Cyber security is about what you can do — not what you can’t
The threat landscape is expanding. Cybercriminals are as entrepreneurial as ever and using increasingly sophisticated tools and technologies. In this fluid environment, we believe Chief Information Security Officers (CISOs) and their teams should adopt a mindset of enablement — cyber security is no longer just about prevention. It’s not a matter of telling colleagues what they can’t do, it’s showing them what they can do — securely.
CISO paradigm shift: From enforcer to influencer
While one of the key lessons of the pandemic is that some of the best cyber teams are able to pivot quickly to enable their organisations to work safely, remotely and effectively, the broader, more strategic takeaway is that this period has caused organisations to rethink how they engage with and serve their customers in a digital-first environment. This shift in mindset to customer centricity has led to rapid digital transformation, which has helped customers move at the pace of business, securely.
In this dynamic environment, cyber professionals are transforming from organisational enforcer to influencer. The C-suite is taking note. According to the KPMG 2021 CEO Outlook, a sizeable majority of CEOs (75 percent) believe a strong cyber strategy is critical to engendering trust with key stakeholders.
But within the context of accelerated digital transformation — which augments the risks of an ever-expanding third-party ecosystem — cyber teams also recognise the challenge of protecting their partner ecosystem and supply chains, with 79 percent indicating it’s just as important as building their own organisation’s cyber defences.
The majority of CEOs (58 percent) feel they are well prepared for a cyberattack. Indeed, for nearly every organisation, some type of cyber event is seen as increasingly inevitable. Security teams must prepare for that eventuality and be ready to respond, recover and re-establish trust as quickly as possible to limit the damage. At the same time, they must recognise that risk in this environment is a moving and evolving target. From the board to the C-suite and from front office to back, controls should be in place to protect the organisation’s and clients’ high-value assets, the proverbial ‘crown jewels.’
Over the years — and particularly as a result of the pandemic — it has become clear that a lack of preparation and an overly reactive posture can be as damaging as the event itself. That’s why it’s so important to have a plan, test your responses against different scenarios, and understand the depth and breadth of potential cyber incidents. This is an opportunity for organisations across virtually every sector to reimagine their response and recovery strategies and truly shift security left.
Gordon Archibald,
National Lead, Cyber Security, KPMG Australia