BusinessMirror

Aligning business goals with security imperatives


Many organizations have spent massively on cyber security, both on tooling and personnel. As businesses feel the economic impact of the pandemic, the drive to cut back on those costs is mounting.

In that sense, the cost of security has become a major focus—perhaps as much as security itself. In an effort to manage costs and ensure that business and security priorities are aligned, companies are automating significant portions of their cyber functionality, putting digitized cyber risk management processes in place that ladder up to the organization's top-line operational and business strategies.

The landscape as we see it

In reviewing many risk models, we find the concept of business-driven risk scenarios to be lacking. Certainly, the pandemic has revealed a significant disconnect between the business's perception of the value of technology and the cyber risks that come with its adoption. The viewpoint of the business needs to go hand-in-hand with the viewpoint of the cyber security team, and that is not the case at many organizations. The identification of these risk scenarios should be led by the business.

The process would be much more effective if it were informed by a model that enables business leads to better understand the impact security controls may have on those risk scenarios. Many companies don't get that insight consistently, making it challenging to formulate a fluid, ongoing relationship between the controls and the business.

In the cyber community, we try to plan for worst-case scenarios, but many incidents happen in relative obscurity and are not earth-shattering, let alone business-shattering. From that perspective, we see many companies working to embed security not only within the second line of defense, but within the more operationally focused first line as well as the audit-driven third line.

Larger organizations have spent big money on IT security over the last 10 to 15 years. The pandemic has demonstrated the increasing role of cyber security in the new reality, but there is a need to deliver that role without raising the cost. That requires them to develop a new risk-based model focused on lowering costs through an automated approach to security and putting the right people in the right roles.

What we believe you should do about it

Think holistically about where you need to invest. Consider what risk scenarios need to be in place and which controls are most relevant. Whatever plans companies had for digital transformation before the pandemic, they now understand the need to accelerate them in the new reality, while also worrying about cost pressures. This suggests they should also explore automating their cyber and risk management processes.

Many incidents would be quite easy to detect if security policies and controls were embedded in the business. Bottom line, companies are encouraged to integrate cyber security across all three lines of defense rather than operating in silos. Leverage threat intelligence from across multiple functions, such as fraud and financial crime, and integrate playbooks and tooling to respond at speed to the changing cyber threat landscape and patterns of attack.

Make security an end-to-end priority. The foundational action is to establish an ongoing dialogue between the security organization and the rest of the enterprise to ensure security is in sync with the business in terms of strategic and operational planning.

To that end, implement engineering approaches—such as secure by design and privacy by design—that are intended to introduce security into the daily mindset of the DevOps team as they craft new applications and services.

Ultimately, we hope to see cyber security professionals move away from being perceived as an IT-driven function. For that to happen, the cyber team needs to be business-led and business-aware. Otherwise, that symbiotic handshake between business and cyber is never going to solidify.

The excerpt was taken from “KPMG Thought Leadership, Consumers and the New Reality.”

© 2020 R.G. Manabat & Co., a Philippine partnership and a member-firm of the KPMG network of independent member-firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved. Printed in the Philippines.

For more information on KPMG in the Philippines, you may visit www.kpmg.com.ph.
