Audio Quick Take: KPMG’s Fred Rica on How Cybersecurity Teams Can Evolve to Keep Organizations Resilient and Competitive

The former racing driver Mario Andretti famously said, “It’s amazing how many people think that brakes are for slowing the car down.” And he was right—brakes are for making the car go faster, safely. Fred Rica, KPMG cybersecurity services principal, feels this perfectly sums up the role of cybersecurity in today’s organizations—to enable them to enjoy the fullest benefits of digital transformation while managing the many risks.

Covid-19 has magnified both the opportunities and the threats of digitization. Organizations have made incredible strides in remote working and collaboration for employees as well as in improving the digital customer experience. But this has also reminded us that physical perimeters no longer exist. With increasing reliance on third parties and the proliferation of the internet of things and other devices, cybersecurity now involves complex ecosystems with a dramatically increased threat potential. In a marketplace where speed to market is essential, cybersecurity teams are now responsible for building trust and resilience by forging a pragmatic security culture and helping embed security by design thinking into every aspect of digital infrastructure and data. To do this, they must see themselves as enablers and facilitators, helping others deliver services and brands that deserve cyber trust among customers, employees, and society at large.

Todd Pruzan, HBR

Welcome to the HBR Audio Quick Take. I’m Todd Pruzan, senior editor for research and special projects at Harvard Business Review. Here with me today is Fred Rica. Fred is a principal in KPMG’s Cybersecurity Services Practice and has significant experience in cybersecurity and technology risk management. He’s a nationally recognized authority about information security, and he’s performed or managed hundreds of security assessment, design, and implementation projects in large and complex processing environments. Fred, thanks so much for joining us today.

Fred Rica, KPMG

It’s great to be here. Thank you.

Todd Pruzan, HBR

CISOs need to speak the language of the C-suite, so can you tell us about the specific actions CISOs need to take to earn their place in the C-suite?

Fred Rica, KPMG

Many times, we find that CISOs talk a technical language, and it’s a language that C-suite executives and board members simply don’t understand. When they start talking about firewalls and blockages and IPS and IDS, typically, executives’ eyes roll back in their heads. What modern CISOs must be able to do is translate that technology into the context of the business. This means talking about the risks that the business might face, what we put in place to mitigate those risks, and what risks we might be leaving on the table.

It should all be tied to: How do we help grow the business? How do we help enable business strategy? We have that great saying from Mario Andretti about you don’t have brakes to go slow, you have brakes so you can go fast. Modern CISOs must be able to talk about how those brakes are going to help the business grow—how they’re going to help the business achieve its strategic objectives.

Many times, when I counsel boards, one of the things I say sort of half-jokingly is if your CISO comes in and says the word “firewall” in their presentation, you need to fire them. They’re talking the wrong language. They’re talking technology. They’re not talking business enablement, and that is what separates today’s modern and more effective CISOs from their predecessors. Those are the CISOs that earn their place in the C-suite.

Todd Pruzan, HBR

The makeup and nature of tomorrow’s security team are rapidly changing, creating a serious gap in the available talent pool of cyber professionals. In addition, working from home and the gig economy are making cyber hiring and retention a challenge. So, what can CISOs do to close that gap and ensure a robust and talented cyber team?

Fred Rica, KPMG

There is a real gap right now in cybersecurity talent. There is essentially negative unemployment. There are more jobs than there are qualified people, and so recruiting, attracting, and retaining cyber-skilled people are enormous challenges for everybody right now. Then when you start to look at what the pandemic has done to the traditional models of work, when you think about the gig economy, when you think about a generation of workers that perhaps is not as interested in a 10-, 20-, or 30-year career as their predecessors might have been, that creates some real problems in making sure that we’ve got enough of the right types of people. Modern CISOs need to start thinking about different staffing models, about different engagement models, and about different ways to make sure that they’ve got the right resources on their team.

It’s easy to envision almost everybody in a contractor scenario, where CISOs can start to pull from a trusted talent pool. If you could imagine a pool of people who are vetted by other people and are deemed trustworthy, well, then you’ve got access to a pool of resources that you can bring onboard and offboard as you need them, right? You have surge capacity. You have specific skills that you might only need for a discrete period, and so smart CISOs are starting to look outside the traditional hiring models. And they’re starting to look at other models whereby they acquire on-demand resources, and they know those resources are trustworthy and it helps them to fill that gap, not only in the short term but probably over the long term as well. So, they operate with a core group of people, but they expand and contract by using “everybody’s a contractor” in a more aggressive way than they are today.

Todd Pruzan, HBR

Covid-19 and working from home have shown how quickly disruption can accelerate and dramatically affect an organization’s risk profile. It’s forced us to rethink our risk tolerance. So, what can CISOs do to anticipate and embrace continued disruption?

Fred Rica, KPMG

It’s clear we’re heading toward a very hyperconnected world. When you start to think about the internet of things and connected devices, when you start to think about the power of technology, [about] things like 5G networking, it’s going to massively increase efficiency. It’s going to enable radically different ways of doing business, which is great, but it’s also going to open organizations to new attack surfaces, new types of attacks, and new privacy concerns.

So, forward-looking CISOs are going to have to do a couple of things. One, they’re going to have to understand this change is coming—and whether they want it or not, it’s coming. They need to be ready for it. They need to be ready to shift to it. They need to start thinking about models where they’re much more data-centric. In the past, we used to talk about perimeters, and we used to talk about identities. I think, in the future, we’re going to talk more about data-centric models. There will be a lot of technology that comes along with this. We hear things like zero trust and continuous red teaming, more use of automation, machine learning, artificial intelligence—all those things are going to be important. But the most important things are to recognize that the business model is rapidly changing, being able to assess the new threats and the new vulnerabilities that this will present, and then being able to leverage new technology to help address those threats and address those risks. And again, like we talked about at the beginning, being able to help the business move forward, work more efficiently, grow faster, and meet its strategic objectives.

Todd Pruzan, HBR

It’s hard for CISOs and organizations to go it alone in today’s hyperconnected world, where new threats and risks are emerging at a previously unheard-of pace. What are some of the ways CISOs can use a broader ecosystem to help secure the enterprise?

Fred Rica, KPMG

Whether you like it or not, your organization is now part of a very complex ecosystem. You’ve got suppliers. You’ve got partners. We’ve talked for many years about the lack of a perimeter, so the shared services and the shared data that you’ve got with all these third parties are important ways we do business now, but they also present a new set of risks.

In the past, we used to talk about contracts and liability models, but they just don’t really seem to work in this rapidly evolving, growing supply chain. We’re seeing more and more threats coming at organizations from third parties and from even fourth parties. Forward-looking CISOs need to start thinking about: What does the new partnership model look like? How do I understand in a much more intimate way than I did in the past? Who am I doing business with? What kind of risks do they present to my organization? What types of data are they handling for me? What types of transactions are they processing on my behalf? Do I truly understand the risks that my ecosystem presents to me, and am I putting the right controls in place to not only mitigate that risk, but to monitor it on a continuing basis?

A lot of times what happens is a third party or a partner that we work with today that’s relatively low risk, over time may become higher and higher risk for us. We’ve seen many organizations have problems because they haven’t done that continual assessment. They don’t have an updated understanding of the risk that ecosystem presents to them. The fact of the matter is you can’t go it alone anymore. Your ecosystem is going to continue to expand at an exponential pace, and so different models of assessing that risk, monitoring that risk, and managing that risk over time are what’s going to separate the good CISOs from the CISOs that might have problems.

Todd Pruzan, HBR

Cybersecurity training and awareness are no longer a one-and-done, and T-shirts and coffee mugs don’t cut it anymore. How can CISOs embed cybersecurity in the organization’s DNA and make thinking about cyber a process and not an event? How do we go from conscious act to habit?

Fred Rica, KPMG

Modern CISOs need to be much more sophisticated communicators than they were in the past. They need to be evangelists for their cybersecurity program. We know from empirical data that effective cybersecurity training and awareness greatly reduce the risk, the likelihood, the cost, and the impact of a cyber event. So, it’s not enough to give out a T-shirt and a coffee mug once a year. What we really need to start thinking about is: How do we build a brand around our cybersecurity program? How do we get people to buy into the mission? How do we get them excited that cybersecurity is important, and they play a huge role in protecting the company?

What we have found is modern programs that are highly effective have a couple of things in common. One is a recognition that adults learn differently than children, and so you need a program that’s built on adult learning styles. We know that things like gamification, augmented reality, virtual reality—that type of delivery mechanism—can be enormously impactful. It gets people excited to participate in the training.

If you ask people if they’re looking forward to their training, not many hands get raised. But when you start adding things like games and automation, people really get excited about that. Ultimately, what we have found is that we should make training personal for people. Really good programs today not only teach people how to protect the company, but in the work-from-home, post-Covid-19 environment, where everybody is the CISO of their house or their home, programs should also take that into account and show people how to protect their families—how to protect your children, who are probably online more than usual; your parents who might live with you, who are online more than usual; going to school remotely. When programs start to take that into account and we show our people that we care about them personally as well, we know that that translates back to a stronger desire to protect the company.

That persistent and consistent message of we’re all in this together, it’s part of a mission, it protects the company, and it protects you personally, [that] takes those programs to a more modern level and makes them much more effective against all the new and emerging threats that we continue to see.

Todd Pruzan, HBR

Fred Rica from KPMG, thank you for joining us today.

Fred Rica, KPMG

My pleasure. Thank you.

If you’d like to learn more about how KPMG helps clients earn the trust of stakeholders, visit read.kpmg.us/trust.
