KPMG on Key Cybersecurity Considerations for 2020

KPMG’s Take on Key Trends and Requirements for Enterprise Cybersecurity for 2020 and Beyond

In its 2020 annual cyber considerations report, KPMG highlights six major cybersecurity trends and requirements that should occupy the minds of enterprises over the next 12 months. These trends come from interactions with its major clients.

The essential considerations discussed in the latest report (PDF) are: automating essential tasks; improving the consumer authentication experience; preparing for new cloud threats; improving the business acumen of the security team; aligning business and security; and preparing for more regulation.

Many of these revolve around one central paradigm: the flight to the cloud.

“KPMG believes,” Steve Barlock, principal at KPMG LLP and lead for cloud and AI, told SecurityWeek, “we are at an inflection point with cloud and cloud take-up. The evidence we’re seeing in the market with our customers is that they are generally moving into the cloud at scale, and moving some of their more sensitive applications and workloads into the cloud.”

This move is complicated by insufficient understanding of the new threats that will affect the new technology. “There is a real skills gap,” he continued. “In cybersecurity in general, this has persisted for many years — but it’s even worse where cloud is concerned. We’re finding a major skills gap around the cloud native security stacks of each of the major cloud service providers (CSPs).”

This is further exacerbated by each of the major CSPs (Azure, AWS and Google) using different underlying technologies. At the same time, a cloud-only approach to infrastructure is not feasible for the majority of existing, large companies. Skills in existing on-prem data center technologies will need to be maintained alongside growing knowledge of the cloud technology stacks.

A multi-cloud approach is without doubt more difficult and less secure than focusing on a single CSP — but there are often good economic reasons (costs, business continuity, avoiding single supplier lock-in) to go the multi-cloud route. As a result, a major factor in preparing for cloud threats is to increase the cloud skill level of the security team, whether that is with additional staff or upskilling existing staff — without diminishing the existing skill levels for on-prem technologies.

Cloud technology skills are not the only new requirement for the security team. As business transformation or digitization proceeds and the pace of business increases, it is more important for business and security to be closely aligned. At the overarching strategic level, this will be driven by the CISO and the CISO’s relationship with the business leaders. KPMG also suggests that it can be aided by automating security operations center playbooks, fraud decisions and cyber responses through partnerships with leading cloud and security information and event management providers.

Barlock also calls for “automation in the build process through devops.” He believes that automation is a friend of security, “to the extent that you can reduce manual configuration in that environment and automate builds. On the operation side,” he adds, “you have the potential to automate controls and monitoring on the backend. I think that is going to be a key technique for handling the scale that comes with cloud.”

While the overall business alignment strategy might be down to the C-suite, KPMG further notes it expects to see the whole security team becoming a more strategic, forward-looking resource for the organization. To achieve this, the business acumen of the team needs to be improved. “Security teams,” it suggests, “should regularly communicate with business leaders about what the organization needs to worry about in today’s evolving ecosystem.”

Outside of cloud specifics, KPMG sees two further areas that need to be given careful consideration. The first is the increasing level of regulation, which KPMG expects to continue. “Companies should institute ongoing testing of regulatory compliance programs – in terms of design, implementation and effectiveness – to identify where improvements are needed,” it warns. KPMG suggests the CISO should be tightly integrated with someone in the company, such as the CRO, CFO or deputy CEO, who has a broad understanding of the company’s operating model.

The second is consumer authentication. For many years, the drive in authentication has simply been to make it more secure at almost any cost. But consumer habits are changing, and consumers are increasingly moving to online commerce. Brand loyalty online is more fickle than off-line — and consumers will readily change brands based on their purchasing experience.

“Brick and mortar is slowly disappearing, and whoever reigns supreme in terms of the digital customer experience is likely to enjoy the greatest market share,” notes the report. That digital experience starts with the authentication process. The greater the friction caused by authentication, the less likely it is for the customer to remain loyal. “Having a PIN sent to a mobile device via a text message that has to be reentered and confirmed is friction.”

“Organizations will spend a lot of effort in trying to reduce the friction on user authentication, and trying to use a user-friendly design,” said Barlock. “Consumer experience around authentication is going to become very important in 2020. This implies a rethink of technology, biometrics, user behavioral habits, and other subtle means to identify the user — and maybe stepping up authentication for the sensitive transactions to apply more security and more control. I think rethinking the entire structure of how authentication happens and what makes a good user experience is a growing necessity.”

There is no easy solution, he added. “For every security technique developed, there are ways to circumvent things. But password-only login is not enough, and additional factors need to be implemented without increasing the user friction beyond user acceptability.”
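As an added illustration of the step-up idea Barlock describes (this is example code written for this page, not anything from KPMG or its report), the following Python sketch decides which extra factors a customer must complete for a given transaction. Silent signals such as a trusted device or a matching behavioral profile raise assurance without friction, so the visible prompt (biometric, or a retyped SMS code) is only added when the transaction's sensitivity demands it. The factor names, friction and assurance weights, and transaction thresholds are invented for the example.

```python
from dataclasses import dataclass

# Friction each factor imposes on the user (0 = silent, higher = more typing/waiting).
# Values are illustrative assumptions, not measured figures.
FRICTION = {
    "password": 2,
    "trusted_device": 0,   # possession signal checked silently
    "behavioral": 0,       # typing/navigation profile compared silently
    "biometric": 1,        # platform fingerprint/face prompt
    "sms_otp": 3,          # code sent by text and retyped by the user
}

# Assurance each factor contributes once it checks out (illustrative).
ASSURANCE = {
    "password": 1,
    "trusted_device": 1,
    "behavioral": 1,
    "biometric": 2,
    "sms_otp": 2,
}


@dataclass
class Session:
    """What the site already knows about this logged-in customer."""
    device_trusted: bool      # device previously enrolled by this account
    behavior_matches: bool    # behavioral profile agrees with the account's history
    biometric_capable: bool   # device can show a platform biometric prompt


@dataclass
class Transaction:
    kind: str                 # "browse", "purchase" or "change_payout_account"
    amount: float = 0.0


def required_assurance(tx: Transaction) -> int:
    """Sensitivity of the action decides how much assurance we need (assumed thresholds)."""
    if tx.kind == "browse":
        return 1
    if tx.kind == "purchase":
        return 2 if tx.amount < 100 else 3
    if tx.kind == "change_payout_account":
        return 4
    raise ValueError(f"unknown transaction kind: {tx.kind}")


def current_assurance(session: Session) -> int:
    """Assurance already earned: the session began with a password login,
    plus whatever silent signals agree with the account."""
    score = ASSURANCE["password"]
    if session.device_trusted:
        score += ASSURANCE["trusted_device"]
    if session.behavior_matches:
        score += ASSURANCE["behavioral"]
    return score


def available_step_ups(session: Session) -> list:
    """Interactive factors this device can offer, least friction first."""
    options = ["sms_otp"]
    if session.biometric_capable:
        options.append("biometric")
    return sorted(options, key=lambda f: FRICTION[f])


def plan_step_up(session: Session, tx: Transaction) -> list:
    """Return the lowest-friction list of extra factors that reaches the required
    assurance; an empty list means the customer proceeds with no prompt at all."""
    need = required_assurance(tx)
    have = current_assurance(session)
    plan = []
    for factor in available_step_ups(session):
        if have >= need:
            break
        plan.append(factor)
        have += ASSURANCE[factor]
    if have < need:
        # No combination of factors on this device is strong enough for the action.
        raise ValueError("cannot reach required assurance on this device")
    return plan


def plan_friction(plan: list) -> int:
    """Total friction the customer will experience for a plan."""
    return sum(FRICTION[f] for f in plan)


if __name__ == "__main__":
    familiar = Session(device_trusted=True, behavior_matches=True, biometric_capable=True)
    stranger = Session(device_trusted=False, behavior_matches=False, biometric_capable=False)
    print(plan_step_up(familiar, Transaction("purchase", 500.0)))          # []
    print(plan_step_up(familiar, Transaction("change_payout_account")))     # ['biometric']
    print(plan_step_up(stranger, Transaction("purchase", 500.0)))          # ['sms_otp']
```

The design point is the one the quote makes: the same password login yields a no-prompt checkout on a familiar device but a visible challenge on an unknown one, and the most sensitive action can be refused outright when the device cannot reach the required assurance, rather than silently accepting a weaker check.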


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
