As 2024 unfolds, organizational leaders face many challenges, from sustaining growth to navigating emerging technologies and talent acquisition and retention. The role of the Chief Information Security Officer (CISO) is evolving, and CISOs are increasingly seen as proactive partners in managing ongoing business needs rather than only being called upon to rescue the organization during times of crisis.

The KPMG annual Cybersecurity considerations report identifies eight key considerations that CISOs should prioritize in 2024 to help mitigate risk, drive business growth and build resilience.

Explore the eight key cyber considerations and uncover the key actions organizations can take as they seek to accelerate recovery times, reduce the impact of incidents on employees, customers, and partners and aim to ensure their security plans enable — rather than expose — the business.


Cybersecurity considerations 2024

Discover how to balance cyber priorities to build a resilient future.






Explore the eight key cybersecurity considerations for 2024


Consumers, employees, suppliers — every corporate stakeholder — expect businesses to pursue growth and profits. But increasingly, organizations are expected to operate socially responsibly, as well. Organizations should heed this call and strengthen the connection between security and privacy and environmental, social and governance (ESG) factors. This bond is increasingly recognized across the business ecosystem, particularly by ESG rating services, as they search for greater transparency in measuring and comparing organizations.




Security, from the CISO down through their entire team, is a very different role today. Cyber is becoming more embedded in core business processes. That reality is being reflected in a move away from a centralization of cybersecurity in the CISO role to a federated model, in which the CISO is the conductor of the orchestra, establishing the frameworks, assessing risk, and providing implementation support. Security is integral to every function across the organization, from front office to back, and many leaders now acknowledge the value of integrating a security mindset into their very different business cultures and processes.




Global businesses are operating within an increasingly complex cyber and privacy regulatory space. National interests are playing out, leading to diverse regulatory requirements over information sovereignty, supply chain security, transparency of cyber controls compliance, incident reporting, and, of course, privacy. Businesses should seek to calibrate their regulatory reporting for an increasingly borderless world but also maintain security controls that can be tailored to local requirements. Organizations should be prepared to respond quickly to changing geopolitics and diverse sanctions requirements.




Many organizations’ current approach to third-party and supply chain security does not align with the reality of today’s complex and interdependent ecosystem of partner organizations. Traditional models were built around the assumption that third parties provide services on a transactional basis. That view does not reflect today’s intricate network of APIs and processes tethered by a complex set of software-as-a-service dependencies. Organizations are encouraged to establish more strategic supplier partnerships focused on continuously monitoring and managing the evolving risk profiles of these suppliers to strengthen operational resilience.




With careful planning and execution, artificial intelligence (AI) has the potential to transform how, when, and by whom work gets done. All the talk is currently about generative AI, but many other branches of AI, from robotics to machine learning, continue to transform business. Calibrating the security, privacy, and ethical implications inherent in these technologies is challenging, and organizations are looking to establish frameworks that provide both risk management and governance when implementing AI.




Businesses are increasingly moving systems to the cloud, the volume of data that needs protection is skyrocketing, and more people are working remotely and accessing corporate networks with their own devices. As a result, the cyberattack surface is expanding, creating more alerts, false positives and triage events for CISOs to manage. There’s a lot of noise in security operations centers (SOCs), and there aren’t enough panes of glass or humans to deal with the volume. How can CISOs keep detecting threat after threat and feel they're not missing something? They need to collect, correlate and escalate the signals that require a response — and it must be done rapidly. The only way to do that is through automation.




Every organization with which consumers interact assigns them a unique digital identity, and just as usernames and passwords vary, authentication methods do as well. From a cybersecurity perspective, the identity model is evolving. Most identity and access management (IAM) models were originally devised to manage digital identities and user access for single organizations. Many are now being reconceptualized to encompass a level of resilience suitable for federated, private, public or multi-cloud computing environments. This will eliminate the need for individuals to endure the exhaustive, time-consuming and intrusive process of identity-proofing every time they interact with a new institution, either as a customer or employee.




During a cyber incident, organizations need a response measured in minutes and hours, not days and weeks. In today’s volatile environment, resilience has become a common theme for organizations across critical infrastructure sectors such as energy, communications and transportation, with executives focused on recovery if preventative controls fail. Resilience should seamlessly align with cybersecurity, emphasizing protection, detection, and rapid response and recovery. Cyber resilience is vital for maintaining business operational capabilities, safeguarding customer trust, and reducing the impact of future attacks. These disciplines must work in tandem to help organizations manage risk.


