Cybersecurity is once again a top priority in the C-suite—as it should be. In an era characterized by disruptive technologies and digital-first operations, CEOs are increasingly, and rightly, sensitive to the fact that strong cyber strategies and controls are fundamental to managing business risk across all domains. This awareness rings clear throughout our 2024 CEO Outlook, which shows that Canadian and Global leaders are making a concerted effort to keep up with—and ideally ahead of—today’s evolving cybersecurity demands.
Return to norm
Cybersecurity was last perceived as a top-three risk to organizational growth in 2020 at the onset of the Covid-19 pandemic, when every organization that could quickly adopted remote work as a matter of public health necessity. This made organizations newly reliant on individual employees’ private systems, leading to an increase in emphasis on cybersecurity awareness and vigilance.
As remote work became the new normal and the challenge posed by varying levels of security controls was sufficiently addressed, cybersecurity faded from CEOs’ attention. Now it’s back: in 2024, the threats to growth that cybercriminals pose are ranked No. 2 and No. 3 among Canadian and Global CEOs, respectively. Unfortunately, only half (52 per cent Canadian and 48 per cent Global) feel “well prepared” to defend their organizations against potential attacks.
For the leaders of Canadian small and medium-sized businesses (SMBs), on the other hand, cyber threats are No. 1, as they were last year. Indeed, KPMG’s Private Enterprise™ Business Survey reveals that small and medium-sized businesses are currently more cyber-confident than larger organizations. Fully 80 per cent say they are prepared for a cyberattack and 79 per cent are confident their organization’s cybersecurity can keep up with rapid AI advancements.
Cybersecurity returns as a top threat to organizational growth
Source: KPMG Canadian CEO Outlook 2020-2024
How do we square this with the fact that 70 per cent of SMB leaders also say their company doesn't have the skilled personnel to implement cybersecurity or monitor for attacks? It’s probable that many are outsourcing or co-sourcing their cybersecurity function. Alternatively, they may simply be less aware of the broad and constantly evolving nature of the threats and trends that keep the CEOs of larger organizations on their toes. In this sense, it’s good to keep in mind: "The more you know, the more you realize what you don't know." For this reason, cyber strategy and governance need to be priorities at the most senior levels of the organization.
Swimming upstream
Several factors can explain this renewed focus on cybersecurity among CEOs.
First, cyber threats are constantly evolving and becoming more sophisticated, putting relentless pressure on organizations to stay one step ahead—or at least not two steps behind. Attackers, after all, have access to the same potentially game-changing technologies as their targets, such as generative AI.
Second is a rise in the involvement of nation-states in large-scale cyberattacks. The challenge here is that once one of these attacks is in the wild, it’s available for other threat actors to exploit. Additionally, because part of warfare has become cyber-based, critical infrastructure can be a target, including for companies seen as aligned with one side of a conflict or the other.
Third is that regulations around data privacy and resilience are evolving in different ways and at different paces around the world. This dynamic only adds to the cost and resource demands on organizations looking to do business beyond their borders.
Other factors are more internal. For example, hybrid workforces have given rise to complex cyber needs and considerations, which may be part of the reason large organizations have been pushing to get people back into the office, where security controls can be more easily managed. At the same time, an insufficient supply of cybersecurity talent and skills has organizations feeling more open to the relative convenience of outsourcing.
Ultimately, concerted cyber investment and preparation is an ongoing imperative. Put another way, constantly having to adapt our cyber strategies to keep up with potential financial, regulatory and reputational consequences is simply what it takes for organizations to ensure resilience.
Trends that will negatively impact your organization’s prosperity over the next three years
Source: KPMG Canadian CEO Outlook 2023, 2024
Generative AI’s double-edged sword
The latest multifaceted factor is generative AI, which is bringing dramatic change, including to cybersecurity—for better and worse. On the upside, organizations can use generative AI to strengthen their cyber posture through more advanced attack detection, monitoring and assessment. It’s also proving to be a valuable tool for improving processing speeds, providing nuanced information and facilitating informed decision-making.
These are all promising applications. But here’s the downside—cybercriminals also reap the very same benefits.
Taken together, the result of these competing implications is an AI arms race that is keeping both sides up at night—and not for the same reasons.
Benefits and challenges of implementing Generative AI (figure panels: Benefits; Challenges)
Source: 2024 Canadian CEO Outlook
Supply in demand
The advantage will go to those who have the best people. Unfortunately, this remains a struggle for many Canadian organizations. Only 52 per cent of Canadian CEOs (59 per cent global) say they are confident their organization can access suitable cybersecurity talent and solutions to defend specifically against AI threats. While the federal government has come to their support with skill-building initiatives, many are still grasping for experienced people to put their plans into action.
All of this is likely to remain a struggle, especially as competition for talent continues across borders. For some, the answer may be to leverage managed services for cybersecurity and rely on the external skill sets of cybersecurity professionals. For others, it may be to find a balance between that kind of outsourced expertise and their own in-house teams. Whatever the response, the value of skill and experience in delivering a robust cybersecurity program should never be underestimated.
Encouragingly, 73 per cent of Canadian and global CEOs are increasing investment in cybersecurity to protect their operations and intellectual property. This spending is being allocated across several priorities, from reducing technology debt and meeting rigorous regulatory requirements to enhancing cyber processes and, crucially, both recruiting and upskilling people.
A portion of cybersecurity investment is also being reserved for incoming technologies. Quantum computing, for example, is evolving quickly and may require a whole new approach to fundamental controls, such as encryption.
Strengthening the foundation
Given all of this, what should organizations do? As is often the case, building on the fundamentals is rarely a mistake.
- Understand the business risk: Determine where your organization is most vulnerable to cyberattacks and how various scenarios tie to your business strategy and key imperatives. Use this assessment to inform how and where you invest in cybersecurity solutions and controls.
- Map your strategy: Work with organizational leaders and cybersecurity professionals to chart your cybersecurity goals and objectives for the next few years. This will ensure the organization is taking the right steps and hitting the right milestones in the right ways and at the right times.
- Make talent a priority: Develop a plan to address the cybersecurity skills gap that covers all the bases, including insourcing, outsourcing and co-sourcing strategies. Cybersecurity as a managed service option should be especially attractive to SMBs.
- Cultivate your cybersecurity culture: A strong cyber culture is one where managing cybersecurity isn’t seen as an “extra” part of the job, but a bare minimum—including at the Board level. This culture is shaped through consistent cybersecurity training, ensuring people within your organization know what to look out for and what is expected of them.
How we can help
Whether you are looking to assess your existing cyber strategy and response, align it to your business priorities, develop and/or implement advanced solutions, monitor ongoing risks or respond effectively to cyber incidents, KPMG’s team of cybersecurity professionals can help.
About our surveys
The 10th edition of the KPMG CEO Outlook, conducted with 1,325 CEOs between July 25 and August 29, 2024, provides unique insight into the mindset, strategies, and planning tactics of CEOs. All respondents oversee companies with more than US$500 million in annual revenue and a third of the companies surveyed have more than US$10 billion in annual revenue. The survey by KPMG International included CEOs from 11 key markets (Australia, Canada, China, France, Germany, India, Italy, Japan, Spain, the U.K. and the U.S.) and 11 key industry sectors (asset management, automotive, banking, consumer and retail, energy, infrastructure, insurance, life sciences, manufacturing, technology, and telecommunications). NOTE: Some figures may not add up to 100 per cent due to rounding.
KPMG Private Enterprise™ surveyed 735 business owners or executive level C-suite decision makers at small-and-medium-sized Canadian companies between August 13 and Sept. 4, 2024, using Sago's premier business research panel. Thirty-seven per cent helm companies with more than C$500 million and less than C$1 billion in annual revenue, a quarter have more than C$300 million and less than $500 million in annual revenue, 26 per cent have between C$100 million and C$300 million in annual revenue, and 13 per cent have between C$10 million and C$50 million in annual revenue. No companies were surveyed under C$10 million.