Building inherent trust, ensuring the ethical use of data, and developing a cyber incident response strategy are key areas that boards and executives should focus on when dealing with cyber security challenges, according to research from KPMG.
KPMG’s Australia Cyber Security Insights 2022 report examines how boards and executives from a cross section of Australian businesses are dealing with cyber security challenges, and what they need to do to be effective in responding to cyber threats.
Inherent trust:
According to Gergana Winzer, partner enterprise advisory – cyber services at KPMG, the concept of inherent trust, which first emerged from Stephen M.R. Covey’s book ‘The Speed of Trust’, refers to developing a culture of transparency and collaboration to drive performance and innovation.
“I believe that ability to create inherent trust becomes the imperative for organisations that want to perform long term as a consequence an effort in that direction is required to produce those extraordinary results,” Winzer told iTnews.
The KPMG report reveals that more than a third of respondents see better customer and employee retention, stronger commercial relationships with stakeholders and improved profitability as a result of increased trust.
Winzer believes that CISOs play a “huge role” in building inherent trust, while also largely assuming responsibility when protection, detection and response mechanisms fail in response to a security incident.
“This is where we need to ensure the CISO is actually empowered to have those required, thorough conversations and to sit on the appropriate committees and leadership seat so that they can provide their guidance and be able to build that trust internally,” she said.
According to Winzer, one of the most surprising results from the report, is that 44 percent of executives doubt that the board has a ‘high trust’ relationship with the CISO.
Ethical use of data:
The increasing reliance on technologies such as artificial intelligence (AI), big data, and advanced analytics has made personally identifiable information and critical data vulnerable to risks such as cyber threats, espionage, and unethical usage.
To ensure the responsible usage of AI while still recognising the potential of technology to improve productivity and offer more inclusive services across industries, the Australian government has developed the AI Ethics Framework.
According to the KPMG report, 80 percent of respondents believe that AI and ML adoption creates unique cybersecurity challenges, and more than two-thirds of respondents felt the need for monitoring, increasing transparency, managing privacy concerns, and implementing careful governance and oversight when adopting AI/ML solutions.
According to Winzer, “This is a broad problem to face as AI starts entering our lives even more. One of the ways to [ensure the ethical use of AI] is to ensure the people in the organisation are aware of their biases and do not transmit those unknowingly to the algorithm supporting their business functions.
“A part from the bias there are other ethical aspects around the use of AI that are still being uncovered and I think we will need a lot of reflection and time to be able to solve this dilemmas.”
Cyber incident response strategy:
A cyber security incident response plan (IRP) outlines the key steps for an organisation to follow in the wake of a cyber emergency. The report reveals that a successful IRP outlines the involvement of key stakeholders including the CISO and the board, and their roles and responsibilities following an attack.
According to Winzer, an effective cyber security response strategy includes a number of phases: preparation, detection and investigation, containment and remediation, recovery and reporting, and learning and improvement.
“All of those underpinned by effective internal and external communication,” she said.
It is crucial for organisations to examine their cyber response strategy to gain technical expertise and plug the gap as soon as a cyber incident is detected. Having a well-designed and tested IRP in place can minimise the impact of a cyber attack and aid in the swift recovery of business operations.