KPMG Romania: Cyber considerations CISOs should prioritize in 2023
Trust is key to success, and it is not just about reputation. Boosting trust can create competitive advantage and add to the bottom line. The results of the latest KPMG study, “Cybersecurity considerations 2023”, show that more than one third of organizations recognize that increased trust leads to increased profitability.
Our future is dependent on data and digital infrastructure. We now have a complex tapestry of public-private partnerships, connected ecosystems, and information infrastructures. And as the degree of interconnectedness and dependency increases, so does the interest from those looking to attack and exploit those infrastructures.
Breakthrough technologies also pose new security, privacy and ethical challenges and raise fundamental questions about trust in digital systems. This is the environment in which global commerce needs to thrive, and we need to address concerns now as we innovate, not retrospectively when it’s too late.
The annual Cybersecurity considerations report identifies eight considerations that CISOs (Chief Information Security Officers) should prioritize in 2023 as they seek to accelerate recovery times, reduce the impact of incidents on employees, customers and partners, and ensure their security plans enable — rather than expose — the business. The report also explores the key actions CISOs should take to meet the challenges ahead and to help ensure security is the organization’s golden thread, woven into the business across the board and providing the basis for trust.
“We can say without any doubt that cybersecurity has become a market differentiator, and its influence in any corporate governance will become more and more significant,” states Gabriel Mihai Tănase, Partner, Technology and Cyber, KPMG in Romania. “And it is not just about corporate governance,” he continues. “Regulators all over the world (also in Romania in the past couple of years) are more and more interested in the (cyber) security of IT systems and networks, regardless of whether they are located on the company premises or outsourced,” he concludes.
The last three years have brought new challenges to the world (and to our region in particular): first the pandemic, which moved much of the workforce into a hybrid working environment and thus expanded the potential for cyber attacks, and then the war in Ukraine, which led to increased attacks focused mainly, but not only, on critical infrastructure. The probability that a cyber attack succeeds has therefore increased substantially, and ransomware attacks have grown as a result. This trend will continue if security professionals don’t make it harder for the attackers. But this is easier said than done: the KPMG Cybersecurity considerations study found that the #1 internal challenge in achieving cybersecurity goals is the lack of skills.
“Lack of skills is the main challenge, regardless of whether we are talking about IT or cyber security,” states Gheorghe Vlad, Director in the Cyber practice of KPMG in Romania. “Although we see a trend on the market in which people are more and more interested in a cyber security job, the fast pace of technology development and growing cyber risks will make it virtually impossible for the supply of skills in this arena to cope with the demand,” he continues. “Awareness among employees, combined with the development and retention of technical cyber expertise, should be the main priority for businesses in the coming years,” Gheorghe concludes.
External partnerships are expected to be vital to success in hyperconnected ecosystems, although practical barriers stand in the way of collaboration. The days when security teams focused only on the security of their own organization are long gone: today security is borderless. But although 79% of organizations say that constructive collaboration with suppliers, clients and third parties in general is vital, only 42% of them report actually doing so. So, as always, there is a difference between knowing the path and walking the path. Most executives place the responsibility for this on the CISO’s shoulders, but it is really a joint effort: business users explain what services they are about to acquire; the CISO identifies the information security risks and the measures and controls most appropriate to address them; and legal and compliance officers ensure that contracts include relevant, binding provisions that protect the company’s systems and data.
The KPMG study identifies a number of strategies in relation to People, Process, Data and technology, and Regulatory that the CISO should consider in the near future such as:
People – Prioritizing a robust cybersecurity culture that is interesting and engaging for employees, encouraging them to do the right thing and act as human firewalls.
Process – Building consistent approaches to cyber risk management with an understanding of threat scenarios and attack paths to help inform attack surface reduction and prioritize control improvements.
Data and technology – Considering cybersecurity and privacy issues up front when exploring emerging technologies, including the evolving risks associated with adopting new technologies (such as AI systems).
Regulatory – Aligning the security and privacy compliance strategy with the company’s broader business strategy to help ensure stakeholders from across the organization are on the same page.
For more information about the KPMG study and to download a full copy of the results, please visit Cybersecurity considerations 2023 – KPMG Global