Organisations Must Balance Data Security And Privacy With Broader Objectives Of Business
As 2024 unfolds, organizational leaders, from the CEO down to the manager, have much on their plates. They are contending with diverse challenges to achieving sustained growth, navigating the impact and risks of emerging technology and attracting and retaining talent, to name just a few. For their part, Chief Information Security Officers (CISOs) are increasingly being viewed as proactive co-stewards of these ongoing business imperatives — not merely the cavalry leader riding in to save the day during a crisis.
In its annual Cybersecurity Considerations report, a diverse cross-section of global KPMG cyber security specialists explore eight considerations that CISOs and their teams are encouraged to prioritize in the current year to support the organization’s business growth objectives by mitigating the impact of specific cyber security breach incidents and reducing overall cyber risk exposure.
According to the KPMG report, organizations worldwide face many cyber security challenges that require controls to build and embed resilience, meet regulatory mandates and reduce overall risk. However, the emergence of artificial intelligence (AI) as a strategic tool for both legitimate and nefarious purposes is rapidly moving up the list. The democratization of AI — advanced models and services are now accessible to anyone with a credit card via the cloud — has at once revealed new paths to value creation and exposed significant risks. AI is proving to be a true organizational game-changer, including for security teams.
“This evolving threat landscape requires organizations and their CISOs to view security through a new, more pragmatic lens. More than ever before, they must balance data security and privacy with the broader objectives of the business. From a cyber security perspective, the impacts of societal, economic, political and regulatory developments are more consistently felt globally today. The simple reason is that the world is more connected,” says Akhilesh Tuteja, Global Cyber Security Leader, KPMG International.
The most acute effect of the connected business ecosystem continues to be within global supply chains; for all practical purposes, no region of the world is isolated anymore. However, local nuances remain. For example, there are uniquely regional regulatory requirements to which businesses must adhere, such as certain markets being more sensitive to the protection of personal data, and new rules around responsible AI, critical infrastructure and supply chains.
There is a global focus within the cyber security universe on compliance in general, with a refined eye toward the overall burden of regulation, as well as the diversity of various reporting requirements. As a result, companies are putting more emphasis on embedding privacy and security within the way they comply with a broad range of trans-border regulatory requirements and regimes. This is of particular interest when it comes to building and governing responsible AI systems, ensuring customer privacy and enacting guidelines around critical infrastructure, supply chains, smart products and resilience.
At the same time, the KPMG report says, cyber security budgets may have to be more objectively justified going forward as organizations deal with economic uncertainty. Many CISOs are seeing flat rather than reduced budgets, as some of that spend is diverted to organizational innovation, particularly AI and automation solutions. This noteworthy development requires security teams to engage in technology rationalization and budget optimization: essentially, doing more with less.
While economic headwinds drive budget pressures, there is a growing view that cyber security has matured to the point that organizations can trim investment. Further, security functionality is now embedded within other IT and transformation budgets rather than being a central budget provision. Also, the shift to a cloud-based security-as-a-service approach embeds security costs into companies’ broader operating expenses in a way we have not seen previously.
“In this environment, I encourage CISOs to sharpen their cyber risk quantification (CRQ) process, which helps express the impact of cyber security risk in financial terms using mathematical modelling to illustrate risk through measurable variables. Looking at risk through a CRQ lens can effectively demonstrate return on investment and investment priorities to leadership and the Board, ensuring the organization,” adds Tuteja.
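To make the cyber risk quantification approach described in the quote concrete, the following is an added illustration written for this page; it is not KPMG's CRQ methodology and not code from the report. It assumes a single loss scenario whose inputs are constructed for the example: a 0.6 incidents per year frequency, a per-incident loss whose 10th and 90th percentiles an analyst has estimated at 100k and 1M, and a hypothetical control that halves the frequency at a cost of 80k per year. A Monte Carlo model turns those estimates into an expected annual loss, tail percentiles and a net-benefit figure for the proposed control, which is the kind of financial framing the quote recommends presenting to leadership and the Board.

```python
"""Monte Carlo cyber risk quantification (CRQ) illustration.

Added example, not KPMG's method. One loss scenario is modelled as a compound
process: a Poisson count of incidents per year, each with a lognormal loss
magnitude calibrated from an expert's 10th/90th percentile estimate.
"""
import math
import random
from statistics import NormalDist, mean

Z90 = NormalDist().inv_cdf(0.90)  # z-score of the 90th percentile, about 1.2816


def lognormal_params(p10: float, p90: float) -> tuple[float, float]:
    """Return (mu, sigma) of a lognormal whose 10th/90th percentiles are p10/p90."""
    if not 0 < p10 < p90:
        raise ValueError("need 0 < p10 < p90")
    mu = (math.log(p10) + math.log(p90)) / 2
    sigma = (math.log(p90) - math.log(p10)) / (2 * Z90)
    return mu, sigma


def poisson(rng: random.Random, lam: float) -> int:
    """Sample a Poisson count (Knuth's algorithm; adequate for the small rates used here)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(freq_per_year, p10, p90, years=20_000, seed=1):
    """Return one simulated total loss per simulated year (seeded, so results are reproducible)."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(p10, p90)
    losses = []
    for _ in range(years):
        n = poisson(rng, freq_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return losses


def percentile(values, q):
    """Nearest-rank percentile for q in (0, 1]."""
    s = sorted(values)
    idx = max(0, min(len(s) - 1, math.ceil(q * len(s)) - 1))
    return s[idx]


def summarize(losses, threshold):
    """Expected annual loss, tail percentiles and the probability of exceeding a loss threshold."""
    return {
        "expected_annual_loss": mean(losses),
        "p50": percentile(losses, 0.50),
        "p95": percentile(losses, 0.95),
        "p99": percentile(losses, 0.99),
        "prob_exceeds_threshold": sum(1 for x in losses if x > threshold) / len(losses),
    }


def control_net_benefit(baseline, controlled, annual_control_cost):
    """Expected-loss reduction minus the control's yearly cost: the ROI figure to show the Board."""
    reduction = baseline["expected_annual_loss"] - controlled["expected_annual_loss"]
    return reduction - annual_control_cost


if __name__ == "__main__":
    # Constructed scenario (assumption): ransomware on a business-critical system.
    # Analyst estimates: 0.6 incidents/year; per-incident loss between 100k (p10) and 1M (p90).
    baseline = summarize(simulate_annual_loss(0.6, 100_000, 1_000_000), threshold=2_000_000)
    # Hypothetical control (assumption): tested offline backups plus MFA halve the frequency.
    controlled = summarize(simulate_annual_loss(0.3, 100_000, 1_000_000), threshold=2_000_000)
    for name, s in (("baseline", baseline), ("with control", controlled)):
        print(f"{name:13s} EAL={s['expected_annual_loss']:>12,.0f} p95={s['p95']:>12,.0f} "
              f"p99={s['p99']:>12,.0f} P(loss>2M)={s['prob_exceeds_threshold']:.3f}")
    print(f"net annual benefit of control at 80k/yr: "
          f"{control_net_benefit(baseline, controlled, 80_000):,.0f}")
```

The expected annual loss alone understates the decision: because most simulated years see no incident at all, the median loss is zero while the 95th and 99th percentiles are well into the millions, so the tail figures and the exceedance probability are what justify (or fail to justify) the control's cost.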
Fundamentally, this report explores from various angles what is perhaps the central aspiration for executives across the enterprise: keeping their organizations resilient. Bottom line, if a data leak or network breach occurs, how quickly can the organization resume regular operations, and how can the impact on customers be minimized? This is emblematic of the resilience agenda that can be seen within many of the most recently proposed regulations, particularly those focusing on critical infrastructure sectors.