Salma Mohamed is a consultant in the Digital Risk team and has been employed at KPMG for a year. Salma started her consulting career as a part of the KPMG Challenger Academy and is also co-leading The Graduate Network!, a networking group for Graduates across major companies in Denmark. She works primarily on advising clients on their cybersecurity and data privacy and has a background in computer science and engineering, specialising in cybersecurity.
How does KPMG work with cybersecurity and digital risk?
Salma: My team focuses on three different expertise areas: cyber and information security, governance risk and compliance, and forensics. My role is to ensure that our clients are maturing into cybersecurity regulations – NIS2 for example. I basically work on bringing clients from zero or little security to, at the very least, compliance. We also sometimes work with incident responses when companies get hacked and support them in handling the risk.
Our work spans across attaining the external regulatory requirements as well educating employees internally. We’ve had projects where we ran internal phishing campaigns to raise people’s awareness on cyber risks and how easy it is to be fooled. This part is so important because it doesn’t matter how many systems or technologies you have in place to protect your company against a cyberattack - it’s a human who will break the security first.
That’s why I spend most of my time in a project on communication: flagging risks and translating those risks into a business perspective that anyone can understand, to then make plans and map out the way to get to the best security for the client.
"If your employees aren't cybersecurity aware, you will be hacked"
What starts the conversation about cybersecurity at companies?
Salma: Two things: actually getting hacked, and regulation. It’s always interesting to see how fast budgets can be re-allocated once the damage is done. Luckily, the entire business doesn’t shut down if a company gets hacked, but the reputational and financial damage it creates are enough to shift priorities in the right direction.
And then there's the regulation. Companies fear fines - 4% of your annual turnover or 20 million euro if you are not in compliance with GDPR rules! So, when a regulation comes up, that’s when companies start scrambling. And of course, pressure to reinforce one’s cybersecurity also stems from customers: Have you been hacked? Then I can't trust you anymore.
An important note on the regulations: they increasingly state that the CEO and leadership will be personally fined if an attack happens, and it makes sense since they are often the ones to be targeted. So, the cybersecurity strategy and processes need to be owned at the top, and not by the IT team. But I think in general, there is a growing awareness about cybersecurity coming from every part of an organisation. Everyone is liable when it comes to cybersecurity.
What is something that you'd like to challenge our perspective on?
Salma: I’ll narrow it down to 2 points.
1. We’re not all hackers! Some people working in cybersecurity don’t even have a technical background. For example, psychologists work with us to understand why people click on the links that are sent because there is so much psychology that goes into humans making these mistakes. As humans, we trust very easily and it can be difficult to find the right level of trust-risk balance to both protect people and organisations, but also to make their everyday life convenient. Also, a hacker would probably struggle to communicate with leadership, because leadership wants to know how much things cost, not how the computer works. So, hacking skills are nice to have, not a necessity.
2. If your employees aren't cybersecurity aware, you will be hacked. We learn a lot from hackers by tracking what they hack and how they do it, and while we always strive to keep them out of reach, the truth is that hackers will always be a step ahead of the organisation or person they want to attack. Breaches also happen when people are neglecting basic cybersecurity protocols. Do you know not to put your password on a post-it? Will you still do it? It’s difficult to fight human instincts. I’ll admit it, I’ve once clicked on a phishing link – it just looked so legitimate! There needs to be a lot of emphasis into cyber and information security with the employees for them to understand that they have big part to play in keeping everyone safe.
What difference does cybersecurity make for companies?
Salma: Cybersecurity breaks or makes companies, that’s how much of a difference it makes. It’s a competitive advantage for some industries, and an absolute requirement for others. For energy, telecommunication and financial industries that operate on a national and critical infrastructure, a breach to their security could essentially damage what's happening internally in Denmark. A single hour of disruption can cost so much, both financially and on a reputational level. Cybersecurity protects sensitive data, prevents breaches, maintains customer trust and, depending on the organization, protects national and critical infrastructure.
What do you love the most about your job?
Salma: I fell in love with cybersecurity because it combines the two things I really like: computers and how to keep us safe. It’s exciting to work with a field that is so dynamic and constantly evolving. I get to see the effects of my work on the people who benefit from it in a very direct way.
I’ve always had a knack for IT and I’m driven by learning something new every day, so getting to interact with different clients and improving my skills from one project to the next is what I love the most about being a consultant at KPMG. There’s constant growth and I am keeping up with my education internally by taking courses and getting certified. I didn’t think I was going to enjoy being a consultant at first, but it’s completely up my alley.
I am really motivated to create an impactful change by helping organisations and empowering people to navigate safely in a digital world - for me, for my kids and for the next generation.
"Interacting with different clients and improving my skills from one project to the next is what I love the most about being a consultant at KPMG"
Salma Mohamed
Consultant, Digital Risk
KPMG in Denmark
