Cybersecurity considerations 2024
Technology innovations demand strategic pragmatism
KPMG

Foreword

As 2024 unfolds, organizational leaders, from the CEO down, have much on their plates. They are contending with diverse challenges around achieving sustained growth, navigating the impact and risks of emerging technology, and attracting and retaining talent, to name just a few. For their part, Chief Information Security Officers (CISOs) are increasingly being viewed as proactive co-stewards of these ongoing business imperatives, not merely the cavalry leader riding in to save the day during a crisis. In our annual Cybersecurity considerations report, a diverse cross-section of global KPMG cybersecurity specialists explores eight considerations that CISOs and their teams are encouraged to prioritize in the coming year to support the organization's business growth objectives by mitigating the impact of specific cyber
incidents and reducing overall cyber risk exposure.

Organizations worldwide face many cybersecurity challenges requiring the implementation of controls to build and embed resilience, meet regulatory mandates, and reduce overall risk. However, the rapid emergence of artificial intelligence (AI) as a strategic tool for both legitimate and nefarious purposes is rapidly moving up the list. The democratization of AI (these advanced technology solutions and models are now largely accessible to anyone with a credit card via the cloud) has at once revealed new paths to value creation and exposed significant potential risks. AI is proving to be a true organizational game-changer, including for security teams. This evolving threat landscape requires organizations and their CISOs to view security through a new, more pragmatic lens. More than ever before, they must balance data security and privacy with the broader objectives of the business.

From a cybersecurity perspective, the impacts of societal, economic, political, and regulatory developments are more consistently felt globally today. The simple reason is the world is more connected. The most acute effect of the connected business ecosystem continues to be within global supply chains; for all practical purposes, there are virtually no regions of the world that are isolated anymore. However, there remain local nuances. For example, there are regulatory requirements to which businesses must adhere that remain uniquely regional, such as certain markets being more sensitive to the protection of personal data and new rules around responsible AI, critical infrastructure and supply chains. There's a global focus within the cybersecurity universe on compliance in general, with a refined eye toward the overall burden of regulation, as well as the diversity of various
reporting requirements. As a result, companies are putting more emphasis on embedding privacy and security within the way they comply with a broad range of trans-border regulatory requirements and regimes. This is of particular interest when it comes to building and governing responsible AI systems, ensuring customer privacy, and enacting guidelines around critical infrastructure, supply chains, smart products, and resilience.

Contents: Foreword; Meet customer expectations, improve trust; Embed cybersecurity and privacy, for good; Navigate blurring global boundaries; Modernize supply chain security; Unlock the potential of AI carefully; Supercharge security with automation; Make identity individual, not institutional; Align cybersecurity with organizational resilience; Cyber strategies for 2024.

2024 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved.

At the same time, cybersecurity budgets may have to be more objectively justified moving forward as organizations deal with economic uncertainty. Many CISOs are seeing flat budgets, not necessarily reduced, as some of that spend is diverted to organizational innovation, particularly AI and automation solutions. This noteworthy development requires security teams to engage in technology rationalization and budget optimization; essentially, doing more with less. While economic headwinds drive budget pressures, there is a growing view that cybersecurity has matured to the point that organizations can trim investment. Further, security functionality is now embedded within other IT and transformation budgets rather than being a central budget provision. Also, the shift to a cloud-based security-as-a-service approach embeds security costs into companies' broader operating expenses in a way we haven't seen previously.

In this environment, I encourage CISOs to sharpen their cyber risk quantification (CRQ) process, which helps express the impact of cybersecurity risk in financial terms using mathematical modeling to illustrate risk through measurable variables.[1] Looking at risk through a CRQ lens can effectively demonstrate return on investment and investment priorities to leadership and the Board, ensuring the organization understands the threat from both technology and financial perspectives.

Fundamentally, this report explores from various angles what is perhaps the central aspiration for executives across the enterprise: keeping their organizations resilient. Bottom line, if a data leak or network breach occurs, how quickly can the organization resume regular operations, and how can the impact on customers be minimized? This is emblematic of the resilience agenda that can be seen within many of the most recently proposed regulations, particularly those focusing on critical infrastructure sectors. In many cases, the emphasis is now on response and recovery, as well as mitigating harm to customers. This is a different lens through which to view security relative to the traditional perspective. Cybersecurity must be viewed as an ever-evolving, ongoing endeavor. The more organizations accept cyber incidents as inevitable yet manageable, the better their chances of achieving that balance between preparation and resilience.

Akhilesh Tuteja
Global Cyber Security Leader
KPMG International

[1] Forrester, The Cyber Risk Quantification Landscape, Q4 2022, November 29, 2022.

Eight key cybersecurity considerations for 2024

01 Meet customer expectations, improve trust
With cyber threats and data privacy concerns growing, CISOs should be seeking to work closely with stakeholders across the organization to maintain trust by ensuring operations are resilient in the event of an incident.

02 Embed cybersecurity and privacy, for good
The act of embedding security across the organization should be viewed as an exercise in driving operational excellence.

03 Navigate blurring global boundaries
A central consideration is that organizations should examine how to most effectively navigate the increasingly complex global business landscape to ensure resilience and business continuity.

04 Modernize supply chain security
Despite the challenges and competing priorities, ensuring the supplier and partner ecosystem is secure should not be a bottleneck; it should be a business enabler.

05 Unlock the potential of AI carefully
Security and privacy leaders should be supporting the business objectives reliant on AI and determine how to harness this game-changing technology effectively and responsibly.

06 Supercharge security with automation
As operating models digitize, security teams should automate and upgrade their processes to keep pace.

07 Make identity individual, not institutional
Driven by expanding business models, it's vital that organizations now view identity not in isolation but from a broad perspective.

08 Align cybersecurity with organizational resilience
Organizations should find a way to create a broad-ranging culture of resilient security throughout the enterprise and seek to ensure all stakeholders are on the same page.

Consideration 1: Meet customer expectations, improve trust

Increasing trust should be high on the cyber agenda in relation to how video and audio files are used in the creation of deepfakes, the impact of which can be grave for
privacy and perhaps even democracy.
Mika Laaksonen
Partner, Global Cyber Security ESG Leader, KPMG in Finland

Consumers, employees, suppliers: every corporate stakeholder expects businesses to pursue growth and profits. But increasingly, companies are expected to operate in a socially responsible manner, as well. Organizations should strengthen the connection between security and privacy and environmental, social, and governance (ESG) factors. This bond is being increasingly recognized across the business ecosystem, particularly by ESG rating services as they search for greater transparency in measuring and comparing organizations.

The importance of ESG and how security and
privacy fit into the bigger picture

According to the KPMG 2023 CEO Outlook, 69 percent of CEOs have embedded ESG into their business as a means of creating value, and 50 percent anticipate significant returns from those efforts over the next three to five years. While environmental aspects of the ESG agenda have garnered the most attention, governance elements such as cybersecurity and privacy are less well-developed. With cyber threats and data privacy concerns growing, CISOs need to work closely with their ESG counterparts to ensure that, in the event of an incident, operations are resilient and continuity plans are ready for activation. By embedding cyber and privacy considerations into social responsibility programs and protecting customer data, organizations can increase the chances of maintaining their reputations and trust among customers, even in the event of a major breach.

For consumers who share personal information with public and private service providers, there is an expectation that their data will be protected and that it will not be used for purposes other than what they've supplied it for. At the same time, there's an expectation that, in the pursuit of their business objectives, organizations will act in a socially responsible manner to reduce their carbon footprint, support their local communities, improve labor policies, and ensure workplace diversity and equality, to name just a few items.

Addressing cybersecurity and privacy specifically and ESG broadly have become top corporate and, by extension, CISO, priorities. There are different regulations for specific regions and industries, and those guidelines need to engender trust. This is important from a compliance perspective but also noteworthy because B2B customers and B2C consumers have discrete expectations directly impacted
by the various rules. Individual consumers can purchase alternative products or services if they're not happy with the provider's actions regarding their personal data, privacy and response to breaches. In fact, 82 percent prefer a brand's values to align with their own, and 75 percent said they would abandon a brand over a conflict in values.[2] Given a choice, most consumers prefer companies that prioritize security, privacy, and sustainability by adhering to ESG standards. This is especially true on the B2B side, where corporate customers value safeguarding their confidential data and intellectual property. More and more industries have regulatory requirements for cybersecurity and data privacy, and organizations that comply with these regulations are preferred by stakeholders.[3] For many organizations operating in B2B industries, this is more than a “nice to have,” with regulatory obligations flowing directly from firms in regulated industries to their suppliers, who could be tarnished by association if the brand experiences a significant cyber event.

Indeed, roughly two-thirds of consumers will pay more for sustainable products, although two-thirds of retail executives are skeptical that they actually will pay more.[4] However, while consumers may be okay with paying extra for security, privacy and social responsibility, these factors are, for the moment, “table stakes,” the cost of doing business, although they are likely to hit the bottom line sooner rather than later. In cases involving private equity or venture capital, the ethical lens through which these firms view their investments is worth noting. Many now look for assurances of the appropriate level of cybersecurity and privacy management. Ultimately, they're concerned about the brand damage cyber events can bring to the organizations where they infuse funds.

Increasingly, there's a big role for cyber to play regarding AI and data ethics. Determining that the data used to train AI algorithms is accurate, hasn't been corrupted, and is free from bias is a herculean and, perhaps ultimately, impossible task, but well worth the effort.
Caroline Rivett
Partner, Global Cyber Security Life Sciences Leader, KPMG in the UK

[2] Google Cloud, “New research shows consumers more interested in brands' values than ever,” April 27, 2022.
[3] KPMG, Cybersecurity in ESG, 2023.
[4] First Insight/Wharton School of the University of Pennsylvania, “The Sustainability Disconnect Between Consumers and Retail Executives,” January 2022.
[5] KPMG International, “Maintaining cyber vigilance and staying resilient,” 2023.

The social benefits of actively embedding cybersecurity into the ESG agenda

The scope of the ESG dialogue needs to be broadened at many organizations; it's not yet common to be talking about cybersecurity and privacy in the context of ESG. In today's environment, there are deep issues with the social contract between organizations, employees and consumers relating to data protection. Increasing trust should be high on the cyber agenda when it comes to how video and audio files are used in the creation of deepfakes: imagery, video, or audio featuring a specific individual that is replaced with another person's face or voice, or manipulated to give the impression the individual did or said something they did not. Deepfakes are difficult to combat since, in many instances, it's up to the audience to interpret whether the video or audio is real or fraudulent. Organizations must be vigilant about identifying and removing these files and should participate in educating the broader public on the subject.

Increasingly, there's a big role for cyber to play regarding AI and data ethics. Determining that the data used to train AI algorithms is accurate, hasn't been corrupted, and is free from bias is a herculean and, perhaps ultimately, impossible task, but well worth the effort. Privacy and cybersecurity also play vital roles in protecting freedom of speech and securing today's proliferating digital communications channels. Privacy controls can also play a key role in limiting the exploitation and misuse of personal information without consent or knowledge. This is vital in maintaining the public trust in organizations.

Many decarbonization and CO2 reduction programs rely on digital technologies and automated systems to monitor and manage energy production, distribution, and consumption. As efficient as these tools can be, they can also create unforeseen cybersecurity vulnerabilities and require a high level of data protection. Strategically embedding cyber can help mitigate threats, reduce the risk of data breaches and ensure regulatory compliance.

Finally, there's a
substantial social responsibility dimension to both cybersecurity and privacy, where organizations should work with B2C and B2B customers to help them be more cyber aware. Banks do it routinely, and retailers are doing it more and more. There's also a connection to supply chain and ecosystem security, where improving the security of the vendor ecosystem is critical.

Do people really care whether a business has a cyber incident if it's managed? Theoretically, most people would probably say that they don't want a company whose products or services they use to suffer a data breach. But those same people don't want to pay more and want touchpoints to be quick and frictionless. People largely don't care until something bad materializes, and it seems as though they want the work of security to happen “behind the curtain.” A big part of the equation is demonstrating to customers that cybersecurity is an organizational imperative; it simply is the right thing to do. Organizations should approach this as though they are training their customers and clients to understand and care about the implications of cyber awareness, and prove that what they're doing isn't just another to-do item but a vital service. Training
people outside your organization is itself an exercise in ESG maintenance. Cybersecurity Awareness Month is an example of how government and businesses work together to ensure that employees and consumers appreciate the basics of cybersecurity to avoid the most obvious risks.

There is no such thing as 100 percent security. Despite all the precautions, incidents do happen. In the event of a cyber incident, make a quick decision about whether you need to disclose what happened and, if so, how much information you're prepared or compelled to share.[5] It's vital to be open and honest; good communication can lead customers to trust an organization even more than they may have before the incident.

Suggested actions
- Connect with your organization's ESG team to determine whether they consider cyber a key aspect of their mandate. If not, work to build awareness of how and why it's important to all three areas of ESG.
- Sharpen your global regulatory intelligence around cyber in general and ESG and privacy in particular to ensure timely compliance and reporting; keep track of and remain familiar with ever-increasing regulations and their effects on your cyber efforts.
- Be practical. Effective cybersecurity is not as much about getting business partners to do things differently as it's about reframing the conversation across the enterprise to inspire other areas of the organization to infuse security into what they already do.

Learn more
- KPMG global tech report: ESG. How businesses can use technology as an opportunity to tackle their ESG ambitions.
- Road to readiness. KPMG ESG Assurance Maturity Index 2023.
- Cybersecurity in ESG. It's time to view ESG and cybersecurity through the same lens.

Consideration 2: Embed cybersecurity and privacy, for good

Security, from the CISO down through their entire team, is a very different role today. Cyber is becoming more embedded in core business processes. That reality is being reflected in a move away from a centralization of cybersecurity in the CISO role to a federated model, in which the CISO is the conductor of the orchestra, establishing the frameworks, assessing risk, and providing implementation support. Security is integral to every function across the organization, from front office to back, and many leaders now acknowledge the value of integrating a security mindset into their very different business cultures and processes.

Business models and technology are changing and impacting security

Whether you make a widget, deliver a service, or create information, operating models are increasingly cloud-based, which, in concert with other new technologies, is being used to increase scalability, reduce costs, generate revenue, and widen profit margins. The automotive industry is a good example of transforming business models. Cars today have become huge tablets on wheels. People are ordering pizza from the road and not even using the phone. So much technology has been added to gas-powered cars, not to mention electric
vehicles, that they have become arguably the most sophisticated product available to retail consumers. The downside of technology is it widens the attack surface, creating new potential vulnerabilities and increasing the complexity of the ecosystem with which CISOs must contend. At the same time, the cost of cybersecurity is skyrocketing, leading organizations to consider better strategies for delivering those services. In this new world, organizations can't deploy hundreds of people; security teams must be lean, particularly those embedded within business lines. Organizations must find the right combination of people and technology, using AI in general and machine learning in particular to cover the ground humans can't cover efficiently. Performing timely solution reviews on thousands of applications is simply impossible for humans. Organizations must decide where to start incorporating security within application development processes and move to continuous monitoring to understand the impact of potential attacks and vulnerabilities. The irony is it doesn't take the CISO to do that.

Managing these risks requires a cultural shift across the business to embrace security as part of the organization's standard operating procedures. CISOs don't install patches, and they don't manage operations. Security teams should determine how and where to embed certain security tasks in the business and monitor those tasks to ensure they are carried out properly. This is how we see security teams evolving. It's going to be a matter of “insourcing” to nudge security closer to the customer, or outsourcing to a third-party service provider to efficiently leverage specialized skills that may not exist within the organization. Many organizations struggle with the idea of security as a core competency, particularly as they attempt to master the sheer volume of new technologies.

Work with business leaders to embed security effectively

There's a lot of talk about “shifting left,” but while we acknowledge the importance of considering security early, we also believe organizations must look end-to-end, from concept to build and including continuous monitoring, and approach security as an ongoing requirement. Throughout that journey, the number one element of security is visibility. Security professionals are becoming more like air traffic controllers, and the runways must be kept clear. CISOs must make sure “traffic,” that is, applications, are coming in and going out efficiently and safely. Security shouldn't hold up the release of products and services, but there should be early visibility into the processes the business is employing.

Ten or 15 years ago, the 80/20 rule for security professionals was 80 percent technical skills and 20 percent soft skills. If CISOs want to ensure they are not perceived as support staff, they must get comfortable with the new 80/20 rule under which imperatives such as communication, building trust, problem-solving and conflict management are as vital as ensuring an efficient security operations center.
Brian Geffert
Principal, Cyber Security Services, KPMG in the US

Embedding security into broader business should be viewed as an exercise in driving operational excellence. Security teams should describe and demonstrate what “good” looks like and inspire embedded security professionals across the enterprise to manage toward that vision. It's a matter of establishing appropriate guardrails to enable a secure-by-design approach to be embedded, and then integrating the right tooling and templates into development environments. CISOs and their teams, as well as security personnel who are embedded in the
business, should take a holistic approach to operational excellence and shared responsibility. This means giving equal consideration to people, process, technology, and regulatory requirements. By focusing on risk management, incident management, governance and compliance, technology solutions, and employee training and awareness, organizations can develop a sustainable security culture. This is particularly pertinent as organizations prepare for the SEC's new cybersecurity rules[6] and the EU's NIS2 Directive, which requires member states to implement laws to protect essential businesses from cyber threats by October 2024.[7]

What CISOs need to do to remain relevant

Most CISOs grasp the security implications around data, applications and the overall attack surface, but they can truly differentiate themselves in connection with talent, budgets and cross-organizational politics. CISOs who understand how to work across the organization to embed security into the business while maintaining a partner role are seeing the most success. Security teams must have insight into the initiatives business units are planning and the potential new threat vectors that can be revealed. CISOs should work to speak the language of their business partners rather than esoteric cyber speak. For example, don't talk about zero-day vulnerabilities, advanced persistent threats or security orchestration, automation and response (SOAR) strategies. Those terms mean nothing to most non-security colleagues. Instead, say, “If this plan doesn't work, you will get cut off from this or that market. If we can't successfully protect the product line, you can't generate sufficient revenue because people won't be using the products.” Security teams don't need to employ scare tactics. Rather, they need to adopt a new point of view based on business enablement and risk reduction. CISOs have to inspire people to trust that their guidance and strategic vision are in the organization's best interest. Their commodity is trust.

New essential skills and competencies

Security professionals must improve their soft skills, including interpersonal skills such as negotiations, time management, listening, and networking. Ten or 15 years ago, the 80/20 rule for security professionals was 80 percent technical skills and 20 percent soft skills. Today, that equation has flipped. If CISOs can't work with executive leadership to tell a story that the organization can understand and coherently position ideas to influence action across the business, they're simply not going to be successful.

[6] Securities and Exchange Commission (SEC), “SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies,” July 26, 2023.
[7] European Parliament, “The NIS2 Directive: A high common level of cybersecurity in the EU,” August
2, 2023.

In addition to these softer skills, security leaders should consider leveraging cyber risk quantification methodologies to more effectively manage overall risk exposure. This will enable better communication and articulation of the financial risks, as well as where the organization should prioritize its cybersecurity investment. The security team must acknowledge that they are communicating mainly with non-technical colleagues to get them to understand risk and act accordingly. If CISOs want to ensure they are not perceived merely as support staff, they must get comfortable with the revised 80/20 rule under which imperatives such as communication, building trust, problem-solving and conflict management are as vital as ensuring an efficient security operations center.

Suggested actions
- Bring a new perspective to the board on what could disrupt the business and what should be done to manage those risks without impacting operations and customer experience.
- Run the cyber team like a business, which means you must give up a degree of control over what other parts of the organization are doing from a security perspective.
- Security teams should determine how and where to embed certain security tasks within the business vs. outsourced to a third-party service provider, and monitor those tasks to ensure they are carried out properly.

Learn more
- KPMG global tech report 2023. Discover how leaders are securing value by navigating uncertainty with confidence.
- The future of IT. Discover the strategies to advance the IT function and prepare organizations to thrive in a cloud and AI-enabled era.
- KPMG 2023 CEO Outlook. More than 1,300 global CEOs share their views on geopolitics, return-to-office, ESG and generative AI.

Consideration 3: Navigate blurring global boundaries

Global businesses are operating within an increasingly complex cyber and privacy regulatory space. National interests are playing out, leading to diverse regulatory requirements over information sovereignty, supply chain security, transparency of cyber controls compliance, incident reporting, and, of course, privacy. Businesses need to calibrate their regulatory reporting for an increasingly borderless world but also maintain security controls that can be tailored to local requirements. Organizations need to be prepared to respond quickly to changing geopolitics and diverse sanctions requirements.

The big question for security professionals is around striking the right balance between business enablement and business value while ensuring they are staying on the right side of the regulators.
Orson Lucas
Principal
111、Cyber Security ServicesKPMG in the USConsideration 3Meet customer expectations,improve trustModernize supply chain security Unlock the potential of AI carefullySupercharge security with automationMake identity individual,not institutionalAlign cybersecurity with organizational resilience Cyber strat
112、egies for 2024Navigate blurring global boundariesEmbed cyber and privacy,for good13Cybersecurity considerations 2024 2024 Copyright owned by one or more of the KPMG International entities.KPMG International entities provide no services to clients.All rights reserved.Global business landscape:Common
113、cyber and privacy goals,but divergent in practiceFor years,the global regulatory landscape has been very disjointed.While some markets prioritized aggressive regulations over the past few years,many did not.As a result,organizations were left with a decision to implement elevated governance,processe
114、s and controls responsively on a market-by-market basis or to treat emerging regulations as a bellwether for things to come and invest in proactive,mature,and automated privacy and security programs.While some opted for the latter,budget,resources and other competing business priorities caused many
115、organizations to opt forthe former.However,thats a slowly evolving scenario.Markets like Europe,China and the US are setting the tone,and many others are following suit.Patterns and principles are emerging in the security,privacy and AI domains.This provides an opportunity for leading organizations
116、to coalesce,locally and globally around a principles-based approach to proactively protect and manage sensitive information.Ideally,this will manifest in single global privacy and security programs that account for nuances in regulation and local practices inspecific markets.Still,there are several
117、challenges that truly global organizations will need to navigate tomake that vision a reality.For example,data localization and transfer considerations require a solid understanding of data inventory and flows/transfers,both internally and with third-party business and supply chain partners.Often,In
118、 todays world,as cybercrime objectives and tactics have grown more nefarious and sophisticated,customers,companies,and regulators alike should follow a much more holistic approach to data management and information protection.Henry ShekPartnerCyber Security ServicesKPMG Chinathere are multiple paths
119、,though all require significant planning and intentionality to help ensure efficient,cost-effective,and compliant practices.Considered through a business lens,organizations will continue to require a global audience and global footprint to scale their operations,regardless of jurisdiction and where
120、theyre based.The big question for security professionals involves striking the right balance between business enablement and business value while ensuring they stay on the right side of the regulators.Its a fine line and a clear challenge for CISOs,CPOs,and their teams.Global businesses face challen
121、ges adhering to evolving regulatory requirementsOrganizations should navigate the regulatory waters carefully,knowing that the rules are perpetually evolving.As customer relationship management and marketing technology(MarTech)tools mature,organizations are realizing the value of data through the in
122、sights and ROI it provides to the business.Regulators have responded with targeted privacy rules in many jurisdictions globally,requiring CISOs,CMOs,CDOs,and CPOs to ensure they have a sound second line of defense to navigate and comply with current and planned regulatory requirements.In terms of co
123、nsequences,many countries and territories now impose strict financial penalties as well as suspensions of business licenses for privacy infractions.The siloing of privacy is dissipating quickly.As the focus of regulators evolves,areas such as the purchase and sale of data,consent and preference mana
124、gement,data ethics,and responsible use of AI are flattening the siloes between stakeholders and business functions and causing boards and executive leadership to take an objectives-based view centered on both regulatory compliance and consumer trust.The latter is something that leading organizations
125、 are using to differentiate themselves as they seek to build,sustain,and transform relationships with consumers.Meet customer expectations,improve trustEmbed cybersecurity and privacy,for goodModernize supply chain security Unlock the potential of AI carefullySupercharge security with automationMake
126、 identity individual,not institutionalAlign cybersecurity with organizational resilience Cyber strategies for 2024Navigate blurring global boundaries14Cybersecurity considerations 2024 2024 Copyright owned by one or more of the KPMG International entities.KPMG International entities provide no servi
127、ces to clients.All rights reserved.Shifting geopolitical dynamics influencing response speed and adaptability Doing business in multiple regions is challenging in the current environment because the tools and technologies organizations use in one market may not be accessible in others.For example,in
128、 parts of China,some companies may not have access to certain key tools because availability may be restricted due to vendor decisions to deliver in the Chinese market.This is both a supply chain and operational resilience issue and can severely impact organizational productivity.A central considera
129、tion that organizations must examine is how to most effectively navigate the increasingly complex global business landscape to ensure resilience and business continuity.Attempting to navigate privacy and data challenges requires a well-defined governance plan that reaches a minimum maturity level qu
130、ickly when the organization operates in jurisdictions with strict sanctions regimes.Indeed,Chinese regulations take a different approach to those in the EU,which are different than those in other parts of the world.They have different scopes,definitions of personal data,collection limitations,accoun
131、tability rules and basic legal frameworks.Without a strong principles-based vision,strategy,governance and tactical plan,organizations will increasingly be challenged to innovate or risk falling behind.The politicization of business and its impact on security is another dynamic to bear in mind.In th
132、e US,for example,some companies skew one way or the other politically,sometimes based on the internal values of their leadership but often in response to their target customer base.This development came to a well-publicized head with the conflict in Ukraine as companies that continued to operate in
133、or do business with Russia had sanctions applied against them.From a security and IT perspective,the concept of segmentation or micro-segmentation whereby companies can manage workloads in a data center or cloud environment with granular policy controls and restrict the spread of lateral threats is
134、instructive.Organizations with holistic networks can create these connected segments yet separated by firewalls.Were finding that companies with segmentation models in place are better able to effectively cut off regional operations quickly as needed.Global companies should look at national jurisdic
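The segmentation model described above, as an added example that is not part of the KPMG report: a small Python policy engine in which workloads sit in region-tagged segments under default-deny allow rules, a blast-radius query shows how far a compromise could move laterally, and a single break-glass switch cuts a region off from the rest of the estate while leaving its internal flows running. All segment names, regions and ports are constructed for illustration.

```python
"""Regional micro-segmentation with a break-glass isolation switch.

Added example, not code from the KPMG report. Segment, region and port
values are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """An explicit allow rule between two segments on one TCP port."""
    src: str
    dst: str
    port: int


@dataclass
class SegmentationPolicy:
    # segment name -> region it is hosted in
    segments: dict[str, str]
    # explicit allow rules; any flow not listed is denied (default deny)
    rules: set[Rule]
    # regions currently under break-glass isolation
    isolated: set[str] = field(default_factory=set)

    def region(self, segment: str) -> str:
        if segment not in self.segments:
            raise KeyError(f"unknown segment: {segment}")
        return self.segments[segment]

    def is_allowed(self, src: str, dst: str, port: int) -> bool:
        """Decide one flow. Isolation overrides every allow rule, but traffic
        that stays inside the isolated region keeps flowing so local
        operations can be wound down in an orderly way."""
        src_region, dst_region = self.region(src), self.region(dst)
        crosses_region = src_region != dst_region
        if crosses_region and (src_region in self.isolated or dst_region in self.isolated):
            return False
        if src == dst:
            return True  # same segment: no policy boundary to enforce
        return Rule(src, dst, port) in self.rules

    def isolate_region(self, region: str) -> None:
        """Break-glass: cut all cross-region flows to and from one region."""
        if region not in self.segments.values():
            raise ValueError(f"unknown region: {region}")
        self.isolated.add(region)

    def restore_region(self, region: str) -> None:
        self.isolated.discard(region)

    def blast_radius(self, start: str) -> set[str]:
        """Segments reachable from `start` through allowed flows (transitive):
        how far a compromise of `start` could move laterally under the
        current policy, including any isolation in force."""
        seen: set[str] = set()
        frontier = [start]
        while frontier:
            cur = frontier.pop()
            for r in self.rules:
                if (r.src == cur and r.dst not in seen and r.dst != start
                        and self.is_allowed(r.src, r.dst, r.port)):
                    seen.add(r.dst)
                    frontier.append(r.dst)
        return seen

    def cross_region_rules(self) -> dict[str, int]:
        """Audit helper: number of allow rules leaving each region. A high
        count means isolating that region will disrupt more dependencies."""
        counts = {reg: 0 for reg in set(self.segments.values())}
        for r in self.rules:
            if self.region(r.src) != self.region(r.dst):
                counts[self.region(r.src)] += 1
        return counts


def example_policy() -> SegmentationPolicy:
    """Constructed three-region estate with one cross-region replication path."""
    return SegmentationPolicy(
        segments={
            "eu-web": "eu", "eu-app": "eu", "eu-db": "eu",
            "us-app": "us", "us-db": "us",
            "apac-web": "apac",
        },
        rules={
            Rule("eu-web", "eu-app", 8443),
            Rule("eu-app", "eu-db", 5432),
            Rule("eu-app", "us-db", 5432),     # cross-region replication
            Rule("us-app", "us-db", 5432),
            Rule("apac-web", "eu-app", 8443),  # APAC front end uses the EU app tier
        },
    )


if __name__ == "__main__":
    p = example_policy()
    print("eu-web blast radius before isolation:", sorted(p.blast_radius("eu-web")))
    p.isolate_region("eu")  # break-glass decision for the EU region
    print("eu-web blast radius after isolating eu:", sorted(p.blast_radius("eu-web")))
    print("apac-web reach after isolating eu:", sorted(p.blast_radius("apac-web")))
```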
135、tion through different lenses.For example,offering services to EU citizens outside Europe activates GDPR requirements.In general,firms need to be clear about where their operations are located,who they depend on to conduct business(i.e.,suppliers),the markets Meet customer expectations,improve trust
136、Embed cybersecurity and privacy,for goodModernize supply chain security Unlock the potential of AI carefullySupercharge security with automationMake identity individual,not institutionalAlign cybersecurity with organizational resilience Cyber strategies for 2024Navigate blurring global boundaries15C
137、ybersecurity considerations 2024 2024 Copyright owned by one or more of the KPMG International entities.KPMG International entities provide no services to clients.All rights reserved.Learn moreSuggested actionsMaintain an understanding of the global regulatory landscape,specifically an understanding
138、 of the relevant rules at a granular,jurisdictional level.Know where critical data both structured and unstructured resides across the organization,as well as where its shared with third-party partners.Enhance transparency to build trust across global supply chains;rather than treating third-,fourth
139、-,and even fifth-party supplier relationships solely as transactional and contractual(which they are),approach them as an extension of your ecosystem.where they offer products and services,and where they are incorporated as a legal entity.The interplay between these four sovereignty concepts gives r
140、ise to a complex regulatory picture most effectively navigated by a flexible,policy-based operational approach.Another consideration is redundancy.For example,suppose a company maintains its entire call center operation in a jurisdiction that becomes restricted for one reason or another,and all busi
141、ness in that country needs to be shut down.What becomes of the customer service apparatus?Having some level of business,security and redundancy in place if the organization needs to temporarily step away from business in a certain part of the world to navigate the prevailing geopolitical challenges
142、can help alleviate the risk of constraining the broader business in the process.In the end,CISOs and their teams should always apply a lens of resilience and preparedness.This helps companies remain a step ahead of the next black-swan event and solidify the ability to make those“break-glass”decision
143、s quickly and confidently,rather than being forced to hastily cobble together a strategic hyper-localization cyber strategy.Meet customer expectations,improve trustEmbed cybersecurity and privacy,for goodModernize supply chain security Unlock the potential of AI carefullySupercharge security with au
144、tomationMake identity individual,not institutionalAlign cybersecurity with organizational resilience Cyber strategies for 2024Navigate blurring global boundaries16Cybersecurity considerations 2024 2024 Copyright owned by one or more of the KPMG International entities.KPMG International entities prov
145、ide no services to clients.All rights reserved.The hostile limelightThe future of cyber in geopolitics.Privacy risk study 2023Staying on top of the evolving privacy risk challenges.Global Economic OutlookKPMG International Global Economic Outlook H2 2023.Modernize supply chain security Despite the c
146、hallenges and competing priorities,ensuring the third-party ecosystem is secure should not be a bottleneck;it should be a business enabler.But there can be no shortcuts.This elevates the pressing need for modernization.How can you do it faster,more efficiently,and with minimal resources without comp
147、romising quality?Thats where a risk-based mindset,paired with a data-driven approach powered by intelligent automation,can make a tangible difference.Mitushi PittiManaging Director Cyber Security ServicesKPMG in the USMany organizations current approach to third-party and supply chain security does
148、not align with the reality of todays complex and interdependent ecosystem of partner organizations.Traditional models were built around the assumption that third parties provide services on a transactional basis.That view does not reflect todays intricate network of APIs and processes tethered by a
149、complex set of software-as-a-service dependencies.Organizations are encouraged to establish more strategic supplier partnerships focused on continuously monitoring and managing the evolving risk profiles of these suppliers to strengthen operational resilience.Consideration 4Meet customer expectation
150、s,improve trustEmbed cybersecurity and privacy,for goodNavigate blurring global boundariesUnlock the potential of AI carefullySupercharge security with automationMake identity individual,not institutionalAlign cybersecurity with organizational resilience Cyber strategies for 2024Modernize supply cha
151、in security 17Cybersecurity considerations 2024 2024 Copyright owned by one or more of the KPMG International entities.KPMG International entities provide no services to clients.All rights reserved.The evolving supply chain landscape is affecting traditional security models Historically,the third-pa
152、rty security model has focused on point-in-time assessments.Continuously monitoring and taking inventory of frequently used supplier software components can help CISOs better understand the security structure of these providers and identify potential risks.With this dynamic in mind,CISOs should deve
153、lop a more modern standard for“containerizing”risk exposure in real-time.To achieve that posture,we see three key challenges for CISOs and their teams:VisibilityA longstanding problem has been organizations inability to cover the entire vendor population.Large organizations can have thousands of sup
154、pliers,and often they cannot accurately assess their activities with traditional methods.It would require an army of security personnel to do all the physical endpoint assessments,which is humanly impossible.It would cost tens of millions of dollars,making it unrealistic logistically as well as budg
155、et-wise.ScalabilityBeyond understanding the risk profile of the broad vendor population,the ability to scale enables organizations to keep pace with the challenges of a constantly expanding and changing landscape.From new technologies and processes to the possibility that a vendor doesnt explicitly
156、follow your security protocols,the third-party environment is an ever-fluid threat vector.The evolving risk profile of third-party partners The old transactional model did not have a mechanism for tracking how the relationship is changing and how that might be creating new vulnerabilities.As a resul
157、t,depending on the maturity of the vendor,organizations need to do more(institute monthly reviews)or perhaps less(allow more autonomy with quarterly reviews)to ensure these relationships operate efficiently and adhere to all compliance requirements.Meet customer expectations,improve trustEmbed cyber
158、security and privacy,for goodNavigate blurring global boundariesUnlock the potential of AI carefullySupercharge security with automationMake identity individual,not institutionalAlign cybersecurity with organizational resilience Cyber strategies for 2024Modernize supply chain security 18Cybersecurit
159、y considerations 2024 2024 Copyright owned by one or more of the KPMG International entities.KPMG International entities provide no services to clients.All rights reserved.AI poses a variety of potential risks,from questions around data integrity,statistical validity,and model accuracy to transparen
160、cy and reliability issues.This human-thought simulation by machines must be used securely and responsibly at the organizational level and by third-party partners.Extrapolate those risks across the supply chain,and it reveals a new threat landscape for CISOs and their teams to monitor.Elizabeth Huthm
161、an Director Cyber Security ServicesKPMG in the UKWith the rapid pace of technological change and the reality that customers are more demanding,organizations are looking to remain innovative.And,of course,third-and fourth-party suppliers and cybercriminals are doing the same.For example,many vendors
162、are deploying AI to improve processes and complete tasks faster.But fascinating and powerful as it is,AI poses a variety of potential new risks,from questions around data integrity,statistical validity,and model accuracy to transparency and reliability issues.This human-thought simulation by machine
163、s must be used securely and responsibly at the organizational level and by third-party partners.Extrapolate those risks across the supply chain,and it reveals a new threat landscape for CISOs and their teams to monitor.Despite the challenges and competing priorities,ensuring the supply chain ecosyst
164、em is secure should not be a bottleneck;it should be a business enabler.But there can be no shortcuts.This elevates the pressing need for modernization.How can you do it faster,more efficiently,and with minimal resources without compromising quality?That is where a risk-based mindset,paired with a d
165、ata-driven approach powered by intelligent automation,can make a tangible difference.The role of governmentHeavily regulated organizations that must keep pace with the regulatory environment and work with suppliers that dont have the same regulatory constraints must find a way to get them to coopera
166、te and employ the right security controls.Thats an ongoing battle that organizations are facing.Theyre looking to see where regulations will help in compelling third parties to be more secure overall.The recent US Securities and Exchange Commission(SEC)rules around cybersecurity have a position on t
167、hird parties.The regulators know that this is a top-of-mind concern and a growing challenge for all organizations.A little bit of a nudge from the regulators should help convince those less-than-mature vendors to participate in the program a little better and help prop up the cyber posture.Similarly
168、,the EUs revised Network and Information Security Directive(NIS-2)emphasizes that organizations should proactively manage risks introduced by third parties.Also,the Digital Operational Resilience Act(DORA),which facilitates effective monitoring of the risks posed by third-party information and commu
169、nication technology providers,focuses on getting a better handle on supply chain security.Regulators,through DORA,are looking to determine which third parties they view as critical to the overall resilience of the broad supplier ecosystem.These players may not be regulated directly,but since they ar
170、e considered systemically important,the regulated entities will also pass their requirements onto them.Collaborative intelligence sharing:A nascent but worthy strategyAs a practical matter,information sharing between corporations and suppliers may be years away,but conceivably,it can solidify best p
171、ractices and ultimately enhance supply chain relationships.With the threat posed by bad actors growing exponentially,organizations across various industries,particularly critical infrastructure,must do significantly more sharing of threat and risk intelligence internally,with the market,and with sup
172、pliers and partners.Meet customer expectations,improve trustEmbed cybersecurity and privacy,for goodNavigate blurring global boundariesUnlock the potential of AI carefullySupercharge security with automationMake identity individual,not institutionalAlign cybersecurity with organizational resilience
173、Cyber strategies for 2024Modernize supply chain security 19Cybersecurity considerations 2024 2024 Copyright owned by one or more of the KPMG International entities.KPMG International entities provide no services to clients.All rights reserved.Learn moreSuggested actionsTake a risk-based approach to
174、assessing third-party processes rather than a blanket approach to different suppliers that provide diverse services.Leverage intelligent automation to gain higher visibility into the changing supplier risk profiles and build a sustainable and scalable forward-looking third-party program.Encourage cr
175、owdsourcing of intelligence and sharing both within your organization and with trusted third parties.Organizations should seek to break down the silo mentality and encourage business stakeholders procurement,legal,business units,risk,third parties tocommunicate and collaborate.Collaboration and info
176、rmation sharing also help organizations manage vendor concentration risk.This is amajor consideration for extended supply chains third,fourth,and fifth parties where multiple organizations rely on the same suppliers.In these instances,it makes sense to join forces while maintaining confidentiality a
177、cross certain aspects of the competitive landscape to ensure third parties are not a weak link across the ecosystem.Many organizations are reticent to engage in this form of collaboration.With that reality in mind,the European Union Agency for Cybersecurity(ENISA),via Information Sharing and Analysi
178、s Centers(ISACs),and the Cybersecurity and Infrastructure Security Agency(CISA)in the US,are spearheading a variety of centralized programs aimed at gathering and rapidly disseminating information regarding threats and vulnerabilities.Its not just about whether a vendor can access customer-or busine
179、ss-sensitive data.Suppose a specific supplier is critical to maintaining operational resilience meaning it impacts the organizations ability to assemble and distribute products but is inadequately mature from a security perspective.In that case,steps must be taken to ramp up the vendors security sop
180、histication or atough decision to move on to an alternate partner may be necessary.By establishing a corporate culture grounded in risk awareness and security,no individual or process will be viewed as a weak link or business speed bump.And that mindset will emanate across all aspects of the enterpr
181、ise including third-party affiliates.Meet customer expectations,improve trustEmbed cybersecurity and privacy,for goodNavigate blurring global boundariesUnlock the potential of AI carefullySupercharge security with automationMake identity individual,not institutionalAlign cybersecurity with organizat
182、ional resilience Cyber strategies for 2024Modernize supply chain security 20Cybersecurity considerations 2024 2024 Copyright owned by one or more of the KPMG International entities.KPMG International entities provide no services to clients.All rights reserved.Staying ahead of cyber risk in the suppl
183、y chainWith complex global supplier networks and more pathways for threat actors to find a way in,understanding and preventing cyber risk must be a priority.The future of supply chainFrom ESG to robots and the metaverse,supply chain leaders have new challenges to prepare for.Supply chain trends 2024
184、:The digital shake-upWith digital opportunities sweeping the supply chain landscape,readiness and line of sight will be paramount to success.Unlock the potential of AI carefully With careful planning and execution,AI will transform how,when,and by whom work gets done.All the talk is currently about
185、generative AI,but many other branches of AI,from robotics to machine learning,continue to transform business.Calibrating the security,privacy,and ethical implications inherent in these technologies is challenging,and organizations are looking to establish frameworks that provide both risk management
186、 and governance when implementing AI.Data is the critical linchpin for security in general and privacy in particular.The industry needs government bodies worldwide to harmonize because having disparate legislation under which some countries are stricter than others disincentivizes innovation.The mar
187、ket needs to balance that need for innovation with effective regulatory guidance and guardrails.Sylvia Klasovec KingsmillGlobal Privacy Solutions LeadKPMG International and PartnerKPMG in CanadaConsideration 5Meet customer expectations,improve trustEmbed cybersecurity and privacy,for goodNavigate bl
188、urring global boundariesModernize supply chain security Supercharge security with automationMake identity individual,not institutionalAlign cybersecurity with organizational resilience Cyber strategies for 2024Unlock the potential of AI carefully21Cybersecurity considerations 2024 2024 Copyright own
189、ed by one or more of the KPMG International entities.KPMG International entities provide no services to clients.All rights reserved.AIs current path:Limited guardrails,but opportunities abound The concern over business outcomes and the need to foster trust among employees and customers,specifically,
190、and society,in general,has sparked a broad ethical debate around how AI can be controlled and deployed responsibly,transparently,and with integrity.To that end,regulation in this space is ramping up.The public and private sectors must work together to offer practical solutions for support during inn
191、ovation and development to ensure security and privacy are embedded from the outset.There is some trepidation in the market to innovate because of the cautionary headlines,the lack of regulatory guardrails,and the absence of a universal standardized global approach to AI.But that unease is being met
192、 with an equal measure of passion for AIs potential to spur innovation.Even local approaches to how AI models and algorithms should be managed,deployed,and legislated are murky.Some countries and regions are further ahead than others.Organizations should maintain awareness of the key foundational el
193、ements needed to establish and maintain trust while also being mindful of the direction regulations are moving in.This will go a long way toward minimizing the work needed to ensure compliance with these regimes in the future.While we encourage organizations to move forward with the exciting and vit
194、al work theyre doing with AI,at the same time,they should ensure they have a thorough understanding of the complexities involved and how to de-risk their models effectively.As the market develops,its important to allow global regulators and legislators the time to establish meaningful guidelines for
195、 AI development.The EU AI Act is a leading example.This landmark legislation is poised to do for AI what the EUs General Data Protection Regulation(GDPR)has done for privacy,paving the way for exciting and responsible advancements in this field.Although the absence of legislation is a clear speed bu
196、mp,the good news is existing privacy legislation has similar principles that can and should be applied to new AI algorithms.Privacy factors such as notice,consent,explainability,transparency,and risk of harm are all codified in existing law.To remain competitive in the market,CISOs should partner wi
197、th Chief Data Officers and Data Protection Officers to support the business objectives that are reliant on AI and determine how to harness this game-changing technology effectively and responsibly.At the same time,they need to wrap sufficient governance and controls around processes that may have op
198、erated largely without oversight for some time.This harmony between enablement and governance is where successful adoption lies.Primary challenges in balancing AI innovation with security and privacy concernsTo facilitate their adoption of AI,organizations must make crucial choices that will shape t
199、heir approach,such as determining whether to create in-house models CISOs and other senior leaders and their teams need to support the business objectives that are reliant on AI and determine how to harness this game-changing technology effectively and responsibly.At the same time,they need to wrap
200、sufficient governance and controls around processes that may have operated largely without oversight for some time.This harmony between enablement and governance is where successful adoption lies.Katie BoswellManaging DirectorCyber Security ServicesKPMG in the USor rely on third parties.While it may
201、 seem that one option is less uncertain,the truth is that both come with inherent risks that organizations must recognize and effectively manage.Organizations must educate themselves about the safeguards around transparency,accountability,fairness,privacy,and security so they can innovate and deploy
202、 with confidence.For example,look to large technology companies and jurisdictions that are further along in their AI journey for guidance around responsible development.From a privacy and security perspective,many organizations are having their hands forced in a sense.With so many business units mov
203、ing full steam ahead Meet customer expectations,improve trustEmbed cybersecurity and privacy,for goodNavigate blurring global boundariesModernize supply chain security Supercharge security with automationMake identity individual,not institutionalAlign cybersecurity with organizational resilience Cyb
Cybersecurity considerations 2024. © 2024 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved.

with AI, CISOs and Chief Product Officers (CPOs) must follow along and ensure the necessary controls are in place. Establishing and maintaining trust in those AI solutions from the outset is critical, both for the brand and for the organization's ability to meet its business objectives. This requires cross-functional cooperation, especially on funding. But to thoroughly embrace and pursue the innovation opportunities, organizations need to agree on a unified security, privacy, data science and legal strategy. Taking a cue from the EU AI Act, the US government recently made its commitment to this collective imperative clear by issuing a sweeping Executive Order on Safe, Secure and Trustworthy Artificial Intelligence that codifies safety and security, privacy, equity and civil rights, and innovation and competition in relation to AI.[8]

Strike a balance between rapid AI innovation and implementing robust privacy and security measures

Data is the critical linchpin for security in general and privacy in particular. The industry needs government bodies worldwide to harmonize, because disparate legislation under which some countries are stricter than others disincentivizes innovation. The market needs to balance that need for innovation with effective regulatory guidance and guardrails.

This is a cultural mindset shift as well as a technological one, with change management as a critical success factor. To integrate privacy- and security-by-design thinking with AI and other emerging technologies, the professionals who manage them, not just the technologies, must advance privacy- and security-first mindsets. If the organization considers privacy and security from the beginning, they become natural components of the operating model. If the world stays the course in adopting AI to meet innovation needs, it will eventually be business as usual, as with cloud adoption. There was a time not long ago when moving to the cloud was a monumental undertaking. Now it is just part of regular business practice: there is no aspect of security that does not have a cloud element. We see that as the likely progression for AI as well. There won't be "AI security" because it will be part of overall security.

8 Whitehouse.gov, Briefing Room, Presidential Actions, "Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence," October 30, 2023.
Suggested actions

Align your AI framework with current standards and develop solid AI governance by aligning the priorities of the various business leaders in the organization and gaining cross-functional support from those with a vested interest in the success of AI.

Acquaint yourself with the stipulations of the EU AI Act and the Biden administration's Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence.

Ensure the purpose of AI algorithms, whether developed in-house or externally, is clearly defined and documented, and that training data is relevant, appropriate for the business objective, and used only with the consent it was collected under.

Learn more

Privacy in the new world of AI: How to build trust in AI through privacy.
KPMG generative AI survey report: Cybersecurity. An exclusive KPMG survey examines four areas where this remarkable technology shows great promise.
Generative AI models: the risks and potential rewards in business. What the rise of ChatGPT, DALL·E 2, Bard et al. could mean for your organization.

"There is a huge proliferation of security vulnerabilities from multiple scanner sources. It's imperative to correlate and identify issues that are real threats. This enables CISOs and governance teams to get a broad-ranging risk view of the organization and sheds light on where we need more human resources with specialized skills. Automation affords security teams the luxury of knowing what to prioritize." Pratiksha Doshi, Partner, Cyber Security Services, KPMG in India

Consideration 6
Supercharge security with automation
Businesses are increasingly moving systems to the cloud, the volume of data that needs protection is skyrocketing, and more people are working remotely and accessing corporate networks with their own devices. As a result, the cyberattack surface is expanding, creating more alerts, false positives and triage events for CISOs to manage. There is a lot of noise in security operations centers (SOCs), and there are not enough panes of glass or humans to deal with the volume. How can CISOs keep detecting threat after threat and feel they are not missing something? They need to collect, correlate and escalate the signals that require a response, and it must be done rapidly. The only way to do that at scale is through automation.
Why automate security at this moment?

Digital agendas are proliferating at a massive rate. At the same time, many organizations see themselves as tech companies, regardless of their core business, because of the explosion of new digital technologies so many must adopt and master. For example, financial institutions are now nearly completely digital in terms of customer interaction, and many health service providers are utilizing telemedicine, AI-powered medical devices, and blockchain-based record keeping. As operating models digitize, security teams need to automate and upgrade their processes to keep pace.

Indeed, targeted attackers are also using new technology and growing more sophisticated seemingly by the week. They are not merely attempting to gain access to the environment but also using AI to commit fraud once there. Cybercriminals are using deepfakes (synthetic media files manipulated to mimic another person's face, voice, or actions) to contact call centers and initiate more credible phishing campaigns. CISOs must be as sophisticated as would-be attackers to wade through the chatter and identify legitimate incidents quickly; the most efficient way to do that is to embrace automation and AI in the SOC.

Automating simple security functions such as log management, threat scanning and access controls will enable security teams to pursue more agile and efficient response times. Many organizations across numerous industries are successfully automating the security function and freeing up human resources by automating routine, repetitive, albeit vital tasks. Work that was previously performed by highly trained professionals, such as vulnerability scanning, log analysis and compliance, can be standardized and executed automatically.

"CISOs and their security organizations implement automation to validate controls by collecting real-world evidence and proving the controls are working as prescribed. This streamlines risk management and governance for the first, second, and third lines of defense." Angela Leggett, Managing Director, Cyber Security Services, KPMG in the US

Automation is transforming the broad security landscape

Security automation is becoming a critical tool across every cybersecurity function, the first being prevention. Automating scheduled procedures and updates can play a key role in ensuring corporate and sovereign defenses are resilient and trusted as organized and rogue bad actors expand their scale and accelerate their attacks. Automation can also help secure the third-party ecosystem, assessing vulnerabilities and exposing weak links within vendor and supplier ecosystems.

On the detection and response side, automation can be valuable in helping CISOs create a level of self-service security, which can be instrumental in completing assessments and testing and rolling the results into the production network. This significantly reduces the workforce that would otherwise be required. Further, if an alert's source IP address is already blocklisted, there is no need for human intervention and the ticket analysis can be automated. Bad actors use automation to scale and increase the speed of their attacks. The most effective way to defend against an automated attack is with automated detection and response. In the event of a breach, automated monitoring processes can identify security incidents in near real time and commence remediation by altering access policy rules or placing questionable devices or users in quarantine. Automated containment needs its own guardrails, such as an allow-list of systems that are never quarantined automatically and a human approval step for actions that could take down production, because a false positive that isolates a core service is itself an outage.
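The "collect, correlate and escalate" loop described above, as an added example in Python (this is not code from the report or from any KPMG tool). It merges findings that two scanners report in different schemas for the same host and CVE, ranks the result by severity and corroboration, and auto-closes IDS alerts whose source address is already on the perimeter blocklist while escalating everything else, including lines the parser cannot read. The scanner record formats, host names, sample findings, alert lines and blocklist ranges are all constructed for illustration; real scanners and sensors have their own schemas and the CVE identifiers are used only as sample data.

```python
"""Correlate vulnerability findings from several scanners and auto-triage IDS alerts."""
import ipaddress

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed sample output of two hypothetical scanners. They disagree on field
# names, letter case and severity vocabulary for the same finding on web-01.
SCANNER_A = [
    {"host": "web-01.corp.example", "cve": "CVE-2021-44228", "severity": "critical"},
    {"host": "web-01.corp.example", "cve": "CVE-2023-38545", "severity": "high"},
    {"host": "db-02.corp.example", "cve": "CVE-2022-0778", "severity": "medium"},
]
SCANNER_B = [
    {"asset": "WEB-01.CORP.EXAMPLE", "id": "cve-2021-44228", "risk": "High"},
    {"asset": "build-07.corp.example", "id": "CVE-2023-4863", "risk": "Critical"},
]


def normalize(record, host_key, cve_key, sev_key, source):
    """Map one scanner's record onto a common schema (lower-case host, upper-case CVE)."""
    return {
        "host": record[host_key].strip().lower(),
        "cve": record[cve_key].strip().upper(),
        "severity": record[sev_key].strip().lower(),
        "source": source,
    }


def correlate(findings):
    """Merge findings that describe the same (host, CVE) pair, keeping the worst
    severity and the set of scanners that agree. Result is ordered worst-first,
    then by how many independent sources corroborate the finding."""
    merged = {}
    for f in findings:
        key = (f["host"], f["cve"])
        entry = merged.setdefault(key, {"host": f["host"], "cve": f["cve"],
                                        "severity": "info", "sources": set()})
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = f["severity"]
        entry["sources"].add(f["source"])
    return sorted(merged.values(), key=lambda e: (-SEVERITY_RANK[e["severity"]],
                                                   -len(e["sources"]), e["host"]))


def correlated_findings():
    """Run both scanners' sample output through normalize() and correlate()."""
    rows = [normalize(r, "host", "cve", "severity", "scanner-a") for r in SCANNER_A]
    rows += [normalize(r, "asset", "id", "risk", "scanner-b") for r in SCANNER_B]
    return correlate(rows)


# Constructed perimeter blocklist (RFC 5737 documentation ranges). An alert whose
# source is already blocked at the edge needs no analyst time.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Constructed IDS alert lines in the form "<timestamp> <src_ip> <dst_ip> <signature>".
IDS_ALERTS = """\
2024-01-15T10:02:11Z 203.0.113.45 10.0.0.5 SCAN port sweep
2024-01-15T10:02:13Z 198.51.100.7 10.0.0.5 WEB possible SQL injection
2024-01-15T10:04:50Z 192.0.2.19 10.0.0.9 MALWARE beacon to known C2
"""


def is_blocklisted(ip):
    """True if ip falls inside any blocklisted network; raises ValueError on junk."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKLIST)


def triage(alert_text):
    """Split alert lines into (auto_closed, escalated). Lines that cannot be parsed
    are escalated, never dropped, so a parser failure cannot silence an alert."""
    auto_closed, escalated = [], []
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            escalated.append({"raw": line, "reason": "unparseable"})
            continue
        ts, src, dst, sig = parts
        alert = {"ts": ts, "src": src, "dst": dst, "signature": sig}
        try:
            blocked = is_blocklisted(src)
        except ValueError:      # source field is not an IP literal: treat as unknown
            blocked = False
        alert["reason"] = "source already blocklisted" if blocked else "needs analyst"
        (auto_closed if blocked else escalated).append(alert)
    return auto_closed, escalated


if __name__ == "__main__":
    for e in correlated_findings():
        print(e["severity"].upper(), e["host"], e["cve"], sorted(e["sources"]))
    closed, open_alerts = triage(IDS_ALERTS)
    print(f"auto-closed {len(closed)} alert(s), escalated {len(open_alerts)}")
```

Two design choices carry the security point: a finding reported by two independent scanners sorts above one of equal severity seen by a single scanner, because corroboration is what separates a real threat from scanner noise, and the fail-safe direction of the triage step is always toward an analyst, never toward silence.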
Some security organizations implement automation to collect digital forensic evidence and validate that the controls are working as prescribed. This streamlines risk management and governance for the first, second and third lines of defense.

Regulatory compliance is another prime example of the value of automation. For instance, in July 2023, the SEC adopted rules for public companies on cybersecurity risk management, strategy and governance. Under the rules, a cybersecurity incident that the company determines to be material must be disclosed within four business days of that materiality determination (on Form 8-K, Item 1.05, for domestic registrants; foreign private issuers furnish the disclosure on Form 6-K). To comply with this requirement, companies must detect the incident, assess its significance, and then file the report. Establishing a workflow that automatically assembles and submits the required filing, and that records the timestamps of detection and of the materiality determination so the four-day clock can be evidenced, can be a particularly useful way to support compliance efforts.[9] For global organizations, this goes even further than SEC filings. A range of regulatory reporting requirements must be met in different formats and timeframes, sometimes measured in hours. Automating these processes could be the difference between compliance and violations.

Automation impacts security teams and the business from a people and skills perspective

Automation augments the security processes and enables CISOs to prioritize where human workers are best deployed. There is a huge proliferation of security vulnerabilities from multiple scanner sources, and it is imperative to correlate them and identify the issues that are real threats. This enables CISOs and governance teams to get a comprehensive risk view of the organization and sheds light on where more human resources with specialized skills are needed. Automation affords security teams the luxury of knowing what to prioritize.

Clearly, there will be changes in the work security teams perform. Increasingly, humans will focus on more strategic issues involving threat assessment, awareness training, and business alignment, to name just a few, rather than performing the type of repetitive tasks that can be done by AI or predictive analytics engines. And this work will require new skill sets. For example, CISOs and their teams must start to understand how large language models work, how they can be trained, how to program them, and so on. There is also a need to build awareness of and proficiency in security concepts in connection with the cloud, the Internet of Things, and AI.

9 SEC.gov, "SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies," July 26, 2023.
Suggested actions

Define your initial vision and strategy for automation. Consider your short- and long-term security objectives, ensure those goals align with the organization's business priorities, and determine the type of protections those shared objectives require.

Determine what tools to build versus acquire, and understand how supply chain partners are automating, to strengthen trust between the organizations and leverage that learning where appropriate.

Identify what data the organization has centrally accessible and define an automated continuous controls monitoring plan to drive efficiencies across all three lines of defense.

Learn more

Empowering security: Security orchestration and automated response to help secure the future.
Building trust in cloud environments: 2023 KPMG Cloud Transformation Survey.
Mastering a multi-cloud environment: The evolution of cloud capabilities.

Consideration 7
Make identity individual, not institutional

"As assurance levels associated with those identities increase, we are beginning to see a trend toward a federated identity model, that is, fewer distinct digital IDs that can be securely leveraged across different domains." Marko Vogel, Partner, Cyber Security Services, KPMG in Germany
Every organization with which consumers interact assigns them a unique digital identity, and just as usernames and passwords vary, authentication methods do as well. From a cybersecurity perspective, the identity model is evolving. Most identity and access management (IAM) models were originally devised to manage digital identities and user access for single organizations. Many are now being reconceptualized to encompass a level of resilience suitable for federated, private, public or multi-cloud computing environments. This should eliminate the need for individuals to endure the exhaustive, time-consuming and intrusive process of identity-proofing every time they interact with a new institution, either as a customer or employee.

Traditional identity models taking on a federated approach

In the current environment, being confident in the identity of people with whom businesses interact is a top concern for security leaders and very much a moving target. Over the past 10 or 20 years, most organizations designed and implemented their own identity management programs. The thinking among security professionals was, "If I implement it myself, I have full control." Control notwithstanding, this approach created a very isolated point of view and increased the number of unique identities to be managed. From a customer perspective, we ended up with tens or hundreds of identities, one for each business we connected with.

Today, the line between business-to-consumer (B2C) and business-to-business (B2B) security has blurred considerably. Leaving aside the fact that B2B users typically have deeper access to network resources than B2C users, both are external users, which has led organizations in many cases to largely merge the two in terms of their identity management approaches. Driven by expanding business models, it is vital that organizations now view identity not in isolation but from a holistic perspective. That is an important driver toward an identity model where suppliers and end-customers can nimbly interact with multiple organizations without being forced to endure a complicated identity-proofing process each time. Consumers should control their digital identities, which should be portable between their consumer and employee personas.

There has been improvement in recent years around the level of cyber assurance
provided by many prominent technology and social players, with IDs being leveraged across the digital commerce ecosystem. As confidence in those identities increases, we are beginning to see a trend toward a federated identity model: fewer distinct digital IDs that can be securely leveraged across different domains. Evolving to a model where digital identities with high levels of assurance are the standard will enable businesses to collect, store and process less personally identifiable information (PII), which would be a decidedly positive outcome for consumers.

The value of blockchain in identity management bears mentioning here. Increasingly, distributed ledger systems are being used to develop federated identity models. Integrating security infrastructure with blockchain technology can provide trust through visibility, verifiable consent, encryption and audit trails. This helps organizations address privacy and fraud issues by delegating data rights management and access control to the subject rather than a centralized third party. One caveat a practitioner would add: the ledger should anchor only public keys, credential schemas and revocation status; the PII itself belongs off-chain, because anything written to an append-only ledger cannot later be erased.

The higher the level of assurance a digital identity has, the more portable it will be. And when IDs are portable, we can expect to see a trend toward fewer overall consumer logins, and therefore fewer digital identities. Ultimately, we need to make identities not only portable (digital wallet use is expected to exceed five billion users globally in 2026, an increase of more than 50 percent from 3.4 billion in 2022[10]) but also consistently tamper-proof and verifiable. This is where biometrics, using unique biological, physical and behavioral identifiers, can come into play.

A related consideration is when, or if, organizations may jettison passwords, one of the top points of failure for all identity systems. Moving away from the password model and broadening the use of multiple factors of authentication (device, location, biometric, behavior) for secure identity validation, particularly across the business ecosystem, seems productive. Will passwords actually disappear? It is likely still years away, but we appear to be moving in that direction.

Deepfake technology is changing the identity game

The threat posed by deepfakes (synthetic image, video or audio files in which an individual's face, voice, or actions are manipulated and replaced) is very real, as are the accompanying financial, reputational and service implications. CISOs must accelerate security innovation to keep pace. With technology evolving at a breathtaking pace, deepfake-related concerns are scaling more rapidly than they did in connection with phishing 25 years ago. Today, bad actors are looking for bigger targets than individual consumers or public figures. Creative, ambitious cybercriminals with access to the latest technology have set their sights on more profitable targets (corporations, institutions and sovereigns), many of which are ill-prepared to defend against this threat.

The key question is what it will take to train technology to make audio and video deepfakes that can consistently defeat biometric-based authentication. The cost considerations alone suggest it will require increasingly sophisticated attackers, but as access to the technology broadens, it will get less expensive, making it easier for bad actors to employ deepfakes as a fraudulent tactic. A key concern regarding deepfakes is the funding required for detection, from maintaining the appropriate computing power, forensic algorithms, and audit processes to the talent needed to employ these tools. CISOs are encouraged to initiate conversations with senior decision-makers to ensure budgets match the emerging threats, and to keep technology up to date by ensuring software updates are installed as soon as they are released.[11] A practical check when biometrics are used for authentication: pair them with liveness detection and, where available, a device-bound credential (a key held in the device's secure hardware), so that a replayed or synthesized face or voice is not sufficient on its own.

"Evolving to a model where a digital identity with a high level of assurance is a reality will enable businesses to collect, store and process less personally identifiable information; that is a decidedly positive outcome for consumers." Jim Wilhelm, Principal, Cyber Security Services, KPMG in the US

10 Juniper Research, "Digital Wallets: Market Forecasts, Key Opportunities and Vendor Analysis 2022-2026," August 2022.
11 KPMG in the US, "Deepfakes: Real threat," 2023.
Government's role in the new identity ecosystem

The government and corporate sectors appear to be coming together on the issue of identity. For example, the Australian government has introduced the Trusted Digital Identity Framework (TDIF). This regime specifies the minimum requirements that identity service providers must meet to achieve and maintain TDIF accreditation, allowing their customers access to digital government services. The ultimate objective is to maintain a user-friendly platform that facilitates digital identities that are accessible, secure and private. Importantly, individuals will be able to use multiple identity service providers to maintain distinct or combined personal and business digital identities. The TDIF empowers individuals to select which digital identity to use, for which purpose and duration, and to have assurance around it.

Government cannot do this alone; it is simply not cost-effective. What is more, corporations are likely more trusted than government entities in the current environment. In some countries, the backdrop is more fragmented because the regulatory activity is happening primarily territory by territory. But that is merely the tip of the iceberg, as digital identity unearths a new set of considerations around acceptance. People routinely travel across territory borders to do business. Will their digital credentials be accepted by officials across territory lines? Thinking about the public-private partnership aspect, if an individual has digital identification connected to a financial institution as well as a government-issued digital credential, which one do they use in different circumstances?

Further, when people present a government-issued digital ID, should they be forced to share all of it? There are certain details that financial, healthcare or law enforcement officials want or need to see. Still, people should be able to maintain full control over what they disclose about themselves. For example, people should have the autonomy to disclose their citizenship status, college degree(s), professional qualifications/licensure, etc., but they should not be forced to offer the underlying personal data. In credential terms this is selective disclosure: the issuer signs the credential once, the holder reveals only the attributes a given relying party needs, and the verifier can still confirm that each revealed attribute is covered by the issuer's signature.

Another critical question for security professionals is who owns the risk. If someone's digital identity is compromised and used for fraudulent purposes, is the issuer or the holder responsible? Depending on a digital identity's intended use, strict but manageable regulations should be imposed on corporations. This is an issue over which there must be regulation and generally accepted standards to ensure the providers of digital identities can operate collaboratively and securely. One of the foundational tenets of the EU's General Data Protection Regulation (GDPR) is purpose limitation: where organizations rely on consent, individuals consent to the use of their personal data in specific contexts and for specific transactions. If a company wants to use personally identifiable information (PII) for another purpose or sell it, it must reacquire consent. That basic imperative should be a global standard. Similarly, the EU Digital Identity, a personal digital wallet for EU citizens and residents, will soon enable individuals to identify themselves or confirm certain personal information. This e-identity will be able to be used both online and offline for public and private services across the EU.[12]

"Will passwords actually disappear? It's likely still years away, but we appear to be moving in that direction." Danny Flint, Partner, Cyber Security Services, KPMG Australia

The global regulatory position around identity is fragmented and inconsistent. To some extent, the marketplace has become numb to the steady drumbeat of data breaches. Individual and institutional customers must be vigilant about the sensitive data they disclose and where they disclose it. CISOs and their teams should keep customer demands for the responsible use of and control over data as a core factor in developing identity management policies and strategies.
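The selective-disclosure idea raised above (prove a degree or licence without handing over the underlying personal data), as an added example in Python using only the standard library. This is not code from the report, from any wallet product or from any particular standard; it shows the salted-commitment pattern that such schemes use: the issuer commits to every claim with its own random salt, signs the list of commitments once, and the holder later reveals only the claims a relying party needs together with their salts, so the verifier can recompute those commitments and check them against the signed list. One simplification is an assumption of this example: the issuer's "signature" is an HMAC over the commitment list, so the verifier holds the same key; a real deployment would use an asymmetric signature so that verifiers need only the issuer's public key. The claim values and the issuer key are constructed sample data.

```python
"""Salted-hash selective disclosure for a digital credential (illustrative)."""
import hashlib
import hmac
import json
import os

ISSUER_KEY = b"example-issuer-key"  # constructed; a real issuer would sign with a private key


def _commit(name, value, salt):
    # Commitment = SHA-256(salt || name || 0x00 || json(value)). The per-claim salt
    # keeps a low-entropy claim such as citizenship "AU" unguessable from its hash.
    return hashlib.sha256(salt + name.encode() + b"\x00" + json.dumps(value).encode()).hexdigest()


def issue(claims):
    """Issuer side. Returns (credential, disclosures): the credential carries only
    the sorted commitments plus the issuer's signature over them; the disclosures
    (salt and value per claim) stay with the holder."""
    disclosures, commitments = {}, []
    for name, value in claims.items():
        salt = os.urandom(16)
        disclosures[name] = (salt.hex(), value)
        commitments.append(_commit(name, value, salt))
    commitments.sort()  # fixed order, and hides which claim is which
    payload = json.dumps(commitments).encode()
    signature = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    return {"commitments": commitments, "signature": signature}, disclosures


def present(credential, disclosures, reveal):
    """Holder side: attach only the requested claims (with their salts)."""
    return {"credential": credential, "disclosed": {n: disclosures[n] for n in reveal}}


def verify(presentation):
    """Relying-party side: check the issuer signature over the full commitment list,
    then check that every disclosed claim recomputes to one of those commitments.
    Returns the verified claims, or None if anything fails."""
    cred = presentation["credential"]
    payload = json.dumps(cred["commitments"]).encode()
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["signature"]):
        return None
    verified = {}
    for name, (salt_hex, value) in presentation["disclosed"].items():
        if _commit(name, value, bytes.fromhex(salt_hex)) not in cred["commitments"]:
            return None  # value was altered, or the claim is not part of this credential
        verified[name] = value
    return verified


# Constructed sample credential; the licence number is made up.
SAMPLE_CLAIMS = {"name": "A. Example", "date_of_birth": "1990-01-01", "citizenship": "AU",
                 "degree": "BSc Computer Science", "licence": "CPA-123456"}


def demo():
    cred, disc = issue(SAMPLE_CLAIMS)
    # A prospective employer needs the degree and licence and nothing else.
    honest = verify(present(cred, disc, ["degree", "licence"]))
    # The holder edits the degree after issuance: the salt no longer matches the value.
    forged = verify(present(cred, {**disc, "degree": (disc["degree"][0], "PhD")}, ["degree"]))
    return honest, forged


if __name__ == "__main__":
    print(demo())
```

What the verifier learns is exactly the two revealed claims; the name, date of birth and citizenship remain behind their salted hashes. The example deliberately omits holder binding (a key held in the wallet that must sign each presentation), expiry and revocation checks, all of which a production credential format adds so that a captured presentation cannot simply be replayed.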
Suggested actions

Keep your approach to identity flexible to comply with the evolving regulatory environment, and ensure your architecture can integrate emerging technologies into the security process much faster than the two-, three- or four-year journeys we see today.

Explore more agile and interoperable identity systems to facilitate a federated identity ecosystem.

Consider your role, now and in the future, as an identity/credential issuer, relying party, digital wallet provider, or all three in this evolving identity ecosystem.

12 European Commission, "Digital Identity for all Europeans," 2021.

Learn more

Deepfakes rewrite the cybersecurity playbook: Fakes aren't just for April Fools anymore. They're coming to a boardroom near you, with the potential to destabilize your business.
Fake content is becoming a real problem: Widespread availability of sophisticated computing technology and AI enables virtually anyone to create highly realistic fake content.
How Identity and Access Management can enhance resilience and DORA compliance: With new EU regulations demanding vigilance around security, a robust identity and access framework is a vital tool in the kit.

Consideration 8
Align cybersecurity with organizational resilience

During a cyber incident, organizations need a response measured in minutes and hours, not days and weeks.
In today's volatile environment, resilience has become a common theme for organizations across critical infrastructure sectors such as energy, communications and transportation, with executives focused on recovery if preventative controls fail. Resilience should seamlessly align with cybersecurity, emphasizing protection, detection, and rapid response and recovery. Cyber resilience is vital for maintaining business operational capabilities, safeguarding customer trust, and reducing the impact of future attacks. These disciplines should work in tandem to help organizations manage risk.

"Resilience means being better equipped to manage incidents quickly, comprehensively, and with less impact on the business. It doesn't mean there will never be another incident. CISOs can't control external threats but can control the organization's preparedness." Dani Michaux, EMA Cyber Security Leader and Partner, KPMG in Ireland

Rebuilding trust is key after an incident
When a data breach or ransomware attack occurs, trust is the first asset to be impacted. And trust is absolutely a corporate asset. How well organizations are prepared, and how quickly they can respond and recover, are key determinants in restoring customer and, for public companies, investor trust. When organizations commit to earning and re-earning the trust of these vital stakeholders, they place themselves firmly on the path to operational resilience. In some cases, rebuilding trust is about rapid technical recovery; in others, it is about identifying alternate ways of delivering services. In every instance, it is about identifying vulnerable and/or impacted stakeholders, expeditiously addressing their needs and minimizing disruption.

Regulators across all regions are now putting a greater emphasis on resilience and trust. For example, rules adopted in 2021 by the UK's Financial Conduct Authority are intended to ensure that important business services in the UK's financial services sector operate with sufficient resilience in the event of operational disruptions. Firms are required to identify their important business services, set impact tolerances for them, and demonstrate that they take a resilience-by-design approach. This framework is based on the notion of avoiding "wide-reaching harm to consumers and risk to market integrity" as a result of a cyber event.[13]

Mission criticality: Focus on what matters with advance planning

Every organization is unique in what it does and how it does it, but from a security perspective it is universally instructive to conduct structured, scenario-based tabletop exercises in advance of a cyber incident to ensure people, processes and technology are aligned. Scenario planning should not simply be a box that gets checked. These exercises reveal the strategic choices around how organizations deal with a major disruptive event like a ransomware attack, and build confidence that leadership is prepared to coordinate response efforts and manage and ultimately lessen the impact on customers and clients. It is also imperative for organizations to determine in advance which business processes truly are mission-critical and need to be brought back online as soon as possible, and to record the recovery time and recovery point objectives for each, because those targets are what the exercise is tested against.

Cyber resilience, the ability to adapt to and weather a cyber incident, differs from business continuity, the procedures an organization follows to operate during an incident. Resilience is strategic, while continuity is process oriented. In that sense, it is much less stressful to carry out a resilience exercise before a recovery situation than in the middle of one, when multiple business areas may be in panic mode. Continuously assessing the state of the organization's cyber resilience as a primary pillar of its overall preparedness, and going through prioritization exercises, is critical to maintaining a cybersecurity plan that is both fit for purpose and fit for the moment. It provides a response and recovery road map. Every day, advanced persistent threat actors leverage different attack vectors in new ways. This evolution is a reality that CISOs must consider. Having a written and vetted resilience plan as a springboard to tangible action is much more effective than brainstorming during an attack.

Avoid complacency amid a changing threat landscape

Organizations' baseline security is getting better. At the same time, the business and supply chain landscapes are evolving, with increased dependency on a web of suppliers for IT, software and other services, and organizations experimenting with new technologies such as AI, Web 3.0 and smart products. In response, attackers, organized or state-supported groups and lone actors alike, are becoming more sophisticated, exploring new vectors and manipulating reality through identity hacking and deepfakes. Today's attacks have shifted to include supply chain compromises and double or triple extortion ransomware backed by a complex crime-as-a-service ecosystem.[14]

"Continuously assessing the state of the organization's cyber resilience as a primary pillar of its overall preparedness and going through prioritization exercises is critical to maintaining a cybersecurity plan that is both fit for purpose and fit for the moment. It provides a response road map." Jason Haward-Grau, Global Cyber Recovery Services Leader, KPMG International, and Principal, KPMG in the US

13 Financial Conduct Authority, Policy Statement PS21/3, "Building operational resilience," March 2021.
14 KPMG International, "Maintaining cyber vigilance and staying resilient," 2023.

Bottom line, organizations need to follow a dynamic approach to resilience. They cannot be complacent, because not only is the threat changing, but the way bad actors seek to disrupt both internal processes and supply chains is also changing. Organizations need to continually improve and adapt. Resilience means being better equipped to address an incident quickly, comprehensively, and with minimal business impact. It does not mean there will never be another incident. CISOs cannot control external threats but can control the organization's preparedness.
323、s preparedness.The investments of time,people and budget should not be focused solely on incident avoidance but instead on cultivating an enduring state of resilience that becomes an integral,embedded component of the overarching cybersecurity plan.Theres an ongoing arms race between organizations a
324、nd bad actors,and the latter are constantly evolving and innovating faster because its all they think about.If CISOs understand and manage the organizations security drift,they can chip away at attackers ability to identify and exploit vulnerabilities.As organizations navigate todays evolving and vo
325、latile cybersecurity landscape,resilience should not be viewed as a series of one-off or intermittent projects.Rather,it should be an adaptive strategy that complements the organizations cybersecurity agenda,protects customer interests,aligns with the objectives of the business,and focuses on delive
326、ring long-term value.Suggested actionsAssess how the organization can respond better and faster if attacked again next week and next month/year to identify quick wins,like expediting payments,ensuring liquidity,improving communication and enhancing response speed.Foster organization-wide behaviors a
327、nd cultural alignment to prioritize what truly matters to the organization in terms of data,services and infrastructure.Regularly update plans and playbooks to align with the evolving threat landscape and IT and supply chain dependency changes.Learn moreMeet customer expectations,improve trustEmbed
328、cybersecurity and privacy,for goodNavigate blurring global boundariesModernize supply chain security Unlock the potential of AI carefullySupercharge security with automationMake identity individual,not institutionalCyber strategies for 2024Align cybersecurity with organizational resilience 35Cyberse
329、curity considerations 2024 2024 Copyright owned by one or more of the KPMG International entities.KPMG International entities provide no services to clients.All rights reserved.Maintaining cyber vigilance and staying resilientHow to recover from a cyberattack,rebuild effectively and avoid complacenc
330、y.Cyber and digital operational resilienceTargeting strategic resilience.Mid-market:a holistic approach to boost cyber resilienceA more connected world has increased risk and expectation.In response,the mid-market can implement holistic cyber security strategies.Cyber strategies for 2024 What action
331、s can CISOs,and the broader business lines take in the year ahead to help ensure security is the organizations golden thread?Following is a short list of recommendations CISOs should consider as they seek to accelerate recovery times,reduce the impact of incidents on employees,customers,and partners
332、 and aim to ensuretheirsecurity plans enable rather than expose the business.People Process Connect with your organizations ESG team to determine whether they consider cyber a key aspect of their mandate.If not,work tobuild awareness of how and why its important to all three areas of ESG.Bring a new
333、 perspective to the board on what could disrupt the business and what should be done to manage those risks withoutimpacting operations and customer experience.Foster organization-wide behaviors and cultural alignment to prioritize what truly matters to the organization in terms of data,services and infrastructure.Determine how and where to embed certain security tasks within the business vs.outsou