State and local governments under siege from cyber threats

With both security budgets and talent pools negatively affected by the ongoing pandemic, state and local governments are struggling to cope with the constant wave of cyber threats more than ever before, a Deloitte study reveals.

The study is based on responses from 51 U.S. state and territory enterprise-level CISOs.

Key themes

  • COVID-19 has challenged continuity and amplified gaps in budget, talent and threats, and the need for partnerships.
  • Collaboration with local governments and public higher education is critical to managing increasingly complex cyber risk within state borders.
  • CISOs need a centralized structure to position cyber in a way that improves agility, effectiveness and efficiencies.

The report also details focus areas for states during the COVID-19 pandemic. While the pandemic has highlighted the resilience of public sector cyber leaders, it has also called attention to long-standing challenges facing state IT and cybersecurity organizations such as securing adequate budgets and talent, and coordinating consistent security implementation across agencies.

Remote work creating new opportunities for cyber threats

These challenges were exacerbated by the abrupt shift to remote work spurred by the pandemic. According to the study:

  • Before the pandemic, 52% of respondents said less than 5% of staff worked remotely.
  • During the pandemic, 35 states have had more than half of employees working remotely; nine states have had more than 90% remote workers.

“The last six months have created new opportunities for cyber threats and amplified existing cybersecurity challenges for state governments,” said Meredith Ward, director of policy and research at NASCIO.

“The budget and talent challenges experienced in recent years have only grown, and CISOs are now also faced with an acceleration of strategic initiatives to address threats associated with the pandemic.”

“The pandemic forced state governments to act quickly, not just in terms of public health and safety, but also with regard to cybersecurity,” said Srini Subramanian, principal, Deloitte & Touche LLP.

“However, continuing challenges with resources beset state CISOs/CIOs. This is evident when comparing the much higher levels of budget that federal agencies and other industries like financial services receive to fight cyber threats.”

The need for digital modernization amplified by the pandemic

State governments’ longstanding need for digital modernization has only been amplified by the pandemic, along with the essential role that cybersecurity needs to play in the discussion. Key takeaways from the 2020 study include:

  • Fewer than 40% of states reported having a dedicated budget line item for cybersecurity.
  • Half of states still allocate less than 3% of their total information technology budget to cybersecurity.
  • CISOs rated financial fraud as three times greater a threat than they did in 2018.
  • Overall, respondents said they believe the probability of a security breach is higher in the next 12 months, compared to responses to the same question in the 2018 study.
  • Only 27% of states provide cybersecurity training to local governments and public education entities.
  • Only 28% of states reported that they had collaborated extensively with local governments as part of their state’s security program during the past year, with 65% reporting limited collaboration.

Cyber teams are getting more involved in M&A

Despite ongoing economic uncertainty amidst a global pandemic, many dealmakers remain optimistic about the outlook for the year ahead as they increasingly pursue alternative merger and acquisition (M&A) methods to navigate the crisis and pursue new disruptive business growth strategies.

According to a Deloitte survey of 1,000 U.S. corporate M&A executives and private equity firm professionals, 61% of survey respondents expect U.S. M&A activity to return to pre-COVID-19 levels within the next 12 months.

Soon after the WHO declared COVID-19 a pandemic on March 11, deal activity in the U.S. plunged — most notably during April and May.

Responding M&A executives say they tentatively paused (92%) or abandoned (78%) at least one transaction as a result of the pandemic outbreak. However, since March 2020, possibly aiming to take advantage of pandemic-driven business disruptions, 60% say their organizations have been more focused on pursuing new deals.

“M&A executives have moved quickly to adapt and uncover value in new and innovative ways as systemic change driven by the pandemic has resulted in alternative approaches to transactions,” said Russell Thomson, partner, Deloitte & Touche LLP, and Deloitte’s U.S. merger and acquisition services practice leader.

“We expect both traditional and alternative M&A to be an important lever for dealmakers as businesses recover and thrive in a post-COVID economy.”

Alternative dealmaking on the rise

For many, alternative deals are quickly outpacing traditional M&A activity as the search for value intensifies in a low-growth environment.

When asked which type of deals their organizations are most interested in pursuing, responding corporate M&A executives’ top choice was alternatives to traditional M&A, including alliances, joint ventures, and Special Purpose Acquisition Companies (45%) — ranking higher than acquisitions (35%).

Private equity investors plan to remain more focused on traditional acquisitions (53%), while simultaneously pushing pursuit of M&A alternatives — including private investment in public equity deals, minority stakes, club deals and alliances (32%).

“As businesses prepare for a post-COVID world, including fundamentally reshaped economies and societies, the dealmaking environment will also materially change,” said Mark Purowitz, principal, Deloitte Consulting LLP, with Deloitte’s mergers and acquisitions consulting practice, and leader of the firm’s Future of M&A initiative.

“Companies were starting to expand their definition of M&A to include partnerships, alliances, joint ventures and other alternative investments that create intrinsic and long-lasting value, but COVID-19 has accelerated dealmakers’ needs to create more optionality for their organizations’ internal and external ecosystems.”

Virtual dealmaking to continue playing large role post-pandemic

87% of M&A professionals surveyed report that their organizations were able to effectively manage a deal in a purely virtual environment, so much so that 55% anticipate that virtual dealmaking will be the preferred platform even after the pandemic is over.

However, virtual dealmaking is not without its own challenges. Fifty-one percent noted that cybersecurity threats are their organizations’ biggest concern around executing deals virtually.

“When it comes to cyber in an M&A world — it’s important to develop cyber threat profiles of prospective targets and portfolio companies to determine the risks each present,” said Deborah Golden, Deloitte Risk & Financial Advisory, cyber and strategic risk leader, Deloitte & Touche LLP.

“CISOs understand how a data breach can negatively impact the valuation and the underlying deal structure itself. Leaving cyber out of that risk picture may lead to not only brand and reputational risk, but also significant and unaccounted remediation costs.”

Other virtual dealmaking concerns included the ability to forge relationships with management teams (40%) and extended regulatory approvals (39%). When it comes to effectively managing the integration phase in a virtual environment, technology integration (16%) and legal entity alignment or simplification (16%) are surveyed M&A executives’ largest and most prevalent hurdles.

“It may be too early to assess the long-term implications of virtual dealmaking as many of the deals currently in progress now are resulting from management relationships that were formed pre-COVID. We also expect integration in a virtual setting will become much more complex a few months from now,” said Thomson.

“Culture and compatibility issues should be given greater attention on the diligence side, as they pose major downstream integration implications.”

International dealmaking declines, focus on domestic-only deals

Interest in foreign M&A targets declined in 2020 as corporate executives reported a significant shift in their approach to international dealmaking, with 17% reporting no plans to execute cross-border deals in the current economic environment, an 8 percentage point increase from 2019.

In addition, 57% of M&A executives say less than half of their current transactions involve acquiring targets operating primarily in foreign markets.

Notably, the number of survey respondents interested in pursuing deals with U.K. targets dropped by 8 percentage points, while Chinese targets declined by 7 percentage points. Interest in Canadian (32%) and Central American (19%) targets remained highest.

Save-to-transform as a catalyst for embracing digital disruption

Organizations that invest in key capabilities today to navigate a post-COVID-19 business environment can position themselves to thrive in the “next normal,” according to a Deloitte survey.

The survey also found that expectations for positive revenue growth have declined significantly since the 2019 edition of the study, and two-thirds of respondents expect at least one more wave of COVID-19 relapses to occur. As a result, 66% of companies globally now expect to pursue cost reduction over the next 12 months, compared to 38% before the pandemic.

In addition, the percentage of respondents pursuing cost reduction targets greater than 10% increased by 61% (25 percentage points) compared to pre-COVID-19 levels.

The report, conducted between June and July 2020, aims to understand the short- and long-term impacts of the COVID-19 crisis on global cost management, performance improvement practices and transformation trends.

Survey results include responses from 1,089 global executives from 14 countries in the U.S., Latin America, Europe and Asia Pacific regions that have direct involvement in their companies’ cost management and enterprise transformation efforts.

Shifting cost management strategy from “Save-to-Transform”

The 2019 survey, conducted prior to the COVID-19 pandemic, found that the prevailing mindset for strategic cost management and enterprise transformation was “Save-to-Transform.”

In this approach, businesses evolve through infrastructure investments in digital technologies. In turn, these technologies can deliver dramatic improvements in competitiveness, performance and operating efficiency.

In response to the pandemic, the survey shows that organizations are evolving into a “Save-to-Thrive” mindset, in which they are accelerating strategic transformation actions specifically in response to challenges posed by COVID-19 to make shifts to their operating models, products and services and customer engagement capabilities.

“The Save-to-Thrive framework will be essential to success in the next normal as companies rely on technology and digital enablement — with a renewed emphasis on talent — to improve their plans for strategic cost transformation and overall enterprise performance improvement,” said Omar Aguilar, principal and global strategic cost transformation leader, Deloitte Consulting.

“Companies that react quickly and invest in technology and digital capabilities as they pursue the strategic levers of cost, growth, liquidity and talent will be best-positioned to succeed.”

Business challenges in a COVID-19 world

As countries responded to the pandemic by implementing restrictions such as stay-at-home orders and mandatory shutdowns, organizations began to experience demand-driven financial impacts.

According to the study, the top external challenge reported globally is a drop in consumer demand (74%), followed by a related shift in consumer behavior (67%). Cybersecurity vulnerabilities (65%) and supply chain challenges (65%) were also reported by survey respondents as top issues impacting their organizations.

In addition, industry-specific impacts are posing challenges — though they vary significantly by sector. A decline in revenue is expected by 61% of transportation sector and 60% of hospitality sector respondents, many of whose operations have been significantly curtailed by consumer demand and public health measures.

On the positive side, revenue growth is expected by 63% in the medical technology sector followed closely by telecom (58%), pharmaceuticals (58%) and software and information technology services (57%).

Finally, inability to adjust cost structure to meet demand is the top internal challenge globally and across all regions. Inability to meet employee safeguards and satisfy increased demand round out the top three internal challenges globally.

Coping with COVID-19: respond, recover, thrive

Current actions to address the COVID-19 crisis can be divided into three major stages: “respond” (immediate actions to respond to the crisis), “recover” (stabilize operations), and “thrive” (defined strategy with structural changes to thrive).

These stages culminate in a long-term operating environment we call the “next normal,” which represents new business conditions established as a result of the societal, commercial and technological changes caused by public and private reactions to COVID-19.

Today, survey respondents report that they are mostly in the “recover” phase as they respond to the immediate crisis and turn to recovery actions. The study also shows that, as organizations move through these phases, expectations for revenue growth, although down from pre-COVID-19 levels, remain somewhat positive in the “respond” stage (55%) and “recover” stage (58%).

In the “thrive” stage, the vast majority of companies globally (74%) and in all regions have a positive outlook for revenue growth, with only 24% globally expecting flat or declining revenue.

Lastly, automation has emerged as the top transformation action with about 2 in 3 companies expecting to pursue automation in all three stages of the respond-recover-thrive framework.

Succeeding in the next normal: New business conditions after COVID-19

When mapping out strategies to respond, recover and thrive, organizations should have informed insights about the future business environment. The 2020 Cost and Transformation Survey reports several trends that are shaping the next normal, including:

  • Revenue sources will be fundamentally different: According to the survey, the fastest growing revenue sources will be: digital channels; new products and services; and domestic operations.
  • IT infrastructure, remote work, and digital channels will be the top operating model priorities: The survey reports the top priorities as: enhance IT infrastructure (78%); enable remote work (76%); and enable pre-sale, sale and post-sale activities through digital channels (72%).
  • Top product strategies for the next normal focus on innovation, health and safety measures and customization: Globally, the top product strategies include: adjust, redesign or innovate your product/service offering to expand to adjacent and/or new markets (74%); leverage new health and safety measures by redesigning your current product/service offering (73%); and customize products or services to meet new customer and/or government requirements (74%).
  • Next normal customer engagement strategies will be driven by digital channels and flexible customer experiences: Globally, the most popular strategy for customer engagement will be to shift most transactions to digital channels (75%).
  • Cybersecurity and cloud will be the key technologies: Respondents report the most relevant technologies in the next normal will be cybersecurity solutions (80%) and cloud computing (80%).

“Our 2020 Global Cost and Enterprise Transformation survey shows how organizations that strategically pursue cost reduction in the wake of COVID-19, while concurrently reimagining the enterprise and transforming work and business models, can be more successful in the next normal,” said Sam Balaji, Deloitte global consulting leader.

“Investing in critical technology capabilities such as cloud and digital can increase business agility, improve competitiveness and better prepare organizations to persevere, and position them well for the post-COVID environment.”

Businesses express concerns around ethical risks for their AI initiatives

Businesses are entering a new chapter in AI implementation where early adopters may have to work harder to preserve an edge over their industry peers, according to Deloitte.

The study shows that companies at the top will be those that utilize AI to pursue creative and novel applications, actively address inherent AI risks and — as more organizations buy AI-powered capabilities — become smarter consumers of AI technology.

“Seasoned” adopters are the example to follow as the global survey of 2,737 information technology and line-of-business executives finds this category has undertaken many AI production deployments. They have also developed a high level of AI expertise across the board in selecting AI technologies and suppliers; identifying use cases for building and managing AI solutions; integrating AI into their IT environment and business processes; and hiring and managing AI technical staff.

Seasoned and skilled adopters evolve

Responding organizations were grouped into three segments, based on the number of AI production deployments undertaken and how respondents rated their enterprise’s expertise across various measures.

  • Seasoned adopters are setting the pace in terms of AI adoption maturity. This category of adopters has grown since the last survey in 2018 from 21% to 26%.
  • Skilled adopters have generally launched multiple AI production systems but are not yet as AI-mature as the Seasoned organizations. This category of adopters has grown since the last survey from 43% to 47%.
  • Starters are just dipping their toes into AI adoption and have not yet developed solid proficiency in building, integrating and managing AI solutions. This category of adopters has declined since the last survey from 36% to 27%.

“As organizations become more invested in AI, it is imperative that they have a common framework, principles and practices for the board, C-suite, enterprise and third-party ecosystem to proactively manage AI risks and build trust with both their business and customers,” said Irfan Saif, principal and AI co-leader, Deloitte & Touche.

“Our study results show that while early adopters of AI are still bullish, their competitive advantage may be waning as barriers to adoption continue to fall and more creative use of the technology grows.

“In the era of pervasive AI, where capabilities are readily available, organizations should go beyond efficiency and push boundaries to create new AI-powered products and services to be successful.” — Nitin Mittal, principal and AI co-leader, Deloitte Consulting.

Purchasing AI intelligently

As purchasing barriers have dropped and AI is more available, choosing the right technology is more important than ever. Those AI adopters surveyed tend to “buy” their capabilities rather than “build” them.

To become smarter consumers, companies should evaluate the landscape, find the most advanced AI and integrate those technologies into their infrastructure. However, the survey found many adopters lack purchasing maturity:

  • Only 47% of all adopters say that they have a high level of skill around selecting AI technologies and technology suppliers.
  • 45% say that they have a high level of skill around integrating AI technology into their existing IT environment.

Moving AI applications beyond IT and cyber security

It will likely take more creativity for organizations to differentiate themselves as AI becomes commonplace. For example, many companies are still using AI mostly in IT- and cybersecurity-related functions, which was also the case in Deloitte’s second edition of the survey. This year’s survey found:

  • Forty-seven percent of respondents indicated that IT was one of the top two functions for which AI was primarily used.
  • When asked to identify the top two benefits they were seeking from AI, respondents’ top choices were “making processes more efficient” and “enhancing existing products and services,” the same as the last survey.
  • Top business functions for AI applications, such as marketing, human resources, legal and procurement ranked at the bottom of the list.
  • However, there are signals that AI may be expanding as respondents rated “creating new products and services” as the third-highest overall AI benefit.

Managing risks: Advocating for trustworthy AI

Despite strong enthusiasm for their AI efforts, the majority of adopters only feel somewhat prepared to address AI risks — from unintended bias to determining accountability — and not enough are implementing specific practices to address them. In fact, survey respondents rank managing AI-related risks as the top challenge for their AI initiatives.

Adding to this trust concern, many adopters feel underprepared and that these risks may impede their AI efforts:

  • More than half of adopters surveyed report “major” or “extreme” concerns about potential risks for their AI initiatives, while only four in 10 adopters rate their organization as “fully prepared” to address them.
  • While cybersecurity remains the most worrisome AI risk for adopters, AI failures, misuse of personal data, and regulatory uncertainty are also top areas of concern.
  • Fifty-six percent agree that their organization is slowing adoption of AI technologies because of the emerging risks, and the same proportion believe that negative public perceptions will slow or stop adoption of some AI technologies.
  • Fifty-seven percent of adopters have “major” or “extreme” worries about how new and changing regulations could impact their AI initiatives.

Rising threats call for primary cyber resilience, new strategies for governments

Cybercriminals are holding governments hostage more frequently, expanding their attack base, and asking for more money, according to a report released by Deloitte.

The study explores the rising trend in ransomware attacks on state and local governments. It also discusses the dilemma of paying or not paying criminals, with the risk of losing access to critical data or the ability to provide services. Government organizations can take simple steps to secure information technology infrastructure and improve resilience.

“State and local governments should live and plan with the reality that their critical systems and data will be attacked,” said Srini Subramanian, principal, Deloitte & Touche LLP, and cyber state and higher education sector leader.

“Even with cyber insurance and preventive measures in place, the growing frequency and sophistication of attacks calls for government entities to perform cyber health checks and revisit resilience strategies. The effort more than pays off.

“Governments can be better positioned to defend against catastrophic events that are expensive to recover from and could impact public safety and trust.”

In 2019 alone, governments reported 163 ransomware attacks, with more than $1.8 million in ransoms paid and tens of millions of dollars spent on recovery costs, a nearly 150% increase in reported attacks from 2018.

According to the report, refusing to pay ransom demands may be the principled option, but it also may be far more expensive. For example, the city of Baltimore refused a $76,000 ransom demand, only to suffer over $18 million in recovery costs and lost revenues.

Sensing the vulnerability of state and local governments, criminal enterprises are demanding nearly 10 times what they demand from commercial entities.

Key considerations for organizations

  • Smarter systems architecture – Many state and local governments have deferred IT modernization, which leaves governments with increasingly vulnerable networks and systems.
  • More prepared workforce – Governments should look to creative human capital approaches to train, retain and share more qualified cyber talent as well as private-public-higher education partnerships to effectively tackle cyber security.
  • Better cyber hygiene – Attention to details such as timely software patches and updates, regular system back-ups and regular training for all staff can help to reduce risk. Organizations also should look to compartmentalize data and develop air-gapped system back-ups to limit the scale of a breach.
  • Cyber insurance usage scenarios – The use of cyber insurance can be an effective strategy for governments to contain the cost of attacks. However, those that use cyber insurance to fund ransom payments may unwittingly increase the incentives for criminals by increasing the likelihood of a big payday. Build scenarios for when to leverage cyber insurance.
  • Practiced response – Governments should practice responding to cyber incidents with wargames and simulations, involving business and program leaders so they understand the threats and their roles in response and recovery.

“Connected devices, digital systems and integrated data mean governments have the opportunity to serve people and communities like never before,” said Deborah Golden, principal, Deloitte & Touche LLP, and cyber risk services leader.

“It also means there is a large surface for cybercriminals to attack local governments and hold sensitive citizen data hostage. Government officials need to understand the risk involved if their systems and data were suddenly gone or rendered useless.”

Photos: RSA Conference 2020, part 2

RSA Conference 2020 is underway at the Moscone Center in San Francisco. Check out our microsite for the conference for all the most important news. Part one of the photos is available here.

Here are a few photos from the event. Featured vendors include: Tenable, Ping Identity, PKWARE, eSentire, Deloitte, Securonix, and Futurex.

Are businesses prepared for an extinction-level cyber event?

In an era of technological transformation and cyber everywhere, the attack surface is growing exponentially as cyber criminals attack operational systems and backup capabilities simultaneously in highly sophisticated ways, leading to enterprise-wide destructive cyberattacks, a Deloitte survey reveals.

A majority of C-suite and executive poll respondents (64.6%) report that the growing threat of destructive cyberattacks is one of the top cyber risks at their organization.

It’s time for senior leadership to modernize risk management programs and solutions to keep pace with current threats and technologies, and to incorporate new educational tools, technical solutions and business strategies.

A truly viable cyber resilience program can benefit an organization’s ability to recover, respond and be ready for a destructive cyberattack. Over a quarter of respondents (27.2%) believe a comprehensive approach to cyber resilience would most improve their organizations’ approach to addressing these potential extinction-level events.

Why it matters

The well-publicized NotPetya attack, for example, spread beyond its intended target in seconds, and highlights how cyberattacks can compromise countless devices and spread across global networks in seconds, rendering servers and endpoints inoperable.

From destructive malware to the growing threat of ransomware, attacks like these can propagate quickly and extensively impact an entire enterprise network.

Even organizations with fundamentally sound risk management programs will need to adapt to emerging and elusive cyber risks and the destructive impacts they present. Improving cyberattack readiness, response, and recovery will require a new approach to many traditional risk domains.

Why are these attacks so successful?

  • Poor access management: A fundamental issue that is pervasive and is often the open door through which a destructive attack will initiate and spread.
  • Weak cyber hygiene: Poor cyber hygiene has a direct impact on enterprise security and can be most commonly seen in the form of missing patches, misconfigurations of systems, partially deployed security tools, poor asset discovery and tracking.
  • Poor asset management: This can happen when organizations have no knowledge of specific applications, operating systems, or other device information, and the relationship between those applications.
  • Flat networks: Flat networks allow an adversary to easily maneuver to any system. Minimal segmentation and zoning allow for lateral movement, expanding the adversary’s reach into the enterprise.
  • Aggressive redundancy: Traditional recovery results in aggressive data redundancy for critical systems. When malware is introduced, these costly backup capabilities accelerate the spread across environments.
  • Limited business awareness: Leadership may still be operating under the assumption that the time, money and effort put into traditional disaster recovery programs are going to protect them in a destructive malware scenario. They need to be aware of the gaps and refocus efforts on these emerging threats.

“Understanding your organization’s attack surface, and what implications a destructive cyberattack may have are important, but what is critical is to avoid ‘analysis paralysis’ and move quickly on deploying the proper technical solutions, like the cyber recovery vault, educational tools and business strategies.

“Senior leadership and boards need to get a grasp of what their traditional disaster recovery plan provides, what it does not provide, and how an attack might play out.

“When boards are made aware of the risk, these capabilities are often prioritized and quickly implemented,” said Pete Renneker, technical resilience leader in cyber risk services and a managing director at Deloitte & Touche LLP.

“Physical and traditional outages are often measured in hours or days. Whereas destructive attacks are often measured in weeks or months, which can be very difficult to recover from.

“To be successful, you have to have strong agile capabilities and leaders on the ground who can address the risks and interact effectively in the event of a large-scale incident,” said Kieran Norton, infrastructure security leader in cyber risk services and principal at Deloitte & Touche LLP.

Building a comprehensive cyber approach

A viable cyber resiliency program expands the boundaries of traditional risk domains to include new capabilities like employee support services; out-of-band communication and collaboration tools; and a cyber recovery vault.

A cyber recovery vault is isolated on the network to limit lateral movement by a threat actor, secures the environment physically and logically, prevents deletion or destruction of critical data, and can be analyzed to accelerate identification of suspicious activity.

Given its design, the data sits in a cryogenically frozen state, meaning malware may enter the vault but will be unable to deliver its payload. This makes it possible to extract and cleanse affected data, recover critical systems, and restore the business as soon as possible.

With 26.3% of respondents reporting that their organization’s biggest challenge in implementing a cyber recovery vault is budget restrictions, organizations should consider focusing first on deploying a critical materials vault limited to protecting essential services.

This accelerates protection against these threats, reduces the initial spend, and enables the organization to analyze additional protection requirements in parallel.

Deloitte and Google Cloud to provide customers with end-to-end secure cloud transformation services

As organizations move more of their businesses to the cloud, better control over data and activities in the cloud, as well as preventing privilege misuse, becomes critically important.

Building on their existing global alliance, Deloitte and Google Cloud announced that together they will leverage the strength of their portfolios in cyber and cloud solutions to provide customers with end-to-end secure cloud transformation services and solutions in support of their digital transformation journeys and to better combat cyber threats.

“The increasing integration, interconnectedness, and data exchange of our businesses and lives create shared vulnerabilities where a problem in one area can quickly cascade into another.

“By building security into these environments, organizations can better protect their data, privacy, and operations,” said Deborah Golden, U.S. cyber leader, Deloitte Risk & Financial Advisory, and principal in Deloitte & Touche LLP.

“Together with Google, we are supporting secure transformative change for our clients, something that all organizations should prioritize, and can enable them to be better secured in their critical cyber and cloud needs.”

“For enterprise customers moving to the cloud, security isn’t an afterthought, it’s at the top of every CIO’s list, and in general is a board level topic,” said Sunil Potti, vice president engineering at Google Cloud Security.

“Building in the right security processes and controls from the beginning of the cloud journey can significantly reduce risks and costs for customers, and so we are delighted to be collaborating with Deloitte to help deliver end-to-end security services and solutions to our joint-customers.”

As a Google Cloud Security Premier Partner, Deloitte offers cloud security services to its clients globally and helps Google Cloud Platform customers address security, privacy and compliance-related risks as they migrate and transform their business in the cloud.

As part of growing the alliance, Deloitte will offer Google Cloud customers cloud security solutions in the areas of security monitoring and threat response, zero trust, identity and access management (IAM) and data security.

  • Security monitoring and threat response: Provide next-generation capabilities that can help organizations proactively detect, continuously monitor and respond to unauthorized activity before it can adversely affect networks.
  • Zero trust: Establish and operationalize a zero trust architecture and program to continuously monitor and authenticate users — constantly determining their level of risk based on who they are, what they access, and when and where they do it from.
  • Identity and access management: Enhance a digital transformation strategy and lay the foundation to leverage new data-driven identity models as they evolve.
  • Data security: Provide a suite of services designed to help organizations address data risk management challenges and help them understand the value of their data and privacy considerations, as well as to operationalize their data risk governance program.

Deloitte also has been recognized as Google Cloud’s Global Services Partner of the Year, for its solutions related to analytics, machine learning, cloud-native application development, SAP, security, workload migration, and managed services.

This second consecutive win for Deloitte underscores the strength of its relationship with Google Cloud and the breadth of solutions the two organizations offer their clients.

What are the qualities of a good digital identity management program?

Growing consumer expectations, the breakdown of traditional “walls” and emerging technologies are making it hard for organizations to devise a successful digital identity management program, according to Deloitte.

More than ever before, identity management is at the center of cybersecurity, regulatory compliance and consumer trust, and many organizations are struggling to define a digital identity management program both internally for the enterprise and externally for consumers.

Deloitte surveyed more than 2,500 professionals across industries and positions.

“In a digital economy, identity is a point of trust, perimeter of security and an index of customer satisfaction,” said David Mapgaonkar, principal, Deloitte & Touche LLP, and cyber technology, media and telecom sector leader.

“Organizations should think about challenges related to both consumer and enterprise identity management to understand what they can do to create better outcomes. But it’s not easy — it requires managing relationships with many stakeholders and alignment on technology and funding.”

Rising global data privacy regulations pose compliance challenges

Identity, data privacy and regulatory compliance are increasingly overlapping. Cybersecurity leaders and executives are burdened with developing a more comprehensive view of their consumers to comply with legal and audit-related mandates such as the GDPR, the CCPA and the recommendations of the NIST Cybersecurity Framework.

This means that technology, cybersecurity, legal and business leaders are all stakeholders in effective identity management, each with their own challenges and ambitions related to user experience, system availability, resilience, risk management and consumer engagement.

Digital identity lags on investment and priority

Cybersecurity teams must deal with legacy IT environments and a resistance to migrate to cloud-first architectures. In the survey, 35.4% of poll respondents recognized upgrading legacy systems as a challenge to organizations employing identity programs.

Nearly 18% of poll respondents selected lack of funding and sponsorship as a challenge. Either way, many organizations haven’t built modern systems that are API-based, orchestrated and enable easy integration with apps. And investment in new systems and structures can be significant.

Without an organization-wide understanding of the identity imperative, sponsorship at an executive level can be hard to attain.

The survey found that 95% of C-suite level executives commit 20% or less of their security budgets to support identity solutions.

Companies are reluctant to outsource identity management

Many cybersecurity leaders are concerned about integration, flexibility and access to specialized support with outsourcing their identity management to third parties. But third-party managed services, either on-premise or in the cloud, can offer the latest skills and capabilities, increase automation and future-proof identity systems.

For example, 14.4% of poll respondents selected lack of talent and a skills deficit as a challenge for identity. With a cyber talent gap only growing, identity-as-a-service (IDaaS) may be a viable option for many organizations to empower innovation efforts and drive digital transformation.

Responsibility and ownership often distributed

Responsibility and ownership are often distributed among multiple executives, teams (marketing, sales, cybersecurity, etc.) and IT systems, making coordination of large-scale projects challenging.

The poll shows that 14.4% of respondents selected lack of executive prioritization and alignment as a challenge that keeps identity from impacting digital transformation.

A digital identity management program tends to take time and that can be a challenge for cyber organizations that may need to show immediate progress and broader return on investment. Many stakeholders increase complexity and timelines, and these critical programs are not getting implemented fast or well enough.

“An integrated digital identity program will provide organizations operational efficiencies and improve user experiences by powering digital transformation. In addition to the fact that regardless of what business you are in, we all need to know that what we share is protected, what we access is secure, and who we allow into our systems are supposed to be there,” said Mike Wyatt, principal, Deloitte & Touche LLP and cyber identity solutions leader.

“An integrated approach can help prevent a future digital identity crisis from surfacing by building consumer trust and enabling both privacy and security.”

Digital identity is both a use case for blockchain and an enabler that allows each of the other assets for blockchain integration to exist. Other top use cases for digital identity, for example in government, include land and corporate registrations, voting, supply chain traceability and taxation.

The operating environment for digital identity will likely become increasingly complex — with greater business expectations to meet; new technologies to integrate; multiple data privacy regulations to adhere to; and increasing numbers of people and devices to manage.

Every company will have a different set of digital identity challenges and a unique approach to identity management.

Digital identity management program

A digital identity program should be:

  • Safe – To ensure security, privacy and compliance.
  • Flexible – To work across multiple platforms (on-premise and cloud); work with people, systems and devices.
  • Agile – To quickly adapt to end-user needs, IT requirements and new applications.
  • Scalable – To address the shifting requirements of the business — such as adding new users from an acquisition or managing an influx of customers.
  • Open – To accommodate many types of users, including employees, consumers, partners and contractors.
  • Private – To give users control over their information and an understanding of how it is used and how they can access it.
  • Frictionless – To provide a seamless and convenient experience for both users and cybersecurity administrators.
  • Resilient – To overcome potential service disruptions, technology failures, or cyber threats — whether on-premise or in the cloud.

In a digital economy, every outcome depends on digital identity as a point of trust, a perimeter of security, an index of relationship management and a means of service personalization. Companies that harness digital identity should be better positioned to reap the benefits of security and long-term customer value.