Application security as a culture

How to counter agile adversaries

Your public-facing applications are a prime target for bad actors. They outnumber security teams and have countless hours to spend on breaching your applications, so a compromise is not a question. It’s a near certainty.

How can you counter these adversaries? The answer is to embed security into all company activities—from the front desk to the corner office—while understanding which applications are most critical to the business. We call this approach “application security as a culture.”

To assess your current security culture or begin investing in a new one, start with these two questions:

1. Who is responsible for security?

If the answer is “the security team” or “the CISO,” your organization may be poised for a breach or other incident. That’s because security is most effective when it’s baked into all processes—and the minds of all employees and suppliers.

To embed this culture, remember that security awareness is an ongoing journey. Start by investing in proper security training, modeling best practices at the highest levels of the organization, empowering all employees to operate securely, and holding third parties accountable for security.

Place special emphasis on application development teams, and consider appointing “champions” to liaise between security professionals and developers. To minimize risk in the development process, these security experts can advise on best practices for managing vulnerabilities. They can also translate guidance from security teams into language that developers can understand and act upon.

2. What is most important to your organization?

In addition to weaving security into all activities, keep in mind that not all public-facing applications will need the same level of scrutiny and protection, because they don’t have the same criticality.

The art of cybersecurity is about risk management, not risk elimination, so it’s important to determine which risks you can accept and which you can manage—based on your company’s strategy, operations, and mission-critical assets.

To prioritize your application security, consider the following as a starting point:

Which applications does your business rely on to operate its core functions?
  • Human resources (e.g., payroll, benefits)
  • Email application infrastructure
  • Sales application infrastructure
  • Supply chain applications
Which applications could, if breached, cause substantial brand or reputational damage, potentially landing your company on the news or in front of Congress?
  • Flagship social media website
  • Major e-commerce/retail website
  • Public-facing, data-processing application programming interface (API) used by customers or other third parties
Do you have applications that might at first glance seem unimportant, but are integrated with business-critical applications or systems?
  • Back-end API that performs processing for critical applications
  • Applications that serve authentication or authorization on behalf of other critical applications

Progressive companies are focusing on application security as a culture, backed by a smart process for prioritizing and quantifying cyber risks. That’s how you can have confidence that you’re investing appropriately in security—and protecting your future in a volatile world.

How KPMG can help

KPMG offers end-to-end security testing as an outcome-based managed service, helping you consistently validate controls while minimizing remediation efforts. That’s because business transformation is not a fixed destination; it’s an ongoing journey. With managed services, we can help you continually evolve your business functions to keep up with ever-changing targets, while driving outcomes like cost reduction, resilience, and stakeholder trust.

Meet our team

Evan Rowell
Specialist Director, Market Development , Advisory, KPMG US
