KPMG has identified eight key cyber security considerations for 2022
Expanding the strategic security conversation
The last two years have redefined how we live, govern and conduct business. Securing and protecting critical assets, systems and, most importantly, sensitive proprietary and customer data is no longer exclusively an issue for security and IT professionals. Rather, handling and mitigating risk to support the strategic viability and operational sustainability of the entire organization is a shared responsibility that starts with the business.
Achieving the x-factor: Critical talent and skillsets
Perhaps the biggest change we’ve seen, in terms of the security team’s relationship with the rest of the organization — certainly in the age of COVID, but even going back several years before the onset of the pandemic — is an increased need for speed-to-market, albeit with an acknowledgment of the risks involved.
Adapting security for the cloud
While digital transformation propels cloud adoption and usage forward, it also puts institutions and businesses at greater cyber risk. Lack of cloud security skills means the business of protecting the organization operates at a distinct trust deficit. Cloud may be everywhere, but so are hackers and other criminal actors.
Placing identity at the heart of zero trust
With tens of millions of employees working at their kitchen tables and in their home offices, and billions of consumers purchasing goods on their phones from anywhere and everywhere, protecting mission-critical and other sensitive data within a complex ecosystem of suppliers and partners has never been more essential. In an environment where cybercriminals are often just a click away, organizations should adopt a zero-trust mindset and architecture, with identity and access management at the heart of it.
Exploiting security automation
Companies are successfully automating the security function and freeing up resources by applying automation to routine, repetitive tasks. Work that was previously performed by highly trained professionals, such as vulnerability scanning, log analysis and compliance checking, is being standardized and automatically executed. This can boost the analyst’s productivity, speed up incident detection and reaction times, and provide an opportunity for scalability. Automating the handling of lower-level threats and routine transactions augments the security operations center by enabling it to prioritize tasks more effectively and respond more quickly to threats that require human intervention.
Protecting the privacy frontier
At many companies, cyber security and data privacy are seen as different disciplines that often operate in silos. In an environment where so much sensitive data is captured and utilized, the review of third parties, new systems and new applications requires a multidisciplinary approach to privacy risk management — one that includes both privacy and security from the design phase through to organizational change management.
Securing beyond the boundaries
Most organizations are no longer the single, monolithic entities many customers have long believed them to be. They’re deeply operationally dependent on a robust supply chain, as well as a myriad of traditional and non-traditional partners that often have direct access to business systems and data. Although regulatory standards and mutually agreed-upon security frameworks can help minimize the impact of third-party cyber threats, there are situations where the participants in these complex ecosystem structures — cloud providers, SaaS companies, Internet of Things (IoT) device manufacturers, etc. — may not have clear obligations for establishing adequate controls to protect their partners’ data, leaving the entire network vulnerable to cyberattacks.
Reframing the cyber resilience conversation
When CEOs are asked how they approach the possibility of a cyberattack, most say, “There is a plan” and “It’s high on the board’s agenda.” Experience from the last few months suggests the more pertinent questions are: How prepared are you as a business to face a four- to six-week outage as a result of a cyberattack? How would it impact customer service? What would it mean for your call and distribution centers? Would you be able to cover the next payroll? Could you pay suppliers? How might an outage impact the company’s regulatory and legal requirements? Resilience demands an assessment of the key operational processes of the business and a strategy for protecting them.
Going forward, the hyperconnected smart society will likely face increased cyber risks on multiple global fronts via numerous evolving threat vectors. Clearly, the technological advances powering business, communications and entertainment bring with them new perils. In this report, we’ve explored such timely topics as the evolving security team, automating the security function, data privacy and securing the ecosystem. Now, we take a look at several emerging cyber security challenges. While none of these topics are new, we believe they’ll soon become major areas of focus for cyber professionals across virtually every industrial sector.
The excerpt was taken from the KPMG Thought Leadership publication Cyber security considerations for 2022.