© 2017 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. NDPPS 659902
Trends accelerating the cyber landscape

1. Changing market and client needs: consumer identity and omnichannel, enhanced customer expectations, as-a-service on-demand offerings
2. Change in the way business is conducted: digital labor helps bridge the skills gap, third-party synergies in a hyper-connected world, gamification and crowdsourcing
3. Rapid technology change: artificial intelligence/cognitive, Internet of everything, identity of things, blockchain
4. External threats: nation-states, organized crime, insider threats, hacktivism
5. Regulatory compliance: privacy and the General Data Protection Regulation, data sovereignty, intellectual property protection
Reactive past: Proactive future

Security supports:
— Mobile & cloud deployments
— "Big data" analytics and BI
— Improved customer experience

Security enables:
— Virtualization & cloud platforms
— Teleworking/VPNs
— New operating systems
— Low-cost computing models
— Changing data center models

Security facilitates:
— Growth and profitability
— New product/service adoption
— Strategic sourcing
— Competitive differentiation
— Regulatory compliance

Layers of the model (from reactive, bottom-up and IT focused, to proactive, top-down and business driven):
— Infrastructure layer: physical environment, networks, servers/hosts
— Enablement layer: data, application
— Business layer: business process, corporate objectives

Shaped by industry leading practices and geopolitical drivers.
What are the two most significant gaps in your company's ability to manage cyber risk?

[Bar chart: percentage of respondents selecting each gap. Vulnerability from third parties/supply chain ranks first at 42%; the remaining categories are keeping technology systems up to date, internal/people risk, organizational awareness/culture, talent/expertise, readiness and response/containment of breaches, monitoring and reporting of cyber threats (e.g., dashboard), no significant gaps, and other. The other bars shown read 36%, 26%, 22%, 20%, 20%, 13%, 2% and 1%.]

Source: 2017 Global Audit Committee Pulse Survey, U.S. respondents
A holistic view: The cyber maturity framework

At the center of the framework: board and executive engagement & oversight
Leadership and governance

Board and executive engagement & oversight:
— Understand governance structure and meet executive leadership team
— Review output of capability assessment
— Review and approve strategy and funding requests
— Participate in general board education
— Request periodic updates of program

How does the board gain comfort? (KPIs)
— Security spend as a percent of overall IT budget
— Capability maturity review output
— Certifications within key leadership positions
— Number of board education sessions (frequency)
Human factors

Board and executive engagement & oversight:
— Set the tone for the culture
— Review patterns/trends of personnel issues
— Understand training & awareness protocols

How does the board gain comfort? (KPIs)
— Percentage of employees/contractors attending training
— Trends related to cyber from whistleblower or ethics hotline
Information risk management

Board and executive engagement & oversight:
— Understand risk management approach and linkage to enterprise risk
— Review and approve risk tolerance
— Understand third-party supplier program
— Review and question program metrics

How does the board gain comfort? (KPIs)
— Risk assessment output/linkage to ERM program
— Risk tolerance measures and metrics
— Number of "high risk" third-party suppliers and review status
— Review metric output (see other sections)
Business continuity and crisis management

Board and executive engagement & oversight:
— Understand current response capability
— Review status of overall plan maturity
— Meet with communications personnel
— Participate in table-top exercises

How does the board gain comfort? (KPIs)
— Number of mission-critical business processes with plans in place
— Number of table-top exercises (frequency) and results
Operations and technology

Board and executive engagement & oversight:
— Understand current maturity of control structure
— Review relevancy of selected control framework
— Review relevant incident trend metrics
— Meet with CIO or equivalent to understand integration of cyber and information technology trends

How does the board gain comfort? (KPIs)
— Percentage of "crown-jewel" assets included in monitoring coverage
— Risk rating of security vulnerabilities (considering asset value)
— Cyber incident trend metrics
Legal and compliance

Board and executive engagement & oversight:
— Understand regulatory landscape impacting the organization
— Clarify audit committee requirements for cyber
— Review litigation inventory trends
— Review and approve cyber insurance funding (if relevant)

How does the board gain comfort? (KPIs)
— Open regulatory and/or litigation matters
— Cyber insurance policy benchmarking with peer organizations
Key takeaways

The new mindset in cybersecurity: living with cyber risk, enterprise-wide
— Cyber as a business issue (strategy, operations, risk, regulation)
— Regular reporting/communications (KPIs/dashboard, business implications, legal/regulatory)
— Culture/tone at the top
— Coordination/best practices (industry, law enforcement)
— Incident readiness and response
The KPMG name and logo are registered trademarks or trademarks of KPMG International.
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
kpmg.com/socialmedia