Secure and resilient: Preparing your organization for evolving cybersecurity challenges

Are your risk functions working together to address the #1 threat to businesses?

From threats to resilience: The case for multidisciplinary cybersecurity


The rapid evolution of technology, and its integration into nearly every aspect of business, brings unprecedented opportunities for productivity, innovation, and growth. But it also drastically expands the attack surface that increasingly complex and sophisticated threats can exploit. These threats are exacerbated by ongoing macroeconomic and geopolitical trends that leave critical infrastructure vulnerable to security risks.

From ransomware and malware, to phishing and insider threats, to supply chain attacks and deepfakes, cyberattacks pose significant danger to organizations. A successful attack can disrupt operations at scale, cause substantial financial and high-value intellectual property (IP) losses, and fracture customer trust. According to the KPMG Risk & Resilience Survey, executives ranked cybersecurity as the top risk for the next five years and the #1 risk area needing improvement.[1]

In today’s digital and connected world, traditional cyber defense mechanisms are not robust enough to protect organizational value. A multidisciplinary approach to cybersecurity is needed to sustain enduring business resilience. This approach requires collaboration across various functions within the organization, including cybersecurity executives, technology risk managers, risk managers, compliance officers, legal counsel, and internal auditors.

Urgent need to address both risk and resilience in today’s cyber landscape


In the face of evolving cyber threats, resilience is central to the enterprise risk agenda because the hard truth is that a cyber breach is often a matter of “when,” not “if.” Consider the alarming toll of financial cybercrime, which cost nearly $5 million per data breach in 2024[2] and underscores the urgent need for organizations to strengthen their resilience plans and procedures.

Cyber resilience involves reducing the probability of a breach by managing the attack surface, quickly identifying and responding to incidents, minimizing their impact, and recovering swiftly. Organizations need comprehensive resilience plans that provide the vigilance, speed, agility, and innovation required to address the many challenges of today's cybersecurity landscape, including:

  • Maintaining asset visibility: New threats are emerging daily. Organizations must be proactive, not reactive, to identify, inventory, and safeguard their most critical digital assets.
  • Complexity of technology environments: Organizations must navigate a vast array of intricacies to effectively safeguard data, products, systems, and networks that are on premises, in the cloud, and hosted by third parties across their extended ecosystem.
  • Increasing sophistication: As attackers leverage AI and automation to enhance their strategies, organizations must adopt equally competent threat detection and response mechanisms to stay ahead.
  • AI and deepfakes: AI introduces new vulnerabilities and points of failure that must be carefully managed, including the startling advent of deepfakes.
  • Smart products: The proliferation of connected things, from automobiles to medical devices, continues to expand the attack surface, aligning physical and digital threats in unprecedented ways.

A role for each risk function

To effectively address the myriad of cyber threats, it is essential to adopt a multidisciplinary approach that involves collaboration across various risk functions. While the roles outlined below are not an exhaustive list of all risk-related functions, they represent the minimum set of stakeholders expected to collaborate in driving an integrated approach to cyber risk and resiliency. Each plays a critical part in safeguarding the organization and ensuring a cohesive, enterprise-wide response to evolving threats.

Cybersecurity executives

Cybersecurity executives lead the charge in cybersecurity strategy, implementing advanced threat detection and response mechanisms, and building a skilled and diverse cybersecurity team.

Technology risk managers

Technology risk managers assess and mitigate technology risks, ensure alignment with business objectives, and conduct regular risk assessments.

Enterprise risk leaders

Enterprise risk leaders identify and manage enterprise-wide risks, integrate operational and cybersecurity risks into broader risk management frameworks, and conduct scenario planning and stress testing.

Compliance officers

Compliance officers ensure adherence to regulatory requirements, conduct regular audits and assessments, and stay updated on regulatory changes.

Legal counsel

Legal counsel navigates legal and regulatory landscapes, provides guidance on data protection and privacy, and prepares for legal and regulatory challenges.

Internal auditors

Internal auditors conduct independent assessments of cybersecurity controls, providing assurance to the board and senior management.

While each role has its own responsibilities, they all contribute to strengthening the organization’s resilience. For example, CISOs run continuous controls monitoring programs, technology risk leaders retire outdated technologies, and compliance managers collaborate with legal counsel to close gaps in policies and controls. Together, these roles form a unified defense that is essential to maintaining security and resilience.

Actionable strategies for enhancing cyber resilience

With a collaborative framework established among the various risk and resilience leaders, what pragmatic actions can organizations take to continue bridging the gaps between cyber risk and resilience?

By embracing the following strategies, all risk professionals can work together to build a resilient cybersecurity posture that can better withstand and recover from today’s complex and evolving threats.

1. Consider an alternate operating model

Navigating the evolving cyber risks presented by existing and emerging threats demands different skill sets than any one function has provided in the past. For example, merging and/or fostering a tighter collaboration between IT, digital, and data teams that support core businesses will help embed greater security and resilience from the front to the back office.

2. Foster a strong culture over rigid rules

Cyber resilience in a volatile business landscape depends on more than just policies—it requires a strong, organization-wide risk culture. This means engaging multiple functions to address cybersecurity challenges collectively. While continuous training and upskilling of cybersecurity teams is essential, real impact comes when all employees understand their role in protecting digital assets. Empowering individuals to take ownership of cybersecurity fosters a proactive mindset that strengthens resilience far beyond what rules alone can achieve.

3. Make cyber part of the corporate strategy

Although cyberattacks are the #1 business risk and recognized as important to achieving an organization’s strategic pursuits, rarely are they deeply expressed as a part of the CEO’s corporate strategy. Connecting the cyber program to broad strategic plans ensures that security measures are aligned with organizational goals and objectives. It also sets the tone at the top, which then filters down to improve cohesive operations and enhance resilience.

4. Shift from data bloat to data moat

While organizations generate large volumes of cybersecurity data, it is not often used as a lever to protect against risks and ensure resilience. Developing a strategy and processes that turn security data into insights and actions will allow organizations to move out of reactive mode and start to address cyber threats before it’s too late.

5. Leverage automation and AI for threat detection

With a strong foundation in data, organizations can significantly enhance the efficiency and effectiveness of their cybersecurity defenses by using that data to power advanced AI and automation tools, which can help them prepare for and respond to threats with greater speed and confidence.

Final thoughts

By adopting a multidisciplinary approach that brings a range of stakeholders into one frame, implementing robust governance programs, and leveraging advanced technologies, organizations can enhance their cyber resilience in a challenging and evolving threat landscape. But to truly stay ahead of threats, risk and resilience leaders must work together—sharing data, aligning strategies, and enriching the automation of their processes. This kind of collaboration enables faster threat detection, more coordinated responses, and ultimately, a stronger, more adaptive defense posture.


Sources: [1] KPMG Risk & Resilience Survey (KPMG LLP, 2025); [2] Cyber considerations 2025 (KPMG International, 2025)

How KPMG can help


In today’s volatile risk environment, organizations face increasingly complex and evolving cyber threats that demand robust resilience strategies. KPMG offers wide-ranging cybersecurity and cyber resilience services designed to help organizations navigate these challenges, leveraging advanced technologies and deep industry experience across protection, detection, response, and recovery. Along with the broad range of KPMG risk services, we help businesses fortify their cybersecurity posture, withstand and recover from cyber incidents, align cybersecurity investments with business goals, and build trust and confidence among stakeholders.


Meet the team

Talk to us about protecting your assets and enabling secure and resilient growth in an increasingly unpredictable digital environment.

Prasanna Govindankutty, Principal, Advisory, Cyber Security Services, KPMG US
Michael Isensee, Partner, Advisory, KPMG US
