When you examine technology risk, you’re talking about IT. But when you talk about cyber risk, the ownership and accountability live outside the technology department. The trend we see in the direction and magnitude of cyber-based regulations is moving toward a more holistic approach, focusing on business priorities and responsibilities, such as customer-oriented business activities like building trust; middle- and back-office operational tasks; and Board-driven corporate governance functions. In short, the focus is on management within the first line of defense, as it should be.
The landscape as we see it
In 2020 and beyond, we expect to continue to see increased regulation on a variety of topics from a variety of regulators. In Asia, specifically, we’ve seen new regulations around cyber security where they’ve actually used the word “cyber.” Previously, the regulations in that region used the word “technology,” which had an IT connotation. The increased precision is a welcome development.
With so many countries having issued rules to comply with certain elements of the General Data Protection Regulation (GDPR), or their own privacy laws, we’re seeing—especially with larger multinational companies—the creation of new, proactive data management departments. Essentially, businesses are looking to master data analytics as a discipline and understand not only where the data is located across the organization, but also who owns it, what’s being done with it, and, perhaps most critically, what rights and permissions users have in relation to that data.
Companies are recognizing the need for additional investment, not just in tooling and process development, but also in closing the shortage of cyber talent, from cyber governance and risk strategy to configuration and maintenance. There’s still a large gap in this space, and, unfortunately, many companies hire IT professionals who lack a cyber security perspective on the regulatory environment. The result is advice that is often ineffective, or well-intentioned but misunderstood or inadequately implemented by management and the board.
What we believe you should do about it
Regarding the three lines of defense model, we suggest embedding the responsibilities of cyber security, as well as the role of the CISO, in the first line—preferably formally—and linking these tasks to annual performance targets. The CISO role, at its core, should reside in the first line to cover security strategy and vision, and he or she should have a clear hierarchical or at least functional alignment with security operations regarding daily monitoring and tool configuration.
The second line (i.e., IT risk) should support design quality and resiliency policies and standards, and report back to management and the board. The third line would review and assess the work of the first two lines. This optimal state seeks to extend the company’s cyber security needs, including regulatory compliance, across the entire organization.
We also believe it’s critical to institute ongoing testing of your regulatory compliance program in terms of design, implementation and effectiveness to identify where improvements are needed. Also, ensure operational cyber resilience is embedded into your overall architecture and processes to solidify security for both IT and OT.
Appoint an individual who is not strictly an IT person to oversee regulatory compliance. In fact, new CISOs should become more comfortable speaking the language of business in order to ensure their messages are understood and executed. This individual should have a broad mindset regarding the company’s operating model—a Chief Risk Officer, Chief Financial Officer, or Deputy CEO would be ideal because they also have perspective on the company’s overall risk agenda. This individual would be the sponsor or champion for cyber security across the entire organization, working in close partnership with the Chief Operating Officer and CISO.
Take the time to unify all of your regulatory requirements, from internal controls and policies to the various regional and country-specific regulations, into a single Unified Control Framework to help enhance the effectiveness of your internal governance, risk, compliance, and testing efforts. Look for synergies between the controls demanded by privacy, resilience, and security regulations—you may be surprised by what you find.
Companies are encouraged to shift their focus from systems and technology to information. Pinpoint what it is that makes you competitive in the market. It could be intellectual property, or your supply chain, or your pricing power. Whatever it is, that’s what you need to protect from a cyber security perspective.
This excerpt was taken from the KPMG article “All hands on deck: Key cyber security considerations for 2020”.
© 2020 R.G. Manabat & Co., a Philippine partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.
KPMG International Cooperative (“KPMG International”) is a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.