Embed cyber security into your organisation | KPMG | AU

Embed cyber security into your organisation

Organisations are keenly aware they need technical mechanisms in place to protect themselves from cyber security threats. As a result, most organisations have heavily invested in cyber security technologies.


Partner, Technology Risk

KPMG Australia


However, this often fails to take account of two factors:

  1. What are the information assets and systems that are of highest value to your organisation?
  2. Are our processes and levels of staff awareness at a maturity level commensurate with our technology investment?

It only takes one slip-up, such as an inadvertent click on an infected email, the accidental emailing of a spreadsheet with customer data or the slow application of a security patch, to bypass the technology investment.

"Cyber security is not a conversation about technical controls – it is a business conversation focused on the information assets and systems that are valuable to your organisation, the threats to these assets and mechanisms to manage the risk."
Mark Tims
Partner, Technology Risk

Expanding the concept of security

An essential part of thwarting cyber attacks is broadening the definition of what security means to an organisation. Cyber security cannot be seen as separate from your core business processes. Organisations need to ensure that their key business processes, such as marketing, customer management, and merger, acquisition and divestment processes, in addition to user access management, risk, change, incident, program management and others, take account of cyber security. These processes need to operate together to adequately protect your organisation.

Targeting the problem

Organisations are often overwhelmed by the sheer size of the task when it comes to cyber security. However, they are beginning to understand that protection is not about a blanket solution.

In fact, security efforts should be focused on the threats to your organisation’s information assets and network-connected physical assets, such as industrial control systems and building management systems. Questions you should be able to answer include:

  • What are our information assets and network-connected physical assets?
  • How valuable are these assets to our organisation? How valuable are they to an external perpetrator?
  • Where are our valuable information assets held? How are they accessed?
  • Who is using our various information and physical assets?
  • How are we keeping them secure from a technology, process and people perspective?

Answering these questions will not necessarily lead to additional technical controls being required. In some organisations, anyone who accesses the IT environment has to undergo a two-stage authentication process. That can represent a disproportionately high cost if the environment contains assets of minimal value.

Instead, it should be a matter of protecting the information assets that really matter. This calls for targeted protection mechanisms – both from a technology perspective and from an awareness and process perspective. This is ultimately more effective than a blanket control, and could be considerably less expensive.

Finding your place on the cyber maturity curve

Cyber security is a long-standing risk, and while financial institutions and the defence and intelligence community are high on the security maturity curve, most organisations have some way to go.

It is only through understanding your assets, the corresponding threats and your desired risk profile that you can determine your cyber security maturity level. Once you have established that baseline, you can develop a holistic approach to improve your overall cyber security maturity relating to people, processes and technology. This, in turn, provides your organisation with a strong cyber security foundation to allow your business to grow, transform and expand.
