
Adopting automated governance


Speeding away from security

Many software development teams today have adopted DevOps practices that enable them to regularly produce and push code into production environments. These developers aim for rapid releases to deliver great user experiences and drive business value often. At the same time, Security and Compliance groups struggle to keep up as they navigate the complicated challenge of balancing the merits of faster development speed against the need to manage risk and protect the organization without introducing unnecessary hurdles.

Today, a growing list of security tooling adds complexity to build pipelines, and the data generated by each tool usually lives in its own silo. While a scanning tool may provide additional visibility into potential vulnerabilities, adding more components to increasingly complicated continuous integration/continuous delivery (CI/CD) pipelines can make it hard to maintain a holistic understanding of security and compliance.

Competing priorities

In organizations trying to adapt to this evolving challenge, multiple teams are involved in the process, including:

  • Engineering teams that work towards optimizing delivery but are often delayed by time-consuming controls and compliance requirements
  • Security teams that work towards improving the security of products and reducing the potential for data breaches without restricting velocity of deployments
  • Technology Risk and Internal Audit teams that work towards accurately identifying and mitigating risks but that are often working with legacy controls, which can lead to lengthy or narrow review processes

Each of these teams tends to have different priorities. Luckily, there is a way to align the goals of the three distinct teams. By implementing a common framework of Automated Governance, organizations can enable a unified vision for automation, security, and compliance at scale.

Building the foundation

An Automated Governance framework solves the issues of our three stakeholder tribes by reducing the time needed for audits, improving the coverage of security controls in the development pipeline, and increasing the reliability of risk assessments and audits.

To implement this framework, organizations need to outline potential risks that can be introduced and a set of associated controls to mitigate these risks at different stages of the software delivery pipeline. In most organizations, the typical pipeline stages may be:

  • Source code repository: Application software and services are hosted on a version-controlled tool
  • Build: Source code is compiled and tested for quality and security
  • Dependency management: Management of external libraries and/or base images
  • Package: Deployable artifacts are composed from source code and external dependencies
  • Artifact repository: The artifacts generated in the build and packaging stages are hosted in a version-controlled tool
  • Non-prod deploy: Artifacts are deployed to non-production environments to undergo testing
  • Prod deploy: Tested and approved artifacts are deployed in production environments

The controls defined for the different stages are checks that development teams’ code must pass before a deployment can occur, and they offer an opportunity to capture evidence, or “attestations,” of each control. By storing machine-generated and digitally signed attestations in a single data repository, stakeholders have an objective, trustworthy record of what happened during the software build process.
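As an added illustration (not KPMG's code or any particular product), the following Python sketches what a signed-attestation ledger and a production-deploy gate could look like for the pipeline stages listed above. The stage and control names, the HMAC signing key, and the evidence file names are all assumptions constructed for the example; a real pipeline would use asymmetric signatures with keys held in a KMS or HSM.

```python
import hashlib
import hmac
import json

# Constructed for this example: a key held only by the pipeline's attestation
# service. HMAC keeps the example dependency-free; production systems would
# use asymmetric signatures so verifiers never hold the signing key.
SIGNING_KEY = b"example-attestation-key"

# Controls that must hold a passing attestation before a prod deploy may
# proceed (stage/control names are assumptions loosely following the article).
REQUIRED_CONTROLS = {
    "build": ["unit_tests", "sast_scan"],
    "dependency_management": ["sca_scan"],
    "artifact_repository": ["artifact_signed"],
    "nonprod_deploy": ["dast_scan"],
}

def _canonical(body: dict) -> bytes:
    # Stable serialization so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def attest(stage: str, control: str, passed: bool, evidence: str,
           key: bytes = SIGNING_KEY) -> dict:
    """Machine-generated, signed record that one control ran at one stage."""
    body = {"stage": stage, "control": control, "passed": passed,
            "evidence_sha256": hashlib.sha256(evidence.encode()).hexdigest()}
    body["sig"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body

def verify(attestation: dict, key: bytes = SIGNING_KEY) -> bool:
    """True only if the signature matches the attestation's current contents."""
    body = {k: v for k, v in attestation.items() if k != "sig"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, attestation.get("sig", ""))

def prod_deploy_allowed(ledger: list, key: bytes = SIGNING_KEY) -> tuple:
    """Gate: every required control needs a valid, passing attestation.
    Returns (allowed, reasons) so the decision itself is auditable."""
    reasons = [f"invalid signature: {a.get('stage')}/{a.get('control')}"
               for a in ledger if not verify(a, key)]
    valid = [a for a in ledger if verify(a, key)]
    for stage, controls in REQUIRED_CONTROLS.items():
        for control in controls:
            hits = [a for a in valid
                    if a["stage"] == stage and a["control"] == control]
            if not hits:
                reasons.append(f"missing: {stage}/{control}")
            elif not all(a["passed"] for a in hits):
                reasons.append(f"failed: {stage}/{control}")
    return (not reasons, reasons)
```

An attestation whose contents are edited after signing (for example a failed scan flipped to "passed") fails `verify` and is excluded, so the gate reports both the bad signature and the now-missing control.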

Driving sustained change

To keep the business protected from relevant threats without reducing time to value, these governance processes must be automated in development pipelines to help ensure that developers can continue to accelerate the rate of software delivery while Security and Compliance teams can have confidence in the reduction of overall risk. As we expect this challenge to escalate further, understanding how to adopt and implement an Automated Governance framework may be vital for organizations that wish to have a trustworthy, repeatable approach to build, protect, and deliver their products and services.
