Cyber security is business enablement

Yet, we live in a world of business opportunities. Cyber security today should go beyond planning for business continuity. For businesses to gain the edge over global and local competitors, they will need to start reimagining technologies. Beyond meeting risk reduction needs, engaging customers will also require an enhanced user experience.

A case in point is ‘passwordless access’. The concept is clear: enable consumers to sign into apps for sensitive transactions such as banking and trading without the need for passwords. In an ideal world, authentication systems should be so seamless such that users don’t need to use passwords while still meeting strong risk management standards.

However, the implementation process takes rigour, and requires a clear understanding of security boundaries with consumer intent and journeys considered.

“This is why investments going into protecting versus growing a business should not be seen as mutually exclusive if cyber security is to be a business enabler,” suggests KPMG’s Ganesha Rajanaidu, a Partner of Cyber Advisory with 17 years of experience in the overseas cyber security market.

“Conversations when cyber is considered as a business enabler should be: how is cyber security going to increase revenue; and how are my investments in cyber security going to improve customer experience?” Ganesha adds that reframing discussions this way can take the market forward in driving business innovations that consumers can trust in the years to come. 

Partner of Cyber Advisory, Wendy Lim, suggests that in planning their roadmaps, businesses can take reference from competitors or similar organisations as benchmarking can be a useful “reality check” for companies. This will also help organisations be clear where their cyber security maturity is currently at, versus where they hope to reach.

This clarity and foresight are especially important in incorporating cyber security into your business story. Businesses need to be purpose-led in their offerings and the same is true for cyber security. This allows for potentially unique integrations of cyber security and in the process, a distinctive competitive edge.

As businesses start innovating with the intent of combining great user experience with cyber security by design, customers will also be looking for greater assurances of the confidentiality, integrity and availability of these solutions, especially in the protection of their privacy and assets, and the integrity of their digital transactions. Capitalising on innovations is not a walk in the park since they could draw various methods of attack by threat actors. Partner of Cyber Advisory Wong Loke Yeow remarks that this is also why continual cyber risk management must accompany the drive for cyber security integration into business offerings. Companies will need to move beyond just maintaining baseline standards and afford adequate attention and concerted effort towards constantly raising their bar on cyber security.

He adds that regular red teaming and tabletop exercises should be anchored as part of the programme. Stress testing won’t just be to identify known vulnerabilities but also to push boundaries so that better iterations of solutions can be created to defend against the yet-to-be-discovered threats. 

Certainly, every company will have different priorities even as they all aim to grow their customer experience securely. For those that choose to invest less in cyber capabilities but still opt for innovation, Ganesha notes that they will need to have a larger risk appetite, as “the more risk you take, the larger the potential for gain or loss”. He adds that startups typically tend to have a larger risk appetite but once they become mature organisations with predictable streams of income to protect, these risk appetites usually start shrinking.

Regardless of risk appetite, both Ganesha and Loke Yeow agree that Boards are uniquely positioned to help organisations tackle cyber risk. Through a well-thought-out cyber strategy and effective influence, they can set off a chain reaction of cultural change across the C-suite, business units and even third parties. In fact, Board attentiveness to cyber security leadership and governance can be considered a fiduciary duty since a cyber incident can have the potential to materially impact the organisation.

Businesses may not be able to control when or how they get breached, but they have the power to take action to reduce the chances of this occurring and start planning the response they need to reduce the impact when it does happen.

Regardless of where businesses are in their roadmap, it is clear that the role of cyber security in organisations has evolved and the professionals in this field must evolve with it. They need to have the curiosity to view cyber security in novel ways that help it feed back into the business, a desire for continuous improvement to keep up with an ever-changing threat landscape and the breadth in expertise in bringing all of this together. 

Wendy sums it up as she reflects on her team, where her specialists have backgrounds from technology to psychology. Cyber security requires the understanding of organisational culture (to influence impactful change), threat actor motivations as well as mindsets of the man-on-the-street who fall prey to social engineering – just as much as it is about technical interventions.

She says, “Diversity in cyber security is a needed edge as the complexity of real-world challenges continues to grow. Aside from cross-industry global and local insights that KPMG provides, the variety of perspectives and talent within the team has to be unique so that we never stop giving our clients out-of-the-box thinking when it comes to solutions in cyber.”

Ganesha has over 17 years of experience in cyber security risk and incident management spanning across professional services and major global corporations. His previous roles include Asia Pacific Chief Information Security Officer and Asia Pacific & Japan Cyber Consulting Partner.

Wendy has almost 17 years of experience in the Cyber practice in KPMG in Singapore. Her areas of focus include third party / outsourcing risk management, operational & IT governance and risk management, business/cyber resilience, and cyber/privacy laws and regulations.