Hello and welcome to our Touchpoints blog! We are Nils and Julia, two members of the Enterprise Design Services team, and we are writing this blog to discuss recent topics in the fast-paced, changing, and more and more digital world. We interview experts in their field of specialty and want to understand what it takes for businesses to make it in today’s competitive world.
Q: Could you tell us what your role at KPMG is in 2 sentences?
Hi, I am Jari Pitkänen. I’ve been acting as security architecture practice lead at KPMG since 2020, mainly focusing on cyber security architecture engagements and developing related methodologies.
Q: Security architecture, that sure sounds exciting, but for someone who’s never heard of the term, how would you explain security architecture in a nutshell?
Security architecture includes all aspects of information security, namely governance, technologies, and processes, and covers visibility, traceability, and justification for the decisions made in all architecture layers. The core of our methodology is to evaluate customers’ objectives and create a multi-layer architecture that can be understood across the customer organisation, from top management and different stakeholders to specialists. At KPMG, we pride ourselves on looking after customers’ needs by always following up to ensure their IT security and infrastructure continue to achieve their best potential.
Q: Can you give us an example?
There might be situations when a customer does not have the visibility/understanding regarding how their current security architecture is built or should be built. That’s where KPMG helps them to develop security architecture towards the desired target state, based on their business needs, regulatory requirements, and stakeholders’ objectives. We can then compare the customer’s current state to the target state and form a development roadmap to achieve the target state.
To do this, we would interview the top-level executives and work closely with those in business and security to gain insights into the necessary objectives. There can be different work tracks to design and document the target state, including security governance and technical security. The outcomes of the development tracks define the target state for the security architecture.
Potential next steps are to help with the target architecture’s implementation or to train the client’s organization to work according to the target state. Finally, we would proceed with testing the compliance of the implementation and design additional security controls to fill in any remaining gaps. The governance model can then be published to the entire organization and tested for acceptance. Once the architecture is fully implemented, it should be continuously monitored for performance and potential improvement.
Q: Could you summarize the top 3 reasons why companies should invest in security architecture and development?
- Improves governance of cyber security to be more cost-efficient.
- Decreases deviations from the security architecture, number of security incidents, and wasted time.
- KPMG uses a holistic approach for cyber security development considering, e.g., technical, governance and legal, privacy, and service design aspects.