KPMG: Cybersecurity considerations 2025: eight key considerations in the AI era (English edition, 44 pages)
Cybersecurity considerations 2025
In an AI-dominated business environment, the foundational principles of cybersecurity are even more critical
KPMG key cybersecurity considerations for 2025

Contents
Foreword 03
Reflections on a five-year journey 2020-2025 05
How KPMG professionals can help 39
Meet the authors
Cyber strategies for 2025
Cybersecurity considerations 2025
2025 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved.

Foreword

As 2025 takes form, the digital landscape continues to evolve at an unprecedented rate, bringing forth new challenges and amplifying the urgency for robust cybersecurity measures. Against this backdrop, the sixth global installment of the annual Cybersecurity considerations report aims to shed light on the current and upcoming obstacles facing organizations across various industries and highlight several strategic actions they might undertake, all of which are aligned with eight key cyber considerations that are thoroughly explored in this report.

At a time when technology is intertwined with every facet of our professional and personal lives, cybersecurity emerges not just as a business concern but as a broad issue that impacts all aspects of society. According to KPMG research, CEOs view cybersecurity as the top threat over the last decade.1

The incorporation of AI across virtually every industrial sector brings to light the critical issue of embedding trust within AI models and processes by establishing a thorough and robust governance program through which CISOs can understand the various business cases, determine where and how AI is already being used in the organization, and identify the related vulnerabilities. The proliferation of smart products, from automobiles and medical instrumentation to home appliances and other Internet of Things-related devices, continues to expand the attack surface, aligning physical and digital threats in unprecedented ways. The advent of deepfakes and the resurgence of digital assets such as cryptocurrency, which remains largely unregulated and volatile, augment the complexity of these threats, necessitating vigilance and innovative countermeasures.

In this environment, CISOs are urged to focus on educating themselves and their teams about AI technologies, not only to assemble the best teams but to understand the unique risks each use case presents. As for talent acquisition and development, CISOs face the daunting task of assembling teams capable of comprehending AI's complexities and often subtle risks, a task complicated by the rapid innovation occurring in this space, as well as the difficult-to-govern pockets of "shadow AI" that are cropping up across the business. While all this occurs, a rationalization or consolidation of cyber capabilities appears to be at hand, with security teams moving from perhaps dozens of solutions in their security operations centers (SOC) to a leaner suite of best-of-breed tools to integrate solutions more effectively and economically and to better leverage new AI capabilities offered by the providers of these tools.

Today's cybersecurity hurdles transcend the realm of traditional technical skills, necessitating a multidisciplinary approach that also encompasses a deep understanding of risk management, as well as an array of soft skills, such as problem-solving, critical thinking and communication. Cybersecurity professionals can come from unconventional backgrounds and must be able to adapt quickly and acquire tangible knowledge beyond what is typically taught in the training for traditional degrees in computer science, software engineering or information technology.2 It's imperative for cybersecurity professionals to prioritize situational risk assessment without losing sight of the need for explicit, yet flexible controls.

1 KPMG 2024 Global CEO Outlook, August 2024.
2 World Economic Forum, Strategic Cybersecurity Talent Framework, April 2024.
Cybersecurity is not a static function, but rather a dynamic and ever-evolving challenge. For example, the rise of quantum computing, through which attackers can circumvent encryption tools at an alarming speed, potentially compromising everything from banking and retail transactions to business data, documents, email and more; the potential for "superintelligent" AI systems, which perpetually improve and expand their knowledge while protecting themselves when sensing danger; and the velocity at which misinformation is spreading, especially through deepfake audio and video content, are just several of the emerging issues over which CISOs are losing sleep. These and other threats highlight the urgent need for innovation and strategic foresight.

Legislative landscapes are shifting toward more localized regulations, presenting a multifaceted challenge for global security operations. This, coupled with the economic imperative to justify security budgets not solely on return on investment but also on the mitigation of risk, places CISOs in the precarious position of advocating for resources without the traditional financial assurances. CISOs are similarly challenged by ascending geopolitical complexities. With rising state-sponsored attacks, the fluid regulatory environment and cross-border data flows, CISOs must navigate a vast array of intricacies to effectively safeguard their networks. Clearly, the pressure to stay ahead of emerging threats and ensure compliance is more daunting than ever. The broad experience among today's CISOs, both those who have weathered significant incidents and those who may have only faced minor skirmishes, underscores the need for a nuanced appreciation of the ever-fluid threat landscape.

In this report, a wide cross-section of KPMG specialists delves deeper into these issues, providing comprehensive analysis of the current state of cybersecurity and offering actionable strategies for CISOs aligned to eight cybersecurity considerations. Our enduring goal is to equip leaders with the knowledge and tools necessary to navigate the complexities of the digital age, ensuring the security and resilience of their organizations in the face of a fascinating and exciting, yet often uncertain future.

Akhilesh Tuteja
Global Cybersecurity Leader
KPMG International

"The technology landscape is evolving rapidly, with new threats emerging daily. To stay ahead, businesses must be proactive, not reactive, to safeguard their digital assets, ensure compliance, and foster an environment where innovation can thrive securely."
Bobby Soni
Global Technology Consulting Leader
KPMG International

Reflections on a five-year journey 2020-2025

Over the past five years of producing this report, an ever-evolving cybersecurity landscape has emerged as a tangible focal point for organizational leaders. Many key themes continue to resonate: resilience, identity access management (IAM), cloud security, talent and skills gap, to name a few. However, the fundamental underpinning of this fascinating and pivotal subject has shifted from traditional security measures to the priorities and challenges of a global and multifaceted digital landscape, to which CISOs and their teams must respond in near real time. Above all, it's crucial to emphasize how pervasive cybersecurity has become, expanding beyond technology risks to encompass broader business threats, affecting industries and society alike.

Digging a bit deeper: With the COVID-19 pandemic and the normalization of remote working arrangements, a focus on cloud and AI security has become a key CISO objective. Talent, and the always-looming skills gap, has long been critical given emerging technologies and the new and varied skills required. Identity has moved from traditional IAM, an important albeit separate function, to the heart of Zero Trust strategies and a means for identifying digital identities and deepfakes. Resilience has become an essential objective throughout and will remain so going forward. CISOs continuously strive to reinforce it, particularly as cyber threats have transformed into far-reaching business threats, which hold the potential to disrupt industries and cause harm to society.

Looking at the trend analysis 2020-2025 exhibit on the next page, much of the basic security foundation examined remains central to the research conducted. But between new technologies, expanding regulations, more sophisticated tooling, and a mounting threat landscape, the role of the CISO is growing in scope and accountability.

Trend analysis 2020-2025

Key themes
2020: COVID-19 pandemic; remote working, the new reality.
2025: Gen AI; EU AI Act; cyber attacks have become more pervasive, affecting businesses, industries and society as a whole.

Key events
- 2024 CrowdStrike incident
- Increased use of cyber warfare in geopolitical conflicts
- AI-enabled cyber threats, i.e. AI phishing, intelligent malware, deepfakes, mass surveillance and others.

Strategy and leadership
2020: The CISO has become a trusted internal advisor and operational leader. Moving the conversation from cost and speed to strategic and effective security. Cyber exists to support, not hinder: from organizational enforcers to influencers.
2025: As cyber becomes more pervasive across the organization, the pressure on the CISO to deliver increases. The CISO role disperses but accountability increases, partially due to regulatory developments. CISOs' budgets increasingly tied to risk reduction for the business.

People and talent
2020: Security teams are transforming into a key resource with a relevant voice at the strategy table. Weaving cyber into the organizational fabric.
2025: The cyber skills gap persists; AI might offer some viable solutions, but the workforce needs new skills to adapt and adopt.

Technology and data
2020: New virtual infrastructure models and collaboration tooling. Accelerated cloud transformation (due to COVID-19), but security was an afterthought. Enhanced security through automation.
2025: Rapid advancements in Gen AI create excitement around use cases in cyber. Securing a perimeter-less and data-centric world. Investment in AI for cyber becomes more strategic and forward-looking. Enterprise-wide cost-saving, efficiency, security and innovation (especially AI implementation) drive platform consolidation.

Digital trust
2020: Cyber and privacy regulations focus on business priorities and responsibilities: the importance of trust. Traditional identity authentication and management (IAM). Digital trust is a shared responsibility that starts with the business and involves multiple stakeholders, e.g. CISO, DPO, CDO, CIO, etc.
2025: Placing identity at the heart of zero trust. Embedding trust as AI pierces all fabrics of business and society: focus on security, privacy, safety, ethics, etc. The rise of digital identities and deepfakes.

Resilience
2020: From scenario- to impact-based focus on criticality and regulation. No longer just about prevention: focus on response and recovery.
2025: CISOs continue to build on resilience as cyber threats have evolved from tech risks to business and industry threats, with potential harm to society.
Eight key cybersecurity considerations for 2025

01 The ever-evolving role of the CISO
What CISOs and their teams focus on, and how they interact with the rest of the organization, is fluid, as the cybersecurity function becomes more broadly embedded within and better understood across the organization.

02 The power of the people
As organizations continue to transform their business models in the face of new digital disruptions, many are experiencing real challenges around workload, which is exacerbating the long-discussed cyber skills gap. AI and automation can help, but there is an underlying risk of talent attrition as many teams struggle to cope.

03 Embed trust as AI proliferates
AI is here to stay and has a place in virtually every organizational function, but there are a number of key cyber and privacy challenges that have the potential to affect the adoption and deployment of AI.

04 Harness AI for cyber: Racing ahead vs. racing safely
Many factors appear to be contributing to the buzz around AI adoption, from a lack of training to the fear of missing out and possibly falling behind. A key challenge is weighing the potential benefits of integrating AI into cyber and privacy functions against the potential risks.

05 Platform consolidation: Embrace the potential but recognize the risks
Increasingly, many global organizations are looking to reduce the complexity and cost of their technology. Organizations that choose to do so by consolidating tools and services onto a single or a limited number of platforms must identify and navigate the inherent risks.

06 The digital identity imperative
Although there are several initiatives around digital identity sprouting up worldwide, interoperability between systems and enhanced authentication due to the emergence of deepfakes remain a challenge, whether due to regulations, risk appetite and/or public opinion regarding the processing of personal and biometric data.

07 Smart security for smart ecosystems
The rise of smart devices and products worldwide is challenging and changing traditional views and approaches toward security, prompting many regulators to introduce new regimes to ensure these products meet basic security requirements.

08 Resilience by design: Cybersecurity for businesses and society
Resilience is becoming central to the CISO agenda as the prospect of attackers using ransomware or other malicious means to cause large-scale industrial disruption, risking both data and human lives, remains alarming.

Consideration 1
The ever-evolving role of the CISO

A combination of factors is reshaping cybersecurity and significantly transforming the role of the Chief Information Security Officer (CISO). Heightened regulatory scrutiny, the pressure to deliver virtually without failure, and increasing accountability and personal risks are all contributing to this momentum shift. At the same time, traditional CISO functions are gradually being dispersed across organizations, raising important questions about the future of the role and the evolution of the cybersecurity function. The success of CISOs will likely depend on their ability to effectively establish decision-making authority, manage the impact of emerging technologies, particularly AI, and adapt to new threats.

Rising expectations as operating models evolve

The role of the CISO is becoming increasingly complex. Regulatory scrutiny and the need to ensure strong cybersecurity outcomes across the entire organization are largely driving this. This complexity is further compounded by changes in the operating model and a growing reliance on external vendors. This shift in the operating model means that CISOs have less direct control over the implementation of security measures. While the embedded cybersecurity and privacy controls offered by these vendors can be beneficial, they often lack the flexibility and granularity required by CISOs to effectively manage risk across diverse environments. However, these controls may not always align with the unique needs of the organization, particularly in the case of global operations spanning multiple countries. CISOs now face the challenge of managing and configuring vendor-provided controls to ensure they are fit for purpose and comply with local laws and regulations. CISOs must navigate this growing complexity while still enabling people to work efficiently and maintain visibility into the operation of controls across the organization.

"When it comes to cloud-based software vendors, there is added complexity because typically they're binary: they're either on or off. Ideally, CISOs would like to see specific controls positioned as on or off based on circumstance or location: on for the US, but off for Germany; on for Singapore, but off for Switzerland."
Paul Spacey
Global Chief Information Security Officer
KPMG International

Designing a blueprint for cybersecurity's organizational role and scope

The organizational structure surrounding the CISO role is evolving, with a growing trend toward splitting responsibilities with
the Technology Information Security Officer (TISO), if there is one on staff. This division of roles enables the CISO to focus on risk management and broader cybersecurity strategies. The TISO typically is embedded in the organization's technology functions, overseeing the implementation of relevant controls and managing day-to-day operations. Additionally, larger organizations may have multiple CISOs, each responsible for different lines of business, such as the supply chain network or commercial online presence. This segmentation of responsibilities recognizes that a single individual may struggle to maintain detailed knowledge across all areas while effectively managing the overall cybersecurity landscape.

As the cybersecurity domain continues to expand, CISOs are finding themselves with a broader scope of responsibility. They must serve as the source of truth for a wide range of aspects, including controls, performance, risks, intelligence, identity management and overall cyber hygiene. CISOs are tasked with presenting this information in a manner that is relevant and consumable for the business, enabling informed decision-making. While CISOs may delegate many security priorities to other teams, such as reporting on key risk indicators, running risk assessments and performing penetration testing, they must still maintain oversight and awareness of these activities. The challenge for CISOs is to effectively manage this expanded scope while ensuring agility, efficiency, and situational awareness across the organization.

Walking the tightrope: Balancing accountability and authority in the face of growing risks

The increasing regulatory scrutiny and potential for personal liability have highlighted the need for clearly defined accountability and decision-making authority for CISOs. In the event of a cybersecurity incident, CISOs may find themselves exposed to legal and professional consequences, particularly in heavily regulated industries. To mitigate this risk, organizations must establish formal governance processes that empower CISOs to take necessary actions during an incident without fear of repercussions. This includes providing CISOs with a clear understanding of their authority and the limits within which they can operate. With this, they can make critical decisions quickly and confidently.

The reporting line of the CISO also determines the ability to effectively manage cybersecurity risks. While having a direct line of communication with the C-suite, general counsel and the board is important, CISOs must also have the autonomy to make decisions based on their technical expertise. In emergency situations, such as a supply chain breach, CISOs need the authority to take immediate action without waiting for approval from superiors who may not have the necessary technical understanding. However, this autonomy must be balanced with a clear set of accountability controls and guardrails, developed in collaboration with senior management. CISOs should be encouraged to pause at critical moments,
consider the potential consequences, and assess the most effective course of action.

"CISOs used to start off by trying to identify, protect and secure the organization's crown jewels: key data, intellectual property, trade secrets, etc. But today, CISOs really need to focus on the security and resilience of the business."
Wendy Lim
Partner, Cyber, Advisory
KPMG Singapore

Rewriting the CISO playbook for the future

As organizations increasingly adopt automation and AI technologies, the role of the CISO is set to undergo significant changes. The growing automation of security operations centers (SOCs) is expected to result in smaller teams and reduced focus on day-to-day operations. The cybersecurity remit is so vast that organizations have to split responsibilities. CISOs will struggle to effectively oversee a tech delivery team, manage capabilities, interpret signals from controls and handle all aspects of reporting, data engineering, personnel management, outreach and training. This overwhelming workload will likely lead to them becoming bogged down and ultimately paralyzed in their roles. Thus, CISOs are expected to expand their attention to other critical and strategic areas.

With the rapid adoption of generative AI across industries, CISOs can play a crucial role in ensuring that organizations understand and mitigate the associated risks. They will need to become more strategic and proactive, engaging with the business at the early stages of AI projects to explain potential risks and outline necessary steps for mitigation. Bottom line, CISOs need to determine how AI can help better protect the company, its people and customers while investing in and embedding the necessary AI-specific safeguards within the models. To that end, KPMG research has found that 64 percent of global CEOs acknowledge they will invest in AI regardless of economic conditions.3

In the future, CISOs will likely need to continuously broker tradeoffs with other areas of the organization, balancing the demands of the board, the business, technology managers and their own need to manage inherent risks. This will require CISOs to be skilled stakeholder managers, able to navigate complex relationships and effectively communicate the importance of cybersecurity priorities. To facilitate this, CISOs may consider embedding security personnel within key business functions, allowing for better alignment of security culture and priorities across the organization. By cultivating a holistic perspective, CISOs can provide valuable insights to the board and ensure that cybersecurity is integrated into the fabric of the organization.

3 KPMG 2024 Global CEO Outlook, August 2024.

"And then there's the resilience objective on which many regulators are focused. Resilience entails mapping critical business processes and the systems organizations need to recover after an incident. CISOs can't just flick a switch and engage business and technical teams to address these issues. That's why organizations are splitting responsibilities. Companies are realizing that for all these things to proceed efficiently, they can't fall to one individual. The broad security team has to protect the entire enterprise at all times, but attackers only need one unprotected vector to access the network. Clearly, it's an asymmetric battle, and to do it all well, multiple parts of the company must work together. The CISO may be best positioned to oversee it all, but they can't do it all alone. Cybersecurity has become much more of a delegated and shared function. But while the CISO today works very closely with many counterparts across the business, they must speak in one unified voice to manage risks while supporting the organization's commercial interests."
Oscar Caballero
Partner, Head of Cybersecurity
KPMG Mexico
Suggested actions
- Stay informed about regulatory changes, communicate with the board, and clarify limits of authority to mitigate personal liability risks.
- Prepare for the CISO role's evolution due to AI automation and the shift to cloud-based services.
- Take the lead in discussing the adoption of disruptive technologies like AI, explaining risks and mitigation steps.
- Continue to build security in by design across DevSecOps processes, in addition to embedding cyber-focused team members into business functions.
- As the boundary between personal and enterprise data within cloud-based and AI services blurs, conduct thorough due diligence on third-party vendors to ensure their contractual obligations are clear and consistent with the organization's overarching data governance framework.

"Fundamentally, reducing the probability of an attack starts with an understanding of the environment. You can't secure what you don't know. CISOs must know the entire cybersecurity estate: their organization's critical business applications and services, what's public-facing, what controls are in place, how they can be more proactive, their security posture and the vectors bad actors tend to use, to name just a few pieces. All that is fundamental. Only then can they determine how to reduce the chances of something bad happening."
Lou Fiorello
Vice President, Security Products
ServiceNow

Learn more
- KPMG 2024 CEO Outlook
- KPMG global tech report 2024
- How CISOs can help kickstart Gen AI projects

Consideration 2
The power of the people

Among the range of challenges for cybersecurity leaders, the workforce skills gap is prominent. The human element continues to be the most critical factor in the fight against cyber threats. New sophisticated technologies and rapidly evolving threats are only exacerbating an already-widening skills gap. To address these challenges and secure their digital assets, organizations must adopt a holistic approach that recognizes the power of people in building a resilient cybersecurity ecosystem. Empowering talent with the necessary tools, cultivating a robust security culture, optimizing the use of AI, and strengthening the talent pipeline are some viable solutions.

Addressing the cybersecurity skills gap and talent retention

According to the World Economic Forum, more than half (52 percent) of public organizations cite a lack of resources and skills as the greatest challenge to creating effective cyber resilience programs.4 Much has been reported around the dearth of experienced cyber talent and the skills gap, which have created an attrition rate nearly eight percentage points higher than other roles, making team consistency difficult to maintain.5 At this point in time, the rapid growth of cybersecurity as a profession, and the ongoing need for specialized knowledge, have conspired to outpace the ability of our educational institutions to produce enough qualified candidates.6

The growing disconnect between technical and non-technical skill sets is particularly striking. While strong technical abilities remain essential, non-technical skills such as effective communication, problem-solving, adaptability and collaboration are increasingly important for privacy, risk and compliance professionals. To address this disconnect, industry leaders are encouraged to prioritize comprehensive training programs. Talent retention is another important part of the story, with nearly half (47 percent) of security leaders in a recent KPMG security operations center (SOC) survey telling us they have "major issues" retaining good workers.7

As the demand for experienced cybersecurity professionals continues to outpace the available talent, CISOs must develop strategies to attract and retain a diverse workforce. This needs to include partnering with human resources (HR) to understand and address the unique needs of a multi-generational workforce. For example, Gen Z and Millennials, the youngest and fastest-growing generations in the workforce, place particular value on work-life balance, recognition, and career mobility.8 By offering flexible work arrangements, clear career paths and opportunities for professional development, organizations can create an attractive environment for cybersecurity talent.

Inclusion, diversity and equity (IDE) initiatives will also be important in addressing the cybersecurity skills gap. By actively encouraging and supporting the participation of women and diverse groups in cybersecurity, organizations can tap into a wider pool of talent and benefit from unique perspectives and creative skills. However, promoting diversity is not enough; employers must also create supportive and inclusive environments that enable diverse staff members to thrive, especially those who fall on the neurodiversity spectrum.

4 World Economic Forum, Strategic Cybersecurity Talent Framework white paper, April 2024.
5 STI Group, The State of US Cybersecurity Employment: Analyzing Growth, Demand, and Retention Challenges, April 5, 2024.
6 KPMG, Matthew Miller, Addressing the Cybersecurity Talent Gap in the SOC, LinkedIn, August 1, 2024.
7 KPMG Cybersecurity Survey, Security Operations Center Leaders Perspective, April 2024.
8 Paychex, Navigating the New Workforce: Engaging Millennials and Gen Z in the Workplace, April 23, 2024.
AI is integral to cybersecurity, not reductive

While many organizations are still in the early stages of AI adoption, as cybercriminals increasingly turn toward AI to enhance their attack strategies, CISOs should explore how this technology can be securely and responsibly integrated into their cybersecurity strategies. To stay ahead of the curve, AI-enabled areas such as real-time threat detection, faster incident response and predictive modeling should be a primary focus. This can also help reduce the burden on understaffed teams. AI is going to be a true enabler for security teams in addressing the skills gap, not, in most cases, a replacement for human workers. In fact, according to the KPMG SOC survey, at least six out of ten security leaders consider AI to be a "game changer" for all security functions, including identity and access management, threat detection and response, and perimeter monitoring.9 By automating routine tasks with AI, organizations can significantly increase efficiency, freeing cyber teams to focus on the more complex and strategic tasks that are essential to safeguarding the network.

The human element will have a key role in adoption. CISOs should ensure that their teams are properly trained to work alongside AI systems, understanding their capabilities, limitations and potential biases. AI is also a source of anxiety in the workplace. In that context, consensus and trust will be the keys to progress. According to KPMG research, more than three-quarters of organizations (78 percent) are concerned that many users continue to view AI as an arcane "black box." Almost as many (77 percent) expect AI to pose operational challenges that will lead to job reduction and create ethical concerns.10 Ultimately, however, we believe the union of human intuition, creativity and contextual understanding with the speed, scalability and data analysis capabilities of AI should contribute to a more resilient cybersecurity ecosystem.

9 KPMG Cybersecurity Survey, Security Operations Center Leaders Perspective, April 2024.
10 KPMG 2024 Global CEO Outlook, August 2024.
11 Joint research between KPMG and Cybersecurity at Massachusetts Institute of Technology/Sloan School of Management, September 2024.
12 KPMG, A new age of cybersecurity culture: How to harness AI to promote secure workplace behaviors, December 2024.

"The perception should be that cyber exists not to interrupt business operations and act as a speed bump but to solve problems quickly, safely and build trust with internal and external stakeholders."
Breah Sandoval, Director, Cybersecurity and Technology Risk, KPMG US

To better understand this relationship, KPMG has collaborated with Massachusetts Institute of Technology (MIT) to study cybersecurity culture, its challenges and how AI can make an impact.11 Although many organizations are early in their cybersecurity culture journey, and more so when it comes to using AI to support it, 74 percent of respondents in a KPMG-MIT quantitative survey agreed that building a cybersecurity-focused culture is central to successful integration of AI across the enterprise.12

From awareness to action: Cultivating a proactive cybersecurity culture

A strong cybersecurity culture is established when every individual within the organization actively participates in effectively managing cyber risks. CISOs must recognize that people are not the weakest link, but rather the strongest cyber defense capability when properly engaged. If a culture of risk avoidance is not prioritized and embedded across the organization, the burden of defending against threats and proactively identifying risks falls solely on the shoulders of the cybersecurity team. This is not only unsustainable but also leaves the organization vulnerable to potential breaches. To create a truly resilient cybersecurity ecosystem, CISOs must focus on bridging the gap between the security team and the broader workforce. This involves actively engaging with both team members and senior leadership, educating them about the importance of cybersecurity and empowering them to take ownership in protecting the organization's digital assets. Moving hearts and minds and creating a shared understanding of cyber risks can transform the way the entire organization approaches cybersecurity. Thus, cybersecurity is seen not just as another siloed function but a collective responsibility. This requires CISOs to become influential leaders who can connect technical and non-technical stakeholders.
122、erPlatform consolidationThe digital identity imperativeSmart security for smart ecosystemsResilience by designThe ever-evolving role of the CISOThe power of the people13Cybersecurity considerations 2025 2025 Copyright owned by one or more of the KPMG International entities.KPMG International entitie
123、s provide no services to clients.All rights reserved.To create a more user-friendly and efficient cybersecurity environment,CISOs should adopt a human-centric design approach when evaluating and refining security processes.This means identifying and targeting specific processes that cause frustratio
124、n or friction for employees.Many of these pain points lead to decreased productivity and increased risk of non-compliance.By carefully analyzing these processes,CISOs can determine which controls are essential for protecting critical assets and which ones can be streamlined,rationalized or even elim
125、inated.With this approach,CISOs can create a more intuitive and less disruptive security experience for employees,adding to a culture of compliance and shared responsibility.This can promote a positive view of cybersecurity and encourage employees to become active participants.From a broader cyber-H
126、R management perspective,CISOs can play a vital cross-functional role in measuring security knowledge,attitudes and behaviors among the workforce to reveal potential drivers of human-centric risks and shift the perception of cybersecurity from a restrictive function to a key capability and business
127、enabler.A public-private partnership can support cyber as a function and promote it as a career In addition to addressing the current skills gap,governments,academic institutions and organizations should collaborate to promote cybersecurity as an appealing career choice.1313 World Economic Forum,Why
128、 closing the cyber skills gap requires a collaborative approach,July 23,2024.This effort should start early,engaging younger,pre-high school students girls,in particular but also include men and women who are embarking on a second career or perhaps are re-entering the workforce post-family leave,to
129、showcase the diverse range of opportunities available.Governments can support this initiative by investing in robust cybersecurity education programs,offering scholarships and internships,and partnering with industries to provide hands-on learning experiences.With exposure from a young age,an active
130、 ecosystem can spark interest and encourage more individuals to pursue careers in this critical field.In addition to early education and awareness,governments and industry leaders must work together to develop alternative pathways for individuals to enter the cybersecurity workforce.While traditiona
131、l university degrees in computer science and related fields remain valuable,they often fail to keep pace with the rapidly evolving threat landscape and the specific skills needed by employers.In response,investments in shorter-term certification programs and specialized training courses can help qui
132、ckly upskill and re-skill professionals from diverse backgrounds.With a more flexible and inclusive talent pipeline,building a stronger,more resilient cybersecurity workforce capable of tackling the challenges of the future can be possible.Our greatest cyber challenge and vulnerability lay not so mu
133、ch in the codes or the systems,or necessarily the digital pathways anymore.Its in the very people who manage and navigate these networks every day.They require support,training and nurturing to equip them with the skills and defenses they need to protect our data and systems every day.Dominika Zerbe
134、-Anders Cyber Human Risk Partner&Solution Owner KPMG AustraliaEmbed trust as AI proliferatesHarness AI for cyberPlatform consolidationThe digital identity imperativeSmart security for smart ecosystemsResilience by designThe ever-evolving role of the CISOThe power of the people14Cybersecurity conside
Suggested actions

- Develop and deploy continuous training programs that go beyond traditional methods, utilizing innovative and immersive techniques to drive sustainable behavior change among employees.
- Empower employees by engaging them in cybersecurity initiatives, providing proper education and creating a culture that recognizes their role as the organization's strongest cyber defense capability.
- Establish an annual cyber influencer program that ensures regular engagement with staff and senior management to raise cybersecurity awareness and collaborate.15
- Recognize the expanding role of the CISO from solely a network defender to risk manager, lobbyist and influencer. Develop and refine influencing skills to effectively communicate the importance of cybersecurity and drive change across all levels and departments.
- Implement human-centric risk-reduction strategies that focus on addressing the human element of cybersecurity, as it accounts for three-quarters of cyber breaches.14
- Invest in AI technologies to measure, quantify and track human-centric risk, enabling more effective risk management and alignment with the evolving threat landscape.

Learn more

- A new age of cybersecurity culture
- KPMG 2024 Cybersecurity Survey
- The Future of Work

14 Verizon, Data Breach Investigation Report, 2023.
15 World Economic Forum, Bridging the Cyber Skills Gap, 2024.
Consideration 3

Embed trust as AI proliferates

Organizations continue to explore how AI can add value to their business operations. However, leaders remain skeptical about AI adoption, especially when it comes to security and privacy. The risk of data breaches, unauthorized access and misuse remains high. Moreover, there is a lack of clarity regarding how some AI algorithms can lead to bias, discrimination and other unintended consequences. In this environment, greater transparency, accountability and governance around the development and deployment of AI is likely to remain a top CISO priority.

Managing AI data is key

Clearly, data is a critical organizational asset, fueling the development and deployment of AI systems. Many businesses continue to struggle to establish clear guidelines and processes for managing the vast amounts of data at their disposal. This has also brought into focus challenges related to data access, use, classification and quality. All of these factors directly impact how AI systems generate reliable insights and make sound decisions. When data quality is poor, AI models are more likely to produce unreliable results, leading to suboptimal performance and potentially harmful outcomes. Indeed, although many organizations are investing in data accessibility, KPMG research indicates that only 24 percent are focusing on establishing a data-centric culture and ensuring data interoperability. This is shortsighted and undermines the ability to effectively use and understand data across all levels of the organization.16 Moreover, the speed at which organizations are embracing AI has put tremendous pressure on data management practices. On the positive side, it makes clear the importance of competent data management in connection with reliable AI practices. Traditional approaches to data governance often involve manual processes and siloed systems. These are insufficient in the face of the volume, velocity and variety of data generated by AI applications. Businesses now need to adopt more agile and automated data management strategies to keep pace.

16 KPMG Global Tech Report 2024, September 2024.

"Whether companies rely on their own or third-party data to generate and train their AI models, it's become clear that poor data quality produces poorly performing AI models."
Samantha Gloede, Managing Director, US & Global Trusted Leader, KPMG US
This requires a fundamental shift in the way organizations think about data, from a static asset to a dynamic resource. To mitigate the risks associated with inferior data quality, organizations must prioritize strong information governance practices. This involves establishing clear policies and procedures for data collection, storage and management, as well as implementing robust data validation and cleansing processes. Doing so can enable businesses not only to improve the performance of their AI models but also build trust with stakeholders by demonstrating a commitment to responsible and transparent data practices.

Confronting the minefield of AI adoption risks

AI adoption comes with a wide range of risks that organizations must carefully navigate; operational, technical, legal, compliance and human safety are just a few. AI systems can introduce new vulnerabilities and points of failure that can disrupt business processes and lead to financial losses. Technical risks, such as algorithmic bias and data drift, can undermine the accuracy and reliability of AI models. This is why 70 percent of CEOs say their organization is increasing its investment in cybersecurity specifically as a means of protecting operations and intellectual property from AI-related threats.17 AI systems that do not comply with privacy regulations, discriminate against protected groups, or infringe on intellectual property rights can lead to legal and compliance risks. The most concerning risks are the ones to human safety, particularly in healthcare and transportation, where AI failures can have life-threatening consequences.

There is another significant risk associated with AI: the erosion of the ability to be forgotten, which means removing personal data from the model. Doing so requires the model to be completely retrained with a new dataset, which is expensive and complex. But even if personal data is removed and the model is retrained, it can still make fairly accurate inferences about an individual based on patterns and correlations learned from other data points. Unfortunately, the ability to truly be forgotten in the digital realm is becoming more elusive.

As AI becomes more accessible and embedded in many different "smart" products, many organizations, even smaller businesses with limited budgets, are turning to third-party providers to access AI capabilities. While this can offer cost savings and rapid deployment, it also introduces new risks. Organizations may have limited visibility into the inner workings of the AI system, such as the data the model was trained on, the algorithms it uses and the potential biases it may have. "Shadow" AI (the use of AI systems within an organization without the knowledge or oversight of leadership and security teams) is another emerging risk. Shadow AI can arise when individual departments or employees deploy AI solutions on their own, often without proper checks. The heightened risk is not just about the vulnerabilities of ungoverned AI, but also the possibility that the undesired, potentially biased output may be integrated into business decision-making without understanding the implications. As a result, unmanaged AI systems can introduce security exposures and compromise data privacy. To mitigate these risks, organizations should proactively establish clear policies and procedures around the procurement, deployment and monitoring of internal and third-party AI systems. In addition, CISOs are encouraged to explore the universe of new security tools and capabilities that enable organizations to identify and analyze AI usage patterns to reduce the risk of shadow AI. Close collaboration between business leaders, IT teams, and security experts is key here.

17 KPMG 2024 Global CEO Outlook, August 2024.

"Relying solely on the CISO or the CPO to address AI risks may mean overlooking critical issues such as transparency, reliability, and potentially even safety."
Katie Boswell, Managing Director, Cybersecurity and Technology Risk, KPMG US
Take a bottom-up approach to AI-related risks

Even as adoption accelerates, many leaders lack a complete understanding of AI governance and the complex technical, ethical and legal implications. As a result, many take a reactive approach. Organizations that align their AI risk management strategies with their overall business objectives and values are much more likely to achieve success. Indeed, to establish and maintain trust in AI systems, organizations must prioritize the interests of stakeholders, including customers, employees and society at large, in AI decision-making. Organizational leaders, including CISOs, data protection officers and privacy officers, have a crucial role to play in embedding security and privacy into the AI development lifecycle. Further, leaders must maintain visibility into the various business cases for AI and clearly identify where and how AI is being used across the organization. This can guide the development of secure and ethical data management practices and the appropriate controls within the broader AI security framework.

Solidifying trust and monitoring external risks

When it comes to AI-related risks, organizations need a forward-looking approach that goes beyond simply reacting to issues and addresses potential risks early. Establishing an AI security framework is not a project with a distinct end point; it must be ongoing and supported by existing security domains through identity and access management, multifactor authentication, and crisis response and recovery plans, among other factors. In short, ongoing monitoring and evaluation of AI systems should be baked into the organization's business-as-usual processes. By mapping out the data flow across the AI landscape, organizations can better assess potential risks and vulnerabilities and develop targeted strategies.

One of the key external considerations is the potential impact of AI-related regulations, such as the EU AI Act (the Act), which took effect in August 2024. The Act has wide-ranging impacts on any business that operates in the EU and offers AI products, services or systems that can be used within the EU. Although it is perhaps the most well-known and far-reaching rule, the Act is part of a wider trend of rising regulatory guidelines for AI globally. Many policymakers around the world are looking to the Act as an example and seeking some level of alignment with its perspective on topics such as safety, security, privacy, governance and compliance, as well as fairness, transparency and trustworthiness. CISOs of companies that provide services of any kind to the EU need to evaluate how the Act applies and take steps to comply. Organizations must stay closely attuned to all regulatory developments and proactively align their AI governance practices to build trust with stakeholders and realize the full potential of AI while mitigating its risks and challenges.

"Many companies have put off data projects for a long time because they don't necessarily see the value. But they're going to have to realize they need to clean up their data and train their large language models (LLMs) with relevant and accurate information. Unfortunately, in a lot of cases, CISOs are not necessarily the data owner. To build those bridges and strengthen the relationships between the data and security teams, there needs to be shared data classification definitions and common rules of engagement, especially as it relates to AI. Bottom line, bad data yields bad decisions."
Erin Hughes, Head of Cybersecurity Advisory North America, SAP
Suggested actions

- Bring together cross-functional stakeholders, including CISOs, data protection officers and privacy officers, to update policies and align on the organizational approach to addressing the potential impact and risks associated with AI implementation.
- Understand regulatory obligations and assess existing compliance requirements related to AI implementation.
- Develop and communicate clear AI usage policies, standards and procedures.
- Collaborate and maintain an open dialogue with other industry leaders and federal and global policy makers.
- Uplift existing governance processes and communicate clear AI usage policies, standards and procedures. This should include an AI intake process that takes a consistent approach to identifying AI risk, determining the appropriate controls and establishing the corresponding incident management plans to address potential AI-related issues.
- Determine and establish ownership of the necessary controls to mitigate AI-related risks, and clearly define who owns and is accountable for those controls, so that ownership is clear and consistent with the organization's overarching data governance framework.
- Establish a red teaming structure to perform testing of AI models, ensuring their robustness and reliability to avoid generating inaccurate or undesirable information.
- Define roles and responsibilities to support AI capabilities between the first and second lines of defense.

Learn more

- Trust in artificial intelligence
- Blueprint for Intelligent Economies
- What your AI Threat Matrix Says about your Organization

Consideration 4

Harness AI for cyber: Racing ahead vs. racing safely

The potential benefits of AI continue to captivate business leaders across industries. For CISOs, AI is viewed as a means to increase efficiency, cut operational costs, improve risk management and possibly tackle escalating workloads, particularly in security operations centers (SOCs). Still, questions remain: Does my organization fully understand the range of AI risks? Do we have a robust AI-specific security foundation in place? What if I don't know where to start or how to identify areas where AI will be most useful? Against this backdrop, CISOs must strike a delicate balance between the desire to implement AI across the enterprise and the need to prioritize good security practices.

18, 19 KPMG Global Tech Report 2024, September 2024.

"To be blunt, it doesn't make sense to employ AI tools when your patch management and authorizations are not under control. The basics always need to be right."
Koos Wolters, Head of Cybersecurity, KPMG Netherlands

Building a strong security foundation for AI

In an ever-fluid cybersecurity ecosystem, staying ahead of would-be attackers requires not just vigilance but innovation. AI has emerged as a powerful tool for security operations centers (SOCs), transforming the way security professionals perceive and respond to threats. While 2024 was the year for Gen AI, 2025 is the year of agentic AI. Agentic AI has the potential to transform security operations, whereby bots could proactively analyze, detect and respond to cyber threats in a way we have not seen before. Indeed, nearly three-quarters of organizations are realizing business value from their AI investments, but only one in three has been able to achieve these gains at scale.18 But before diving headfirst into AI adoption, organizations must ensure they have a solid foundation of basic cybersecurity practices. This includes everything from effective patch management and device encryption to secure identity and access management. Simply rushing to deploy AI tools can expose an organization to greater risks. CISOs have a critical role to play here. They must assess their organization's current cybersecurity posture and identify any gaps or weaknesses for AI to be introduced gradually and strategically. In short, the investment should be measured and strategic to avoid disjointed implementations.19
193、r20Cybersecurity considerations 2025 2025 Copyright owned by one or more of the KPMG International entities.KPMG International entities provide no services to clients.All rights reserved.The talent equation:Bridging the AI skills gapThe conversation around AI in cybersecurity inevitably turns to tal
194、ent.Theres a significant skills gap,not just in understanding AI but in leveraging it effectively within the cybersecurity domain.The development of AI technologies,particularly generative AI(Gen AI),has outpaced the skills available in the market.Strengthening workforce AI skills is one of the top
195、CISO challenges in this environment.Teams are learning that the quality of the prompts used to interact with and query AI models can significantly impact the accuracy and relevance of the output.Without a strong understanding of best practices,security teams may struggle to obtain the desired insigh
196、ts and actionable intelligence from AI implementation.To address this skills gap and ensure that security teams can keep pace with the rapid advancements in AI technology,CISOs must prioritize upskilling and training initiatives for their teams and themselves,so they are able to identify the right t
197、alent needs and the best people to hire.This involves investing in educational programs focused on AI concepts such as prompt engineering,data analysis and model evaluation.CISOs should foster a culture of continuous learning,encouraging other security professionals to explore new AI capabilities,sh
198、are their findings with colleagues,and ensure they and their teams have the intellectual curiosity and knowledge to harness the power of AI,protect the organizations digital assets and increase cyber resilience.Navigating the hype vs.the reality of AI KPMG research has found that the hype surroundin
199、g AI in cybersecurity has led to a growing sense of fear of missing out(FOMO)among organizations,particularly at the senior management and board levels.In fact,82 percent admitted they are choosing to invest in tech investments such as virtual and augmented reality,which are enabled by AI,in order t
200、o keep pace with their competitors.20 However,leaders need to make decisions based on the current realities of AIs capabilities and limitations.While AI has the potential to revolutionize cybersecurity,its current use in the SOC is still relatively immature and limited in scope.CISOs need to set rea
201、listic expectations and communicate the true potential of AI to senior management and the Board.This involves highlighting the current limitations and having a strategic approach to adoption.By encouraging a culture of experimentation,CISOs can help with the discovery of appropriate use cases that a
202、lign with the organizations unique needs and priorities.As AI continues to mature and evolve,CISOs must remain vigilant in assessing its capabilities and limitations.20 KPMG Global Tech Report 2024,September 2024.In cyber,we have more tolerance for false positives than false negatives.I would rather
203、 AI think something bad is happening and prompt me to investigate through manual processes to see whether the network is compromised versus actually having a cybersecurity issue,not knowing about it,and not mobilizing to address it.Matt Miller Principal,Cybersecurity ServicesKPMG USThe power of the
Identifying and deploying use cases with the most impact

CISOs must carefully assess and prioritize potential AI use cases that offer the greatest impact and align with their organization's specific needs. A promising area is the analysis of large volumes of data to identify potential threats or anomalies, as AI excels at processing vast amounts of information to extract insights. Additionally, AI can be used to automate repetitive, manual tasks, freeing up human analysts to focus on more complex and strategic initiatives. AI-driven analysis can enable developers to patch small vulnerabilities before they become big problems. By empowering team members to explore AI's capabilities and propose ideas for implementation, CISOs can uncover areas where AI can be most effectively deployed. Carefully assessing and selecting use cases that address real-world problems positions CISOs to ensure that their AI investments are targeted, effective and aligned with the organization's overall cybersecurity and business goals.

Preparing for AI-powered cybersecurity threats

While adopting AI technologies to enhance their cybersecurity efforts, CISOs must also be prepared to face the emerging threats posed by AI-powered attacks. One particularly concerning example is the rise of deepfakes and the reality that AI algorithms can now quickly, easily and inexpensively create highly realistic and convincing manipulated audio and video content. In fact, deepfake technology has become democratized to the point that essentially any threat actor can obtain and operationalize it with minimal effort. This purposely deceptive material is increasingly being used in social engineering attacks or to spread disinformation, making it more challenging for cybersecurity teams to distinguish between genuine and fraudulent content. Also, the growing use of AI in voice detection and biometric authentication in call centers can inadvertently make it more difficult to detect and defend against deepfakes. Attackers may exploit these same technologies to bypass security measures and manipulate systems. To combat these evolving risks, CISOs must stay informed about the latest developments in AI-powered threats and adapt their defense strategies accordingly. This may involve investing in advanced AI-driven security tools, such as those designed to detect and flag potentially manipulated content, as well as educating employees. They need to ensure that any AI deployment is supported by clear roles, responsibilities and context to maximize its impact on cybersecurity efficiency and effectiveness.

"Unfortunately, in regard to AI, security holds a lot of the liability. CISOs were already in difficult waters, but the rapid pace at which it is now being rolled out is exponentially increasing stress levels around what good security looks like when you start introducing these LLMs at scale. However, there are effective strategies and tools available to manage the evolving environment."
Terence Jackson, CISM, CDPSE, GRCP, Customer Security Officer, Microsoft Security Solutions
216、he CISOHarness AI for cyber22Cybersecurity considerations 2025 2025 Copyright owned by one or more of the KPMG International entities.KPMG International entities provide no services to clients.All rights reserved.22Address the basics of good security patch management,safeguarding data,IAM,etc.before
217、 turning to more sophisticated activities like implementing and scaling AI across the enterprise.Work to enhance awareness among employees and customers of the risks associated with enterprise and adversarial use of AI.Continue to assess use cases for AI for SOC Level 1 and Level 2 tasks.Provide a c
218、lear vision of the roles and responsibilities of people utilizing AI and be transparent about the context and initiatives in which AI is being used.Prioritize upskilling the security workforce with the necessary technical skills and ensure they stay up-to-date with the latest AI developments.Encoura
219、ge teams to be intellectually curious about AI and to propose ideas for experimentation and potential use cases.Suggested actionsLearn moreKPMG Security Operations Center Survey 2024Redefining Security Operations with AI Rethinking Cybersecurity:You Need to Use AI to Fight AIThe power of the peopleE
220、mbed trust as AI proliferatesPlatform consolidationThe digital identity imperativeSmart security for smart ecosystemsResilience by designThe ever-evolving role of the CISOHarness AI for cyber23Cybersecurity considerations 2025 2025 Copyright owned by one or more of the KPMG International entities.KP
221、MG International entities provide no services to clients.All rights reserved.Platform consolidation:Embrace the potential but recognize the risksTo tackle increasingly complex cybersecurity risks,organizations continue to add to their arsenal of tools and solutions designed to protect their digital
222、assets.From endpoint security and security information and event management(SIEM)to vulnerability management,Internet of things(IoT)security,extended detection and response(XDR)and managed detection and response(MDR),the sheer number of options available can be overwhelming.CISOs struggle to manage,
223、maintain and integrate this complex patchwork of disparate tools.Worse yet,more time is spent on integration than harnessing the value of the data for usable security insights.In response,many organizations are exploring the adoption of security platforms,giving them greater efficiency,improved visi
224、bility and enhanced control over the security environment.This broader shift to platform consolidation offers both promises and pitfalls.Consideration 5There are economies of scale that come with consolidating with a particular platform or discipline,such as identity.Giving the security team improve
225、d,but perhaps less technologies to work with can help create a more well-rounded security workforce that is more effective across capability domains.Jim Wilhelm Principal,Global Microsoft Security Leader KPMG USRecognizing the value of platform consolidation Large organizations are particularly keen
226、 on the shift toward platform consolidation.One reason is that disparate tools produce a huge volume of data and signals,and they enforce different aspects of the overall security policy.This complexity makes integration and enforcing a consistent security policy a challenge.Streamlining the cyberse
227、curity toolset by consolidating disparate solutions gives leaders a clearer,more comprehensive view of their organizations security landscape.This,in turn,facilitates the enforcement of consistent security policies across the board,closing potential gaps and vulnerabilities.Consolidation also matter
228、s in the context of a zero-trust framework.At its core,zero trust requires the evaluation of every interaction within an organizations network,including the device used to access the network,the authentication methods employed,and the specific data being requested.However,implementing a zero-trust m
229、odel can be incredibly challenging when organizations rely on a fragmented array of security tools.Platform consolidation can help enforce granular access controls and provide the required visibility.The power of the peopleEmbed trust as AI proliferatesHarness AI for cyberThe digital identity impera
230、tiveSmart security for smart ecosystemsResilience by designThe ever-evolving role of the CISOPlatform consolidation24Cybersecurity considerations 2025 2025 Copyright owned by one or more of the KPMG International entities.KPMG International entities provide no services to clients.All rights reserved
231、.Moreover,organizations can benefit from economies of scale when it comes to managing identity,data security,threat management,endpoint protection and network control.Consolidation yields significant cost savings,as fewer tools require less maintenance,training and support.With consolidated data sou
232、rces,the security team can also better harness the power of AI.Understanding your security data(logging and monitoring,signals,threat intelligence,authentication policies,entitlement assignments,user account data,etc.)is critical to empowering security personnel with the capabilities of Gen AI to im
233、prove productivity in the security operations center(SOC)and beyond.The byproduct of this work is data consolidation and beginning the first steps of the journey toward an AI-enabled cyber program.Working through possible pitfallsWhile platform consolidation offers numerous benefits,it is crucial fo
234、r CISOs to be aware of the potential risks and challenges.One significant,although not new,concern is concentration risk wherein an organization may become overly reliant on a single vendor or platform.Putting too many eggs in one basket a risk that has been on CISOs radar since the early days of cl
235、oud adoption companies expose themselves to heightened risk if there is a compromise or vulnerability in a particular product or platform.Recent high-profile IT-related disruptions have put this risk in the spotlight.So,CISOs must strike a delicate balance between reaping the benefits of a streamlin
236、ed security stack and mitigating the potential impact of a single point of failure.Another challenge from a commercial perspective that may emerge over time is vendor lock-in.As organizations become increasingly dependent on a specific set of products or services,they may find that the chosen platfo
237、rm no longer meets their needs.In such cases,switching to a different vendor can be a costly and complex undertaking.This can involve significant compatibility issues and additional training requirements.To mitigate these risks,CISOs should consider adopting a hybrid approach to platform consolidati
238、on.By relying on platform providers for foundational security capabilities and augmenting gaps with purpose-built solutions,organizations can ensure they have the necessary resiliency and flexibility to adapt to changing circumstances.Thus,CISOs can minimize the potential downsides of overreliance o
239、n a single vendor or platform while still taking advantage of the core benefits of a platform-based approach.The consolidation decision is rarely made in isolation.Rather,it is a collaborative effort involving key stakeholders such as the CISO,CIO,CFO,COO and CDO.Perspectives from all leaders play a
240、 role in ensuring the chosen platform aligns with the organizations overarching security strategy and business objectives.Talent and upskilling need to keep paceIn the move toward platform consolidation,talent development and upskilling initiatives also need to evolve.Cybersecurity professionals nee
241、d to be prepared to adapt and thrive in a new and very different environment.CISOs must prioritize continuous learning and talent development across all domains of security,from the SOC to monitoring personnel and beyond.CISOs and their organizations are concerned about the shortage of talent.To enh
242、ance cybersecurity under these conditions,it is necessary to simplify and consolidate the number of tools and solutions used to protect digital assets.Motoki Sawada Partner,Technology Risk Services KPMG JapanThe power of the peopleEmbed trust as AI proliferatesHarness AI for cyberThe digital identit
243、y imperativeSmart security for smart ecosystemsResilience by designThe ever-evolving role of the CISOPlatform consolidation25Cybersecurity considerations 2025 2025 Copyright owned by one or more of the KPMG International entities.KPMG International entities provide no services to clients.All rights
244、reserved.With the right investments in skills and knowledge,security teams can establish the necessary agility and expertise to make the most of platform consolidation.By working with a more focused set of tools,security professionals will be able to devote their time and energy to high-impact initi
245、atives and respond to threats with greater efficacy.Platform consolidation also gives CISOs a unique opportunity to optimize their talent-development strategies.Working with fewer vendors enables CISOs to streamline their training efforts,making it easier and more cost-effective to upskill their tea
246、ms.As SOC engineers and analysts receive training on a consolidated set of tools,they,too,will become more efficient and effective in their roles.This can contribute to a stronger overall organizational security posture.By aligning talent development with the goals of platform consolidation,CISOs ca
247、n create a virtuous cycle of continuous improvement and risk reduction.Keeping pace and operating at the speed of businessAs organizations grow and expand into new markets and regions,the demands on cybersecurity teams are multiplying.CISOs must contend with an increasing number of users,devices,and
248、 data points,all of which require robust protection and monitoring.At the same time,weve heard,anecdotally,from several clients,that budgets remain constrained with only modest year-over-year increases.In this context,the pressure to justify cybersecurity spending and demonstrate clear value to lead
249、ership has never been higher,requiring CISOs to continually look to extract more value from existing investments.The focus must be on making smart,strategic investments that deliver tangible value and return on investment.Moreover,security needs to operate at the speed of business.However,as the bus
250、iness grows and new technology-enabled capabilities are rolled out,integration with security tooling cannot be exponentially expensive.It must be flexible and adaptable and a platform approach helps make this process more repeatable and agile in the long run.Whether its applying advanced authenticat
251、ion methods to a new application or technology asset or signals-based access control,common patterns and a platform approach to integration help to improve the resiliency and speed of adoption.CISOs must be able to articulate how their investments in platform consolidation are helping to close criti
252、cal capability gaps,reduce vulnerabilities and risk,and support the overall goals of the business.By striking the right balance between fiscal responsibility and strategic investment,CISOs can position their organizations for success.Traditionally:Most cybersecurity ISVs say they can communicate wit
253、h disparate platforms,but the market has realized varying degrees of success of interoperability and effectiveness often at high labor and maintenance cost.New generation:Some new cyber ISVs are consolidating traditionally disparate products into a new single,seamless tool with broader functionality
254、 and better data accessibility.This is a more effective approach,enabling companies to customize and contextualize those environments for individual clients and leading to improvements around data,speed,scale,efficiency,cost and functionality.Philip Bice Global Lead Service Provider PartnershipsGoog
255、leThe power of the peopleEmbed trust as AI proliferatesHarness AI for cyberThe digital identity imperativeSmart security for smart ecosystemsResilience by designThe ever-evolving role of the CISOPlatform consolidationCybersecurity considerations 2025 2025 Copyright owned by one or more of the KPMG I
256、nternational entities.KPMG International entities provide no services to clients.All rights reserved.26Evaluate current vendors,assess platform compatibility with your technology landscape,and establish clear criteria for vendor selection and performance monitoring to ensure a strong foundation for
257、consolidation.Identify areas where a hybrid approach can provide benefits;determine the right balance between consolidated platforms and specialized tools.Establish backup and recovery procedures to ensure resilience.Recognize that complete consolidation may not be feasible;identify areas where spec
258、ialized tools or providers may be necessary.Develop a phased approach to consolidation,prioritizing high-impact areas first.Invest in training and upskilling your security team to work efficiently with a consolidated set of tools.Implement continuous monitoring and auditing processes to ensure platf
259、orm performance.Suggested actionsLearn moreProtecting your business through technological changeAs cloud over-spending rises,look to cost optimizationMake operational resilience your North StarThe power of the peopleEmbed trust as AI proliferatesHarness AI for cyberThe digital identity imperativeSma
260、rt security for smart ecosystemsResilience by designThe ever-evolving role of the CISOPlatform consolidation27Cybersecurity considerations 2025 2025 Copyright owned by one or more of the KPMG International entities.KPMG International entities provide no services to clients.All rights reserved.The di
261、gital identity imperativeDigital identities are paving the way to a more agile and efficient digital world.However,securing digital identities is becoming increasingly challenging for several reasons,from inadequate systems and controls to the rise of deepfakes.Consequently,there is an urgent need t
262、o incorporate new and more advanced security mechanisms into verification regimes.More importantly,CISOs and decision-makers need to develop a fuller understanding of the landscape,rethink entrenched processes and invest in innovative systems rooted in sound principles.Consideration 6Deepfakes prese
263、nt another daunting challenge as they increasingly blur the line between reality and manipulation.With current AI technology,more powerful,broadly accessible and inexpensive,personal information,voices and faces in particular,is increasingly susceptible to compromise and exploitation.While deepfakes
264、 pose a significant threat in terms of impersonation and the spread of misinformation,they also present an opportunity for both content creators and content consumers.Improved authentication methods will help advance accountability,ethical standards and transparency among content creators.The result
265、ing heightened awareness can lead to a more discerning consumer audience.Investing in better authentication will help safeguard the integrity of digital information and restore trust in the content we consume.Another area of growing concern for organizations is the proliferation of machine identitie
266、s,specifically in connection with privileged non-human service accounts,which have access to sensitive data to run specific applications.With the Internet of Things growing more prominent,machine identity is becoming a significant challenge for organizations to manage.Not surprisingly,CISOs direct m
267、ost of their teams attention to human access,but theyve got to keep a record of the non-human network users as well,to monitor if and when they are being attacked and potentially compromised.The increasing complexity of digital identity managementUltimately,each individual possesses a unique identit
268、y that is distinct to them.However,across different contexts government,finance or life sciences,for example identity is applied in various ways to serve specific functions or satisfy different needs.It is essential to understand that while an individuals core identity remains singular,its interpret
269、ation and validation can differ across organizational environments.As organizations strive to maintain the integrity of individual identities,they are increasingly turning to advanced authentication technologies including biometrics,such as fingerprint,facial,voice and retinal scans to enhance secur
270、ity and streamline processes.However,these modalities give rise to risks and the impact can go well beyond the scope of a typical data breach.If these unique identifiers are compromised,for example,individuals face the ongoing possibility of identity theft and misuse that is not easily rectified sin
271、ce biometric traits are inherently permanent and irreplaceable.The collection and processing of biometric data also raise concerns about potential data discrimination and bias in biometric systems,making diversity and accuracy in data coding practices to ensure fair and reliable recognition more imp
272、ortant than ever.The power of the peopleEmbed trust as AI proliferatesHarness AI for cyberPlatform consolidationSmart security for smart ecosystemsResilience by designThe ever-evolving role of the CISOThe digital identity imperative28Cybersecurity considerations 2025 2025 Copyright owned by one or m
273、ore of the KPMG International entities.KPMG International entities provide no services to clients.All rights reserved.Why businesses need a future-proof digital identity strategyFrom a commercial perspective,whether in a B2B or B2C context,digital identity management revolves around establishing tru
274、st between organizations and the individuals accessing their networks.By empowering users with control over their personal information and providing transparency about its usage,businesses can cultivate trust and loyalty among their customer bases.This trust is built on the assurance that individual
275、s can access the resources they require,the confidence that access will be promptly revoked when no longer necessary,and the certainty that all actions taken within the system will be logged and fully traceable.Maintaining this trust requires a proactive approach to the entire identity and access ma
276、nagement lifecycle,from provisioning and ongoing administration to deprovisioning of access.This is particularly important because long-tenured employees could amass access to numerous systems,granting them significant power.To mitigate these risks associated with the accumulation of privileges,CISO
277、s and their teams must adhere to two key principles of cybersecurity:least privilege and need to know.By ensuring that individuals only have access to systems essential to their specific roles,organizations can significantly reduce the potential for bad actors to compromise powerful administrator ac
278、counts and gain access to sensitive data.As the lines between workforce and consumer identities continue to blur,organizations must adopt a holistic approach.For employees,a robust digital identity framework ensures that access to sensitive information is granted based on well-defined roles and resp
279、onsibilities.This involves implementing secure onboarding and offboarding processes and conducting regular access control reviews and updates.An effective digital identity strategy can also significantly enhance efficiency and user experience.A streamlined process can minimize the need for repetitiv
280、e form-filling for tasks such as filing taxes,making insurance claims and going for medical visits.This can reduce friction and waiting times for both employees and customers.As organizations increasingly rely on digital technologies to drive growth and innovation,a strong digital identity framework
281、 becomes a cornerstone of their overall business strategy.By investing in secure,transparent and user-centric digital identity solutions,businesses can position themselves for success.Organizations tend to focus on the human aspect of security because its more tangible.Its much more difficult to ver
282、ify a machines identity and usage and when it was created in the system.Anubha Sinha Partner,Digital Trust&IdentityKPMG AustraliaThe power of the peopleEmbed trust as AI proliferatesHarness AI for cyberPlatform consolidationSmart security for smart ecosystemsResilience by designThe ever-evolving rol
283、e of the CISOThe digital identity imperativeCybersecurity considerations 2025 2025 Copyright owned by one or more of the KPMG International entities.KPMG International entities provide no services to clients.All rights reserved.2929How governments can enable trusted digital identity ecosystemsDigita
284、l identity remains a crucial touchpoint for secure and efficient verification processes across various government services and transactions.Governments and global corporations worldwide are actively pursuing improved solutions for personal and business-related digital identities.For instance,Austral
285、ia recently introduced a comprehensive digital identity program,known as the“Trust Exchange,”which is highlighted by a digital wallet that integrates different areas where identity authentication is needed,such as government,social,financial and workforce identities.21 By facilitating digital identi
286、ty verification across multiple services,the Trust Exchange seeks to increase trust among organizations while granting citizens control over the personal information they share.Estonia is another example,issuing every citizen a digital identity at birth that remains valid throughout their life.Citiz
287、ens have full transparency regarding when and where their identity is authenticated,which helps to combat privacy concerns.22 Despite these encouraging developments,interoperability between global systems remains a challenge.This is due to differing regulations,risk appetites and public opinion rega
288、rding the handling of personal and biometric data.When it comes to a global consensus on trusted identity exchange,a coalition of willing countries may emerge,such as the EUs interoperable framework to develop a shared trusted identity framework.However,not all countries prioritize the same values,e
289、specially concerning privacy,which may limit the extent of interoperability in the short term.21 Australia Department of Social Services,Trust exchange drives secure digital services,August 13,2024.22 e-Estonia,Solutions and services:e-Identity,2024.How CISOs can lead the charge in implementing digi
290、tal identity strategiesIn shaping digital identity strategies,CISOs can serve as the connective tissue between government,regulators and the enterprise.In an increasingly complex environment where much of the identity management process lies outside of their direct control,CISOs must adopt a proacti
291、ve and collaborative mindset,engaging stakeholders from the top down to ensure awareness and drive the necessary changes.Security leaders need to keep up with user needs and expectations,ensure adherence to core security principles and stay informed about the implications of emerging technologies li
292、ke AI and deepfakes.Additionally,CISOs must elevate the discussion of digital identity at the board level,ensuring that senior leaders understand its importance and provide the necessary support.By prioritizing identity as the new perimeter in cybersecurity and promoting a culture of security throug
293、hout the organization,CISOs can lay the foundation for successful digital identity management.Transparency is the cornerstone of trust in the world of digital identity.I believe,by openly sharing how personal information is collected and used,we can alleviate concerns about privacy and empower indiv
294、iduals to make informed choices regarding their online presence.The more transparent the process,the more trust people will have in the system.Imraan Bashir Partner and National Public Sector Cyber LeaderKPMG CanadaThe power of the peopleEmbed trust as AI proliferatesHarness AI for cyberPlatform con
295、solidationSmart security for smart ecosystemsResilience by designThe ever-evolving role of the CISOThe digital identity imperative30Cybersecurity considerations 2025 2025 Copyright owned by one or more of the KPMG International entities.KPMG International entities provide no services to clients.All
296、rights reserved.Ensure adherence to core security principles,such as data minimization and timely deletion of unnecessary data,to maintain the highest standards of data protection.Build strong relationships and trust with other business units to ensure efficient collaboration and coordination in ide
297、ntity management processes.Stay informed about the implications of AI and deepfakes on digital identities to proactively address emerging threats and vulnerabilities.Engage all stakeholders,from the top down,to ensure awareness and drive the needs around sustainable digital identity and access manag
298、ement.Prioritize identity as the new perimeter in cybersecurity,recognizing its role in securing the organizations assets and stakeholders.Streamline identity while maintaining security.Focus on user experience by simplifying the issuance and usage of credentials,reducing passwords,etc.Suggested act
299、ionsLearn moreDeepfake How real is it?Deepfakes:Real ThreatAs deepfake technology advances,the risk of identity manipulation and fraud intensifies,making robust digital identity protections crucial to safeguarding both consumers and organizations from emerging threats.Nancy Chase Global and Canadian
300、 National Leader,Risk Services KPMG InternationalThe power of the peopleEmbed trust as AI proliferatesHarness AI for cyberPlatform consolidationSmart security for smart ecosystemsResilience by designThe ever-evolving role of the CISOThe digital identity imperativeCybersecurity considerations 202531C
301、ybersecurity considerations 2025 2025 Copyright owned by one or more of the KPMG International entities.KPMG International entities provide no services to clients.All rights reserved.Smart security for smart ecosystemsWith improving technology,there has been an explosion of smart devices and IoT pro
302、ducts,transforming the way we interact with the world around us.From home appliances and wearables to industrial equipment and vehicles,the proliferation of connected devices introduces new vulnerabilities for cybersecurity professionals to protect against,impacting both companies and consumers.Many
303、 of the risks are still unfolding.Protecting organizational data accessed by networked devices will be crucial for preserving the integrity,safety and security of entire sectors and infrastructures.The traditional methods used just a decade ago are no longer sufficient.There is an urgent need to dev
304、elop effective strategies for securing connected assets throughout their entire lifecycle and across the organizational ecosystem.23 KPMG,Smart-X:A holistic approach to cybersecurity for smart devices,January 2024.24 KPMG Global Tech Report 2024,September 2024.The role of CISOs in securing smart pro
305、ductsAs organizations across myriad sectors industrial manufacturing,energy and defense,to name several are looking to increase efficiency and gain competitive advantage,consumers are demanding convenience,accessibility and personalized experiences.Against that backdrop,we expect to see a surge in i
306、nterconnected smart devices that will transform virtually every sector of the global economy,particularly healthcare,transportation,manufacturing and retail.As these products powered by what we call“Smart-X”technologies become increasingly connected to companies back-end systems and databases,CISOs
307、will have to take a more product-centric approach to security.They need to become deeply involved in organizational and product-specific processes,ensuring that security is embedded throughout the entire lifecycle of smart devices,from secure design until the device is decommissioned.23 According to
308、 KPMG research,72 percent of organizations are embracing secure-by-design principles by ensuring cyber teams are involved in technology-related projects from the beginning.24From the initial design and development stages to ongoing maintenance and updates,CISOs must collaborate closely with various
teams. This includes engineering, development and product support to address the unique security challenges posed by these connected devices.

"CISOs must recognize that the supply chain around smart products is exceedingly complex. In relation to security, these external vendors and processes must be closely managed end-to-end because all aspects are interconnected."
Marko Vogel, Partner, Cybersecurity, KPMG Germany

The expansion of these technologies introduces new risks and vulnerabilities. Further, this new reality brings cybersecurity much closer to broader society: if something goes wrong, it isn't just a business issue. Breaches can range from minor inconveniences to major threats to public safety, security and privacy. Therefore, securing Smart-X technologies is not just crucial for protecting individual entities, but also for preserving the integrity, safety and security of entire sectors and infrastructures.

When tires meet technology

An example of a device that's changed significantly and now falls under the smart device ambit is an automobile. In recent years, vehicles have evolved from simple mechanical machines to complex, connected devices. Modern automobiles are now equipped with an array of sensors, processors and software systems that enable autonomous driving, real-time navigation and over-the-air updates. Moreover, OEMs (original equipment manufacturers) are increasingly offering additional features as a service, highlighting a shift toward service-based models for accessing advanced vehicle functionalities.

Clearly, connected vehicles have fundamentally changed the way we interact with our cars. However, the increasing sophistication has also introduced new challenges for cybersecurity professionals. As vehicles become more reliant on software and connectivity, they become vulnerable to the same types of cyber threats that plague other connected devices, such as hacking, data breaches and malware infections. Smart vehicles serve as an extension of the company, with direct access to back-end systems and databases. This can create a new risk of exposing sensitive organizational data to potential hackers. From a consumer perspective, as electric, autonomous and connected vehicles become more prevalent, the threat of cyberattacks has risen considerably. Today's vehicles utilize millions of lines of code to power their many advanced functions, leaving them vulnerable to unauthorized access and hacking. CISOs in this sector must research and adopt tools and strategies to operationalize relevant cybersecurity protocols and procedures.[25]

Taking a healthy look at smart medical devices

Similarly, the frequency and severity of cyberattacks on medical equipment are escalating as these devices proliferate and cyberattackers recognize their vulnerabilities. Medical devices represent a ready target for threat actors. Despite rapid innovation, there is a significant number of older medical devices in use, many of which are not secure or are inadequately managed. Compromised medical devices can reveal sensitive patient information to unauthorized persons, disrupt connected technologies, harm patients and potentially shut down hospital operations. It requires all stakeholders, from manufacturers and healthcare providers to security teams, to communicate and work in collaboration to actively identify cyber risks and related threats, plan for mitigation and remediation, and ensure the ongoing safety and security of patients. With the continuous evolution of cybersecurity standards and practices, manufacturers and, by extension, CISOs face the daunting task of ensuring these devices meet and are compliant with the latest recommendations and requirements.

The shifting landscape of IoT and Industrial IoT (IIoT) security regulations

The regulatory landscape surrounding IoT and IIoT security is also evolving. There are new regulations to address the growing concerns around the privacy and security of connected devices. The EU Cyber Resilience Act (CRA), a groundbreaking EU regulation that came into force in 2024, governs connected hardware and software product manufacturers. The CRA “tackles the challenges consumers and businesses currently face when trying to determine which products are cybersecure and in setting them up securely.” All manufacturers and suppliers, both inside and outside the EU, are required to comply with the CRA for products that are sold and used in the EU. This is important, considering many global organizations have facilities and supply chain relationships in the region.

In the UK, the Product Security and Telecommunications Infrastructure Act (PSTI) has set standards for the protection of consumers using connectable technology products. It requires manufacturers to focus on security by design principles, such as banning simple preloaded passwords, providing transparency on the minimum duration of security updates, and offering a statement of compliance.[26] The PSTI sets a precedent for other regions when it comes to security regulations for smart products.

With the growing proliferation of IoT and IIoT devices, organizations must navigate an increasingly complex web of security regulations and directives, particularly in Europe. To effectively navigate this environment, companies must develop a harmonized approach to security that considers the full spectrum of regulations across jurisdictions. This requires CISOs to work closely with various stakeholders, including legal and compliance teams. Similar legislation was enacted in Australia in 2024 to ensure manufacturers and suppliers of smart devices comply with the relevant security standards.[27]

[25] KPMG International, Cybersecure Vehicles: Growing number of connected vehicles warrants better cybersecurity measures, 2024.
[26] Center for Cybersecurity Policy and Law, The UK PSTI Act Comes into Effect, April 29, 2024.
[27] Australian Government, Department of Home Affairs, Cyber Security Act, November 29, 2024.

Managing the prolonged lifecycle of smart products

The extended lifecycle of smart products presents unique security challenges for CISOs and their teams. Unlike traditional devices, which may have a relatively short lifespan, smart products such as automobiles can remain in use for decades. The underlying architecture of these devices must be designed to accommodate periodic updates and upgrades to adapt to new technologies, regulatory requirements and evolving security threats. In this fluid environment, CISOs must work closely with product development teams to embed security considerations into the long-term roadmap of smart products. Right now, this means exploring potential advancements like quantum computing that could impact the security landscape in the coming decades. Unlike traditional IT systems, where patches and updates can be easily deployed, smart devices often have embe