who are your best firewall.
Organizations display high levels of
confidence and strong belief in the CISO's
ability to deliver on crucial tasks.
secure behaviors
accurately map where critical
data is across the enterprise.
© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity considerations 2023 7
Digital trust: A shared Unobtrusive security Securing a perimeter-less New partnerships, Trust in Securing a Countering agile Be resilient when — Cyber strategies
responsibility drives secure behaviors and data-centric future new models automation smart world adversaries and where — it matters for 2023
© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity considerations 2023 8
Digital trust: A shared Unobtrusive security Securing a perimeter-less New partnerships, Trust in Securing a Countering agile Be resilient when — Cyber strategies
responsibility drives secure behaviors and data-centric future new models automation smart world adversaries and where — it matters for 2023
Consideration 3
Data security is a key issue for
Securing a The traditional perimeter security
approach is obsolete in our
interconnected, digital world. CISOs have
stakeholders
In a perimeter-less environment, concerns
perimeter-less and
over how data is protected, used and
to protect a much broader attack surface shared are the leading factors undermining
across public and private infrastructure stakeholders’ trust in an organization’s ability
and a distributed user ecosystem. As a to use and manage its data.
data-centric future
result, CISOs must strive to enable the
business by providing security from
anywhere, with any device, and in a
28% of executives identify ‘a
lack of confidence in the governance
trusted manner. mechanisms in place’ as a leading
factor undermining stakeholders’
trust in an organization’s ability to use
It’s no surprise that business operating models have Natasha Passley and manage its data.
Partner, Cyber Security Services
fundamentally changed over the last decade — becoming
KPMG Australia
more fluid, data-centric, connected ecosystems of
internal and external partners and service providers.
In this distributed computing world, to help reduce
32% also identify ‘a lack of
clarity over why data is required for
the blast radius of any potential outages or breaches, a particular service and the benefits
CISOs and security teams must adopt very different of sharing or providing data’ as
approaches, such as zero trust, Secure Access Service another factor.
Edge (SASE) and cybersecurity mesh models.
Today, the clear business imperative is to enable employees, 36% are concerned over how
their data is protected.
customers, suppliers and other third parties to connect
seamlessly, remotely and securely. The accompanying security
challenge is that, in a perimeter-less environment, organizations
are no longer able to trust every user and device.
35% are concerned over how
their data is used or shared.
Zero trust for perimeter-less businesses
Zero trust approaches can help reduce the blast radius in the
Source: KPMG Cyber trust insights 2022.
event of an outage or breach and limit the impact so the incident
can be better managed and contained.
© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity considerations 2023 9
Digital trust: A shared Unobtrusive security Securing a perimeter-less New partnerships, Trust in Securing a Countering agile Be resilient when — Cyber strategies
responsibility drives secure behaviors and data-centric future new models automation smart world adversaries and where — it matters for 2023
© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity considerations 2023 10
Digital trust: A shared Unobtrusive security Securing a perimeter-less New partnerships, Trust in Securing a Countering agile Be resilient when — Cyber strategies
responsibility drives secure behaviors and data-centric future new models automation smart world adversaries and where — it matters for 2023
Consideration 4
Trusted communities
New partnerships, Although many organizations
outsource certain business
processes to third-party vendors,
External partnerships are expected to also
be vital to success in hyperconnected
ecosystems, but practical barriers stand in the
new models
way of collaboration.
data security and identity and
access management — and
the related controls — remain
internal responsibilities.
79% say constructive
collaboration with suppliers and
clients is vital, but only
Markus Limbach
Gone are the days when security teams focused solely
on the security of their organization’s IT systems.
Partner, Cyber Security Services
KPMG in Germany
42% report doing so.
CISOs need to understand when to hit the brakes,
when to press go on outsourcing cybersecurity efforts
and determine what skills to keep in-house today
and in the future. Security has become a business
60% admit their supply chains
are leaving them vulnerable
priority, delivered through a shared responsibility model to attack.
between the organization and service providers.
© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity considerations 2023 11
Digital trust: A shared Unobtrusive security Securing a perimeter-less New partnerships, Trust in Securing a Countering agile Be resilient when — Cyber strategies
responsibility drives secure behaviors and data-centric future new models automation smart world adversaries and where — it matters for 2023
Knowing what to retain Finding the right blend of skills Learn more
Just as companies cannot simply outsource security, It's crucial — and easier said than done — for CISOs to
they also need the right talent and skills in-house. It takes understand their internal and external responsibilities,
specialized knowledge to set up a repeatable control and navigate the gray area between different models
measurement framework under which internal staff and and disciplines, and manage those complexities by
third-party providers can operate effectively. One of the establishing the appropriate controls.
keys is understanding what to retain in-house in terms Working with outside security providers requires
of security responsibilities and then identifying the most a unique skill set, focusing on management and
effective sourcing strategy for talent in those areas. governance skills rather than technical skills.
Using the cloud as an example, strategically, CISOs have Regardless of the amount of work outsourced,
organizations need to retain solid in-house security
Third-party risk management outlook 2022
to embody multiple personas — broker, orchestrator Time for action.
and integrator — to align the necessary staff and third- knowledge and capabilities. It's also essential that
party skills and manage risk, governance and reporting. dialogue between parties is clear and regular to
That can’t be outsourced fully. Organizations might be ensure implemented controls and KPI reporting are
able to outsource preparation and planning, but, ideally, properly managed. Furthermore, it's crucial to agree
someone in-house who understands the business and on clear incident response processes and run relevant
simulations to test the system.
security environments — and the potentially broad
impact of a cyber incident — should manage the CISOs need to assess their skills base regularly
organizational overlay and quality control. and aim to ensure the organization is equipped to
be an intelligent, collaborative customer of cloud
and managed security services. Doing so requires
understanding the business’s future infrastructure
needs and determining what the security function Evolving vendor, operational and strategic risks
Architecting cyber controls in a cloud should look like to provide the best support. The key Third party risk management.
ecosystem is a different skillset relative word is ‘future’ — look three to five years out and
to more traditional security engineering work back, rather than solely looking at the company’s
skills. The ability to manage cyber across security needs today.
organizations, APIs and disparate technology
sets at business speed requires a level of
sophistication that many organizations lack.
It’s a capability CISOs should aspire to.
Matt O’Keefe
Partner, Cyber Security Services
KPMG Australia Third party and cloud: Regulatory challenges
Companies are forming more frequent and complex
relationships with third parties, introducing new or
elevated risks.
© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity considerations 2023 12
Digital trust: A shared Unobtrusive security Securing a perimeter-less New partnerships, Trust in Securing a Countering agile Be resilient when — Cyber strategies
responsibility drives secure behaviors and data-centric future new models automation smart world adversaries and where — it matters for 2023
Consideration 5
Challenges of AI/ML
Trust in Knowing how the business is thinking
about the use of machine learning is
really important for the security team
There are growing societal and business
concerns over the ethics, security and privacy
implications of adopting AI and ML solutions for
automation
big data analysis.
to add value. Once they have that
understanding, the security team can
look at the systems they’ll use, identify
the right input data, and then work to
78% agree that AI and ML bring
unique cybersecurity challenges.
handle the adversarial risk around using
In the race to innovate and harness emerging technologies, their AI systems.
concerns over security, privacy, data protection and
ethics, while gaining more attention, are often ignored
Michael Gomez
Principal, Cyber Security Services
3 in 4 say AI and ML raise
fundamental ethics questions.
or forgotten. Left unchecked, this negligence could lead KPMG in the US
businesses to sabotage their potential, especially with
new AI privacy regulations on the horizon.
© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity considerations 2023 13
Digital trust: A shared Unobtrusive security Securing a perimeter-less New partnerships, Trust in Securing a Countering agile Be resilient when — Cyber strategies
responsibility drives secure behaviors and data-centric future new models automation smart world adversaries and where — it matters for 2023
Building trustworthy and credible Machines, like DevOps, are beginning to assume a role
in shortening the development lifecycle and ensuring Learn more
AI models continuous delivery. And if businesses don’t bring
security into that machine-powered environment, it may
Are companies utilizing AI appropriately and getting never achieve scale because people simply won’t trust it.
the most productive output? With the insurance use To that end, 76 percent of executives agree that AI/ML
case, there are instances where the algorithm makes adoption requires additional safeguards around how AI/
decisions about applicants' who live in specific areas. ML systems are trained and monitored.5
Those who live in less-affluent neighborhoods were
rated differently than those who live in more upper-class
neighborhoods. As a result, premiums would differ based AI and data privacy
on the applicant’s address. AI bias can be viewed as
discriminatory and needs to be reined in.
AI elevates many core privacy principles — empowering
security teams to analyze customer data more deeply,
Is my AI secure?
for example — but organizations need to think about Understanding the cyber risks of artificial intelligence
Historically, applications were developed to run uniformly to your business.
— the relationship between the inputs and corresponding proportionality with respect to the amount of data it
outputs was not supposed to change. That was what collects relative to the data minimization requirements
developers tested against. The end user decided if they in certain regulations. Similarly, considering AI has
liked using the application and whether or not they the potential to embed existing biases, there must be
wanted to continue doing business with the developer. transparency around the output.
ML and AI tools are designed to learn and evolve. And Regulators, governments and industry must work
that evolution represents a massive transformation in together. AI regulation isn’t just a privacy issue. It
how companies must now think about these systems, requires data scientists to work with privacy specialists
how they've been trained and their fit for purpose. to determine what requirements should be built into
the technology to make it safe, trustworthy and privacy
People have mixed feelings and understanding of AI. And sensitive. And governments need to set the tone and
many companies simply don’t have many professionals
who understand AI, let alone how to secure it.
establish an overarching digital agenda to inspire the Trust in artificial intelligence: Global insights 2023
industry to put budget behind innovation.
Global survey exploring people’s trust in AI and benefits and
While various government bodies sometimes seem to risks for business and society.
approach AI as a competition, regulators are also starting
to try to limit intrusive and high-risk applications of
AI is powerful but can be harmful to emerging AI capabilities.
individuals if the automated decision-making
Following the G20 adoption of principles for trustworthy
is inadvertently biased or discriminatory. AI, there have been major developments in AI risk
management and regulation. Singapore was fast off the
Sylvia Klasovec Kingsmill mark with its AI security standard, the National Institute
Partner, Privacy of Standards and Technology (NIST) has published its AI
KPMG in Canada risk management framework and the EU AI act will follow
later in the year. Regulation in this space is expected to
5
KPMG Cyber trust insights survey. Op cit.
ultimately have an impact as significant as GDPR has had
on privacy. Many companies need to prepare.
The path to transparency — and trust
Corporate data responsibility survey.
© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity considerations 2023 14
Digital trust: A shared Unobtrusive security Securing a perimeter-less New partnerships, Trust in Securing a Countering agile Be resilient when — Cyber strategies
responsibility drives secure behaviors and data-centric future new models automation smart world adversaries and where — it matters for 2023
Consideration 6
CEO cyber outlook
Securing a smart The pace of technological innovation is
not slowing down, and it often forces
regulators and security teams to play
Growing experience of the challenges
of cybersecurity is also giving CEOs a
clearer picture of how prepared — or
world
underprepared — they may be.
catch-up. CISOs should neither wait for
the next wave of regulations, nor rely
on regulation alone and instead take a
proactive and pragmatic approach to
24% of CEOs recognize they’re
underprepared for a cyberattack,
implement security controls throughout compared to 13 percent in 2021.
Businesses across almost every industry are shifting to the product lifecycle and supply chain.
a product mindset — focusing on developing network- This is no small feat, and success will
enabled services and managing their supporting devices. likely depend on how well CISOs engage
CISOs and their teams are getting pulled into discussions with other functions across the business. 56% say they’re prepared.
with engineering, development and product support teams Walter Risi
as organizations realize product security matters too. Partner, Cyber Security Services
KPMG in Argentina
In today’s smart-product-focused environment, some emerging 3/4 say their organization
has a plan in place to deal with
drivers or enablers dominate:
ransomware attacks.
5G Quantum computing
Offers speed, Massively cuts
hyperconnectivity
and reduced latency.
processing and
calculation time. 3 in 4 CEOs say that protecting
their partner ecosystem and supply
Trust architectures Software 2.0 chain is just as important as building
their organization’s cyber defenses.
Help to ensure that Rapid, AI-written code that
data and identities are can reduce complexity
secure and trusted while increasing
from one connected development speed from
device to another. months to weeks.
Applied AI
Real-world fundamental application of artificial intelligence Source: KPMG 2022 CEO Outlook.
as a developmental wrapper around smart products.
© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity considerations 2023 15
Digital trust: A shared Unobtrusive security Securing a perimeter-less New partnerships, Trust in Securing a Countering agile Be resilient when — Cyber strategies
responsibility drives secure behaviors and data-centric future new models automation smart world adversaries and where — it matters for 2023
© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity considerations 2023 16
Digital trust: A shared Unobtrusive security Securing a perimeter-less New partnerships, Trust in Securing a Countering agile Be resilient when — Cyber strategies
responsibility drives secure behaviors and data-centric future new models automation smart world adversaries and where — it matters for 2023
Consideration 7
Cybersecurity teams are
Countering agile Attackers are going to gain access — that
has to be accepted. It's about reducing
dwell time. What’s critical is whether
struggling to keep up
Cybersecurity teams are under pressure
adversaries
to keep up with evolving threats, with
their presence and actions are detected talent shortages frequently undermining
within hours, days, weeks or months. security efforts.
Charlie Jacco
Principal, Cyber Security Services
KPMG in the US
Over 1/2 of organizations
admit they are behind schedule with
their position on cybersecurity.
The time from initial compromise to enterprise-wide
ransomware activation is shrinking. Increasingly, rogue
and state-sponsored attackers can penetrate systems
with automated tooling and accelerate the exploitation More than 50% are
either very or extremely confident
of systems. Security operations should be optimized and
in combatting various cyber threats,
structured to fast-track the recovery of priority services
including from organized crime
when an incident occurs, which can reduce the impact on groups, insiders and compromised
clients, customers and partners. supply chains.
© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity considerations 2023 17
Digital trust: A shared Unobtrusive security Securing a perimeter-less New partnerships, Trust in Securing a Countering agile Be resilient when — Cyber strategies
responsibility drives secure behaviors and data-centric future new models automation smart world adversaries and where — it matters for 2023
© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity considerations 2023 18
Digital trust: A shared Unobtrusive security Securing a perimeter-less New partnerships, Trust in Securing a Countering agile Be resilient when — Cyber strategies
responsibility drives secure behaviors and data-centric future new models automation smart world adversaries and where — it matters for 2023
Consideration 8
The regulatory outlook
Be resilient when — It’s critical for CISOs to engage with the
business early and often to help ensure
a clear, yet flexible resilience strategy is
Lawmakers and regulators are paying
greater attention — increasing demands for
transparency and oversight. Many organizations
and where —
are concerned about navigating an increasingly
properly set ahead of time, rather than complex global regulatory landscape.
testing it in the middle of a crisis.
36%
it matters
Dani Michaux
worry about their
Partner, Cyber Security Services
ability to meet existing or new
KPMG in Ireland
cybersecurity regulation when
activities are outsourced to digital
service providers.
© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity considerations 2023 19
Digital trust: A shared Unobtrusive security Securing a perimeter-less New partnerships, Trust in Securing a Countering agile Be resilient when — Cyber strategies
responsibility drives secure behaviors and data-centric future new models automation smart world adversaries and where — it matters for 2023
Also, many organizations have yet to truly consider recovery — the components of resilience — require
what they need to do proactively to be resilient. They coordination. This can be achieved through a small
assume they have a backup plan and sufficient security ‘crisis board’ comprising the CISO, the CEO, CFO and
controls. What if they don’t have a plan for a particular the chief legal counsel.
scenario, and business operations halt? This has severe
Unfortunately, this important group doesn’t formally
There must be a structure in place and an
financial and reputational ramifications, let alone understanding of the potential trajectory
exist at many companies because they don't think it
regulatory. There's also a psychological component. of a cyber event. Having a plan and a clear
will happen to them. And if it does, they believe their
CISOs need to have ongoing conversations with their
C-suite colleagues and the Board about the nature
business continuity plan — which in many cases is approach for marshaling resources can be
several years old and aligned to an outdated set of use the difference between a 60-day nightmare
and motivations of attackers: the harder they hit you,
cases — is sufficient. It’s not. and a 30-day nightmare.
the more likely you are to pay, and they know it. Most
organizations still struggle to understand what they’re
really up against. Recovering to your minimal viable Jason Haward-Grau
Principal
© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity considerations 2023 20
Digital trust: A shared Unobtrusive security Securing a perimeter-less New partnerships, Trust in Securing a Countering agile Be resilient when — Cyber strategies
responsibility drives secure behaviors and data-centric future new models automation smart world adversaries and where — it matters for 2023
© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity considerations 2023 21
Digital trust: A shared Unobtrusive security Securing a perimeter-less New partnerships, Trust in Securing a Countering agile Be resilient when — Cyber strategies
responsibility drives secure behaviors and data-centric future new models automation smart world adversaries and where — it matters for 2023
© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity considerations 2023 22
Digital trust: A shared Unobtrusive security Securing a perimeter-less New partnerships, Trust in Securing a Countering agile Be resilient when — Cyber strategies
responsibility drives secure behaviors and data-centric future new models automation smart world adversaries and where — it matters for 2023
How KPMG
professionals
can help
KPMG firms have experience across the continuum — from
the boardroom to the data center. In addition to assessing your
cybersecurity and aligning it to your business priorities, KPMG
professionals can help you develop advanced digital solutions,
implement them, monitor ongoing risks and help you respond
effectively to cyber incidents. No matter where you are in your
cybersecurity journey, KPMG firms can help you reach your
destination.
As a leading provider and implementer of cybersecurity, KPMG
professionals knows how to apply leading security practices and
build new ones that are fit for purpose. Their progressive approach
to cybersecurity also includes how they can deliver services, so no
matter how you engage, you can expect to work with people who
understand your business and your technology.
Whether you’re entering a new market, launching products and
services, or interacting with customers in a new way, KPMG
professionals can help you anticipate tomorrow, move faster and
get an edge with secure and trusted technology. That’s because
they can bring an uncommon combination of technological
experience, deep business knowledge, and creative professionals
passionate about helping you protect and build stakeholder trust.
KPMG. The Difference Makers
© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity considerations 2023 23
Digital trust: A shared Unobtrusive security Securing a perimeter-less New partnerships, Trust in Securing a Countering agile Be resilient when — Cyber strategies
responsibility drives secure behaviors and data-centric future new models automation smart world adversaries and where — it matters for 2023
Akhilesh Tuteja Kyle Kappel Dani Michaux Matt O’Keefe Prasad Jayaraman
Global Cyber Security Leader Cyber Security Services EMA Cyber Security Leader ASPAC Cyber Security Leader Americas Cyber Security Leader
KPMG International Network Leader Partner, KPMG in Ireland Partner, KPMG Australia Principal, KPMG in the US
Partner, KPMG in India Principal, KPMG in the US E: dani.michaux@kpmg.ie E: mokeefe@kpmg.com.au E: prasadjayaraman@kpmg.com
E: atuteja@kpmg.com E: kylekappel@kpmg.com
In addition to serving as the As the US Leader of KPMG’s In more than 22 years in Matt is responsible for driving With more than 17 years of
Global Cyber Security practice Cyber Security practice, Kyle cybersecurity, Dani has worked KPMG’s cyber strategy within experience in identity management
leader, Akhilesh heads the IT has more than 20 years of with government agencies on the 12 KPMG member firms practice, Prasad is an intuitive
Advisory and Risk Consulting experience in the information national cybersecurity strategies in Asia Pacific. He has more and results-oriented leader with a
practices for KPMG in India. systems field and a diverse and with international regulatory than 25 years of technology, strong track record of performance
He is passionate about how background in cybersecurity, data bodies on cyber risk. She has finance, assurance and advisory in technology-related professional
developments in information privacy, regulatory compliance, extensive experience working experience, focusing on financial services organizations. He has
technology can help businesses risk management, and general services industry clients. Matt superior interpersonal skills and
with clients to improve Board-level
drive smart processes and technology issues. While he has specializes in technology advisory, can resolve multiple complex
understanding of cybersecurity
effective outcomes. Akhilesh strong technical skills, Kyle utilizes particularly in superannuation and challenges in all aspects of
matters. She has built and
has advised over 200 clients a business-centered approach wealth management, banking and business, from sales, human
on cybersecurity, IT strategy to solving technology problems managed cybersecurity teams as insurance, and provides a range resources and legal to finance and
and technology selection and by addressing root causes rather a CISO at telecommunications of services across technology operations. He has directed cross-
helped them realize the business than technical symptoms. He's and power companies in Asia. governance and risk, cybersecurity, functional teams with motivational
benefits of technology. He is a trusted advisor to numerous Dani advocates for inclusion project management, IT strategy leadership and a personal touch that
also knowledgeable in the area Fortune 500 organizations, and diversity and women’s and performance. He is deeply inspires loyalty and a willingness to
of behavioral psychology and is working with senior executives, participation in computer interested in using technology give 100 percent.
enthusiastic about addressing the including Boards of Directors, audit science and cybersecurity. She to advance organizational goals,
IT risk issues holistically, primarily committees, Chief Information previously led the Cyber Security enabling clients’ digital strategies
through the application of user- Officers, Chief Financial Officers, and Emerging Technology Risk and operating models, and
behavior analytics. Chief Operating Officers, Chief practices for KPMG in Malaysia protecting data, assets and
Technology Officers and Chief and the ASPAC region and also led systems.
Information Security Officers. KPMG’s global IoT working group.
© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity considerations 2023 24
Digital trust: A shared Unobtrusive security Securing a perimeter-less New partnerships, Trust in Securing a Countering agile Be resilient when — Cyber strategies
responsibility drives secure behaviors and data-centric future new models automation smart world adversaries and where — it matters for 2023
Acknowledgements
This report would not be possible without Our Global collaborators
the invaluable planning, analysis, writing
and production contributions of colleagues
around the world. John Anyanwu Prasad Jayaraman Walter Risi
Partner, KPMG in Nigeria Principal, KPMG in the US Partner, KPMG in Argentina
john.anyanwu@ng.kpmg.com prasadjayaraman@kpmg.com wrisi@kpmg.ar
The Global cyber considerations team Jonathan Dambrot Sylvia Klasovec Kingsmill Motoki Sawada
Principal, KPMG in the US Partner, KPMG in Canada Partner, KPMG in Japan
Jessica Booth
jdambrot@kpmg.com skingsmill@kpmg.ca motoki.sawada@jp.kpmg.com
David Ferbrache
John Hodson David Ferbrache Markus Limbach Henry Shek
Billy Lawrence Head of Cyber Innovation Partner, KPMG in the US Partner, KPMG China
KPMG International mlimbach@kpmg.com henry.shek@kpmg.com
Leonidas Lykos
david.ferbrache@kpmg.com
Michael Thayer Deepak Mathur Julia Spain
Jayne Goble Principal, KPMG in the US Partner, KPMG in the UK
Director, KPMG in the UK deepakmathur@kpmg.com julia.spain@kpmg.co.uk
jayne.goble@kpmg.co.uk
Dani Michaux Eddie Toh
Jason Haward-Grau Partner, KPMG in Ireland Partner, KPMG in Singapore
Principal, KPMG in the US dani.michaux@kpmg.ie eddietoh@kpmg.com.sg
jhawardgrau@kpmg.com
Matt O’Keefe Akhilesh Tuteja
Lisa Henegan Partner, KPMG Australia Partner, KPMG in India
Global Chief Digital Officer mokeefe@kpmg.com.au atuteja@kpmg.com
KPMG in the UK
lisa.heneghan@kpmg.co.uk Natasha Passley Annemarie Zielstra
Partner, KPMG Australia Partner, KPMG in the Netherlands
Charles Jacco npassley@kpmg.au zielstra.annemarie@kpmg.nl
Partner, KPMG in the US
cjacco@kpmg.com
© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity considerations 2023 25
Contact us
Akhilesh Tuteja Kyle Kappel Dani Michaux
Global Cyber Security Leader Principal, Cyber Security Services EMA Cyber Security Leader
KPMG International and Partner Network Leader and Partner
KPMG in India KPMG in the US KPMG in Ireland
atuteja@kpmg.com kylekappel@kpmg.com dani.michaux@kpmg.ie
Some or all of the services described herein may not be permissible for KPMG
audit clients and their affiliates or related entities.
kpmg.com/socialmedia
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such
information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
KPMG refers to the global organization or to one or more of the member firms of KPMG International Limited (“KPMG International”), each of which is a separate legal entity. KPMG International Limited is a private English company limited by
guarantee and does not provide services to clients. For more detail about our structure please visit kpmg.com/governance.
© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved.
The KPMG name and logo are trademarks used under license by the independent member firms of the KPMG global organization.
Designed by Evalueserve | Publication name: Cybersecurity considerations 2023 | Publication number: 138614-G | Publication date: February 2023
© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved. Cybersecurity considerations 2023 26