KPMG: Secure the future of your business - Malcolm Marshall
KPMG believes in proactively incorporating cyber-risk management into all business activities. Malcolm Marshall, the company's global leader, information protection and business resilience, explains why cybersecurity is not just a reactive technical fix but a solution that can drive change and secure a business's future.
As you define your business aspirations - whether they are growth, technology innovation, shareholder returns or improving business reputation - cybersecurity should be an integral part of your considerations. In our digital age, it is crucial for businesses to effectively manage cyber-risk and embrace the opportunities that good cybersecurity unlocks. An integrated cybersecurity strategy that is embedded into governance and risk management processes turns cybersecurity into a business enabler.

At first glance, cybersecurity may seem technical - anti-virus, patching systems, firewalls, passwords - but without the support of your employees and external stakeholders it simply won't work properly. Cybersecurity is the responsibility of everyone within the organisation and not just the chief information officer or the head of security.

Ultimately, accountability lies with the board. Cybersecurity is about understanding the risks of doing business in our modern world - getting the trade-off right between managing cyber-risk and digital opportunity is a matter for the board's strategic judgement, wherever the business is in its life cycle.

Risky business

As the economy becomes increasingly digital, so does crime. Businesses are being targeted through sophisticated means for many different reasons - from political espionage to financial gain, to the theft of sensitive intellectual property. Understanding the threat will allow you to take a proactive security stance that can frustrate and obstruct the attackers' progress. A better assessment of the motivations and intentions of 'hacktivists', organised criminals, nation states and insiders can enable you to tailor and test your cybersecurity strategy. In this world of 24/7 media, decisions on how to respond to cyberattacks can escalate to the C-suite very quickly and you need to be part of those exercises.

Only by really understanding the risks, embedding cybersecurity into the business, and recognising that people and security culture are every bit as important as technology, can firms really get to grips with the threat and feel free to harness future business opportunities with confidence. Moreover, as organisations become increasingly aware of the value of cybersecurity, those who manage cyber-risk by implementing an effective and responsive cybersecurity strategy will be viewed as more attractive, and less risky, partners and suppliers. This in turn will help to support revenue generation and profitability.

Recent security incidents have led to litigation, regulatory action, reputational damage and even resignations. Governments are increasingly turning to regulation to drive corporate behaviours in this area, often adopting very different approaches and seeking extra-territorial authorities. Overlaying this is the new EU data protection regulation coming into force in 2016, which will penalise businesses for information failures that result in customer data being compromised. There is too much at stake for your business to leave things to chance.

Now in its second year, the UK Government's FTSE350 Cyber Governance Health Check invites the UK's largest organisations to respond to a questionnaire that assesses and reports levels of cybersecurity awareness and preparedness. While boardroom awareness is increasing, with training and threat-intelligence briefings becoming more common, there is still more to be done to proactively manage cyber-risk as part of corporate planning.

Industry leaders need to work together; they depend on each other for products and services, but their connections to third-party suppliers must also be scrutinised to ensure that they are not the weak link in security defences. There is much to be gained by working together as a community to pool intelligence and share experience and best practice - something that KPMG facilitates through its International Information Integrity Institute (I-4) forum.

The company believes its positive approach will set organisations free to achieve and effectively negotiate the ever-evolving cybersecurity landscape. It also believes cybersecurity should be about what you can do, and not what you can't.

Malcolm Marshall, KPMG's global leader, information protection and business resilience.