Authors: Benoit Watteyne (KPMG)
Publication date: 3/08/2020
Five changes to how companies are implementing security, and what that means for cyber security as a profession and practice.
Now the first half of the year is over, our KPMG Cyber team takes stock of current changes and looks at what the next few months and years may bring – with five changes shaping the (geo)political, social, and economic environments in which organizations operate to how companies are implementing security, and what that means for cyber security as a profession and practice.
1. Budgets are getting tighter
“For many, the re-naming of information security to cyber security is seen as an afterthought in the process of transforming a business to exploit the opportunities of the digital world. Whether considered an overhead, a risk reduction exercise, or at best a necessary evil — the money is flowing into transformational projects as companies radically re-engineer their business models to seize the opportunities of the digital world. That places pressure on business as usual activities, as the drive for efficiencies grows. Many CISOs are now being asked to achieve cost reductions, particularly in the financial services sector. Meanwhile, many executives may assume that cyber security can be ’fixed’ by a change program rather than being seen as an integral and ongoing part of running and transforming the business. So the pressure is on to reduce compliance costs, automate security functions, and move away from the ’buy it all’ approach to purchasing security solutions. Rationalization is becoming the order of the day.”
2. The mindset of security is changing for the better
“Security is often still seen as an add-on with an additional cost — a suite of new additional software components, hardware boxes flashing away in data center racks, and separate teams of security professionals. This view of security is starting to change. More and more, security functionality is being built into the core of operating systems, cloud platforms, and endpoint devices at the point of manufacture. This change is disrupting the security marketplace of vendors who provide those add-on endpoint and perimeter security solutions and operations capabilities, and we’ll see consolidation in the market beginning. Embedding security into the agile development processes and tools used by developers has also started. It’s enabling a very different approach, using standard security libraries, test processes, and tooling integrated into the continuous implementation/delivery cycles used by developers. Doing so allows a continuous compliance approach to security that helps to embed a secure-by-design mindset.”
3. The ecosystem remains a challenge
“The supplier and partner ecosystem in which most companies operate is becoming more complex, more integrated, and more interdependent. Software as a service has arrived, creating a web of interdependencies and shadow IT; web servers embed third-party analytics and services; open application programming interfaces allow external partners access into core systems and databases. The potential for a supplier or partner compromise to disrupt your business has grown, and both customers and regulators can be unforgiving when that leads to a breach of your customers’ data or a failure of your critical business services. The tick box approach to embedding third-party assurance has become unworkable. It fails to capture the sophistication of modern business interactions while simultaneously being viewed as a costly overhead that limits flexibility and speed to market. Risk scoring services are immature, utility models for assuring suppliers remain nascent and often unsupported by key regulators, and controls on third parties remain inconsistent or ineffective. There’s a need for a fundamental shift in the security model to one that takes account of the extended enterprise that characterizes our businesses today. Will zero trust provide the answer? Will cloud providers offer security in multi-tenanted environments that implement data-centric security? And will the cyber insurance industry find common cause with major companies in driving the right supply chain behaviors?”
4. Consequences matter
“While business rightly focuses on reducing the likelihood of a successful attack, regulators are shifting their attention to driving companies to think about what they can do to reduce the impact of an attack, if and when it happens. What are the critical business services that could impact the customer, the broader industry, or even the nation? What can companies do to reduce the harm if disruption of those services occurs? How can they get back to business quickly, offering alternative services, or helping the impacted customers manage without the service?
A customer-centric approach can be agnostic to the cause of the incident, be it cyber-attack, technology resilience issues, or a physical event. Suddenly security finds itself working with strange bedfellows such as business continuity, disaster recovery, and fraud control. At worst, this will create another compliance overhead, but done well, it’ll encourage a focus on critical services and the customer. The UK’s financial sector operational resilience regulations will be finalized in late 2020, keenly watched by other financial regulators around the world.”
5. Governments remain worried about the unthinkable
“Concern over the security issues associated with critical national infrastructure hasn’t diminished, and investments are beginning to be made in utility sectors to raise standards, segregate vulnerable systems, and improve monitoring and response actions. Regulatory pressures are increasing as governments move from establishing regulatory frameworks to testing and challenging industry security. In politically sensitive regions of the world, attacks on infrastructure systems are increasing in frequency as part of broader political and military action, and nations continue to build out cyber forces and cyber commands as part of their military-industrial complex. There are perhaps some signs of hope that international norms may begin to coalesce, building on the recent Paris Call for trust and security in cyberspace with a consensus emerging around avoidance of the most aggressive behaviors in our interconnected world.”
And as the KPMG Cyber team looks to the longer term, they share one last prediction for 2020:
“Finally, we have been predicting the death of the password for quite some time. However, it remains alive and well — and as vulnerable as ever. This year, we stick to that prediction that the time has come for new approaches to authentication, which don’t rely on a single guessable and replayable password. Whether that be enabling multi-factor authentication on those internet-facing cloud services, the rise of biometrics, or the embedding of more sophisticated behavioral biometrics and analysis — it’s time.”