As we enter 2022, it is vital for organizations and individuals alike to reassess the current technological landscape, particularly in the area of cyber security. According to KPMG’s CEO Outlook report, 75% of Chief Executive Officers (CEOs) believe that a strong cyber security strategy is critical to instill trust with key business stakeholders. Cyber security is a constantly evolving field, and with that evolution come both challenges and opportunities. KPMG has assessed the cybersecurity landscape and published “Cyber security considerations 2022: Trust through security”, in which it identifies eight key cyber security considerations that Chief Information Security Officers (CISOs) should weigh in 2022. Before exploring each consideration in more detail, it is worth pointing out that CISOs require an overall paradigm shift. CISOs should position themselves within an organization as influencers rather than enforcers of cybersecurity measures and practices. Inspiration is usually more effective in the long term than enforcement at getting people to act, and this principle applies to cybersecurity as well. CISOs should influence colleagues to do things securely rather than simply tell them what they can and cannot do in relation to the organization’s cybersecurity posture.
Eight Cybersecurity Considerations for 2022
Expanding the strategic security conversation
Cybersecurity nowadays encompasses and affects almost every aspect of a technology-driven business. It is no longer an issue that only security and IT professionals deal with. There must be a shift from cybersecurity being solely the responsibility of IT professionals to an understanding that it is a shared responsibility of the whole enterprise. A CISO must be able to wear multiple hats and align a company’s business strategy with its cybersecurity strategy. Thus, it is essential that security is incorporated into the business process. CISOs should help business leadership make this shift possible.
Achieving the x-factor: Critical talent and skill-sets
The need for speed-to-market, present before the COVID crisis but accelerated by it, comes with an acknowledgment of the risks involved. In the present economy, there is a severe shortage of skilled cybersecurity professionals. KPMG recommends looking into alternative ways of addressing this gap, for example by incorporating gig economy workers and cybersecurity automation. Additionally, CISOs are urged to attract a wider range of talent to cybersecurity in order to break down barriers to inclusion and draw a larger pool of people into the field.
Adapting security for the cloud
As cloud adoption has skyrocketed within organizations, the cybersecurity landscape has changed. The processes and skills required for ‘traditional’ cybersecurity may no longer apply to cloud security. According to KPMG’s report, 90 percent of organizations may be vulnerable to security breaches related to cloud misconfigurations. CISOs need to work with their teams to understand cloud-specific cybersecurity requirements and adapt security for the cloud. This should be done within the applicable regulatory framework, taking into account how regulations such as the GDPR or HIPAA affect cloud security.
Placing identity at the heart of zero trust
As millions of employees shift to remote work and purchase goods from anywhere in the world through their phones, it is increasingly important to place identity management and zero trust at the heart of business processes. Zero trust should no longer be viewed as a technology or a feature, but rather as a security standard. CISOs should make zero trust their approach to security, with identity as the central component of any zero trust model.
Exploiting security automation
Automation frees up resources that would otherwise be spent on mundane, repetitive tasks. This also applies to cybersecurity, where vulnerability scanning, log analysis and compliance checks are increasingly executed automatically rather than by a highly skilled professional. Automation lets security professionals concentrate on truly critical assets rather than spend time on lower-level threats that automation can handle. CISOs are encouraged to leverage automation to full advantage.
Protecting the privacy frontier
At present, cybersecurity and data privacy are seen as distinct disciplines and often operate separately from one another. As awareness and recognition of data privacy grow, there is an ever-increasing need to view privacy not as a standalone legal discipline but as a multi-disciplinary field. Privacy should be intertwined with security, with companies incorporating a privacy-by-design approach into their business.
Securing beyond the boundaries
Companies nowadays are increasingly dependent on robust supply chains and multiple business partners. Such dependencies have led 79% of cyber teams to recognize that protecting a business’s partner ecosystem and supply chain is just as important as building their own cyber defenses. This creates a network of businesses operating together and requiring adequate controls to protect their own and their partners’ data simultaneously. It is necessary to create a strong risk management framework that addresses cyber risks both within and outside the organization. This requires a proactive role from CISOs, using automation, continuous monitoring and zero trust models to achieve security beyond the boundaries of their enterprise.
Reframing the cyber resilience conversation
The KPMG report encourages CISOs to initiate conversations with senior leaders within the organization on the assumption that the company is ready for a cyberattack. A company resilient to cyberattacks is one that assesses the key operational processes of its business and strategy. CISOs should reframe the cyber resilience conversation to encompass a company-wide effort to mitigate cyberattacks and identify the greatest risks.
Hopefully, this article offers thoughtful recommendations for you as an organization or as a CISO serving one. For a detailed overview, access the full report here.