In my last blog, I focused on power in cyberspace and the big trends that shape the political, social, and economic environment in which we all operate. In this blog, I want to focus more closely on the changes KPMG member firms are seeing in how clients implement security, and what that means for cybersecurity as a profession and a practice.
You'll be seeing a lot more from our Cyber Security team on the KPMG Blog over the next few months on all of these topics. But let's start with one of the trends that I see in many of my financial sector clients, but increasingly in other sectors too.
- The budgets are getting tighter
Cybersecurity, the renamed information security, is for many seen as an afterthought in the process of transforming a business to exploit the opportunities of the digital world. Whether considered an overhead, a risk reduction exercise, or at best a necessary evil — the money is flowing into transformational projects as companies radically re-engineer their business models to seize the opportunities of the digital world. That places pressure on business-as-usual activity as the drive for efficiencies grows. Many CISOs are now being asked to achieve cost reductions, particularly in the financial services sector, and many executives may assume that cybersecurity can be 'fixed' by a change program rather than being seen as an integral and ongoing part of running and transforming the business. So the pressure is on to reduce compliance costs, to automate security functions, and to move away from the 'buy it all' approach to purchasing security solutions. Rationalization is becoming the order of the day.
- The mindset of security is changing for the better
Security is often still seen as an add-on with an additional cost — a suite of new software components, hardware boxes flashing away in data center racks, and separate teams of security professionals. This view of security is starting to change. More and more security functionality is being built into the core of operating systems, cloud platforms, and endpoint devices at the point of manufacture. This change is disrupting the security marketplace of vendors who provide those add-on endpoint and perimeter security solutions and operations capabilities, and we'll see consolidation in the market beginning. Embedding security into the agile development processes and tools used by developers has also started. It enables a very different approach that uses standard security libraries, test processes, and tooling integrated into the continuous integration/delivery cycles used by developers, allowing a continuous compliance approach to security that helps embed a secure-by-design mindset.
- The ecosystem remains a challenge
The supplier and partner ecosystem in which most companies operate is becoming more complex, more integrated, and more interdependent. Software as a service has arrived, creating a web of interdependencies and shadow IT; web servers embed third-party analytics and services; open application programming interfaces allow external partners access into core systems and databases. The potential for a supplier or partner compromise to disrupt your business has grown, and customers and regulators can be unforgiving when that leads to a breach of your customers' data or a failure of your critical business services. In my opinion, the tick-box approach to third-party assurance has become unworkable. It fails to capture the sophistication of modern business interactions while simultaneously being viewed as a costly overhead that limits flexibility and speed to market. Risk scoring services are immature, utility models for assuring suppliers remain nascent and often unsupported by key regulators, and controls on third parties remain inconsistent or ineffective. There's a need for a fundamental shift in the security model to one that takes account of the extended enterprise that characterizes our businesses today. Will zero trust provide the answer? Will the cloud providers offer security in multi-tenanted environments that implements data-centric security? And will the cyber insurance industry find common cause with major companies in driving the right supply chain behaviors?
- The consequences matter
While business rightly focuses on reducing the likelihood of a successful attack, regulators are shifting their attention to driving companies to think about what they can do to reduce the impact of an attack, if and when it happens. What are the critical business services that could impact the customer, the broader industry, or even the nation? What can companies do to reduce the harm if disruption of those services occurs? How can they get back to business quickly, offer alternative services, or help the impacted customers manage without the service? This is a customer-centric approach that is agnostic to the cause of the incident, be it a cyber-attack, a technology resilience issue, or a physical event. Suddenly security finds itself working with strange bedfellows such as business continuity, disaster recovery, and fraud control. At worst, this will create another compliance overhead, but done well, it'll encourage a focus on critical services and the customer. The UK's financial sector operational resilience regulations will be finalized in late 2020, keenly watched by other financial regulators around the world.
- And governments remain worried about the unthinkable
Concern over the security issues associated with critical national infrastructure hasn't diminished, and investments are beginning to be made in utility sectors to raise standards, segregate vulnerable systems, and improve monitoring and response actions. Regulatory pressures are increasing as governments move from establishing regulatory frameworks to testing and challenging industry security. In politically sensitive regions of the world, attacks on infrastructure systems are increasing in frequency as part of broader political and military action, and nations continue to build out cyber forces and cyber commands as part of their military-industrial complex. There are perhaps some signs of hope that international norms may begin to coalesce, building on the recent Paris Call for Trust and Security in Cyberspace, with a consensus emerging around avoidance of the most aggressive behaviors in our interconnected world.
And one last thing. A few years ago, when I made my predictions, I called for the death of the password — I was premature, and it remains alive and well — and as vulnerable as ever. Let me do it again and predict that the time has come for new approaches to authentication that don't rely on a single guessable and replayable password. Whether that means enabling multi-factor authentication on internet-facing cloud services, the rise of biometrics, or the embedding of more sophisticated behavioral biometrics and analysis — it's time.