As featured on BusinessMirror: Cybersecurity considerations in 2023
Our future is dependent on data and digital infrastructure. We now have a complex tapestry of public-private partnerships, connected ecosystems, and information infrastructures. And as the degree of interconnectedness and dependency increases, so does the interest from those looking to attack and exploit those infrastructures.
Breakthrough technologies also pose new security, privacy and ethical challenges as well as raise fundamental questions about trust in digital systems. This is the environment in which global commerce needs to thrive, and we need to address concerns now as we innovate, not retrospectively when it’s too late.
This interconnectedness and reliance on data and digital are also happening in the Philippines where we saw rapid digital adoption during the pandemic with the need to conduct activities and business online. Going cashless, storing and accessing data in the Cloud, and implementing remote and flexible working conditions are just some of the practices that were made possible by technology. However, with rapid adoption comes a plethora of risks.
As we rely on technology to thrive and adapt to the changes brought about by the new normal, malicious forces are also taking advantage of these same developments to exploit and cause harm. Hence, strong data security measures and proactive recovery methods must be prioritized to ensure a sound and healthy digital presence.
Frits Gerald Enriquez
Advisory Director and Cybersecurity Lead
KPMG in the Philippines
The annual Cybersecurity considerations report identifies eight considerations that CISOs should prioritize in the year ahead as they seek to accelerate recovery times, reduce the impact of incidents on employees, customers and partners and aim to ensure their security plans enable — rather than expose — the business. The report also explores the key actions CISOs should take to meet the challenges ahead and to help ensure security is the organization's golden thread, woven into the business across the board — providing the basis for trust.
Eight key cybersecurity considerations for 2023
1. Digital trust: A shared responsibility:
Are organizations thinking broadly enough about how to protect the interests of employees, customers, suppliers and partners?
2. Unobtrusive security drives secure behaviors:
How do security teams effectively integrate security into business processes, agile development programs and disparate operating models?
3. Securing a perimeter-less and data-centric future:
With the security perimeter all but gone, how can organizations pragmatically and realistically transition to a zero-trust approach that protects every aspect of their ecosystem?
4. New partnerships, new models:
How can organizations keep security, privacy and resilience at the forefront in an environment where outsourcing and managed services are a growing priority?
5. Trust in automation:
What can organizations do to help ensure robotic process automation (RPA), machine learning (ML) and other forms of artificial intelligence (AI) are implemented and managed effectively, sensibly and securely?
6. Securing a smart world:
What are the implications for security and privacy teams as companies shift toward a smart, hyperconnected product mindset?
7. Countering agile adversaries:
How can security teams keep up with the pace of the changing threat landscape and the increasingly aggressive tactics of attackers?
8. Be resilient when—and where—it matters:
Why is it important to think beyond response and proactively plan for recovery?
Cyber strategies for 2023
What actions can CISOs, and the broader business lines take in the year ahead to help ensure security is the organization’s golden thread? Following is a short list of tangible steps CISOs should consider as they seek to accelerate recovery times, reduce the impact of incidents on employees, customers, and partners and aim to ensure their security plans enable—rather than expose—the business.
- Prioritize a robust cybersecurity culture that is interesting, engaging and, where appropriate, fun to inspire employees to do the right thing and function as human firewalls.
- Build a security team with the skills mix needed to manage a perimeter-less organization, including cloud and third-party dependencies.
- Communicate broadly and clearly. Ask leaders in other organizational functions about their pain points and how automated processes might help.
- Take a multidisciplinary, cross-culture approach. Establish a security ecosystem comprising internal business line specialists, security professionals, data scientists, privacy-oriented attorneys and external policy and industry professionals.
- Embed yourself in the organization and act as a peer, a sounding board and an advisor.
- Build consistent approaches to cyber risk management with an understanding of threat scenarios and attack paths to help inform attack surface reduction and prioritize control improvements.
- Focus on fit-for-purpose security processes that feature consistent user experiences.
- Establish strict identity controls and work to achieve a mature state of identity governance and services.
- Segment legacy environments to limit the attack surface and help contain any breaches.
- Have a proactive recovery plan focusing on the organization’s most critical workflows with a communication structure and stress test it often.
Data and technology
- Embrace the inevitable automation of the security function—trust the latest tools, from robotic processes to security orchestration, automation and response (SOAR) and extended detection and response (XDR) systems.
- Work with cloud providers to help ensure broad visibility into how products and services are configured to avoid inadvertent vulnerabilities.
- Consider cybersecurity and privacy issues up front when exploring emerging technologies, including the evolving risks associated with adopting AI systems.
- Assign responsibilities and establish accountability around how critical data is processed and managed and how it supports critical business processes.
- In the interest of speed, scalability and trust, a transition to identity as a service in the cloud needs to happen sooner rather than later.
- Be aware of changing regulatory trends and drivers and what they could mean for the company’s future technology strategy, product development, and operations.
- Consider the regulatory impacts vis-à-vis AI and automation—establish a clear concept of what the business can and can’t do in these arenas and be alive to public concerns and changing expectations.
- Explore automating compliance monitoring and reporting and task a team member to serve as a regulatory monitor to stay on top of privacy and security regulatory trends.
- Align security and privacy compliance strategy with the company’s broad business strategy to help ensure stakeholders from across the organization are on the same page.
- Look beyond the letter of the regulation—and be prepared to ask yourself more fundamental questions about digital trust and how you make that central to your strategic thinking.
The excerpt was taken from the KPMG Thought Leadership publication: https://kpmg.com/xx/en/home/insights/2023/02/cybersecurity-considerations-2023.html.
© 2023 R.G. Manabat & Co., a Philippine partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.
This article is for general information purposes only and should not be considered as professional advice to a specific issue or entity. The views and opinions expressed herein are those of the author and do not necessarily represent KPMG International or KPMG in the Philippines.