Cybersecurity has long been a tough issue for CIOs to tackle. In today’s increasingly complex web of data and cloud-based tools and BYOD, however, those challenges have greatly intensified, according to the 2016 Harvey Nash/KPMG CIO Survey, the Creative CIO. One startling finding from the new survey was that only a fifth (22 percent) of CIOs feel confident their organization is very well prepared to identify and respond to cyber-attacks, compared to nearly a third in 2014.
Why the two-year confidence dive? According to Greg Bell, US Cyber Leader at KPMG, CIOs have their eyes wide open about the increasing difficulty of keeping external malicious attackers out. In fact, the Creative CIO survey found that 28 percent of CIOs have had to respond to a major IT security threat or cyber attack in the past two years.
“It really speaks to the fact that CIOs are much more aware of the insidious nature of cyber attacks,” says Bell.
In addition, monitoring what we think of as IT infrastructure today is vastly more complicated than just a couple of years ago — on-premise data solutions account for only a relatively small subset of a company’s compute environment, while a large component is in the cloud. “Visibility is much more challenging,” says Bell, who adds that a great deal of technology decision-making is no longer aligned to its function process owner. HR and marketing, for example, may make more decisions about purchasing and use of technology without involving the CIO, which in some cases may put the organization at risk.
The Cybersecurity Plan: Four Critical Elements
A holistic, comprehensive security management plan is absolutely critical in today’s world, says Bell. “Every single question posted in the Harvey Nash/KPMG CIO survey has a cybersecurity implication to it,” he explains. The following are four elements he considers critical to a successful cybersecurity plan:
1. Tie a security strategy to business priorities. A security strategy should not be predicated solely on IT technology or architecture, says Bell, but should be just as connected to the overall business strategy and priorities, as well as the need for business change. The IT organization needs to be adaptive and agile in an age where there may be only days or weeks to react to the security implications of market forces. “For example, the organization might partner with another to deliver greater value to customers, but that might mean sharing data,” he explains. In another case, a company might expand globally, but there may be an issue with customer data in another country due to privacy issues or regulatory impacts. “Or, an M&A might happen today that could shift security implications tomorrow,” he says.
2. Optimize and automate security operations. Just as with IT automation, security for larger-size companies needs to be increasingly automated, says Bell. But today, the right security processes likely involve human beings taking a series of inputs, doing analysis and processing outputs. Still, that process needs to be optimized: “It might be about managing how you collect data from different sources to look for security trends, or how you modify our business response plan,” he explains.
3. Understand that it’s a different world of cyber defense. CIOs need to step up their cyber defense game to play in today’s cybersecurity space, says Bell — including enhancing monitoring capabilities; getting more visibility on data being processed; monitoring on-premise networks and dealing with BYOD. “You’re likely not using WLAN anymore but the public internet, hopefully over VPN,” says Bell. “Your data is housed in multiple third party islands, so you have to adapt and think differently and creatively.”
4. Plan for when an incident takes place. “It’s no longer a matter of whether you will succumb to a cybersecurity incident, but when,” says Bell. That requires maturity around plans to deal with that occurrence — thinking about the impact on the brand, customers and business partners. “It’s a complicated, multifaceted area that goes beyond IT, so the CIO has to determine how to communicate and manage that response,” Bell explains.
The biggest challenge among the four elements? Tying strategy to business priorities, says Bell. “There may be a holistic, detailed security strategy, but it might be defined around an IT architecture and not taking into account the changes the business will face.” For most organizations, he explains, the security policy and control environment do not shift when changes such as an M&A or global expansion occur. “Instead, the security strategy is defined as a project as opposed to being adaptive and nimble,” he says.
Cybersecurity Won’t Get Any Easier
Unfortunately, CIOs won’t be putting their feet up and relaxing anytime soon when it comes to dealing with cybersecurity. Instead, respondents to the 2016 Harvey Nash/KPMG CIO survey, the Creative CIO, described it as an “escalating challenge” complicated not by competitive hackers but by concerns about the actions of foreign powers.
Cybersecurity was a new operational priority listed in this year’s CIO Survey, and 41 percent of surveyed CIOs considered it a top one — ahead of core options such as driving revenue growth (40 percent), managing operational risk and compliance (36 percent) and improving time to market (26 percent). In addition, one out of four IT leaders (27 percent) report a shortage in security and resilience skills.
“Cybersecurity is really about a scaling arms war,” says Bell. “Attackers are getting better at hiding themselves and effectively identifying them is difficult. So, IT organizations have to be right 100 percent of the time with a complicated set of adversaries.” That will require a CIO who doesn’t simply have an “operational” mindset but a creative one — one who can deal with complex and targeted threats (such as spear phishing campaigns) in a holistic, transformative way.