As 2024 unfolds, organisational leaders face many challenges, from sustaining growth to navigating emerging technologies and talent acquisition and retention. The role of the Chief Information Security Officer (CISO) is evolving, and they are increasingly being seen as proactive partners in managing ongoing business needs rather than just being called upon to rescue the organisation during times of crisis.
The KPMG annual Cybersecurity considerations report identifies eight key considerations that CISOs should prioritise in 2024 to help mitigate risk, drive business growth and build resilience.
Explore the eight key cyber considerations and uncover the key actions organisations can take as they seek to accelerate recovery times, reduce the impact of incidents on employees, customers, and partners and aim to ensure their security plans enable — rather than expose — the business.
Cybersecurity considerations 2024
Discover how to balance cyber priorities to build a resilient future.
Read the full report (2.27 MB) ⤓
Explore the eight key cybersecurity considerations for 2024
Consumers, employees, suppliers — every corporate stakeholder — expect businesses to pursue growth and profits. But increasingly, organisations are expected to operate socially responsibly, as well. Organisations should heed this call and strengthen the connection between security and privacy and environmental, social and governance (ESG) factors. This bond is increasingly recognised across the business ecosystem, particularly by ESG rating services, as they search for greater transparency in measuring and comparing organiSations.
Security, from the CISO down through their entire team, is a very different role today. Cyber is becoming more embedded in core business processes. That reality is being reflected in a move away from a centralisation of cybersecurity in the CISO role to a federated model, in which the CISO is the conductor of the orchestra, establishing the frameworks, assessing risk, and providing implementation support. Security is integral to every function across the organisation, from front office to back, and many leaders now acknowledge the value of integrating a security mindset into their very different business cultures and processes.
Global businesses are operating within an increasingly complex cyber and privacy regulatory space. National interests are playing out, leading to diverse regulatory requirements over information sovereignty, supply chain security, transparency of cyber controls compliance, incident reporting, and, of course, privacy. Businesses should seek to calibrate their regulatory reporting for an increasingly borderless world but also maintain security controls that can be tailored to local requirements. Organisations should be prepared to respond quickly to changing geopolitics and diverse sanctions requirements.
Many organisations’ current approach to third-party and supply chain security does not align with the reality of today’s complex and interdependent ecosystem of partner organisations. Traditional models were built around the assumption that third parties provide services on a transactional basis. That view does not reflect today’s intricate network of APIs and processes tethered by a complex set of software-as-a-service dependencies. Organisations are encouraged to establish more strategic supplier partnerships focused on continuously monitoring and managing the evolving risk profiles of these suppliers to strengthen operational resilience.
With careful planning and execution, artificial intelligence (AI) has the potential to transform how, when, and by whom work gets done. All the talk is currently about generative AI, but many other branches of AI, from robotics to machine learning, continue to transform business. Calibrating the security, privacy, and ethical implications inherent in these technologies is challenging, and organisations are looking to establish frameworks that provide both risk management and governance when implementing AI.
Businesses are increasingly moving systems to the cloud, the volume of data that needs protection is skyrocketing, and more people are working remotely and accessing corporate networks with their own devices. As a result, the cyberattack surface is expanding, creating more alerts, false positives and triage events for CISOs to manage. There’s a lot of noise in security operation centers (SOCs), and there aren’t enough panes of glass or humans to deal with the volume. How can CISOs keep detecting threat after threat and feel they're not missing something? They need to collect, correlate and escalate the signals that require a response — and it must be done rapidly. The only way to do that is through automation.
Every organisation with which consumers interact assigns them a unique digital identity, and just as usernames and passwords vary, authentication methods do as well. From a cybersecurity perspective, the identity model is evolving. Most identity and access management (IAM) models were originally devised to manage digital identities and user access for single organisations. Many are now being reconceptualised to encompass a level of resilience suitable for federated, private, public or multi-cloud computing environments. This will eliminate the need for individuals to ensure the exhaustive, time-consuming and intrusive process of identity-proofing every time they interact with a new institution, either as a customer or employee.
During a cyber incident, organisations need a response measured in minutes and hours, not days and weeks. In today’s volatile environment, resilience has become a common theme for organisations across critical infrastructure sectors such as energy, communications and transportation, with executives focused on recovery if preventative controls fail. Resilience should seamlessly align with cybersecurity, emphasising protection, detection, and rapid response and recovery. Cyber resilience is vital for maintaining business operational capabilities, safeguarding customer trust, and reducing the impact of future attacks. These disciplines must work in tandem to help organisations manage risk.