This report offers key recommendations for CISOs, based on extensive dialogue with senior cyber security leaders globally.
Organisations across the world have made strides in remote working and collaboration during the COVID-19 pandemic, but the proliferation of digitisation is creating significant new cyber threats that require radical cultural change at boardroom level.
KPMG’s ‘Enforcer to influencer: Shaping tomorrow’s security team’ report calls on business leaders in Singapore and beyond to ensure cyber security specialists are part of the C-suite decision making process, with digitisation at the heart of their future growth strategies.
Seven key recommendations are offered to IT leaders and Chief Information Security Officers (CISOs), following extensive dialogue with senior cyber security leaders across the world, including Singapore:
1. Act like you belong in the C-suite
CISOs must speak the language of the C-suite, building consensus, demonstrating pragmatism and navigating politics, to help leaders understand the cyber implications of their strategic choices. CISOs are also becoming public figures, serving as the face of the firm to help build trust and confidence.
2. Broaden horizons
CISOs’ responsibilities are broadening to include safeguarding data, dealing with disruptive events to maintain operational resilience, managing third parties, handling regulatory compliance, and helping to counter cyber-enabled financial crime. This demands that they forge strong working relationships with other business leaders, including the Chief Risk Officer (CRO), the Chief Data Officer (CDO) and, of course, the Chief Information Officer (CIO).
3. Weave cyber security into the organisational DNA
Today’s CISOs should be sophisticated communicators, working with other business leaders to embed cyber security into the DNA of the organisation. This involves integrating security into governance and management processes, investing in education and awareness, and establishing the right mix of corporate and personal incentives to do the right thing.
4. Shape the future cyber security workforce
CISOs will have to acquire capabilities from outside the organisation, build new partnerships and look for unconventional and diverse talent. In future, we may even see the cyber function becoming far smaller, taking on a strategic and governance role, with cyber security being truly embedded into the business.
5. Embrace automation as the rising star
Automation can reduce the manual workload and ease skills shortages, bringing in greater efficiency and helping meet growing compliance requirements in a consistent and repeatable way. It can also help embed security and improve the user experience, as well as reduce the time to respond to a major cyber incident.
6. Brace for further disruption
We are heading towards a hyperconnected world in which the IoT and 5G networking will massively increase efficiency and enable radically different business models. But this also opens up organisations to new attack surfaces and raises privacy concerns — demanding a shift to new, data-centric security models such as zero trust.
7. Strengthen the cyber security ecosystem
Organisations are now part of a complex ecosystem of suppliers and partners, tied together through shared data and shared services. Conventional contracts and liability models seem ill-suited to the rapidly evolving supply-chain threat, calling for a new partnership approach that extends security to every party and individual in the chain.
This report also addresses one of the most significant issues facing Singapore today: the critical skills gap in cyber security across a wide range of areas, including cloud security, operational technology (OT) security, data science and analytics, security architecture and engineering, and attack simulation. Looking further ahead, CISOs must find talent to fill new roles that may not even exist today, such as resilience strategist, cyber risk modeller, orchestration manager, behavioural analyst, and AI ethicist.
Whether hiring, retraining or outsourcing, this report touches on some innovative ideas on how to address the skills shortage. To shape a dynamic 21st century workforce, CISOs must constantly assess what capabilities they need, and then source these skills from within and outside the organisation, using a hybrid model of permanent hires, temporary workers and contractors.
At the heart of KPMG’s recommendations is a recognition at C-suite level that digital security experts should be key players in the overall decision making processes, guiding the future direction of the business, developing robust digital infrastructure, embracing innovation and helping to identify potentially critical threats ahead.