According to KPMG in Malaysia, companies should revisit their overall cost efficiency and ring-fence funds for cybersecurity as an essential part of their digital transformation plans. The aim is not to buy the latest technology, but to focus investment strategically on developing a robust cyber defense capability.
“Achieving cost efficiency while maintaining robust cybersecurity controls is a complex task at the best of times, and even more so in the middle of a pandemic. While organizations significantly increased their investments into digital adoption last year to cope with the new normal, cybersecurity tends to be relegated as an afterthought in favor of enabling customer engagement online and improving employee mobility,” observed KPMG’s Head of Cyber, Jaco Benadie.
A total of 10,790 incidents were reported to CyberSecurity Malaysia during 2020. A worrying trend, globally and in Malaysia, is the rise in ransomware attacks: the Financial Times reported that cybercriminals profited by more than US$350m from ransomware in 2020, a 311 percent increase over 2019.
Citing a recent incident in January where a hacktivist group had threatened to hack government websites and online assets, Jaco added, “The Government’s initiative to increase cybersecurity uptake among businesses through the Malaysia Digital Economy Blueprint is certainly timely and showcases their commitment to double down against cyber threats. Not only do organizations face mounting cost pressures due to extended restricted movement control orders, they also need to ensure their security can defend against adversaries in the evolving threat landscape. This of course means that they have to ensure they invest adequately and are able to strike the right balance in their budgets.”
According to the Harvey Nash/KPMG CIO Survey 2020, the world’s IT leaders spent the equivalent of their entire annual budget increase in just three months last year, as the global crisis hit and lockdowns began to be enforced. This was one of the biggest surges in technology investment in history. An increase of this scale in technology spend is unsustainable in the long run, and technology budgets are expected to come under further strain in the year ahead.
KPMG’s latest report, Security through a downturn, lists five challenges and the strategy that Chief Information Security Officers (CISOs) should consider for each:
1. Cash preservation
For organizations in ‘cash preservation’ mode, a tactical cost takeout measure is to identify discretionary spend and the costs associated with low-risk, noncritical activities, and to pause them. Which activities qualify as low risk varies from organization to organization, so the first step is to classify activities by the risk they mitigate; only then can the organization decide where best to temporarily pause spending.
However, while the cost savings are realized almost immediately, a pause should be treated as a temporary measure with an explicit review date, given the ever-evolving threat landscape and changing security risk profiles: an activity that was low risk when paused may not stay that way.
2. Third-party security spend
Security organizations may engage technology providers, trusted advisers, or contractors for independent insights, hands-on cyber experience, or an objective view of their cyber capability. Because external help can cost more than in-house personnel, organizations under cost pressure typically disengage consultants and contingent workers first. This overlooks the value they provide on initiatives that require specialist technical skill sets, or where an independent opinion on the cyber security program is needed.
A more beneficial approach is to open a dialogue with suppliers, for example by asking them to propose value and cost efficiencies when renegotiating contract renewals or amendments.
3. Cybersecurity tools and abundance of projects
In trying to keep pace with the evolving landscape, some organizations end up deploying and operating a large portfolio of security tools, many of them underutilized or duplicative, which wastes scarce security resources. Rationalizing the toolset can be a relatively simple fix that brings significant savings, both financial and operational. Before retiring a tool, confirm which controls, detections, and reporting obligations depend on it, so that a consolidation does not silently remove coverage.
4. Regulatory and compliance obligations
While many industry and government regulators now acknowledge the criticality of cybersecurity risk, the way each administers oversight varies, which leaves organizations with an array of overlapping obligations and additional workload. Organizations should first establish a clear, succinct foundational taxonomy for policies, standards, control objectives, control testing procedures, risk events, and issues. Control assessments and compliance activities can then be converged onto that taxonomy, so that a single assessment of a control provides the evidence for every regulator that requires it.
5. Security processes
Highly manual, siloed, and disparate security processes are an obvious focus for optimization, as their inefficiencies are often exacerbated by inaccessible or inaccurate data. Organizations can address this by simplifying, converging, and automating their processes. A practical starting point is to strengthen the foundation: clean up, simplify, and make accessible the data that those security processes depend on, since automation built on poor data only makes bad decisions faster.
“During these turbulent times, an organization’s cybersecurity controls could be the sole defense against cyber breaches or attacks. A cyber incident not only disrupts the business, it often undermines brand trust that may have taken years to build. Organizations, and especially CISOs, should plan their technology investments strategically in order to achieve significant returns for the long term. This not only enables commercial operations to continue uninterrupted, but also safeguards the hard-earned trust placed in the company by their customers,” Jaco advised.
© 2021 KPMG PLT, a limited liability partnership established under Malaysian law and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.
KPMG International Cooperative (“KPMG International”) is a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.