
      For Chief Information Security Officers (CISOs) in government and public sector (Gov/PS), the challenges of securing sensitive data and critical systems have never been greater. The unique nature and volume of data these organisations handle leave them particularly vulnerable. The potential impact of a breach extends far beyond financial losses. In many cases, the well-being of citizens, public safety, and even national security are at stake.

      CISOs in government and public sector organisations face a complex web of challenges. Over the last five years, rapidly changing geopolitical developments and increasing tensions have resulted in an increase in cyberattacks on critical infrastructure. The sector is now focusing on improving resilience and reducing the risks associated with legacy IT infrastructures, which open the door to an array of vulnerabilities for adversaries to exploit. Despite efforts to modernise and secure these systems, the sheer complexity and scale of the task remain overwhelming. In fact, according to KPMG research, a lack of understanding of, or trust in, new cyber technologies has made 65 percent of government and public sector organisations less confident about investing in these tools. [1]

      In addition to the perpetual balancing act of addressing legacy systems, CISOs in this sector must also keep up with the rapid pace of emerging technologies, such as artificial intelligence (AI), blockchain, and quantum computing.

      Nicholas Fox

      Partner, Head of Government (Justice)

      KPMG in the UK

      CISOs are already dealing with budget constraints and resource limitations, which make it even more challenging to attract and retain skilled cybersecurity professionals; together, these pressures present a perfect storm of cyber challenges for organisations to navigate. The regulatory landscape is also becoming increasingly complex. In Europe, for example, upcoming cybersecurity regulations, such as the Digital Operational Resilience Act (DORA), the NIS2 Directive, and the Cyber Resilience Act, will affect thousands of companies and government organisations in the coming months and years. The resulting regulatory fatigue can be overwhelming. Amid these challenges, CISOs must find ways to bolster resilience and prepare for inevitable cyber incidents. This requires a shift in mindset from a purely preventative approach to one that also factors in detection, response, and recovery.

      This report explores challenges, opportunities, and action points for security leaders across this broad sector. By understanding the unique risks and requirements, and by taking a proactive approach to cybersecurity, CISOs can help protect the critical assets and data that underpin public institutions.


      Key cybersecurity considerations for CISOs


      Resilience by design – Cybersecurity for businesses and society

      The critical infrastructure that powers our society, from energy grids and transportation systems to water treatment plants and healthcare facilities, is increasingly vulnerable to sophisticated cyberattacks. Given the growing frequency and complexity of these threats, CISOs must shift their focus from solely preventing incidents to building resilience—the ability to respond, recover, and adapt quickly with limited impact. It is not only about technological solutions but also about people, processes, and governance frameworks.

      CISOs need to be able to locate and identify their assets to secure them effectively. This includes not only data center assets but also critical systems and endpoints outside of traditional IT, like those in factories, transportation networks, and energy grids—considered operational technology (OT).

      With organisations relying more and more on third-party providers for software and services, and attackers targeting suppliers directly, the risk of weak links in the supply chain is increasing. This growing ecosystem also expands the attack surface, affording threat actors additional entry points with each new external relationship.

      Robust incident response plans, regular testing and drills, and cross-functional collaboration can minimise the impact of inevitable breaches and ensure the continuity of critical services. By cultivating a culture of resilience throughout their organisations, CISOs can empower employees to become active participants in the defense against cyber threats. 

      Embed trust as AI proliferates

      The rapid proliferation of AI across critical Gov/PS areas has unlocked unprecedented opportunities for innovation and efficiency. However, as organizations eagerly embrace AI, they also must confront growing trust concerns, particularly when it comes to security and privacy. The massive volume of sensitive data that fuels AI systems is an attractive target for malicious actors, increasing the likelihood of data breaches and privacy violations. The complex and often opaque nature of AI algorithms can also lead to unintended biases and inaccurate predictions. This can erode public trust and cause reputational harm.

      CISOs need to think beyond traditional reactive measures and focus on embedding trust throughout the entire AI lifecycle. They must work closely with governance colleagues to address the challenges of data quality and classification, and ensure the information used to train AI models is accurate, unbiased, and properly secured.

      It is similarly important to collaborate with IT and business stakeholders to develop robust security frameworks that keep pace with the threat landscape, closing the gap between innovation and protection. On an encouraging note, KPMG research has found that in 76 percent of government and public sector organizations, cybersecurity is typically involved from the earliest planning stages of the decision-making process for technology investment and has a significant influence. [2]

      The digital identity imperative

      As organisations embrace digitisation to enhance service delivery and improve efficiency, the need for secure and reliable digital identity systems has become paramount. Digital identities serve as the foundation for secure access to a wide range of critical services, from banking and healthcare to government functions. By enabling individuals to verify their identity online, these systems facilitate seamless and secure interactions.

      However, the rise of sophisticated threats such as deepfakes, identity theft, and digital fraud has exposed the limitations of traditional authentication methods. Organisations are increasingly concerned about the rise of machine identities, especially privileged non-human service accounts that have access to sensitive data for specific applications. As the Internet of Things becomes more prevalent, managing machine identities is also becoming a major challenge.

      For CISOs in the Gov/PS sector, the stakes are particularly high. Digital identity systems play a vital role in safeguarding individual privacy, preventing fraud, and ensuring the integrity of sensitive data. A breach or failure of these systems can have far-reaching consequences, eroding public trust, disrupting essential services, and even compromising national security. As such, CISOs must prioritise the development and implementation of secure, transparent, and compliant digital identity frameworks. They must work closely with their teams to embed security and privacy considerations throughout the digital identity lifecycle. 

      Key challenges

      Upholding public trust and data privacy 

      Individuals are more aware than ever of how their personal information is used and protected, especially when it comes to biometric data. There are concerns regarding how data is stored, processed, and shared. Privacy and data sovereignty remain top-of-mind issues.

      Biometric data and authentication security 

      With advanced attacks being increasingly automated and scaled through AI, attackers’ efficiency has risen significantly. For example, multiple deepfakes can be generated simultaneously, and AI systems can continuously learn from the behavior of defenders to refine their strategies. This advancement makes it easier to circumvent traditional authentication methods, such as facial recognition or fingerprint scans, and amplifies the security vulnerabilities within these systems.

      Key opportunities

      Public-private collaboration – Acknowledging that governments, technology companies, and other related organisations all play critical roles in shaping digital identity frameworks, cyber security teams can act as collaboration facilitators in the development of secure and interoperable systems. By driving cross-sector discussion and partnerships, cyber security professionals can help bridge gaps in standardisation, regulatory compliance, and best practices.

      Regulatory alignment – While navigating regulatory challenges is complex, alignment with regulations like the General Data Protection Regulation (GDPR), DORA, NIS2 or eIDAS provides an opportunity for cyber security teams to establish best practices in compliance and strengthen trust in digital identity systems.

      Most Gov/PS organisations have low levels of preparedness relative to other sectors when it comes to securing digital identities. Often, this is attributable to insufficient investment and a lack of effective public-private collaboration. The complexity of challenges such as trust, privacy concerns, and user experience is often underestimated. In federated government systems, alignment and cooperation across levels add to the complexity. To overcome these obstacles and achieve a cohesive approach to digital identity, organisations must prioritise investment and collaboration.


      Real-world cybersecurity in Gov/PS

      As governments roll out large-scale digital initiatives that benefit citizens, balancing cybersecurity concerns with convenience remains top of mind.

      A case in point is the national biometric-based digital processing system that revolutionises the airport experience for travelers in India. The app uses the individual’s face as a single identity token, linking identity, travel documents, and travel information. Since its implementation in late 2022, this program has achieved remarkable adoption rates, with close to 10 million users and tens of thousands of new downloads daily. The system is operating across more than 20 airports in India.

      The implementation of this technology has yielded several key benefits, including improved passenger experience, enhanced efficiency, and increased security. The paperless system limits data sharing and ensures that passengers' personally identifiable information (PII) is securely stored in the traveler's mobile wallet. As adoption continues to grow, it serves as a prime example of how biometric technologies can be leveraged to enhance security and convenience in the public sector.

      KPMG provides support in implementing public projects that bring together commercial and government cybersecurity industry context and experience. The support spans various areas, including strategy and governance, identity and access management, security architecture, and continuous diagnostics and mitigation.
      With the right approach, government initiatives can uphold the highest standards of data privacy and security while delivering services that are accessible, efficient, and user-friendly.



      Top priorities for government and public security professionals


      Prioritise the fundamentals of cybersecurity, focusing on basic cyber hygiene rather than solely investing in the latest, "shiny" technologies.

      Maintain and document a comprehensive inventory of all systems, processes and assets — including the organisation’s “crown jewels” — ensuring they are regularly patched and updated to help minimise vulnerabilities.


      Develop and implement a robust cybersecurity awareness training program for all employees, cultivating a strong culture of security within the organisation.

      In today’s dynamic environment, perform continuous monitoring of the threat/risk landscape and adapt accordingly as conditions and developments warrant.

      How KPMG professionals can help

      KPMG professionals can assess your cybersecurity program to help ensure it aligns with business priorities. We work with government and public sector cyber leaders in developing digital solutions, advising on the implementation and monitoring of risks, and designing responses to cyber incidents.

      We use advanced methodologies to address cybersecurity needs and develop custom strategies. The range of digital solutions includes cyber cloud assessments, privacy automation, third-party security optimisation, AI security, and managed detection and response.



      Our people

      Nicholas Fox

      Partner, Head of Government (Justice)

      KPMG in the UK

      Richard Krishnan

      Partner, IGH Resilience Lead

      KPMG in the UK

