The fourth industrial revolution is both enabling vast business innovation and creating sizable cyber security risks. KPMG’s 2016 Global CEO Outlook presents CEO views on their actions and readiness to mitigate business cyber risks.
“When we went through the third industrial revolution, we failed to secure the Internet effectively, but have we learned our lessons?” asks Malcolm Marshall, Global Head of Cyber Security, KPMG International.
The fourth industrial revolution, the age of the Internet of Things, machine learning, cognitive computing and artificial intelligence, increases the security risks exponentially. If not secured from the beginning, the consequences may be measured in lives lost, not just money lost.
According to KPMG’s 2016 Global CEO Outlook, the world’s leading CEOs are beginning to learn the lessons from the third industrial revolution and, going forward, they recognize the risks of the new wave of technologies.
Cyber security is the top risk named by CEOs this year (30 percent), up from the fifth highest ranked last year.
CEOs enter this new era with some trepidation. Eighty-five percent are concerned about having to consider the integration of basic automated business processes with artificial intelligence and cognitive processes.
Depending on the type of company, cyber security does not need to be the CEO’s direct responsibility, but there needs to be somebody on the executive team who has clear responsibility for cyber security.
To be able to thrive in the fourth industrial revolution, companies need mainstream cyber capabilities: people in all parts of the organization who understand cyber issues. Each major decision needs to be looked at through the cyber security lens.
Seventy-two percent of CEOs are not fully prepared for a cyber event, significantly higher than in 2015 (50 percent). In interviews CEOs frequently said: “We are as prepared as we can be” or “You can never be fully prepared.”
Marshall thinks that the level of CEO apprehension highlighted by the KPMG survey shows understanding of the complexity and unpredictability of cyber security. “The CEOs we speak to increasingly understand that while they might not personally be the expert, they will be held accountable if there is a major problem. They recognize the need for senior people they trust to equip their organization to withstand the cyber-test.”
How to prepare? By practicing the ability to respond to cyber events. Companies need an ability to be agile and deal with the unexpected. Often organizations that can deal with the unexpected in a business sense and have more effective governance are better prepared for cyber events. Being agile enough to respond to a cyber event often depends as much on an organization’s governance as on its technology capability.
Cyber security is not just a cost, it is also a revenue driver. The survey reveals that cyber security is correlated with performance. More CEOs from top-performing companies believe that they are fully prepared for a cyber event.
What is the correlation between cyber security and growth? It starts with confidence. “If you have close to 100 percent confidence that your organization is able to build new digitally enabled services that have a very low risk of being compromised, you are likely to be much more ambitious in what you do,” says Marshall.
Eighty-two percent of CEOs are concerned that their customers may be more worried about their privacy than their organization is. As the volume of data grows exponentially, so do the opportunities to use it. Typically, when services are free, businesses make money from the data, and the consumer becomes, in effect, a product. Customers are beginning to recognize the value of data and see it as part of a transaction.
As customers better understand the amount of data that is collected on them, and how companies are using it, there is a danger they will hit back. “With CEOs recognizing the importance of privacy, we are turning a corner towards a more open and transparent approach,” says Marshall.