Cybersecurity an enabler, not a hindrance: KPMG’s Cybersecurity considerations 2022

In the last two years, we have seen an expansion of the threat landscape. Cybercriminals are no longer individuals working in silos; they are organized, have an entrepreneurial mindset, and use sophisticated tools and technologies. Chief information security officers (CISOs) can no longer treat cyber threats as merely an IT issue. They need to think long term and make cyber risk a firm-wide issue.

KPMG’s Cybersecurity considerations 2022 report finds that CISOs need to look at cybersecurity through the lens of enablement, and less as a mere means of preventing oncoming threats. The key to mitigating such risks lies in giving people the knowledge of what they can do securely.

Speaking about the report, Majid Makki, Director – Head of Management Consulting and Technology Advisory, said: “The KPMG 2021 Kuwait CEO Outlook found that cybersecurity risk is the no. 1 threat against growth for the organizations in the coming three years. Cybersecurity is not an IT issue anymore and the C-suite is taking notice of the financial and reputational damage it can do to organizations. CISOs need to evolve and think of a firm-wide solution, which comprises threats toward HR, operations and supply chain. Our Cybersecurity considerations 2022 report provides insights and comprehensive solutions for the security teams to deal with the evolving threat landscape, and how they can become flag bearers in this matter for the whole organization.”

Eight considerations emerged from the report; adhering to them could help organizations dampen the impact of cyber risks. They are listed below:

Expanding the strategic security conversation

The focus for CISOs should be to move past the traditional security mindset and approach security as a means of driving integrity and resilience. The onus is on them to help organizational stakeholders understand the impact that robust data protection and risk management measures can have on their business goals. Instead of a security architecture chosen on cost and speed, they should pursue one that is effective and improves business value as well as customer experience. By coupling artificial intelligence (AI) and machine learning (ML) with security tools, businesses can single out risk exposures and vulnerabilities and automate the resolution and remediation process.

Achieving the x-factor: Critical talent and skillsets

Cybersecurity is not a hindrance; it is an enabler. Security teams must strive to put this message across in a compelling manner and motivate others about the significance of digital security. While incorporating scenario-based thinking, safety drills and testing is important, making those activities engaging and interactive could be key to helping colleagues understand the role of cybersecurity, and even encourage them to be more compliant. This can be done through various means, such as augmented reality (AR) and virtual reality (VR) or gamification, among others.

Adapting security for the cloud

Building on cloud security capabilities and meeting regulatory and compliance requirements, driven by the Directive on Security of Network and Information Systems (NIS Directive), the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS), among others, should be at the top of the agenda. Digital security teams should not only work toward embedding automation in cloud security from the deployment, monitoring and recovery perspectives, but also ensure that cloud security is the responsibility of the entire organization and not just theirs.

Placing identity at the heart of zero trust

As identity risks continue to rise and scalability remains a challenge, organizations need to consider zero-trust architecture and passwordless authentication. While adopting and implementing this approach may be time consuming, business institutions are likely to benefit from it. In the interest of enhancing user and consumer experience, CISOs, chief information officers (CIOs) and Heads of Infrastructure (HoI) should work toward devising seamless authentication and identity and access management (IAM) models. It is their responsibility to ensure that automated security systems are in place and that skilled professionals devote more of their time to strategic activities.

Exploiting security automation

By leveraging security automation, organizations free staff time and attention from mundane areas so they can be channeled toward crucial activities. The approach to introducing such processes, however, should be gradual, simple and focused more on key threats than on individual incidents. In addition, security automation needs to be integrated at every critical stage of the software development life cycle (SDLC), making it easier to build security into the SDLC. Organizations should strive to tap into the advanced automation capabilities already present in their current technology stack and resources before resorting to outside means. They must be willing to push their boundaries and be agile enough to learn from the areas in which they fall short.

Protecting the privacy frontier

Businesses are rapidly shifting toward an approach in which data security and privacy are highly prioritized. It is no longer about meeting regulatory requirements alone; it is about having a culture that fosters trust both inside and outside the organization. What is required is a privacy-by-design mindset and the closing of any gaps in how consent for data collection is managed and in understanding its impact on the business. Organizations need to assure consumers and regulators that they are deeply committed to respecting consumer rights and protecting data.

Securing beyond the boundaries

Regulations relating to cybersecurity will likely continue to tighten and expand, as exemplified by executive orders from the US White House on the supply chain, as well as the European Union’s continuously evolving Network and Information Security (NIS) Directive, which has drawn clear lines around how member states, industries and organizations should enhance their inward- and outward-facing cybersecurity policies, especially in a post-pandemic world. A strong risk management framework that looks both inward and outward is key, especially for high-risk industries such as financial services, energy and healthcare. A future-proof approach should also be applied across key industries around the world to help ensure that all ecosystem partners follow a clear path in protecting their own organizations, as well as the broader ecosystems within which they operate.

Reframing the cyber resilience conversation

With digitalization surging, the need for resilience is more pertinent than ever. As cyber incidents continue to proliferate, organizations need to assess their operational processes and have a plan of action in place to safeguard them. Recognizing a security breach alone is not sufficient. Additional measures must be taken to ensure that such incidents are detected and dealt with quickly, and that their impact is mitigated. CISOs must see to it that cyber risks and their consequences are clearly conveyed across the organization, particularly to the C-suite. CISOs, chief data officers (CDOs) and chief risk officers (CROs), especially in Europe, are moving toward a broader role, the chief digital resilience officer (CDRO), which houses a combined agenda of shared security, technology risk and business continuity priorities. This indicates that building robust cyber resilience is not a goal CISOs and their teams can achieve on their own. It requires collective buy-in coupled with constant support from across the organization as well as from stakeholders.

Conclusion

Technological advancements and digitalization are opening new doors for business institutions, yet they are also creating a more hospitable environment for threats. The report points out that while topics such as the industrial internet of things (IIoT), 5G networks and AI may not be pertinent in terms of cybersecurity now, they will soon come to the fore.
