In our previous article, we asked the question “Is your data secure?” and looked at the role employees, C-level executives and technology can play in protecting an organisation’s sensitive data assets.
Today, we examine how chief information officers (CIOs) can prepare for today’s cybersecurity challenges.
Cybersecurity has long been a tough issue for CIOs to tackle. In today’s increasingly complex web of data, cloud-based tools and multitude of devices, however, those challenges have greatly intensified. This is according to the 2016 Harvey Nash/KPMG CIO Survey, The Creative CIO, in which more than 3,300 CIOs and technology leaders across 82 countries shared their views and experiences.
One startling finding from the survey was that only a fifth (22 per cent) of CIOs feel confident their organisation is very well prepared to identify and respond to cyber attacks, compared to nearly a third just two years earlier.
Why the confidence dive?
According to Greg Bell, the US Cyber leader at KPMG, CIOs have their eyes wide open about the increasing difficulty in keeping external malicious attackers out.
In fact, the Creative CIO survey found that 28 per cent of CIOs have had to respond to a major IT security threat or cyber attack in the past two years.
“It really speaks to the fact that CIOs are much more aware of the insidious nature of cyber attacks,” says Bell.
In addition, monitoring what we think of as IT infrastructure today is vastly more complicated than it was just a couple of years ago, now that on-premise data solutions account for only a relatively small subset of a company’s computing environment while a large component sits in the cloud.
“Visibility is much more challenging,” says Bell, who adds that a great deal of technology decision making is no longer aligned to its function process owner.
Human resources and marketing, for example, may make more decisions about purchasing and using information technology without involving the CIO, which in some cases may put the organisation at risk.
The Cybersecurity Plan: four critical elements
A holistic, comprehensive security management plan is absolutely critical in today’s world, says Bell.
“Every single question posed in the Harvey Nash/KPMG CIO survey has a cybersecurity implication to it,” he explains. The following are the four elements he considers critical to a successful cybersecurity plan:
1. Tie the security strategy to business priorities. A security strategy should not be predicated solely on technology or architecture; it should be just as closely connected to the overall business strategy and priorities, and to the need for business change. The IT organisation needs to be adaptive and agile in an age where there may be only days or weeks to react to the security implications of market forces.
“For example, the organisation might partner with another to deliver greater value to customers, but that might mean sharing data,” he explains. In another case, a company might expand globally, but there may be an issue with customer data in another country due to privacy issues or regulatory impacts. “Or, a Merger & Acquisition (M&A) might happen today that could shift security implications tomorrow,” he says.
2. Optimise and automate security operations. Just as with IT automation, security for larger-size companies needs to be increasingly automated, says Bell.
But today, the right security processes likely involve human beings taking a series of inputs, doing analysis and processing outputs. Still, that process needs to be optimised: “It might be about managing how you collect data from different sources to look for security trends, or how you modify our business response plan,” he explains.
3. Understand that it is a different world of cyber defense. CIOs need to step up their cyber defense game to play in today’s cybersecurity space, says Bell, including enhancing monitoring capabilities; getting more visibility on data being processed; monitoring on-premise networks and dealing with BYOD.
“You’re likely not using the company’s wide area network anymore but the public Internet, hopefully over VPN,” says Bell. “Your data is housed in multiple third-party jurisdictions, so you have to adapt and think differently and creatively.”
4. Plan for when an incident takes place. “It’s no longer a matter of whether you will succumb to a cybersecurity incident, but when,” says Bell. That requires maturity around plans to deal with that occurrence—thinking about the impact on the brand, customers and business partners.
“It’s a complicated, multifaceted area that goes beyond IT, so the CIO has to determine how to communicate and manage that response,” Bell explains.
The biggest challenge among the four elements?
Tying strategy to business priorities, says Bell. “There may be a holistic, detailed security strategy, but it might be defined around an IT architecture and not take into account the changes the business will face.” For most organisations, he explains, the security policy and control environment does not shift when changes such as an M&A or global expansion occur.
“Instead, the security strategy is defined as a project as opposed to being adaptive and nimble,” he says.
Cybersecurity will not get any easier
Unfortunately, CIOs will not be putting their feet up and relaxing anytime soon when it comes to dealing with cybersecurity. Instead, respondents to the 2016 Harvey Nash/KPMG CIO survey, the Creative CIO, described it as an “escalating challenge” complicated not by competitive hackers but by concerns about the actions of foreign powers.
Cybersecurity was a new operational priority listed in the CIO Survey, and 41 per cent of surveyed CIOs considered it a top one—ahead of core options such as driving revenue growth (40 per cent), managing operational risk and compliance (36 per cent) and improving time to market (26 per cent). In addition, one out of four IT leaders (27 per cent) report a shortage in security and resilience skills.
“Cybersecurity is really about a scaling arms war,” says Bell. “Attackers are getting better at hiding themselves, and effectively identifying them is difficult. So, IT organisations have to be right 100 per cent of the time with a complicated set of adversaries.”
That will require a CIO that does not simply have an “operational” mindset but a creative one—one that can deal with complex and targeted threats (such as spear phishing campaigns – where individuals or companies are tricked into divulging personal or confidential data for unauthorised use) in a holistic, transformative way.
KPMG can assist organisations apply appropriate information security measures to provide ongoing confidentiality, integrity, availability, and protection of their most sensitive data assets. We provide a full range of cybersecurity maturity assessments, cyber security strategy and business continuity management services. To obtain further information, please contact KPMG at 623-1081 ext. 4619 or firstname.lastname@example.org.