Harvey Nash/KPMG 2017 CIO Survey Part 2: Managing Cyber Risk — How to Move From Aware to Prepared

BrandPost By IDG Contributing Editor
Oct 26, 2017
IT Leadership



‘I think the gap between preparedness for those organizations is going to be the same, if not a bit of a backstep, given how fast the technology and the threat landscapes are changing.’

– Tony Buffomante, U.S. Lead, KPMG Cyber Security Services

Cyber risk is on everyone’s mind in today’s IT organization. However, according to the latest Harvey Nash/KPMG 2017 CIO survey, this heightened state of awareness is not translating into preparedness, which remains stubbornly low. 

Only one in five IT leaders (21%) report being “very well” positioned to identify and deal with a current or near-future cyber attack. This is down 4% from last year, and down 28% in the past four years. Furthermore, almost a third of respondents (32%) reported that their organization had been subject to a major IT security incident or cyber attack during the past 24 months, representing a 14% increase compared with the previous year, and up 45% in the last four years. Awareness is simply not enough at this stage of the game.

These statistics are not surprising, says Tony Buffomante, a Principal at KPMG and the U.S. Lead for the firm’s Cyber Security Services practice. “What I’ve seen with clients across the board is that IT leaders are dealing and struggling with the pace of change,” he explains. “Preparedness is a moving target, especially given the evolving priorities of the business, and how fast the technology and cyber threat landscapes change. Organizations that are still in the relatively early stages of maturing cyber risk programs are in a bit of catch-up mode.”

The challenge, he explains, is that while companies may implement strong cyber risk management techniques — foundational items like identity and access management; locking down privileged users; building on security awareness and filtering out malware or bad code from emails — the pace of change in the business and in technology continues to move faster than they have seen before.

“There are so many things the business is trying to do, including implementing intelligent automation such as Robotic Process Automation (RPA) and cognitive automation and enabling the business around more self-service and cloud platforms, all while trying to keep up with an evolving threat landscape,” he says. “The pace of how rapidly the business demands implementation of those new solutions causes quite an issue when you’re trying to get to market fast, while performing appropriate due diligence over cyber risks and considerations.”

Three Ways to Prepare to Manage Cyber Risk

  1. Make sure IT is more integrated with the business than ever before.

IT should not just support the business by being “order takers” for new technology required to satisfy new products, services, and M&A activity. Instead, leaders should be at the table for strategic conversations. “They need to be able to proactively communicate the best way to do things, not just from a functionality standpoint, but from a security standpoint as well,” says Buffomante. “This has the potential to also lead to a competitive advantage for the organization by embedding cyber discipline into their business transformation efforts.”

  2. Embed cyber thinking into rapid application development.

Once there is a level of dialogue about critical assets the business is trying to protect, it is easier to integrate security at the front end of development in a rapid Development and Operations (DevOps) cycle, adds Buffomante. It is critical, he explains, to have sound thinking around integrating security architecture resources, for example, or cross-training teams in security principles. “Until we roll up our sleeves and integrate that cyber thinking and architecture into the DevOps cycle, these transformation projects will be nothing more than awareness, not execution,” he says.

  3. Implement a strong monitoring program with a sound governance model.

IT organizations need to not only detect bad actors and activity, but learn from those instances to detect evolving threats. Without a framework for continuous monitoring and integration into the next round of business transformation and daily operations, cyber risk management tends to falter after a single project. Too often the organization lacks a sound governance model that matches up what has been learned with changes in the business priorities, regulatory changes, and the cyber threat landscape. “There needs to be an early dialogue about how to leverage and invest scarce resources in IT and security,” says Buffomante. “If you can embed architecture and cyber thinking into the DevOps cycle, monitor the threat landscape and match that up with the rest of the business from a governance model, you can drive sustainability.”

Who will move ahead of the competition in cyber risk management?

For some organizations, changing the mindset around driving innovation and customer service, while embedding cyber security concepts into a risk management structure, is a big hurdle to overcome. In addition, a skills shortage may keep IT from executing on its cyber risk management promise. “In order to embed architectural and cyber risk into the DevOps cycle, you have to find not just the right technology skills depth, but also individuals who can speak the language of the business,” says Buffomante.

For CIOs, it is a push and pull, he explains, between how to drive faster from a business standpoint — reducing downtime, for example — and taking the time to take systems offline to protect them from vulnerabilities. “Finding that right balance and being able to creatively execute upgrades, improvements and enhancements while still maintaining good IT hygiene with testing, patching and implementation is key,” he says.

Over the next year, some industry sectors will be able to invest more heavily in cyber risk management, given the strength of the businesses and their strategic priorities. Some companies can leverage lessons learned in securing their enterprise more efficiently by also building security into the products they sell, providing a competitive advantage as they market those items. For these organizations, there is a natural crossover of the investment, knowledge and mindsets into their corporate environments, says Buffomante: “I see those pushing fast and improving maturity in a big way.”

However, those that use the traditional roadmap of improving programs over time may be left behind. “Quite frankly, I think the gap between preparedness for those organizations is going to be the same, if not a bit of a backstep, given how fast the technology and the threat landscapes are changing,” he says.

To learn more about KPMG’s cyber security and risk management and explore the latest insights, visit KPMG’s Cyber Security Services webpage.