Here are some key takeaways from our DX Coffee Chat on key trends in cybersecurity, privacy, and emerging technologies:
Talent shortages and burnout create new risks
The pandemic changed the way we work, accelerating digital transformation and shifting organizations toward permanent remote or hybrid workforces, which has created new security risks. But there’s another factor at play. Starting with the Great Resignation and now with Quiet Quitting, there’s a shortage of talent in the workforce, and those who’ve stayed may be feeling the pressure. This should be a notable concern for leaders. “Employees are feeling overworked and burned-out,” said Ireen Birungi, VP of Information Security and CISO at Interac Corp.
That means they’re more susceptible to making mistakes or becoming a victim of phishing campaigns. “As we start to digitize our data, these distractions are real and can lead to these scenarios,” said Birungi, adding that it’s the job of the CISO to create an ecosystem of protection, including detection, protection, response, and recovery, as well as build a culture of security awareness. Technology leaders can also turn to automation to address staff shortages and repair skills gaps, according to KPMG’s 2022 cyber report.
New technologies require an agile approach
When OANDA started working with agile development processes, they quickly realized that security would be a roadblock. “You can’t spend two months doing a security assessment on a third party. You need to do it in a couple of hours. So that was a big shift in how we work together,” said Andrea Stapley, CISO of OANDA.
Taking advantage of new technologies and lean processes, and doing so securely, required a shift in thinking. For OANDA, that meant a shift from on-prem expertise to relying on partners, as they built out a Cloud Centre of Excellence. But they took it a step further and teamed their top people with vendor partners to reskill and upskill them. “We saw a shift in having to rely on our vendor partners and not pretend that we’re the experts,” said Stapley. “We really needed our partners in that transformation journey, and that was a key part of our success.”
Regulatory guidance is evolving and leaders need to adapt quickly
Standards have been evolving quickly since the EU launched General Data Protection Regulation (GDPR) compliance in 2018 to modernize laws that protect personal information. This has inspired governments around the world to enact similar, higher standards. “The Canadian government wants to compete on the world stage to be better data innovators, but you can’t really do that with rules that aren’t fit for purpose. So, there’s a huge modernization effort here in Canada,” said Sylvia Kingsmill, Global Cyber Privacy Leader with KPMG in Canada.
Québec was the first Canadian jurisdiction to table Bill 64, now called the Privacy Legislation Modernization Act (Law 25), which has brought about sweeping changes “because the law actually has teeth,” she said. But more is coming with respect to emerging technologies such as AI, biometrics, and digital identities—and it’s an area where organizations will want to stay abreast of regulatory guidance from leading entities such as the European Data Protection Board and take proactive measures.
There’s no silver bullet
KPMG’s CEO Outlook revealed that two-thirds of Canadian business leaders intend to rapidly drive digital transformation to stay competitive. But doing this securely comes back to basics: building robust processes. During the pandemic, most organizations were forced to accelerate their transformation plans, which also provided them with a higher degree of risk protection than older, legacy processes did.
“Technology is moving very fast. But if we have the right processes in place, we can buy ourselves the time to put the right policies, procedures, and resources in place,” said Alexander Rau, Partner in KPMG in Canada’s Advisory Services for Cyber Security. But organizations don’t have to do the heavy lifting themselves—nor should they. Not every CISO is an expert in AI or quantum computing, so reaching out to subject matter experts in those fields can help them be better prepared for these new paradigm shifts.