KPMG survey: Building trust through cybersecurity and privacy
KPMG has released its “Cyber trust insights 2022” report that analyses the five crucial steps to building trust through cybersecurity and privacy.
The report surveyed 1,881 executives and conducted a series of discussions with corporate leaders and professionals worldwide to explore the extent to which the C-suite recognizes this, how they are meeting the challenge and what they need to do next.
KPMG has identified five crucial steps towards building trust through cybersecurity:
Treat cyber and privacy as a golden thread woven into the business;
Build internal alliances;
Reimagine the Chief Information Security officers (CISO) role;
Secure leadership support; and,
Reach out to the ecosystem.
Emerging technologies such as distributed ledger technology (DLT), quantum computing, 5G networks, artificial intelligence (AI)/machine learning (ML), and augmented and virtual reality are developing rapidly and promise to transform how businesses operate.
However, the successful rollout of future applications (connected economy, smart systems, NFT, metaverse, etc.) that rely on these technologies will likely be governed by an organization’s ability to instill trust across multiple dimensions. This means embedding security and privacy controls with transparency, reliability and integrity, the report said.
Organizations know they must become data-driven or risk irrelevance. Many are scaling AI to automate data-driven decision-making, but AI brings new risks to brand and profitability.
The technology has the potential to drive inequality and violate privacy, as well as limit the capacity for autonomous and individual decision-making.
“You can’t simply blame the AI system itself for unwanted outcomes. Trustworthy, ethical AI is not a luxury, but a business necessity. Growing numbers of business leaders recognize this, but trust is not secured without effort or challenges,” stated Ton Diemont, Head of Cybersecurity & Data Privacy at KPMG in Saudi Arabia and Levant.
He stated that trustworthy AI can only be achieved with a holistic, technology-agnostic and broadly endorsed approach to awareness, AI governance and risk management.
Globally, the growth of cybersecurity and privacy regulation is accelerating. More than 137 countries now have some form of data-protection regime, often claiming extra-territorial jurisdiction over services offered in the country or the data of citizens of that country.
More mature privacy regimes are moving into a second generation of regulation while confronting new privacy challenges driven by technology adoption, Diemont said, indicating discussions about the regulation of AI are now being formalized in draft legislation.
In addition, countries are implementing increasingly strict critical infrastructure cybersecurity regulations as concerns grow around attacks on industrial control systems. These regulations move from self-assessment to more directive control frameworks, including mandatory incident reporting and external audit.
Regulators are also being more prescriptive in their control frameworks, while also seeking to reinforce the independence of the CISO and their role in setting internal control standards, the report stated.
Corporate requirements for transparency over cyber risks are under debate, along with growing requirements for the disclosure of ransomware incidents.
Companies should invest in automating compliance monitoring and reporting; maintain a regulatory watch; and consider privacy and security regulatory trends when developing new services and products, advised Diemont.
Organizations embracing the ESG agenda can earn their customers’ trust and reinforce their brands’ strength. In today’s digital world, boardrooms, investors, regulators, customers, and the wider public expect transparent reporting on the organization’s cybersecurity and privacy posture.
Stakeholders want to feel confident that boards and executives appreciate the social implications of striving to ensure the resilience and integrity of critical services, while protecting the information they hold in trust.
In the KPMG Cyber trust insights 2022 survey, almost half of the respondents (44 percent) say that collaboration on cybersecurity across the broader ecosystem will help them anticipate attacks.
Although collaboration may be desirable, it’s not always straightforward. More than one-third of respondents (38 percent) say that privacy concerns stand in the way of external cybersecurity partnerships, and 36 percent worry about revealing too much about their own security arrangements. Other problems include regulatory restrictions, lack of support from the C-suite and lack of resources.
According to the KPMG report, CISOs are now in a position to play a crucial role as enablers. By operating as one of the organization’s ultimate guardians of trust, they can be a driving force for its success.
“CISOs themselves recognize what is at stake,” Diemont noted, adding more than three-quarters of respondents (77 percent) say increased trust is a key objective of their cyber risk programs.
Forty-five percent of C-suite respondents now see the CISO as a key executive and the profile of the CISO role has grown rapidly over the last five years, driven by digital transformation, growth in cybercrime, and rising regulatory expectations, he stated.
KPMG has identified five crucial steps towards building trust through cybersecurity:
Treat cyber and privacy as a golden thread woven into the business;
Build internal alliances;
Reimagine the Chief Information Security officers (CISO) role;
Secure leadership support; and,
Reach out to the ecosystem.
Emerging technologies such as distributed ledger technology (DLT), quantum computing, 5G networks, artificial intelligence (AI)/machine learning (ML), and augmented and virtual reality are developing rapidly and promise to transform how businesses operate.
However, the successful rollout of future applications (connected economy, smart systems, NFT, metaverse, etc.) that rely on these technologies will likely be governed by an organization’s ability to instill trust across multiple dimensions. This means embedding security and privacy controls with transparency, reliability and integrity, the report said.
Organizations know they must become data-driven or risk irrelevance. Many are scaling AI to automate data-driven decision-making, but AI brings new risks to brand and profitability.
The technology has the potential to drive inequality and violate privacy, as well as limit the capacity for autonomous and individual decision-making.
“You can’t simply blame the AI system itself for unwanted outcomes. Trustworthy, ethical AI is not a luxury, but a business necessity. Growing numbers of business leaders recognize this, but trust is not secured without effort or challenges,” stated Ton Diemont, Head of Cybersecurity & Data Privacy at KPMG in Saudi Arabia and Levant.
He stated that trustworthy AI can only be achieved with a holistic, technology-agnostic and broadly endorsed approach to awareness, AI governance and risk management.
Globally, the growth of cybersecurity and privacy regulation is accelerating. More than 137 countries now have some form of data-protection regime, often claiming extra-territorial jurisdiction over services offered in the country or the data of citizens of that country.
More mature privacy regimes are moving into a second generation of regulation while confronting new privacy challenges driven by technology adoption, Diemont said, indicating discussions about the regulation of AI are now being formalized in draft legislation.
In addition, countries are implementing increasingly strict critical infrastructure cybersecurity regulations as concerns grow around attacks on industrial control systems. These regulations move from self-assessment to more directive control frameworks, including mandatory incident reporting and external audit.
Regulators are also being more prescriptive in their control frameworks, while also seeking to reinforce the independence of the CISO and their role in setting internal control standards, the report stated.
Corporate requirements for transparency over cyber risks are under debate, along with growing requirements for the disclosure of ransomware incidents.
Companies should invest in automating compliance monitoring and reporting; maintain a regulatory watch; and consider privacy and security regulatory trends when developing new services and products, advised Diemont.
Organizations embracing the ESG agenda can earn their customers’ trust and reinforce their brands’ strength. In today’s digital world, boardrooms, investors, regulators, customers, and the wider public expect transparent reporting on the organization’s cybersecurity and privacy posture.
Stakeholders want to feel confident that boards and executives appreciate the social implications of striving to ensure the resilience and integrity of critical services, while protecting the information they hold in trust.
In the KPMG Cyber trust insights 2022 survey, almost half of the respondents (44 percent) say that collaboration on cybersecurity across the broader ecosystem will help them anticipate attacks.
Although collaboration may be desirable, it’s not always straightforward. More than one-third of respondents (38 percent) say that privacy concerns stand in the way of external cybersecurity partnerships, and 36 percent worry about revealing too much about their own security arrangements. Other problems include regulatory restrictions, lack of support from the C-suite and lack of resources.
According to the KPMG report, CISOs are now in a position to play a crucial role as enablers. By operating as one of the organization’s ultimate guardians of trust, they can be a driving force for its success.
“CISOs themselves recognize what is at stake,” Diemont noted, adding more than three-quarters of respondents (77 percent) say increased trust is a key objective of their cyber risk programs.
Forty-five percent of C-suite respondents now see the CISO as a key executive and the profile of the CISO role has grown rapidly over the last five years, driven by digital transformation, growth in cybercrime, and rising regulatory expectations, he stated.
