From enforcer to influencer - Shaping tomorrow's security team. KPMG International - assets.kpmg
From enforcer to influencer Shaping tomorrow’s security team. KPMG International home.kpmg/cyberinfluencer
Contents

Executive summary
1. Act like you belong in the C-suite
2. Broaden your horizons
3. Weave cyber security into the organizational DNA
4. Shape the future cyber security workforce
5. Embrace automation as the rising star
6. Brace for further disruption
7. Strengthen the cyber security ecosystem
Next steps
How can KPMG help?

© 2021 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved.
Executive summary

Enablers of digital transformation — the evolving role of cyber security

The former racing driver Mario Andretti famously said: “It’s amazing how many people think that brakes are for slowing the car down.” And he was right — brakes are for making the car go faster, safely. Which I feel perfectly sums up the role of cyber security in today’s organizations: to enable them to enjoy the fullest benefits of digital transformation, while managing the many risks.

COVID-19 has magnified both the opportunities and threats of digitization. Organizations have made incredible strides in remote working and collaboration for employees, as well as improving digital customer experience. But this has also reminded us that physical perimeters no longer exist. With increasing reliance on third parties, and the proliferation of Internet of Things (IoT) and other devices, cyber security now involves complex ecosystems with a dramatically increased threat potential.

In a marketplace where speed to market is essential, cyber security teams are now responsible for building trust and resilience, by forging a pragmatic security culture and helping embed secure by design thinking into every aspect of digital infrastructure and data. To do this, they must see themselves as enablers and facilitators, helping others deliver services and brands that deserve cyber trust among customers, employees and society at large.

To find out more about how cyber security roles are evolving, KPMG professionals spoke to a number of Chief Information Security Officers (CISOs) from major organizations, from a wide range of industries and regions, as well as to KPMG’s cyber security specialists from around the world. I would like to personally thank all those who contributed.

We have distilled insights from these thought leaders with the aim of providing pragmatic advice to help address the main challenges facing tomorrow’s security team.

Fred Rica
Principal, Cyber Security
KPMG in the US
Seven actions for CISOs

1. Act like you belong in the C-suite
CISOs must speak the language of the C-suite, building consensus, demonstrating pragmatism and navigating politics, to help leaders understand the cyber implications of their strategic choices. CISOs are also becoming public figures, serving as the face of the firm to help build trust and confidence.

2. Broaden horizons
CISOs’ responsibilities are broadening to include safeguarding data, dealing with disruptive events to maintain operational resilience, managing third parties, handling regulatory compliance, and helping to counter cyber-enabled financial crime. This demands they forge strong working relationships with other business leaders, including the Chief Risk Officer (CRO), the Chief Data Officer (CDO) and, of course, the Chief Information Officer (CIO).

3. Weave cyber security into the organizational DNA
Today’s CISOs should be sophisticated communicators, working with other business leaders to embed cyber security into the DNA of the organization. This involves integrating security into governance and management processes, education and awareness, plus establishing the right mix of corporate and personal incentives to do the right thing.

4. Shape the future cyber security workforce
CISOs will have to acquire capabilities from outside the organization, build new partnerships and look for unconventional and diverse talent. In future, we may even see the cyber function becoming far smaller, taking on a strategic and governance role, with cyber security being truly embedded into the business.

5. Embrace automation as the rising star
Automation can reduce the manual workload and ease skills shortages, bringing in greater efficiency and helping meet growing compliance requirements in a consistent and repeatable way. It can also help embed security and improve the user experience, as well as reduce the time to respond to a major cyber incident.

6. Brace for further disruption
We are heading towards a hyperconnected world in which the IoT and 5G networking will massively increase efficiency and enable radically different business models. But this also opens up organizations to new attack surfaces, and raises privacy concerns — demanding a shift to new, data-centric security models such as zero trust.

7. Strengthen the cyber security ecosystem
Organizations are now part of a complex ecosystem of suppliers and partners, tied together through shared data and shared services. Conventional contracts and liability models seem ill-suited to the rapidly evolving supply chain threat, calling for a new partnership approach that brings security to all parties and individuals.
Act like you belong in the C-suite

Gain more influence by aligning business and cyber security objectives.
Cyber security is now a common topic of boardroom debate. In the KPMG 2021 CEO Outlook Pulse Survey, cyber risk was ranked as the number one organizational threat by global CEOs, with data security taking a priority over all other technology investments.

Senior executives and non-executive directors have become all too aware of the impact of incidents such as data loss, ransomware and fraud, which can bring operations to a standstill and destroy revenue and reputation.

But they also face a dilemma: They want to rapidly digitize the business, but are starting to recognize that moving too fast, without considering security at the design stage, can also bring risks.

As companies become ever more dependent upon digital technology, every business decision has a cyber security dimension. The CISO’s priorities are shifting from firewalls and identity management to major strategic challenges like brand trust, product security, resilient operations, and robust supply chains.

More and more CISOs are getting a direct line to the CEO, but are they really prepared for such an elevated role? As the saying goes: “When you get to the end zone, act like you’ve been there before.” CISOs need to start thinking that they deserve to be members of the C-suite, focusing on problem-solving and becoming business enablers, with a stake in innovation, growth and revenue.

Speaking the language of business risk and opportunity

Addressing the challenge
In stepping up to a C-suite role, CISOs must acquire new skills and mindsets, to focus less on pure technology security and compliance, and more on broader business risks and opportunities.

Here to help the business and enable revenue
Today’s businesses must be fast to market, yet avoid releasing products and services with cyber vulnerabilities. There will always be occasions when CISOs need to apply the brakes, but, by getting involved at the earliest stage of new product development, they can embed security by design and reinvent themselves as business enablers who ultimately help the company go faster, more safely, preserving digital trust.

A common view of risk
In the words of Leon Chang, Head, Cyber Defence Group, IHiS, “CISOs that go to board meetings with ill-prepared technical presentations are setting themselves up to fail.” As risk advisors, CISOs should eschew technical detail and speak to the board on its terms, explaining the cyber threat landscape and associated risks to customers, growth, revenue, costs and brand. By using a common language for cyber and operational risk, which resonates with the board, they can frame a constructive debate on cyber security risk — and emphasize the need to embed cyber security in corporate strategy and major investment approvals.

“You need a strong CISO who can articulate the total landscape of risk. This requires a real understanding of the organization plus a technical understanding of the cyber landscape. The board discussion is about giving them the confidence that you’re managing risk and moving to a better place.”
Lisa Heneghan
Chief Digital Officer
KPMG in the UK
Working in the gray zone

The elevation of the CISO role into the C-suite is good news for everyone involved in cyber security, but CISOs must prove they’re up to the task. CISOs should articulate to the board and executives how cyber security plays into all decisions, to reduce risk and improve business outcomes — it’s not just about fear. Integrating into corporate strategy involves a more holistic approach to business, moving out of the technological comfort zone and becoming storytellers. CISOs should also avoid being reactively driven by regulatory compliance, and recognize the benefits of leading the security debate and anticipating the regulatory drivers.

Working in the gray zone of corporate politics may prove especially challenging for the many CISOs from technical backgrounds. Every organization will get hacked at some point, so the CISO has to demystify cyber security by explaining what an incident could cost the business, and the degree to which investment in cyber security can reduce risk and accelerate recovery. CISOs can bring unique perspectives and insights into the modus operandi of criminals or malicious attackers. Most mature organizations will have well-established enterprise risk management systems, and the CISO should seek to embed cyber security into these.

Managing expectations is another tricky balancing act. Sales and marketing executives want to swiftly launch and enhance new products and services, operations need to run 24/7, while customers expect their data to be secure. By working with CIOs and their DevOps teams, CISOs can help others become heroes, embedding cyber security and making full use of automation, enabling new revenue streams, keeping the lights on, and enhancing trust in the organization.

Investing in risk mitigation
According to Palo Alto Networks’ VP and CISO, EMEA, Greg Day, “If you can’t quantify and qualify the scope of the problem, in terms of threat to revenue, it’s hard to get the resources. So, I give my board three solutions: gold, silver and bronze. Gold mitigates a higher proportion of risks but requires a larger investment, and so on. Then the board can make a trade-off.”

Influencing rather than enforcing
Influence at board level can often be informal, a result of relationships forged with multiple stakeholders. In navigating the corporate jungle, CISOs need to gain trust, by attending meetings of finance, marketing, operations and other functions, to both learn about business risks and educate about cyber threats. CISOs can also bring compelling individuals in front of the board, from within and outside of the cyber team, with interesting outlooks and insights into risk, to articulate the importance of cyber security. In this new, C-suite world, it’s all about influence, as Greg Day, VP and CISO, Europe, Middle East and Africa, Palo Alto Networks, puts it: “A CISO is not a great CISO because of a huge budget and massive team. It’s because they’ve empowered the business around them to go ahead and be successful.”

“The real advantage of going to the cloud won’t come from cost savings, but from speed to market, innovation, scaling up the business faster… so we must focus on what we can do to enable the business to move faster, safely, securely and responsibly.”
Gary Harbison
VP and Global CISO
Bayer

KPMG thinks
“The objective of bringing a cyber person to the board is not to let others relax when the subject of cyber comes up, but to lift the understanding and capability of everyone else, which transforms the quality of C-suite discussion.”
Martin Tyley
Partner and Head of UK Cyber Security
KPMG in the UK
Broaden your horizons

Taking on wider responsibilities, formally or informally, calls for an open mind and an eye to the bigger picture.
Today’s organizations are composed of a mesh of third parties and individuals, plus thousands of IoT devices, all with varying degrees of access to data and systems. Remote working has added to this fragmentation, with a dispersed workforce operating from geographically dispersed home offices; a very different environment to the comfortable security of the corporate office block.

If a malicious attacker in one part of the world can shut down a factory or a port thousands of kilometers away, or bring down a global bank’s customer website, then cyber security must adapt to these threats. Abid Adam, Group Chief Risk and Compliance Officer, Axiata, emphasizes that “It’s about more than your own organization; the fabric of nations, of society at large, can be threatened and undermined if a large telco goes down for a couple of hours. We need to embed security by design and achieve broader resilience.”

All of which extends the CISO’s responsibilities to digital and operational resilience. Data has become the new oil, arguably more valuable than physical assets, as Maersk CISO Andy Powell comments: “We need to become a digital business — a digital business that moves boxes, rather than vice versa. The bigger markets come from customer-facing digital platforms.” But an ever-greater reliance on data puts additional pressure on CISOs to protect this precious resource.

Meanwhile, privacy regulation is growing into a complex web of transnational obligations, with regulations such as the General Data Protection Regulation (GDPR) in Europe setting requirements for how individuals’ personal information is handled well beyond that geography. Information leaks can impact a company’s reputation, lead to fines and other sanctions, requiring the CISO to work in partnership with the Chief Data Officer (CDO) and Chief Privacy Officer (CPO) to manage the risk of non-compliance.

It’s a similar story with resilience. The proposed European Digital Operational Resilience Act (DORA) will oblige financial services companies to demonstrate their ability to maintain resilient operations in the face of severe operational disruption.

Cyber security teams should focus on data and resilience issues. Embed the principles of privacy and culture of security, and they will be well placed to meet compliance obligations, now and in the future.

Developing new skills and networks

Addressing the challenge
As the scope of their role broadens, CISOs must consider how they work with other data and resilience executives, and how they adapt to their new responsibilities — formally or informally.

“As the pandemic demonstrated, resilience is a big topic — and CISOs and their teams should be involved in response planning and business continuity, to help ensure organizations can react and recover to cyber incidents, as part of a holistic, cohesive strategy.”
Hartaj Nijjar
Partner and Cyber Security Leader
KPMG in Canada
Embedding digital resilience

There is a confluence of the roles of CISO, Chief Risk Officer (CRO) and the Chief Security Officer. As cyber security matures, expect increasing technical security controls embedded into the CIO’s processes, with many CISOs taking on a more strategic role that fits less comfortably with their traditional reporting line to the CIO. Some of the CISOs KPMG professionals spoke to have taken on the emerging role of Chief Resilience Officer; this is a new corporate position that takes a holistic view of the organization’s resilience to all forms of stress or disruption, malicious or accidental. This resilience role brings together diverse disciplines such as business continuity, disaster recovery, information and physical security, alongside incident and crisis management.

Others regard this as a step too far, seeing the role as diluting the necessary focus on cyber security, with a combined role of CISO and Chief Resilience Officer being too demanding for a single individual. Emma Smith, Global Cyber Security Director, Vodafone, concurs with this approach, saying “The risk areas covered in security, privacy and resilience are broad. Leading the strategy and managing the operational aspects of all these functions can require different approaches and sometimes these areas may conflict. We believe there are business benefits from keeping the functions organizationally separate, strategically aligned and with true collaboration.”

Safeguarding data
As every business becomes a data business, the debate continues over the limits of personal data exploitation and privacy. Companies want to make the most of data, which means being free to mine and share information with third parties. But they also have to preserve data integrity and meet regulatory standards. In companies like Maersk, the CISO enjoys a close relationship with the Chief Data Officer (CDO), where the latter sets data standards and the CISO builds tools to help assure data, with the Chief Privacy Officer (CPO) or Data Protection Officer (DPO) helping assure regulatory compliance.

Combatting fraud and financial crime
CISOs can bring unique insights into the mind of the cybercriminal and the tactics they employ, as well as their own contacts and relationships with national cyber security, threat intelligence and law enforcement bodies. These skills and insights are vital to the fight against fraud, working closely with fraud prevention teams (another key partnership) to counter cyber-enabled crime.

“Resilience is about engaging in conversation about the business impact of an outage, and how we plan for these events. This becomes an interesting conversation, because redundancy costs money, so how much are you willing to invest and is this worth it to prevent downtime?”
Tammy Klotz
CISO, Covanta

“There are two points when you can try to solve a problem — before or after it occurs — and my job is to solve it before! Alongside this, we regularly look at worst-case scenarios and make an assessment of what the impact would be on our organization. We seek to always be prepared for extreme risks. Our approach is to assume that these events will happen and to ensure that SWIFT is as resilient as possible.”
Karel De Kneef
Chief Security Officer, SWIFT
Broad-minded and collaborative

With more on their plates, many CISOs are becoming collaborators, building symbiotic relationships with the CDO, CRO, CTO, CIO and others. But to make these relationships effective — and to take conversations out of silos — there should be defined responsibilities and a clear governance structure to avoid duplication, along with a willingness of all parties to recognize each other’s strengths and unique contribution to business success.

A broader role also calls for a broader mindset, to try to appreciate the full business impact of cyber incidents. CISOs are moving beyond protect and detect, to understand how to get the business back up and running quickly after a crisis — as well as helping the CEO preserve trust with customers, suppliers and regulators.

Whether they take on the role of Chief Resilience Officer, or work more closely with this person, they should adopt a pragmatic, business-minded approach while retaining their own integrity and professionalism. Many organizations possess huge amounts of new and legacy data; managing this requires extensive collaboration between the CISO, CDO, CTO and Chief Data Privacy Officer (CDPO), both to use data to drive growth, and to keep it secure and private.

This is especially the case for global companies in an increasingly fragmented regulatory landscape, with different jurisdictions applying strict rules on usage of data emanating within their borders or derived from their citizens. CISOs have a key part to play in helping to automate regulatory compliance, tailoring controls to different national requirements, and streamlining reporting. Of course, we can also expect to see a growth in the use of supervisory technology (suptech) by regulators too.

KPMG thinks
“Industries are being disrupted and CISOs must have a view of the changing ecosystem, or else face obsolescence. Telecoms, for instance, used to be about getting a phone connection; now there’s more concern over digital fraud from online banking apps. Cyber security professionals should adapt to these and other new challenges — like data and resilience — to take a high-level view of risks across the business.”
Leandro Antonio
Cyber Security and Privacy Leader and Partner
KPMG in Brazil
Weave cyber security into the organizational DNA

CISOs should embed cyber security into the business and make cyber everyone’s responsibility, so that it becomes not a conscious act but innate behavior.
How often do you hear about increased cyber security budgets immediately following an incident — signposting a move from constrained spend to an overnight demand for action and investment? But security shouldn’t be an event-driven, knee-jerk activity; it must permeate every part of the organization, from product design to customer service, supply chain to production.

Cyber security should be a key part of building trust and integral to corporate strategy — not an afterthought. It’s the same with DevOps, where developers tend to be incentivized on speed to market and not security, with inevitable consequences. In industries like construction and oil and gas, safety has become second nature. All the operations have embedded a safety culture, helping employees instinctively avoid incidents by encouraging, measuring, rewarding and publicizing responsible behavior. CISOs should follow a similar path, and perhaps even build on that culture in those industries where it already exists.

For cyber security teams, the new, subtler role of influencer may take some getting used to. CISOs themselves should think less in terms of security empires, and more about orchestrating a resilient, cyber-aware ethos where everyone is accountable for their contribution to corporate security.

Agents of change

Addressing the challenge
Embedding cyber security into the organizational DNA requires CISOs and their teams to become evangelists, to make security processes second nature and to change behavior, while also respecting the differing organizational cultures found in development teams.

Change starts at the top
CISOs must invest time building strong relationships at board level, articulating risk and explaining how cyber, when done right, can enable the business. Once the board and executives buy into the concept of implicit security, CISOs are in a stronger position to spread the message more widely, knowing that they have leadership support.

Forging a security culture
CISOs can exert influence by being visible, and giving individuals the knowledge and the power to practice good cyber security habits. This doesn’t just apply to employees, but also to any third parties handling data, such as contractors, suppliers and partners. As Covanta CISO Tammy Klotz explains, there’s nothing like building one-to-one relationships with key stakeholders: “It’s not rocket science. It’s about having a presence, having conversations, investing time in understanding the business operations you support and protect, to show you understand what’s most important. I call it ‘getting into the other person’s movie’. My entire first year in this job was about building relationships. You can’t do Operational Technology (OT) security without visiting a facility and getting your hands dirty.”

“If you haven’t considered cyber security as part of your conceptual product discussions, you’re probably too late.”
Dani Michaux
EMA Region Cyber Security Leader and Partner
KPMG in Ireland
From DevOps to DevSecOps
Development teams remain reluctant to integrate cyber security, fearing it will slow down their efforts and seeing it as a corporate overhead. In some organizations, CISOs fund cyber security specialist roles within DevOps teams as a free resource, to work to integrate security into products, using a standard approach. By doing this, the CISO enables rather than dictates, and creates development evangelists respected by their peers who can show how security practices are embedded into development pipelines.

Donating cyber skills
Vodafone is using a DevSecOps model, getting involved in product and service design and development. They want to empower development teams by appointing a security champion, providing training, tools and where possible reusable code. American Express has a similar philosophy, as Michael Papay, Executive VP, Enterprise IT Risk and Information Security, explains: “We embed specialized resources across functional areas to drive awareness and swiftly address information security and risk issues. These people understand the business challenges and apply a security lens to ensure the most effective response. This model also serves the dual benefit of creating a best practices feedback loop.”

Gamification
Particularly relevant for product developers in DevOps teams, gamification is a great way to enthuse and engage people on the importance of cyber security. It lets developers integrate security within their daily jobs, with the ultimate reward of a faster release into the market. Other events like ‘Capture the Flag’ games can help to upskill the DevOps team and build closer relationships.

Cracking Operational Technology (OT) security
Security is not just about servers and laptops, now that computers have become ubiquitous. Today’s industrial environments are heavily dependent upon software, hardware and IoT. However, the culture of managing OT can be very different, an engineering mindset, a focus on availability and safety, and a strict approach to managing downtime. In championing OT security, it’s important to get into the heads of engineers, understand their objectives, win their confidence, and demonstrate that threats are real. Cyber professionals can then develop pragmatic solutions reflecting the reality of legacy systems, complex vendor landscapes and the need for 24/7 availability.

Incentivizing common good
Axiata is just one company that opts for what they call a ‘Collective Brain’ approach, as Abid Adam, Group Chief Risk and Compliance Officer, says: “We incentivized the different operating companies to work properly together and drive consistency. We restructured KPIs and remuneration, which meant they all had skin in the game. They were then tasked to come up with solutions that solved not only their problems, but the problems of other operating companies — and aligned with their business too.”

Segregating OT risk
With many research and manufacturing sites around the world, GSK is engaged in a multi-year program to gain an enterprise view of risk. Although each site has its own responsibility for OT upgrades, the central cyber security function will have the capability to contain the risk to one location in event of an attack.

“Our role has shifted from security awareness to behavior management. This means fostering better digital citizens, with phishing exercises, gamification and other methods to change behavior and understand the importance of information security wherever you are.”
Jim Nelms
CISO, LabCorp
The new hybrid world of home and conventional office-based working brings multiple threats, often from unaware family members using the same networks. Every employee should be taught to treat the home as an extension of the workplace and become ‘CISO of their own house’. The most successful awareness campaigns make it personal and educate employees on protecting themselves and their families, not just the company. It’s also important to recognize the demographics of the workforce. Different age groups have very different views on data security and privacy, which will influence the messaging on cyber security.

CISO as a broker, integrator, orchestrator

There’s more than one way to embed security. Some favor a hub-and-spoke model, with a smaller, core security team that performs security operations, with security professionals embedded into lines of business — or ‘donated’. In such a structure, the cyber security function becomes a broker, integrator, orchestrator; a big leap for technically minded security professionals accustomed to enforcing from the comfort of their desks. Automation will make the task easier, taking everyday manual checks out of the hands of busy workers.

KPMG thinks

People are often called the weakest link in cyber security. But actually, they can be critical to cyber security if they are well educated, supported and incentivized to make the right decisions, and understand how their actions impact the security of customers, operations, intellectual property, money, and reputation. By acting as a kind of ‘Chief Cyber Security Marketing Officer’, CISOs can foster a true security culture, constructing an effective cyber brand that’s aligned with the organization’s mission and values.

The nature of the cyber threat is subtle, sophisticated and constantly evolving, which calls for learning techniques based upon social cognitive theory, to make security second nature, and enable employees to look out for and recognize hackers and criminals. This is especially so when combatting fraud and financial crime, where everybody involved in the customer journey should be fully connected and committed to protecting customers’ data and money.

“With organizations digitizing at warp speed, we need to embed security in every process of developing solutions and products, so that people think about security before transforming and as they transform digitally.”
Leah Gregorio, Managing Director, Cyber Security, KPMG in the US
Shape the future cyber security workforce

A combination of outsourcing, gig workers and automation will transform the way that capabilities are accessed.
Cyber security faces a critical skills gap across a wide range of areas, including cloud security, OT security, data science and analytics, security architecture and engineering, and attack simulation. The war for talent is made even tougher due to high demand for many of the same capabilities across IT, pushing up salaries and increasing attrition. The average CISO’s tenure has been estimated by Forrester at just over two and a half years for UK CISOs and just over four years for US CISOs,1 and many are well aware of their market value and increasing demands (not least from regulatory obligations) leading to stress and burn-out. Another challenge for busy CISOs is acquiring the ‘soft’ skills necessary to forge relationships and influence behavior, as they and their teams become cyber evangelists.

Consequently, there are moves to professionalize cyber security, and to formalize qualifications and career paths in this youngest and most dynamic of occupations. Looking further ahead, new roles are evolving that may not even exist today, such as resilience strategist, cyber risk modeler, orchestration manager, behavioral analyst, and AI ethicist. Vendor management has also taken on greater relevance, with the surge in outsourcing and third party partnerships — especially for cloud-based services, where cyber teams must share responsibility for security — so perhaps an ecosystem security architect too.

“Cyber may in future operate with a small core team and many subcontractors and gig economy workers, tapping into a global pool of resources, which could help resolve some of our talent challenges. But we need to know that people are trustworthy. I envision a kind of ‘trust ring’ being built around people, who are vetted by other trustworthy people.”
Fred Rica, Principal, Cyber Security, KPMG in the US

“My role as a leader and manager of people must focus even more on mental health and wellbeing. Cyber security professionals are expected to prevent or stop any incident, but we all know that’s not possible — it’s asking too much. If you ask a CISO about their expectations for an incident, they’ll likely say ‘we’ll get sacked.’ This is unhealthy and must change, which means focusing heavily on pastoral care of my team. I’m incredibly strong on this.”
Darren Kane, Chief Security Officer, NBN Co, Australia

1 UK CISO Career Paths, Forrester Research, Inc., March 24, 2021.
In shaping the future cyber security workforce, CISOs will have to consider how to access both existing and new capabilities needed to stay on top of emerging threats, rebalancing the skills within their organizations to meet the changing demand.

Bridging the cyber skills gap

Addressing the challenge

Whether hiring, retraining or outsourcing, the CISOs KPMG professionals spoke with have some innovative ideas on how to possibly address the skills shortage.

Harnessing automation

Automation will play a vital role in the cyber workplace, as Joanna Burkey, CISO, HP acknowledges: “The cyber industry has deep structural challenges. We can’t keep up with the pace of technology change from a skills perspective, we can’t get enough talent in, and never will, and we can never assume 100 percent retention at any time. It’s not possible to keep up with the pace of technology change without embracing automation.”

Maintaining the pace

Automation is vital for low-value activities like connecting with ticketing systems and automating workflow. Global Cyber Security Director Emma Smith says: “Automation helps increase efficiency and retain interest for analysts. Addressing root cause issues is essential to keep improving and learning, so we don’t keep dealing with the same issues.”

[Figure: Are these the cyber security roles of the future? Resilience strategist; Cyber risk modeler; Orchestration manager; Behavioral analyst; Attack simulator; Ecosystem security architect; AI overseer.]
Re-emergence of deep technical skills

The trend for cyber security generalists appears to have declined, with a new demand for and appreciation of people with strong technical capabilities, as Emma Smith, Global Cyber Security Director, Vodafone, notes: “Technical expertise, rewarding engineers and technical skills, creating a new model for building career paths, are fundamental to our strategy. I think organizations now realize the importance of both leadership and technical skills in cyber security teams.”

Reskilling

Retraining existing cyber professionals is costly and takes time. GSK SVP and CISO Matthew McCormack observes that: “Reskilling is a challenge. To use a motoring analogy: Motorbike mechanics can’t become Tesla mechanics overnight!” As technology transformation puts pressure on existing capabilities, it’s likely to take 2–3 years to upskill the current workforce, to cope with the shift from on-premises and access protection to cloud, mobile, IoT and big data.

Looking outside the profession

CISOs can bring in people with in-demand skillsets like data analytics, risk management and cloud as core technical disciplines before ‘converting’ these individuals into well-rounded cyber professionals. They don’t have to be cyber experts: what’s more important is that they understand the business and are willing to learn. Such a move would help overcome the lack of diversity in cyber security, encouraging new skills, backgrounds, perspectives and opinions to look at the same problem from multiple angles. Decrypting Diversity, a 2020 KPMG in the UK/National Cyber Security Centre UK paper, surveyed diversity and inclusion in cyber security. Of those experiencing career barriers, 32 percent said it was due to gender discrimination, and 22 percent cited race, ethnic, social background or regional discrimination.

“There’s less of a skills gap than a diversity gap. A team with diverse skills, backgrounds, opinions and perspectives will give us better answers.”
Leon Chang, Head of Cyber Defence Group, IHiS
Collaborating to expand the talent pool

Forming partnerships with universities and colleges and investing in young talent has the dual benefit of training individuals and fostering loyalty. YPF CISO Brian O’Durnin feels that “By offering apprenticeship schemes and university places in regions with high unemployment and an underprivileged population, we’ll contribute to the profession in general. Even if some of these people don’t end up working for us, we’ll be contributing to the ecosystem of cyber security and making the world a little safer.”

Outsourcing

The trend towards outsourced labor is only likely to accelerate, with CISOs in some cases looking to lower-cost locations, as remote working rises in popularity. The gig economy is also likely to increase, with cyber security professionals seeking greater flexibility over where and when they work; a trend reinforced by the shift to remote working during COVID-19.

From ‘doer’ to enabler

With automation taking over the bulk of transactional tasks, the cyber workforce is transitioning from ‘doer’ to ‘enabler’, focusing on new product development, operational productivity and resilience, and larger, strategic cyber initiatives. However, it will take time to get this partnership between human and machine right.

A key question for CISOs will be ‘What skills do I need to retain in-house?’, to establish a core that lets the organization govern its security, set strategic direction, make tough and informed choices on risk, and manage incidents and crises. Beyond this core will be a complex tapestry of sourcing strategies and relationships with outsourced and co-sourced suppliers, who provide the scale and specialist skills needed for security operations, as part of the shift to a shared responsibility model. Increasing regulatory expectations around the role and competence of CISOs and their teams will also impact roles and responsibilities.

And, while it’s vital to attract talent from peripheral industries into cyber security, it’s also helpful to encourage cyber practitioners to move in the opposite direction. Not only will this enhance career prospects, it can also spread awareness of the value of cyber in other functions and integrate cyber security more deeply into every employee’s thinking, until it becomes second nature. For instance, cloud engineering and legacy IT teams are swapping people to add greater rigor and security to the former and pace to the latter. This type of cross-fertilization extends to diversity and inclusion, as well as neurodiversity, which can bring huge benefits in terms of creativity. Cyber could also do more to embrace new workforce initiatives like returning parents, late career employees and retirees, all of whom can add to the skills base.

KPMG thinks

To shape a dynamic 21st century workforce, CISOs must constantly assess what capabilities they need, and then source these skills from within and outside the organization — using a hybrid model of permanent hires, temporary workers and contract models. Increasingly, we are likely to see CISOs outsource some of their operations. This may be to specialist providers that can scale up and down at ease; professional services companies offering transformation support and strategic advice; and niche service providers and contractors. And, as organizations continue to migrate to the cloud en masse, CISOs will look to cloud service providers for a growing range of security activities.

“The good news for cyber security professionals is that they’re becoming more important and more visible, with their roles encompassing a wider range of challenges like collaboration tools and transformation, giving them a chance to expand their commercial and strategic skills and build richer careers.”
Lisa Heneghan, Chief Digital Officer, KPMG in the UK
Embrace automation as the rising star

Bringing a host of efficiency and workforce benefits.
Automation has huge potential for the cyber security industry. According to global research group Research for Markets, the worldwide security, orchestration, automation and response market will be worth almost US$19 billion by 2025.2 By taking on tasks that previously required human intervention, automation can reduce the workload, increase efficiency, improve consistency, accelerate responses and help provide comprehensive decision support to security professionals.

As data volumes continue to increase, automation is becoming a must-have for any cyber security team. Whether monitoring intrusion detection systems, onboarding employees or third parties, responding to incidents or checking for compliance, automation reduces errors, giving you more assurance and freeing up cyber professionals.

Fulfilling automation’s huge potential

Addressing the challenge

Automation can have a significant and positive impact on the effectiveness of CISOs and their teams.

Overcoming the talent gap

In common with other professions, automation eases the workload for cyber security specialists in a number of ways, as Gary Harbison, CISO of Bayer, explains: “Automation is a big opportunity to reduce manual work. Rather than pulling data, your engineers are freed up to analyze the data. An incident should trigger automated data gathering, enabling engineers to assess data and size up the risk. With a greater focus on expertise and driving value, cyber jobs become more interesting, which can help attract more people into the profession.”

Another useful application is chatbots for security queries — especially helpful for third party security. Getting swift answers enhances the employee and user experience, and can help improve cyber security by spreading best practice. Onboarding new employees can also be streamlined, to automatically provide appropriate levels of access to systems and resources — once again freeing up resources.

Embedding cyber security into the organization

The relationship between cyber security professionals and developers can be fraught; the latter want to innovate and get new products out quickly, while the former aim to reduce vulnerabilities. HP’s CISO, Joanna Burkey, feels that automation can align objectives and help cyber security teams adapt: “We must understand how they work and avoid being prescriptive. The development community is not typically unified, so automation helps us fit in, encouraging them to incorporate tools in a secure way.”

Enhancing overall cyber security

Automation reduces human error and guides cyber professionals on sources of risk, acting as a radar to emerging threats. This should help to protect sensitive personal and private data and, when linked with Security Orchestration, Automation, and Response (SOAR) and a ticketing workflow, lead to faster responses to actual or potential incidents. Attackers are increasingly using automation, and cyber security teams need the same pace of data gathering and analysis to counter such threats.

“I expect the role of SecOps to be almost entirely automated away. The cyber security team should design SecOps, and then manage outcomes and exceptions from SecOps — activity should be automated and repeatable.”
Matt O’Keefe, Asia Pacific Region Cyber Security Leader and Partner, KPMG Australia

2 Security, Orchestration, Automation, & Response Market Research Report, Research for Markets (360iResearch), 2021.
When introducing automation across operational technology, safety becomes paramount. Maersk is a major global integrated shipping company that operates several ports around the world. CISO Andy Powell explains his approach: “We started cautiously with automation on one pier in one port and had to prove that we could ‘fail safely’ from a cyber attack. Once this was achieved, we were able to build a template for automation safety and expand across other operations.”

Enhanced decision-making

Axiata is investing in automation to boost data analysis, ultimately hoping to automate much of its decision-making, as Group Chief Risk and Compliance Officer Abid Adam explains: “You can’t be an innovative company if you don’t innovate yourself. We must be automated and digitized and I’m challenging my team to work on data governance models and improve how we collect and analyze data and build analytical models.”

Keeping regulators happy

Regulatory demands can be a major challenge, with global companies facing different regimes from multiple countries and territories. Managing this privacy landscape calls for fast, efficient data gathering, and automation can play an increasing role in continuous controls monitoring.

Re-shaping the cyber team

KPMG thinks

The rapid growth of automation comes from a low base, as CISOs everywhere figure out how best to exploit this nascent technology. Its potential is enormous and continues to grow. With demands on the security team increasing as it takes on a more strategic role in the organization, the ever expanding and complicating ecosystem, not to mention the evolving regulatory landscape — it is critical that the sector takes advantage of technology automation.

Use areas include: low-level activities, linking SOAR to workflows and ticketing; bots to take over traditional customer service tasks; and automated provisioning and de-provisioning of accesses to resources. In this way, automation can target three of the most labor-intensive areas of the classic cyber security function.

Automating security can help to shape the future of the entire cyber team, as it makes it easier to identify and report any gaps with consistent metrics, which in turn helps CISOs allocate investment.

In a complex regulatory compliance landscape, automation enables a ‘test once, comply many’ approach, with automated controls producing automated reporting, and rapid notifications for the regulator.

However, when integrating security into DevOps, especially in the cloud, there’s currently no definitive guide, so cyber is a little behind the game. Cloud does provide the capability to embed controls in a consistent way, so CISOs and their teams must figure out exactly how to automate — and what tools are needed.

“With automated controls, we are not doing the manual surveillance, so behaviors must now be the trigger — which means investing more in the analytics of behavior, both internally and amongst customers and suppliers, to avoid insider threats.”
Sharon Barber, CISO, Lloyds Bank