KPMG’s Take on Key Trends and Requirements for Enterprise Cybersecurity for 2020 and Beyond
In its 2020 annual cyber considerations report, KPMG highlights six major cybersecurity trends and requirements that should occupy the minds of enterprises over the next 12 months. These trends come from interactions with its major clients.
The essential considerations discussed in the latest report (PDF) are: automating essential tasks; improving the consumer authentication experience; preparing for new cloud threats; improving the business acumen of the security team; aligning business and security; and preparing for more regulation.
Many of these revolve around one central paradigm: the flight to the cloud.
“KPMG believes,” Steve Barlock, principal at KPMG LLP and lead for cloud and AI, told SecurityWeek, “we are at an inflection point with cloud and cloud take-up. The evidence we’re seeing in the market with our customers is that they are generally moving into the cloud at scale, and moving some of their more sensitive applications and workloads into the cloud.”
This move is complicated by insufficient understanding of the new threats that will affect the new technology. “There is a real skills gap,” he continued. “In cybersecurity in general, this has persisted for many years — but it’s even worse where cloud is concerned. We’re finding a major skills gap around the cloud native security stacks of each of the major cloud service providers (CSPs).”
This is further exacerbated by each of the major CSPs (Azure, AWS and Google) using different underlying technologies. At the same time, a cloud-only approach to infrastructure is not feasible for the majority of existing, large companies. Skills in existing on-prem data center technologies will need to be maintained alongside a growing knowledge of the cloud technology stacks.
A multi-cloud approach is without doubt more difficult and less secure than focusing on a single CSP — but there are often good economic reasons (costs, business continuity, avoiding single supplier lock-in) to go the multi-cloud route. As a result, a major factor in preparing for cloud threats is to increase the cloud skill level of the security team, whether that is with additional staff or upskilling existing staff — without diminishing the existing skill levels for on-prem technologies.
Cloud technology skills are not the only new requirement for the security team. As business transformation or digitization proceeds and the pace of business increases, it is more important for business and security to be closely aligned. At the overarching strategic level, this will be driven by the CISO and the CISO’s relationship with the business leaders. KPMG also suggests that it can be aided by automating security operations center playbooks, fraud decisions and cyber responses through partnerships with leading cloud and security information and event management providers.
Barlock also calls for “automation in the build process through devops.” He believes that automation is a friend of security, “to the extent that you can reduce manual configuration in that environment and automate builds. On the operation side,” he adds, “you have the potential to automate controls and monitoring on the backend. I think that is going to be a key technique for handling the scale that comes with cloud.”
While the overall business alignment strategy might be down to the C-suite, KPMG further notes it expects to see the whole security team becoming a more strategic, forward-looking resource for the organization. To achieve this, the business acumen of the team needs to be improved. “Security teams,” it suggests, “should regularly communicate with business leaders about what the organization needs to worry about in today’s evolving ecosystem.”
Outside of cloud specifics, KPMG sees two further areas that need careful consideration. The first is the increasing level of regulation, which KPMG expects to continue. “Companies should institute ongoing testing of regulatory compliance programs – in terms of design, implementation and effectiveness – to identify where improvements are needed,” it warns. KPMG suggests the CISO should be tightly integrated with someone in the company who has a broad understanding of the company’s operating model, such as the CRO, the CFO or a deputy CEO.
The second is consumer authentication. For many years, the drive in authentication has simply been to make it more secure at almost any cost. But consumer habits are changing, and consumers are increasingly moving to online commerce. Brand loyalty online is more fickle than offline — and consumers will readily change brands based on their purchasing experience.
“Brick and mortar is slowly disappearing, and whoever reigns supreme in terms of the digital customer experience is likely to enjoy the greatest market share,” notes the report. That digital experience starts with the authentication process. The greater the friction caused by authentication, the less likely it is for the customer to remain loyal. “Having a PIN sent to a mobile device via a text message that has to be reentered and confirmed is friction.”
“Organizations will spend a lot of effort in trying to reduce the friction on user authentication, and trying to use a user-friendly design,” said Barlock. “Consumer experience around authentication is going to become very important in 2020. This implies a rethink of technology, biometrics, user behavioral habits, and other subtle means to identify the user — and maybe stepping up authentication for the sensitive transactions to apply more security and more control. I think rethinking the entire structure of how authentication happens and what makes a good user experience is a growing necessity.”
There is no easy solution, he added. “For every security technique developed, there are ways to circumvent things. But password-only login is not enough, and additional factors need to be implemented without increasing the user friction beyond user acceptability.”
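The friction trade-off described above is usually implemented as a step-up policy: routine actions on a familiar device pass on the session alone, while sensitive or high-value transactions, or an unfamiliar context, trigger an additional factor. The following is an added illustration, not code from KPMG or the report; the action names, thresholds and time windows are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy values (assumptions for this example, not from the report).
SENSITIVE_ACTIONS = {"wire_transfer", "change_payee", "update_contact_details"}
HIGH_VALUE_THRESHOLD = 1000.0   # at or above this amount a fresh factor is always required
FRESH_MFA_SECONDS = 300         # how recent a second factor must be for sensitive actions


@dataclass
class Session:
    user_id: str
    device_known: bool          # device fingerprint seen before for this user
    country: str                # geolocation of the current request
    usual_country: str          # where this user normally transacts from
    seconds_since_mfa: Optional[int] = None  # None: no second factor this session


@dataclass
class Request:
    action: str
    amount: float = 0.0


def evaluate(session: Session, request: Request) -> tuple[str, list[str]]:
    """Return ("allow", []) or ("step_up", reasons) for this request.
    Contextual signals are satisfied by any earlier second factor in the
    session; sensitive or high-value actions need one within FRESH_MFA_SECONDS."""
    contextual = []
    if not session.device_known:
        contextual.append("unrecognised device")
    if session.country != session.usual_country:
        contextual.append("unusual location")

    sensitive = []
    if request.action in SENSITIVE_ACTIONS:
        sensitive.append("sensitive action")
    if request.amount >= HIGH_VALUE_THRESHOLD:
        sensitive.append("high-value transaction")

    had_mfa = session.seconds_since_mfa is not None
    fresh_mfa = had_mfa and session.seconds_since_mfa <= FRESH_MFA_SECONDS

    reasons = []
    if contextual and not had_mfa:
        reasons += contextual          # a second factor earlier this session suffices
    if sensitive and not fresh_mfa:
        reasons += sensitive           # low-friction path only if the factor is recent
    return ("step_up", reasons) if reasons else ("allow", [])
```

The point of the two windows is that a user who has just completed a second factor is not prompted again for the next sensitive action, while read-only activity on a known device never triggers a prompt at all.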