Cybersecurity considerations 2023
The golden thread

Foreword
Tuteja, Global Cyber Security Leader, KPMG International

Our future is dependent on data and digital infrastructure. The COVID-19 pandemic accelerated our shift to digital channels and brought these issues into sharp focus. As global economies and supply chains were disrupted, organizations had to rethink their dependencies on goods, services and the digital infrastructure that underpins them.

Breakthrough technologies are expected to shape that future: artificial intelligence, blockchain, biometrics, hyperconnected systems and virtual reality, to name just a few. All can pose new security, privacy and ethical challenges and raise fundamental questions about our trust in digital systems. Consensus on tackling those issues can be hard to arrive at given diverse national and cultural views; nonetheless, this is the environment in which global commerce needs to thrive, and we need to address concerns now as we innovate, not retrospectively when it is too late.

The list of industries we consider systemically important is also changing. In the past, we focused on utilities, telecommunications and financial services. Now we have a complex tapestry of public-private partnerships, connected ecosystems and information infrastructures. One look at financial markets shows a hyperconnected world of financial institutions, market infrastructure, data and managed service providers, all of whom are now systemically important. As the degree of interconnectedness and dependency increases, so does the interest from those looking to attack and exploit those infrastructures.

With these changes comes a global drive toward greater cybersecurity regulation. This increases concern among organizations over the growing burden of regulation and the diversity of reporting requirements. As a result, businesses are putting more and more emphasis on embedding privacy and security into how they operate, both in response to the changing threats and the need to comply with trans-border regulatory requirements.

Cybersecurity should be integral to every business line, function, product and service. Organizations must aim to ensure that cybersecurity is ubiquitous across the digital enterprise and woven into strategy, development and operations across the board. As Lisa Heneghan, Chief Global Digital Officer, KPMG International, says:

“Organizations need to start thinking about cybersecurity as the golden thread that runs throughout their organization. It should be put at the heart of business and used as a foundation to build digital trust. But the Chief Information Security Officer (CISO) and their teams cannot do this alone; it should be the responsibility of everyone. This isn't easy: first, people should understand how it relates to them, and then you must think about how you can integrate security into existing processes. Treating every business function as a customer and designing security controls with experience in mind can encourage responsible and secure behaviors and can benefit the business hugely.”

CISOs will likely also play a major role in activating and shaping a broader dialogue around the resilience of business to digital disruption, helping companies better understand the evolving nature of the assets and digital services companies need to protect, and providing the basis for trust in those systems.

The report explores the actions CISOs specifically, and the broader business generally, can take in the year ahead to demonstrate to boards and senior management that digital trust can and should be a competitive advantage. See page 22 for specific people, process, data/technology and regulatory recommendations.

© 2023 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved.

Eight key cybersecurity considerations for 2023
Click on each consideration to learn more.

01 Digital trust: A shared responsibility. Are organizations thinking broadly enough about how to protect the interests of employees, customers, suppliers and partners?
02 Unobtrusive security drives secure behaviors. How do security teams effectively integrate security into business processes, agile development programs and disparate operating models?
03 Securing a perimeter-less and data-centric future. With the security perimeter all but gone, how can organizations pragmatically and realistically transition to a zero trust approach that protects every aspect of their ecosystem?
04 New partnerships, new models. How can organizations keep security, privacy and resilience at the forefront in an environment where outsourcing and managed services are a growing priority?
05 Trust in automation. What can organizations do to help ensure robotic process automation (RPA), machine learning (ML) and other forms of artificial intelligence (AI) are implemented and managed effectively, sensibly and securely?
06 Securing a smart world. What are the implications for security and privacy teams as companies shift toward a smart, hyperconnected product mindset?
07 Countering agile adversaries. How can security teams keep up with the pace of the changing threat landscape and the increasingly aggressive tactics of attackers?
08 Be resilient when and where it matters. Why is it important to think beyond response and proactively plan for recovery?

Consideration 1
Digital trust: A shared responsibility

“Digital trust covers so many topics that touch every aspect of an organization and is inherently linked to corporate strategy, not just because it can create a competitive advantage, but because it is simply the right thing to do for the broader industry and society.”
John Anyanwu, Partner, Cyber Security Services, KPMG in Nigeria

Digital trust is finding its way onto Board agendas as privacy, security and ethics debates gain momentum, driven partly by regulation and partly by public opinion. The future success of any digitally enabled business is built on digital trust; cybersecurity and privacy are vital foundations for that trust. CISOs must be prepared to help the Board and C-suite create and maintain the trust of their stakeholders if they are to create a competitive advantage. Realizing this potential requires a collective commitment from all stakeholders.

Globalization has made the world borderless and interconnected, a reality made only too evident by the disruption to global supply chains brought on by the pandemic. To create lasting relationships with customers (whether B2B or B2C), organizations must establish and maintain digital trust.

Value and trust
Trust is key to success and is not just about reputation. Boosting trust can create competitive advantage and can add to the bottom line.
- More than 1/3 of organizations recognize that increased trust leads to improved profitability.
- But 65% report that information security requirements are shaped by compliance needs rather than long-term strategic ambitions.
- 49% believe that the Board of Directors sees security as a necessary cost rather than a way to gain competitive advantage.
- 65% of executives continue to view information security as a risk reduction activity rather than a business enabler.
Source: KPMG Cyber trust insights 2022.

Businesses are starting to care
Growing numbers of senior leaders recognize the benefits of digital trust, with 37 percent seeing improved profitability as the top commercial advantage of increased trust.[1] Digital trust encompasses a wide range of disciplines. Cybersecurity is a major part of that broad spectrum of closely linked digital trust-related issues: reliability, safety, privacy and transparency. These areas impact how companies conduct business and pursue values; the products and services provided; the technology used; how data is collected and used; and how to protect the interests of customers, employees, suppliers and all other third-party partners and stakeholders.

By contrast, 65 percent continue to view information security as a risk reduction activity rather than a business enabler.[2] Many organizations still view cybersecurity primarily as a cost and not necessarily as an investment in the future, which is misguided. CISOs should embrace the concept of digital trust and demonstrate how security, as an enabler for the business, will securely support an organization's digital growth agenda.

CISOs have a significant role in helping their organizations build digital trust, but they cannot do it alone. They should invest sufficient time in encouraging other critical internal and external stakeholders with respect to their respective roles on the digital trust journey. Indeed, CISOs must demonstrate to the C-suite and Board why this is such an important topic and how digital trust depends on clearly articulated, business-focused strategies.

As the World Economic Forum (WEF) suggests, companies are beginning to acknowledge that cybersecurity is as much a strategic business element as enterprise risk, product development and data management. In its report, Earning digital trust: Decision-making for trustworthy technologies, the WEF writes, “digital trust requires a holistic approach, where cybersecurity is one dimension of trust among many.”[3]

What digital trust means to customers
While the typical retail consumer may not care about the nuts and bolts of a company's formal data protection program, the moment customers learn of a breach, they want to know what action is being taken and that their interests are at the heart of the response. The organization can re-establish trust over time by responding to the incident expeditiously and transparently. Today's consumers understand that breaches happen and, gradually, most come back if the company offers solid products and services at a competitive price point, there is a consistently positive customer experience, and the details around the response to and recovery from a cyber event are clearly communicated and reassuring.

“Transparency means different things to different audiences. While retail consumers demand transparency when incidents occur, organizations must know in advance how the suppliers and partners they work with protect information. This is because organizations have a much higher obligation to customers and need to be certain they can deliver trust in terms of information protection.”
Henry Shek, Partner, Cyber Security Services, KPMG China

Digital trust strategies that work
It's vital to embed the concept of digital trust into corporate strategy, product development, and the company's overall market presence and relationship with corporate and retail customers. Thinking broadly about what digital trust means across different stakeholder groups can help underline the importance of cybersecurity and the other disciplines that contribute to establishing and maintaining digital trust, as well as encourage a holistic approach across disciplines.

Trust is a function of the specific technologies developed or deployed and the decisions leadership makes. CISOs must continually support a narrative for the Board and C-suite to clarify why and how cybersecurity is an integral building block for digital trust. CISOs must help drive decisions around the right partners and suppliers. Qualifying criteria must be established covering transparency regarding information protection practices and the organization's ability to demonstrate adequate response and recovery resilience.

Make no mistake, regulatory obligations are expected to grow regarding the components of digital trust, and so can expectations over the levels of transparency and accountability regulators expect from companies in this regard. A principle-based and holistic approach to meeting the diverse and increasingly complex regulatory landscape can pay dividends and avoid creating costly compliance-driven silos.

It starts at the top and filters down: if leadership accepts and lives this narrative, so should the rest of the organization. That means making it a tangible feature of the company's annual report, in which the company's philosophy and strategy around digital trust by design are outlined in detail. With 34 percent of corporate leaders concerned about their business's ability to satisfy reporting requirements for greater transparency over cybersecurity and privacy, KPMG professionals advocate a proactive approach.[4]

“Simply put, companies that are able to establish trust among all stakeholders in their products and services, and how they operate and protect the business, are more likely to see positive commercial and reputational impacts.”
Annemarie Zielstra, Partner, Cyber Security Services, KPMG in the Netherlands

Notes
[1] KPMG International, KPMG Cyber trust insights survey, “Building trust through cybersecurity and privacy,” 2022.
[2] Ibid.
[3] World Economic Forum, “Earning Digital Trust: Decision-Making for Trustworthy Technologies,” November 2022.
[4] KPMG Cyber trust insights survey, op. cit.

Learn more
- Cyber trust insights 2022: Building trust through cybersecurity and privacy.
- Earning digital trust, together: Why trust matters more than ever in this hyperconnected world.
- Reversing the digital trust deficit: The critical need to rebuild digital trust as technology proliferates.

Consideration 2
Unobtrusive security drives secure behaviors

“Ultimately, unobtrusive and intuitive security controls are a positive for users, who are your best firewall.”
Julia Spain, Partner, Cyber Security Services, KPMG in the UK

Embedding security within the business in a way that helps people work confidently, make productive choices, and play their part in protecting the organization must be a key, albeit often elusive, CISO objective. It's all too easy for people to see security as an impediment, and only by considering security from both human- and business-centric perspectives can CISOs hope to change this mindset.

Perhaps the most essential point is to be attentive to where and when security matters most, and where additional security measures will justifiably impact the business. There is no absolute security, and if CISOs try to protect everything at every moment, they risk protecting nothing as users find ways around intrusive security measures. CISOs need to be pragmatic about the extent of security controls that are warranted and commensurate with the criticality of the specific business process and the related risk profile.

Confidence in the CISO
Organizations display high levels of confidence and strong belief in the CISO's ability to deliver on crucial tasks.
- 79% of organizations are confident CISOs can accurately map where critical data is across the enterprise.
- 3/4 are confident CISOs can identify what their crown data jewels are.
- 78% are confident CISOs know how much of their sensitive data is with third parties and that it's appropriately secured.
Source: KPMG Cyber trust insights 2022.
Companies should move away from thinking about enterprise security in binary terms. In today's environment, it's a moving target, and the concept of secure versus not secure is transitory. Instead, CISOs should work to raise the organizational IQ around cybersecurity through awareness; simple, intuitive processes engineered with users in mind; and a better-informed employee base and executive team.

Customer experience applies to security too
It's crucial to focus on building realistic processes for responsible users while still having the means to detect and quickly counter malicious activity. It boils down to ease of use, customer experience, and planning around cybersecurity within the context of enterprise-wide priorities (the commercial needs of the broader business), as opposed to thinking of it purely as a regulatory imperative.

Advances in technology can help. From defensive AI, machine learning and chatbots to cloud encryption, blockchain and extended detection and response applications, all are vital parts of the puzzle. So too is creating a more security-aware workforce, guided by consistent IT governance, to inspire people to approach digital communications with appropriate caution. CISOs should consider how they can help employees do the right thing instinctively and design security controls that support them in doing so.

As an ongoing, ever-evolving endeavor, cybersecurity presents many opportunities to bolt on new tools and controls. Still, we encourage organizations to build it in from the beginning, considering the human element. Major transformational initiatives have many components; one should be security. Building security into broad process-oriented initiatives, such as DevSecOps, operational technology and procurement, can be an effective and unobtrusive way to motivate people to behave securely and function as human firewalls without seeming overbearing.

Security teams can learn much from the way organizations enhance the customer experience. Internal security controls should be easy to use, or employees may be motivated to bypass these processes; consider including customer experience specialists in the design of controls. Security processes should also be personal for internal users. Require the individual to make judgment calls, explain the context, draw a parallel between the value of cautious, secure behavior in their personal and professional lives, and make them “edutaining.” People can then play their part in security and not be seen as the weakest link.

“Technology alone can't solve the problem. Billions of capital flow into cybersecurity and thousands of cybersecurity companies offer myriad tools, yet companies are still vulnerable. Why? Because the bad actors have access to the same tools.”
Prasad Jayaraman, Principal, Cyber Security Services, KPMG in the US

“Beyond technology, CISOs must look at the human aspect. From education and training to general awareness, it's important to build a solid culture of security across the organization.”
Eddie Toh, Partner, Cyber Security Services, KPMG in Singapore

Learn more
- Human firewalling: Overcoming the human risk factor in cybersecurity.
- Want better cybersecurity? Don't check that box: The greatest threat to your organization's security might not be ransomware or phishing attacks; it might be your tendency to do this.
- Synthetic identity fraud: A $6 billion problem.

Consideration 3
Securing a perimeter-less and data-centric future

“The traditional perimeter security approach is obsolete in our interconnected, digital world. CISOs have to protect a much broader attack surface across public and private infrastructure and a distributed user ecosystem. As a result, CISOs must strive to enable the business by providing security from anywhere, with any device, and in a trusted manner.”
Natasha Passley, Partner, Cyber Security Services, KPMG Australia

It's no surprise that business operating models have fundamentally changed over the last decade, becoming more fluid, data-centric, connected ecosystems of internal and external partners and service providers. In this distributed computing world, to help reduce the blast radius of any potential outages or breaches, CISOs and security teams must adopt very different approaches, such as zero trust, Secure Access Service Edge (SASE) and cybersecurity mesh models.

Today, the clear business imperative is to enable employees, customers, suppliers and other third parties to connect seamlessly, remotely and securely. The accompanying security challenge is that, in a perimeter-less environment, organizations are no longer able to trust every user and device.

Zero trust for perimeter-less businesses
Zero trust approaches can help reduce the blast radius in the event of an outage or breach and limit the impact so the incident can be better managed and contained.

Data security is a key issue for stakeholders
In a perimeter-less environment, concerns over how data is protected, used and shared are the leading factors undermining stakeholders' trust in an organization's ability to use and manage its data.
- 36% are concerned over how their data is protected.
- 35% are concerned over how their data is used or shared.
- 32% also identify a lack of clarity over why data is required for a particular service, and the benefits of sharing or providing data, as another factor.
- 28% of executives identify a lack of confidence in the governance mechanisms in place as a leading factor undermining stakeholders' trust in an organization's ability to use and manage its data.
Source: KPMG Cyber trust insights 2022.
SASE and cybersecurity mesh models with a foundation in zero trust have common principles in terms of how security overall is organized, distributed and aligned across the network. Perhaps most important, however, is that as more enterprises adopt a cloud-centric mindset, it has become critical to move security mechanisms closer to the data. As an umbrella over today's perimeter-less business environment, zero trust is a framework, a way of thinking about how the design and enablement of security and identity access needs to change over time. Zero trust complements the convergence of services under a SASE model and the holistic, analytical cybersecurity mesh architecture.

New models of identity
Decentralized identity access management is a core responsibility for CISOs and a function of network traffic. The north-south traffic concept (that is, user to resource) is all about identity, while east-west traffic (lateral movement within the environment) is about segmentation and other controls. The link between data and identity is unmistakable. In a perimeter-less environment, there's no zero trust, SASE or cybersecurity mesh without a clear underlying focus on identity and data governance.

For CISOs, the challenge with zero trust is verifying that devices and users are who they say they are and can be trusted. This requires CISOs to think about security from an identity verification perspective, focusing on least privilege access for users within their enterprise and the many third parties with whom they interact.

Making zero trust work in practice
Zero trust should be defined in relation to every scenario, every user and every endpoint, representing a key pillar of the company's foundational security program and core principles. CISOs must play a key role not only in codifying the zero trust model and message, but in establishing policies, setting standards, designing software solutions, and assembling an enterprise-wide security council encompassing various technology and business leaders.

Another challenge is around funding and budgeting. CISOs must be able to explain the framework around zero trust, so the board and other corporate leaders understand that the investment is not just another new technology but a new way of thinking that is designed to support a secure, perimeter-less future.

Finding a middle ground between on- and off-prem structures is a distinct challenge, particularly with cloud-native technologies. Many companies are thinking about moving multiple processes to the cloud, but often legacy infrastructures cannot fully adapt to SASE specifications because of the advanced technology requirements. CISOs at large, complex organizations have the challenge of managing a security posture that spans an on-prem and off-prem ecosystem, which can result in higher operational costs in the short term while operating in this dual environment.

Clients looking toward full cloud adoption should consider the same on-prem zero trust principles for systems they deploy into the cloud. They should also factor in the impact of an operating model change. For example, a well-managed shared responsibility model with a cloud provider can be key to helping ensure a secure cloud architecture.

“The identity ecosystem has exploded in the gig-economy world in which we operate today. Because of that, organizations can only accurately monitor humans and machines through the common denominator of identity.”
Deepak Mathur, Principal, Cyber Security Services, KPMG in the US
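The distinction the report draws between north-south traffic (decided by identity and least privilege) and east-west traffic (decided by segmentation), and its point that every user and device must be verified per request, is easier to see in a small policy decision point. The following is an added illustration written for this page, not KPMG's code or any product's API. Everything in it is an assumption made for the example: the sensitivity tiers, the MFA strength scale, the role-to-resource entitlements, the segment allow-list and the sample identities and devices.

```python
"""Zero trust policy decision point (illustrative; all names and tiers are assumed).

Default deny. A north-south request (user to resource) is allowed only if the
identity is authenticated strongly enough for the resource's tier, the role is
entitled to that resource (least privilege) and the device posture meets the
tier's requirements. East-west traffic is decided purely by segmentation.
"""
from dataclasses import dataclass, field

# Hypothetical sensitivity tiers: (minimum MFA strength, managed device required,
# maximum patch age in days). The MFA scale is assumed: 0 none, 1 OTP/push,
# 2 phishing-resistant (for example FIDO2).
TIER_REQUIREMENTS = {
    "public":       (0, False, 365),
    "internal":     (1, True, 90),
    "confidential": (2, True, 30),
}

# Least privilege: a role may reach only the resources listed for it (assumed data).
ROLE_ALLOW = {
    "engineer":   {"wiki", "ci"},
    "finance":    {"wiki", "ledger"},
    "contractor": {"wiki"},
}

# Resource -> tier (assumed data).
RESOURCES = {"wiki": "internal", "ci": "confidential", "ledger": "confidential"}

# East-west: explicitly allowed (source segment, destination segment, port) triples.
SEGMENT_ALLOW = {("web", "app", 8443), ("app", "db", 5432)}


@dataclass
class Identity:
    subject: str
    role: str
    authenticated: bool
    mfa_strength: int


@dataclass
class Device:
    managed: bool
    disk_encrypted: bool
    patch_age_days: int


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)   # every failing check, for audit


def decide_north_south(identity: Identity, device: Device, resource: str) -> Decision:
    """Evaluate one user-to-resource request. Unknown resources are denied; every
    failing check is recorded so the denial is explainable."""
    tier = RESOURCES.get(resource)
    if tier is None:
        return Decision(False, ["unknown resource"])
    min_mfa, need_managed, max_patch = TIER_REQUIREMENTS[tier]
    reasons = []
    if not identity.authenticated:
        reasons.append("not authenticated")
    if identity.mfa_strength < min_mfa:
        reasons.append(f"mfa strength {identity.mfa_strength} < {min_mfa} for {tier}")
    if resource not in ROLE_ALLOW.get(identity.role, set()):
        reasons.append(f"role {identity.role} not entitled to {resource}")
    if need_managed and not device.managed:
        reasons.append("unmanaged device")
    if tier != "public" and not device.disk_encrypted:
        reasons.append("disk not encrypted")
    if device.patch_age_days > max_patch:
        reasons.append(f"patch age {device.patch_age_days}d > {max_patch}d")
    return Decision(not reasons, reasons)


def decide_east_west(src_segment: str, dst_segment: str, port: int) -> Decision:
    """Lateral traffic is decided by segmentation, not identity: only allow-listed
    segment pairs and ports may talk; everything else is denied."""
    if (src_segment, dst_segment, port) in SEGMENT_ALLOW:
        return Decision(True)
    return Decision(False, [f"no segment rule {src_segment}->{dst_segment}:{port}"])


if __name__ == "__main__":
    alice = Identity("alice", "engineer", authenticated=True, mfa_strength=2)
    laptop = Device(managed=True, disk_encrypted=True, patch_age_days=7)
    byod = Device(managed=False, disk_encrypted=False, patch_age_days=120)
    print(decide_north_south(alice, laptop, "ci"))      # allowed
    print(decide_north_south(alice, byod, "ci"))        # denied on device posture
    print(decide_north_south(alice, laptop, "ledger"))  # denied by least privilege
    print(decide_east_west("web", "db", 5432))          # denied: no lateral path
```

The same user is allowed and then denied for the same resource depending only on the device they are using, which is the per-request verification the text describes; the ledger denial shows that strong authentication on its own does not grant access without an entitlement; and the web-to-db denial shows lateral movement being stopped by segmentation rather than by anything about the user.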
Learn more
- The convergent future of identity: What's next for identity access management.
- Safeguard your digital environments from all angles: Five steps to beginning the zero trust journey.
- Assume nothing, verify everything: Why zero trust is the way forward.

Consideration 4
New partnerships, new models

“Although many organizations outsource certain business processes to third-party vendors, data security and identity and access management and the related controls remain internal responsibilities.”
Markus Limbach, Partner, Cyber Security Services, KPMG in Germany

Gone are the days when security teams focused solely on the security of their organization's IT systems. CISOs need to understand when to hit the brakes and when to press go on outsourcing cybersecurity efforts, and determine what skills to keep in-house today and in the future. Security has become a business priority, delivered through a shared responsibility model between the organization and service providers. CISOs today are supporting business strategy across the organization, from operational technology and product security to complex supply chain ecosystems.

Increasingly, organizations recognize that innovation is improved by collaboration between various aligned sources, from supply chain and customer service to organizational design and information security. That combination of innovation delivered at a competitive price point to customers, wherever they might be, is how enterprises can gain competitive advantage. However, some organizations struggle to implement robust security at scale, primarily because of a lack of talent and skills, which is why they're looking to outsourcing, managed services and transition to the cloud.

Trusted communities
External partnerships are also expected to be vital to success in hyperconnected ecosystems, but practical barriers stand in the way of collaboration.
- 79% say constructive collaboration with suppliers and clients is vital, but only 42% report doing so.
- 60% admit their supply chains are leaving them vulnerable to attack.
- 78% of executives are confident that the CISO can secure their data across the supply chain.
Source: KPMG Cyber trust insights 2022.

Knowing what to retain
Just as companies cannot simply outsource security, they also need the right talent and skills in-house. It takes specialized knowledge to set up a repeatable control and measurement framework under which internal staff and third-party providers can operate effectively. One of the keys is understanding what to retain in-house in terms of security responsibilities and then identifying the most effective sourcing strategy for talent in those areas.

Using the cloud as an example, strategically, CISOs have to embody multiple personas (broker, orchestrator and integrator) to align the necessary staff and third-party skills and manage risk, governance and reporting. That can't be outsourced fully. Organizations might be able to outsource preparation and planning, but, ideally, someone in-house who understands the business and security environments and the potentially broad impact of a cyber incident should manage the organizational overlay and quality control.

“Architecting cyber controls in a cloud ecosystem is a different skillset relative to more traditional security engineering skills. The ability to manage cyber across organizations, APIs and disparate technology sets at business speed requires a level of sophistication that many organizations lack. It's a capability CISOs should aspire to.”
Matt O'Keefe, Partner, Cyber Security Services, KPMG Australia

Finding the right blend of skills
It's crucial, and easier said than done, for CISOs to understand their internal and external responsibilities, navigate the gray area between different models and disciplines, and manage those complexities by establishing the appropriate controls. Working with outside security providers requires a unique skill set, focusing on management and governance skills rather than technical skills. Regardless of the amount of work outsourced, organizations need to retain solid in-house security knowledge and capabilities. It's also essential that dialogue between parties is clear and regular to ensure implemented controls and KPI reporting are properly managed. Furthermore, it's crucial to agree on clear incident response processes and run relevant simulations to test the system.

CISOs need to assess their skills base regularly and aim to ensure the organization is equipped to be an intelligent, collaborative customer of cloud and managed security services. Doing so requires understanding the business's future infrastructure needs and determining what the security function should look like to provide the best support. The key word is future: look three to five years out and work back, rather than solely looking at the company's security needs today.

Learn more
112、 of the KPMG International entities.KPMG International entities provide no services to clients.All rights reserved.Digital trust:A shared responsibilityUnobtrusive security drives secure behaviorsSecuring a perimeter-less and data-centric futureNew partnerships,new modelsTrust in automationSecuring
Third party and cloud: Regulatory challenges. Companies are forming more frequent and complex relationships with third parties, introducing new or elevated risks.
Evolving vendor, operational and strategic risks. Third party risk management.
Third-party risk management outlook 2022. Time for action.
Source: KPMG Cyber trust insights 2022.

Trust in automation

Knowing how the business is thinking about the use of machine learning is really important for the security team to add value. Once they have that understanding, the security team can look at the systems they'll use, identify the right input data, and then work to handle the adversarial risk around using their AI systems.
Michael Gomez, Principal, Cyber Security Services, KPMG in the US

In the race to innovate and harness emerging technologies, concerns over security, privacy, data protection and ethics, while gaining more attention, are often ignored or forgotten. Left unchecked, this negligence could lead businesses to sabotage their potential, especially with new AI privacy regulations on the horizon.

Historically, AI has been a series of data science experiments, with a relatively small percentage of projects going into production. Now the age of applied, real-world ML has dawned, and over the next 18 to 24 months you should expect to see more of those projects go live. There's been much trial and error, but the learnings can ultimately lead to huge success in the form of recommendation engines, decision support tools, sophisticated simulations and neural networks that may unlock hundreds of millions of dollars of value for many organizations.

Automating mundane, repetitive tasks frees time and creates efficiencies so workers can focus on initiatives requiring complex, deliberative, nuanced thought. Hence, AI is being used across many industries. In the banking sector, bots are helping to decide the most appropriate products and services for clients, and in insurance, the use of automated decision-making in an applicant's creditworthiness assessment is being explored.

Challenges of AI/ML
There are growing societal and business concerns over the ethics, security and privacy implications of adopting AI and ML solutions for big data analysis.
78% agree that AI and ML bring unique cybersecurity challenges.
3 in 4 say AI and ML raise fundamental ethics questions.
76% of executives agree that AI/ML adoption requires additional safeguards around how AI/ML systems are trained and monitored.
76% agree that AI/ML adoption requires transparency in how we use AI/ML techniques.

Consideration 5
Trust in automation

Building trustworthy and credible AI models
Are companies utilizing AI appropriately and getting the most productive output? With the insurance use case, there are instances where the algorithm makes decisions about applicants who live in specific areas. Those who live in less-affluent neighborhoods were rated differently than those who live in more upper-class neighborhoods. As a result, premiums would differ based on the applicant's address. AI bias can be viewed as discriminatory and needs to be reined in.

Historically, applications were developed to run uniformly: the relationship between the inputs and corresponding outputs was not supposed to change. That was what developers tested against. The end user decided if they liked using the application and whether or not they wanted to continue doing business with the developer.

ML and AI tools are designed to learn and evolve. And that evolution represents a massive transformation in how companies must now think about these systems, how they've been trained and their fit for purpose. People have mixed feelings about and understanding of AI. And many companies simply don't have many professionals who understand AI, let alone how to secure it.

Machines, like DevOps, are beginning to assume a role in shortening the development lifecycle and ensuring continuous delivery. And if businesses don't bring security into that machine-powered environment, it may never achieve scale because people simply won't trust it. To that end, 76 percent of executives agree that AI/ML adoption requires additional safeguards around how AI/ML systems are trained and monitored.[5]

AI and data privacy
AI elevates many core privacy principles (empowering security teams to analyze customer data more deeply, for example), but organizations need to think about proportionality with respect to the amount of data they collect relative to the data minimization requirements in certain regulations. Similarly, considering AI has the potential to embed existing biases, there must be transparency around the output.

Regulators, governments and industry must work together
AI regulation isn't just a privacy issue. It requires data scientists to work with privacy specialists to determine what requirements should be built into the technology to make it safe, trustworthy and privacy sensitive. And governments need to set the tone and establish an overarching digital agenda to inspire the industry to put budget behind innovation.

While various government bodies sometimes seem to approach AI as a competition, regulators are also starting to try to limit intrusive and high-risk applications of emerging AI capabilities. Following the G20 adoption of principles for trustworthy AI, there have been major developments in AI risk management and regulation. Singapore was fast off the mark with its AI security standard, the National Institute of Standards and Technology (NIST) has published its AI risk management framework, and the EU AI Act will follow later in the year. Regulation in this space is expected to ultimately have an impact as significant as GDPR has had on privacy. Many companies need to prepare.

[5] KPMG Cyber trust insights survey, op. cit.

AI is powerful but can be harmful to individuals if the automated decision-making is inadvertently biased or discriminatory.
Sylvia Klasovec Kingsmill, Partner, Privacy, KPMG in Canada

Learn more
Is my AI secure? Understanding the cyber risks of artificial intelligence to your business.
Trust in artificial intelligence: Global insights 2023. Global survey exploring people's trust in AI and benefits and risks for business and society.
The path to transparency and trust. Corporate data responsibility survey.

The pace of technological innovation is not slowing down, and it often forces regulators and security teams to play catch-up. CISOs should neither wait for the next wave of regulations nor rely on regulation alone, and instead take a proactive and pragmatic approach to implement security controls throughout the product lifecycle and supply chain. This is no small feat, and success will likely depend on how well CISOs engage with other functions across the business.
Walter Risi, Partner, Cyber Security Services, KPMG in Argentina

Securing a smart world

Businesses across almost every industry are shifting to a product mindset, focusing on developing network-enabled services and managing their supporting devices. CISOs and their teams are getting pulled into discussions with engineering, development and product support teams as organizations realize product security matters too. In today's smart-product-focused environment, some emerging drivers or enablers dominate:

Applied AI: real-world, fundamental application of artificial intelligence as a developmental wrapper around smart products.
Quantum computing: massively cuts processing and calculation time.
5G: offers speed, hyperconnectivity and reduced latency.
Software 2.0: rapid, AI-written code that can reduce complexity while increasing development speed from months to weeks.
Trust architectures: help to ensure that data and identities are secure and trusted from one connected device to another.

CEO cyber outlook
Growing experience of the challenges of cybersecurity is also giving CEOs a clearer picture of how prepared or underprepared they may be.
24% of CEOs recognize they're underprepared for a cyberattack, compared to 13 percent in 2021.
56% say they're prepared.
3/4 say their organization has a plan in place to deal with ransomware attacks.
3 in 4 CEOs say that protecting their partner ecosystem and supply chain is just as important as building their organization's cyber defenses.
Source: KPMG 2022 CEO Outlook.

Consideration 6
Securing a smart world

There are many smart device risks, such as weak default passwords, poor or absent encryption, failure to provide timely secure software updates, malware, and lack of denial-of-service protection, to name just a few. CISOs must realize that, with these devices, security is not just based on the CIA triad (confidentiality, integrity, availability). Safety is also a key consideration because hyperconnected, tangible real-world systems are involved. Cyber professionals must apply those risks to a CIAS framework (the CIA triad plus safety) because targeted attacks at scale are a distinct possibility.

As we move to a world of ecosystems, products, devices and sensors, and they increasingly become the target of sophisticated cyberattacks, regulators are placing heightened scrutiny on how organizations embed security across the product lifecycle.

Applying the CIAS framework in a hyperconnected world
CISOs should consider smart device-related risks across four main components spanning the lifecycle, each with specific DevSecOps-related priorities: product development, from design and implementation to release; managing the expanding supply chain; maintenance and ongoing software updates; and the end user, whether it's another business or an individual consumer. These four areas help CISOs determine how to organize a security plan and gain confidence that the product is as secure as possible. It has become essential that CISOs have a line of sight into all areas of the business.

Software embedded in smart devices has the added complexity of not being easily updated, which is attributable to various factors, such as connectivity and the inability to patch while in use; how much this matters depends on the criticality of the device. This poses an additional challenge to builders: having to embed early assurance mechanisms, as well as having a well-organized software bill of materials (SBOM), which enables companies to detect, and eventually recall, devices in the event critical vulnerabilities are discovered once devices are in use.
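The SBOM-driven detection the paragraph above describes, as an added example that is not part of the KPMG report: a device maker keeps a component inventory per device model and, when a vulnerability advisory arrives, matches it against the fielded fleet by component name and affected version range to decide which models need an emergency update and which, lacking any fix, are candidates for mitigation or recall. The device models, component names, versions and advisory IDs are constructed placeholders, and the advisory layout (an introduced/fixed version range) is an assumption rather than any particular standard's schema.

```python
"""Match smart-device SBOMs against vulnerability advisories.

Added example (not KPMG's code). The device models, component names,
versions and advisory IDs below are all constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed SBOMs: one component list per fielded device model.
DEVICE_SBOMS: Dict[str, List[dict]] = {
    "smart-meter-A100": [
        {"name": "tls-stack", "version": "2.4.1"},
        {"name": "mqtt-client", "version": "1.0.9"},
        {"name": "bootloader", "version": "3.1.0"},
    ],
    "gateway-G20": [
        {"name": "tls-stack", "version": "2.6.0"},
        {"name": "mqtt-client", "version": "1.2.0"},
        {"name": "web-ui", "version": "0.9.3"},
    ],
}

# Constructed advisories. "fixed" is the first non-vulnerable version;
# None means the vendor has not shipped a fix yet.
ADVISORIES: List[dict] = [
    {"id": "ADV-EXAMPLE-0001", "component": "tls-stack",
     "introduced": "2.0.0", "fixed": "2.5.0", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0002", "component": "mqtt-client",
     "introduced": "1.0.0", "fixed": "1.1.0", "severity": "high"},
    {"id": "ADV-EXAMPLE-0003", "component": "web-ui",
     "introduced": "0.1.0", "fixed": None, "severity": "medium"},
]

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.4.1' -> (2, 4, 1) so versions compare numerically, not as text."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """Affected when introduced <= version < fixed (or when no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


@dataclass(frozen=True)
class Finding:
    device: str
    component: str
    version: str
    advisory: str
    severity: str
    fix_available: bool


def match_advisories(sboms: Dict[str, List[dict]],
                     advisories: List[dict]) -> List[Finding]:
    """Every (device, component, advisory) combination that applies."""
    findings = []
    for device, components in sboms.items():
        for comp in components:
            for adv in advisories:
                if adv["component"] != comp["name"]:
                    continue
                if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                    findings.append(Finding(device, comp["name"], comp["version"],
                                            adv["id"], adv["severity"],
                                            adv["fixed"] is not None))
    return findings


def devices_needing_action(findings: List[Finding], min_severity: str) -> Set[str]:
    """Device models with at least one finding at or above min_severity:
    the candidate list for an emergency update or, failing that, a recall."""
    threshold = SEVERITY_RANK[min_severity]
    return {f.device for f in findings if SEVERITY_RANK[f.severity] >= threshold}


if __name__ == "__main__":
    found = match_advisories(DEVICE_SBOMS, ADVISORIES)
    for f in found:
        status = "update available" if f.fix_available else "NO FIX: mitigate or recall"
        print(f"{f.device}: {f.component} {f.version} -> {f.advisory} ({f.severity}, {status})")
    print("Action needed at high or above:", devices_needing_action(found, "high"))
```

The version comparison is the step most often done wrong in practice: compared as strings, "2.10.0" sorts before "2.9.0", which is why the example converts versions to integer tuples first. A production matcher would key components by the identifier the SBOM actually carries (a package URL or CPE) rather than a bare name, but the triage logic is the same.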
Cybersecurity has become a market differentiator. Perhaps it sounds obvious, but it's important for current and prospective customers, and the broad marketplace, to know that the organization's cybersecurity program, and device controls in particular, are ever-evolving, never static, and managed with device lifecycles in mind. Expect regulators worldwide to take a growing interest in the security of these systems and the minimum standards required.

Numerous challenges exist with embedding security within the smart-product lifecycle, including proactively monitoring, identifying and addressing the related cyber vulnerabilities. One of the CISO's key challenges should be working with the quality control department to embed security within product design and pre-shipment inspection processes.
Motoki Sawada, Partner, Technology Risk Services, KPMG in Japan

CISOs should work with the entire enterprise to help ensure cybersecurity is viewed as a risk management priority. Also, merely thinking about security in terms of the technical processes that can be applied within the device is too narrow an approach; the broader impact on areas such as supply chain and customer service is also important.
Jayne Goble, Director, Cyber Security Services, KPMG in the UK

Learn more
A pathway to cyber resilience. Assessing and bracing against cyber vulnerabilities in industrial sectors.
Accelerating OT security for rapid risk reduction. Securing operational technology environments as they become increasingly digitized and connected.
Control systems cybersecurity report 2022. Overcoming the roadblocks to true progress as cyber threats grow.

Countering agile adversaries

Attackers are going to gain access; that has to be accepted. It's about reducing dwell time. What's critical is whether their presence and actions are detected within hours, days, weeks or months. The time from initial compromise to enterprise-wide ransomware activation is shrinking. Increasingly, rogue and state-sponsored attackers can penetrate systems with automated tooling and accelerate the exploitation of systems. Security operations should be optimized and structured to fast-track the recovery of priority services when an incident occurs, which can reduce the impact on clients, customers and partners.

Cyberattackers have two apparent motives: exploitation and disruption. Exploitation of systems to steal or manipulate data, whether for intelligence or fraud, and disruption for extortion or political gain. The tactics can be quite different. Some state-sponsored attackers focus on critical infrastructure, such as oil pipelines, electric utilities and financial systems. The mission is to cause harm or chaos and exert political or economic influence to benefit the attacker and their sponsor. They intend to monetize the misfortune of others.

The probability of success for cybersecurity incidents has increased substantially, resulting in growing ransomware attacks in recent years. And it will likely continue if security professionals don't make it harder on the attackers.
Charlie Jacco, Principal, Cyber Security Services, KPMG in the US

Cybersecurity teams are struggling to keep up
Cybersecurity teams are under pressure to keep up with evolving threats, with talent shortages frequently undermining security efforts.
Over 1/2 of organizations admit they are behind schedule with their position on cybersecurity.
More than 50% are either very or extremely confident in combatting various cyber threats, including from organized crime groups, insiders and compromised supply chains.
59% agree that attackers are exploiting vulnerabilities in procurement and the supply chain, but they do not know whether their defenses are strong enough to stop them getting through.
#1 internal challenge to achieving cybersecurity goals is lack of key skills (40%).
Source: KPMG global tech report 2022.

Consideration 7
Countering agile adversaries

To make matters worse, hybrid working has expanded the attack surface, raising the number of potentially vulnerable endpoints. Adding to the challenges, shadow IT within the business often includes business applications and software-as-a-service use over which CISOs and CIOs have limited visibility or understanding of the possible exposures.

Sharpening your security operations strategy
Time matters. How quickly can an attacker be detected, how quickly can they be contained, how quickly can services be restored, and, in doing so, how can you minimize information and system compromise? It's less about how they got in and more about what information they obtain. Was it mission-critical? Did it leak out the back door, or is it being held hostage?

The time attackers take to move from initial compromise to successful exploitation of systems is reducing. Now it might take just a few days, or even less, for an attacker to deploy ransomware across an enterprise. Attackers are also increasingly creative in automating their tactics, even to the extent of exploring the potential of AI in helping them plan and orchestrate their attacks. The bottom line: CISOs and their teams have considerably less time to detect intrusions and take swift and decisive containment action.

There is a triangular structure in today's security operations centers (SOCs), with a small but specialized threat-hunt team at the top, various Level 2 investigators in the center, and numerous Level 1 alert analysts on the bottom triaging an ever-multiplying volume of alerts. That triangle needs to be inverted. Today's SOCs require fewer Level 1s, more Level 2s, and considerably more threat hunters looking for potentially catastrophic events. One way to do that, and respond to the pace and volume of attacks, is to automate Level 1.

An effective SOC requires you to leverage more advanced technologies, bring the relevant data together, trust the available tools to manage the alerts, and get the partnership between human analysts, sophisticated ML and robotic process automation right. As you do that, you can draw in new data sources that provide greater business context to the analysis of potential attacks, exploring the fusion of cybersecurity operations with physical security, fraud prevention and insider threat management. Achieving that level of trust is a challenge for most security organizations. If CISOs and their teams can harness AI to do that triage work, look across the firewall and the security information and event management (SIEM) system, and assess the various threat intelligence sources and vulnerability scanning tools, then they can start trusting it. That's where the SOC is headed, but it's not there yet.

Harnessing and retaining technical cyber expertise
As for talent, attrition and retention must be front-burner priorities. Many organizations need help to create a durable career path and model for the SOC. Teams are consumed with monitoring the system, and they throw more personnel at the problem rather than properly training the professionals already on the job. As a result, people feel stuck and ultimately move on, leaving CISOs with a perpetual revolving door in the SOC. All because they haven't prioritized training. And while attackers continuously evolve their techniques, tactics and strategies, becoming better and faster at what they do, CISOs don't have the resources to keep up.
179、what they do CISOs dont have the resources to keep up.Learn more18Cybersecurity considerations 2023 2023 Copyright owned by one or more of the KPMG International entities.KPMG International entities provide no services to clients.All rights reserved.Digital trust:A shared responsibilityUnobtrusive s
180、ecurity drives secure behaviorsSecuring a perimeter-less and data-centric futureNew partnerships,new modelsTrust in automationSecuring a smart worldCountering agile adversariesBe resilient when and where it mattersCyber strategies for 2023Countering agile adversariesKPMG global tech report 2022Disco
181、ver how leaders are using technology to move their business forward and strengthen ongoing digital maturity.Really ready for a ransomware attack?Challenging business assumptions about risk readiness,today and tomorrow.A triple threat across the Americas:KPMG 2022 Fraud OutlookA review of the fraud,c
182、ompliance and cybersecurity risks facing the Americas.Be resilient when and where it mattersIts critical for CISOs to engage with the business early and often to help ensure a clear,yet flexible resilience strategy is properly set ahead of time,rather than testing it in the middle of a crisis.Dani M
183、ichauxPartner,Cyber Security ServicesKPMG in IrelandEvery security system has its flaws.There is an air of inevitability that,at some point,an organization will suffer an incident,large or small,and likely more than one.Regulators are increasingly focusing on plausible scenarios and pushing companie
184、s particularly those in strategically important industries like energy,finance,and health care to be resilient and position themselves to recover.Perhaps the most glaring issue is that organizations often dont see that the impact of and recovery from a cyber incident can be protracted.Its typically
185、not a 72-or 96-hour event.They have to assume large-scale business disruption,a worst-case scenario.In too many cases,senior leaders havent fully appreciated the enterprise-wide technology linkages or the business operational dependencies paying staff,paying suppliers,communicating with customers an
186、d investors on those connections.The regulatory outlook Lawmakers and regulators are paying greater attention increasing demands for transparency and oversight.Many organizations are concerned about navigating an increasingly complex global regulatory landscape.36%worry about their ability to meet e
187、xisting or new cybersecurity regulation when activities are outsourced to digital service providers.26%worry about more stringent incident reporting requirements.31%worry about the growing demands around critical infrastructure,which is the subject of increasing regulation in the UK,the EU and the U
188、S.Source:KPMG Cyber trust insights 2022.Consideration 828%worry about existing or new regulation related to resilience of key systems.19Cybersecurity considerations 2023 2023 Copyright owned by one or more of the KPMG International entities.KPMG International entities provide no services to clients.
Be resilient when and where it matters

There must be a structure in place and an understanding of the potential trajectory of a cyber event. Having a plan and a clear approach for marshaling resources can be the difference between a 60-day nightmare and a 30-day nightmare.
Jason Haward-Grau, Principal, Cyber Security Services, KPMG in the US

Also, many organizations have yet to truly consider what they need to do proactively to be resilient. They assume they have a backup plan and sufficient security controls. What if they don't have a plan for a particular scenario, and business operations halt? This has severe financial and reputational ramifications, let alone regulatory ones.

There's also a psychological component. CISOs need to have ongoing conversations with their C-suite colleagues and the Board about the nature and motivations of attackers: the harder they hit you, the more likely you are to pay, and they know it. Most organizations still struggle to understand what they're really up against.

Proactive coordination is required in and out of battle
During the chaos of an active attack, the CISO's key objective is to provide the business with the insights it needs to continue operating. They must step away from the day-to-day technical details and engage proactively and strategically with the organization about the seriousness of the situation and how, collectively, the business must respond if it wants to recover expeditiously. A big part of the CISO's job is to be a communicator and to articulate across the enterprise the potential business impact of a breach and the value of keeping cybersecurity top of mind.

Beyond that, response and recovery, the components of resilience, require coordination. This can be achieved through a small crisis board comprising the CISO, the CEO, the CFO and the chief legal counsel. Unfortunately, this important group doesn't formally exist at many companies because they don't think it will happen to them. And if it does, they believe their business continuity plan, which in many cases is several years old and aligned to an outdated set of use cases, is sufficient. It's not.

Recovering to your minimal viable business
It's about more than just building in good security, because controls fail. It's about gaining clarity around what it takes to recover. Company leaders tend to look at the immediate horizon because most can't think any further when they're in the middle of an event. At that point, the CISO must be the voice of reason and talk pragmatically about getting back to minimum viable business processes: keeping the lights on, paying people and ensuring that operations resume. The longer it takes to get back to minimum viable business processes, the more likely the business will have an existential crisis. The bad actors don't work on your timetable. They innovate faster because they're financially motivated. That's the challenge CISOs face: they're perpetually playing catch-up.
Be resilient when and where it matters

Regulation's role in resilience
When it comes to resilience, regulations can be seen either as a foundation or as a ceiling. Most organizations see them as the latter, something they must comply with; therefore, they do the bare minimum. Alternatively, regulation can be viewed as a foundation because there are frequently new or different actions to be taken. Regulation plays a vital role in organizational resilience but often needs to be coordinated or aligned. This is one of the greatest challenges CISOs face as the regulatory line-of-sight imperatives expand to encompass a company's supply chain. It's no longer just a matter of worrying about the organization overall. CISOs have to consider the downstream implications for suppliers and other key partners and whether they're compliant with the relevant regulations, as well as the upstream implications if customers and investors are unclear about whether the company is compliant with the European Cyber Resilience Act.

Resilience is ultimately an organization-wide issue in which cybersecurity has a vital role, alongside other recovery capabilities and disciplines such as business continuity. CISOs can play a key part in helping organizations proactively plan for disruptive cyber events, which can vary in nature, scale and response from classic technology or property incidents. Many CISOs may also find themselves taking on wider resilience responsibilities as organizations focus more and more on such scenarios and their consequences. Yet another evolution of the CISO role.

Learn more
Incident readiness: A playbook for your worst day. Being prepared for a cyber incident can minimize critical power and utility infrastructure disruption.
From continuity to resilience. The growing dependence on electricity makes it more critical to build a proactive, resilient organization to help ensure continuity of service.
The day after. Recovery, resistance and resilience after an industrial cyberattack.

Cyber strategies for 2023

What actions can CISOs and the broader business lines take in the year ahead to help ensure security is the organization's golden thread? Following is a short list of tangible steps CISOs should consider as they seek to accelerate recovery times, reduce the impact of incidents on employees, customers and partners, and aim to ensure their security plans enable rather than expose the business.

Prioritize a robust cybersecurity culture that is interesting, engaging and, where appropriate, fun, to inspire employees to do the right thing and function as human firewalls.
Build a security team with the skills mix needed to manage a perimeter-less organization, including cloud and third-party dependencies.
Communicate broadly and clearly. Ask leaders in other organizational functions about their pain points and how automated processes might help.
Take a multidisciplinary, cross-culture approach. Establish a security ecosystem comprising internal business line specialists, security professionals, data scientists, privacy-oriented attorneys and external policy and industry professionals.
Embed yourself in the organization and act as a peer, a sounding board and an advisor.
Build consistent approaches to cyber risk management with an understanding of threat scenarios and attack paths to help inform attack surface reduction and prioritize control improvements.
Focus on fit-for-purpose security processes that feature consistent user experiences.
Establish strict identity controls and work to achieve a mature state of identity governance and services.
Segment legacy environments to limit the attack surface and help contain any breaches.
Have a proactive recovery plan focusing on the organization's most critical workflows, with a communication structure, and stress test it often.
Embrace the inevitable automation of the security function: trust the latest tools, from robotic processes to security orchestration, automation and response (SOAR) and extended detection and response (XDR) systems.
Work with cloud providers to help ensure broad visibility into how products and services are configured to avoid inadvertent vulnerabilities.
Consider cybersecurity and privacy issues up front when exploring emerging technologies, including the evolving risks associated with adopting AI systems.
Assign responsibilities and establish accountability around how critical data is processed and managed and how it supports critical business processes.
In the interest of speed, scalability and trust, a transition to identity as a service in the cloud needs to
218、 happen sooner than later.Be aware of changing regulatory trends and drivers and what they could mean for the companys future technology strategy,product development,and operations.Consider the regulatory impacts vis-vis AI and automation establish a clear concept of what the business can and cant d
219、o in these arenas and be alive to public concerns and changing expectations.Explore automating compliance monitoring and reporting and task a team member to serve as a regulatory monitor to stay on top of privacy and security regulatory trends.Align security and privacy compliance strategy with the
220、companys broad business strategy to help ensure stakeholders from across the organization are on the same page.Look beyond the letter of the regulation and be prepared to ask yourself more fundamental questions about digital trust and how you make that central to your strategic thinking.PeopleProces
221、sData and technologyRegulatory22Cybersecurity considerations 2023 2023 Copyright owned by one or more of the KPMG International entities.KPMG International entities provide no services to clients.All rights reserved.Digital trust:A shared responsibilityUnobtrusive security drives secure behaviorsSec
222、uring a perimeter-less and data-centric futureNew partnerships,new modelsTrust in automationSecuring a smart worldCountering agile adversariesBe resilient when and where it mattersCyber strategies for 2023Cyber strategies for 2023How KPMG professionals can helpKPMG firms have experience across the c
223、ontinuum from the boardroom to the data center.In addition to assessing your cybersecurity and aligning it to your business priorities,KPMG professionals can help you develop advanced digital solutions,implement them,monitor ongoing risks and help you respond effectively to cyber incidents.No matter
224、 where you are in your cybersecurity journey,KPMG firms can help you reach your destination.As a leading provider and implementer of cybersecurity,KPMG professionals knows how to apply leading security practices and build new ones that are fit for purpose.Their progressive approach to cybersecurity
225、also includes how they can deliver services,so no matter how you engage,you can expect to work with people who understand your business and your technology.Whether youre entering a new market,launching products and services,or interacting with customers in a new way,KPMG professionals can help you a
226、nticipate tomorrow,move faster and get an edge with secure and trusted technology.Thats because they can bring an uncommon combination of technological experience,deep business knowledge,and creative professionals passionate about helping you protect and build stakeholder trust.KPMG.The Difference M
227、akers23Cybersecurity considerations 2023 2023 Copyright owned by one or more of the KPMG International entities.KPMG International entities provide no services to clients.All rights reserved.Digital trust:A shared responsibilityUnobtrusive security drives secure behaviorsSecuring a perimeter-less an
228、d data-centric futureNew partnerships,new modelsTrust in automationSecuring a smart worldCountering agile adversariesBe resilient when and where it mattersCyber strategies for 2023Meet the authorsAs the US Leader of KPMGs Cyber Security practice,Kyle has more than 20 years of experience in the infor
229、mation systems field and a diverse background in cybersecurity,data privacy,regulatory compliance,risk management,and general technology issues.While he has strong technical skills,Kyle utilizes a business-centered approach to solving technology problems by addressing root causes rather than technic
230、al symptoms.Hes a trusted advisor to numerous Fortune 500 organizations,working with senior executives,including Boards of Directors,audit committees,Chief Information Officers,Chief Financial Officers,Chief Operating Officers,Chief Technology Officers and Chief Information Security Officers.In more
231、 than 22 years in cybersecurity,Dani has worked with government agencies on national cybersecurity strategies and with international regulatory bodies on cyber risk.She has extensive experience working with clients to improve Board-level understanding of cybersecurity matters.She has built and manag
232、ed cybersecurity teams as a CISO at telecommunications and power companies in Asia.Dani advocates for inclusion and diversity and womens participation in computer science and cybersecurity.She previously led the Cyber Security and Emerging Technology Risk practices for KPMG in Malaysia and the ASPAC
233、 region and also led KPMGs global IoT working group.Matt is responsible for driving KPMGs cyber strategy within the 12 KPMG member firms in Asia Pacific.He has more than 25 years of technology,finance,assurance and advisory experience,focusing on financial services industry clients.Matt specializes
234、in technology advisory,particularly in superannuation and wealth management,banking and insurance,and provides a range of services across technology governance and risk,cybersecurity,project management,IT strategy and performance.He is deeply interested in using technology to advance organizational
235、goals,enabling clients digital strategies and operating models,and protecting data,assets and systems.With more than 17 years of experience in identity management practice,Prasad is an intuitive and results-oriented leader with a strong track record of performance in technology-related professional
236、services organizations.He has superior interpersonal skills and can resolve multiple complex challenges in all aspects of business,from sales,human resources and legal to finance and operations.He has directed cross-functional teams with motivational leadership and a personal touch that inspires loy
237、alty and a willingness to give 100 percent.In addition to serving as the Global Cyber Security practice leader,Akhilesh heads the IT Advisory and Risk Consulting practices for KPMG in India.He is passionate about how developments in information technology can help businesses drive smart processes an
238、d effective outcomes.Akhilesh has advised over 200 clients on cybersecurity,IT strategy and technology selection and helped them realize the business benefits of technology.He is also knowledgeable in the area of behavioral psychology and is enthusiastic about addressing the IT risk issues holistica
239、lly,primarily through the application of user-behavior analytics.Dani Michaux EMA Cyber Security Leader Partner,KPMG in Ireland E:dani.michauxkpmg.ieMatt OKeefe ASPAC Cyber Security Leader Partner,KPMG Australia E:.auKyle Kappel Cyber Security Services Network Leader Principal,KPMG in the US E:Akhil
240、esh Tuteja Global Cyber Security Leader KPMG International Partner,KPMG in India E:Prasad Jayaraman Americas Cyber Security Leader Principal,KPMG in the US E:24Cybersecurity considerations 2023 2023 Copyright owned by one or more of the KPMG International entities.KPMG International entities provide
241、 no services to clients.All rights reserved.Digital trust:A shared responsibilityUnobtrusive security drives secure behaviorsSecuring a perimeter-less and data-centric futureNew partnerships,new modelsTrust in automationSecuring a smart worldCountering agile adversariesBe resilient when and where it
242、 mattersCyber strategies for 2023This report would not be possible without the invaluable planning,analysis,writing and production contributions of colleagues around the world.The Global cyber considerations teamJessica Booth David Ferbrache John Hodson Billy Lawrence Leonidas Lykos Michael ThayerJo
243、hn Anyanwu Partner,KPMG in Nigeria Jonathan Dambrot Principal,KPMG in the US David Ferbrache Head of Cyber Innovation KPMG International Jayne Goble Director,KPMG in the UK jayne.goblekpmg.co.ukJason Haward-Grau Principal,KPMG in the US Lisa Henegan Global Chief Digital Officer KPMG in the UK lisa.h
244、eneghankpmg.co.ukCharles Jacco Partner,KPMG in the US Our Global collaboratorsPrasad Jayaraman Principal,KPMG in the US Sylvia Klasovec Kingsmill Partner,KPMG in Canada skingsmillkpmg.caMarkus Limbach Partner,KPMG in the US Deepak Mathur Principal,KPMG in the US Dani Michaux Partner,KPMG in Ireland
245、dani.michauxkpmg.ieMatt OKeefe Partner,KPMG Australia .auNatasha Passley Partner,KPMG Australia npassleykpmg.auWalter Risi Partner,KPMG in Argentina wrisikpmg.arMotoki Sawada Partner,KPMG in Japan Henry Shek Partner,KPMG China Julia Spain Partner,KPMG in the UK julia.spainkpmg.co.ukEddie Toh Partner
246、,KPMG in Singapore .sgAkhilesh Tuteja Partner,KPMG in India Annemarie Zielstra Partner,KPMG in the Netherlands zielstra.annemariekpmg.nlAcknowledgements25Cybersecurity considerations 2023 2023 Copyright owned by one or more of the KPMG International entities.KPMG International entities provide no se
247、rvices to clients.All rights reserved.Digital trust:A shared responsibilityUnobtrusive security drives secure behaviorsSecuring a perimeter-less and data-centric futureNew partnerships,new modelsTrust in automationSecuring a smart worldCountering agile adversariesBe resilient when and where it matte
248、rsCyber strategies for 2023Contact usAkhilesh Tuteja Global Cyber Security Leader KPMG International and Partner KPMG in India Prasad Jayaraman Americas Cyber Security Leader and Principal KPMG in the US Kyle KappelPrincipal,Cyber Security ServicesNetwork LeaderKPMG in the USMatt OKeefe ASPAC Cyber
249、Security Leader and Partner KPMG Australia .auDani Michaux EMA Cyber Security Leader and Partner KPMG in Ireland or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.The information contained herein is of a general nature and
250、is not intended to address the circumstances of any particular individual or entity.Although we endeavor to provide accurate and timely information,there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.No one s
251、hould act on such information without appropriate professional advice after a thorough examination of the particular situation.KPMG refers to the global organization or to one or more of the member firms of KPMG International Limited(“KPMG International”),each of which is a separate legal entity.KPM
252、G International Limited is a private English company limited by guarantee and does not provide services to clients.For more detail about our structure please visit Copyright owned by one or more of the KPMG International entities.KPMG International entities provide no services to clients.All rights
253、reserved.The KPMG name and logo are trademarks used under license by the independent member firms of the KPMG global organization.Designed by Evalueserve|Publication name:Cybersecurity considerations 2023|Publication number:138614-G|Publication date:February 202326Cybersecurity considerations 2023 2023 Copyright owned by one or more of the KPMG International entities.KPMG International entities provide no services to clients.All rights reserved.