Why Information Security at KPMG Is Driven by Audit DNA

When information security is discussed today, the spotlight usually turns toward system integrators, security boutiques or large technology vendors. Hardly anyone initially thinks of an audit and advisory firm. Yet KPMG has become one of the most influential players in this field. Not because the firm suddenly decided to “do cyber,” but because information security at KPMG has evolved organically over decades from the very core of its traditional business.

To understand why information security plays such a unique role at KPMG, one must first understand where the firm comes from. KPMG is deeply rooted in the world of financial auditing, internal control systems, governance structures and regulatory assurance. For decades, the firm has worked closely with CFOs, executive boards, supervisory committees, internal audit departments and regulators. Long before “information security” became a defined discipline, KPMG was already asking questions that today sit at the heart of it: Are processes auditable? Is the IT landscape transparent? Are access rights clearly structured? Is data integrity ensured? Can the organization be trusted from a control perspective?

At the time, IT was not yet seen as a standalone risk domain. It was viewed as a supporting function. However, it was already a critical component of trust, accountability and control. As one senior partner once summarized: “In the past, we checked whether systems were auditable. Today, we assess whether organizations remain operational if security fails.” This statement captures the transition that defines KPMG’s approach to information security.

As business processes became increasingly digital, global and interconnected through ERP systems, cloud platforms and shared service centers, it became clear that financial risk and IT risk could no longer be separated. A data breach can create balance sheet exposure. A system outage can disrupt operations. Manipulation of data can lead to direct liability. Regulatory frameworks such as MaRisk, BAIT, DORA, SOX and ISO 27001 have accelerated this realization. Information security at KPMG gradually moved from being part of IT audit into the realm of internal control systems, from there into governance frameworks, and ultimately into strategic risk advisory.

For this reason, information security at KPMG is not primarily a technical topic. It is structural, regulatory and governance-driven. It rarely appears in isolation. Instead, it is embedded in broader contexts such as IT general controls in statutory audits, access management and control concepts, regulatory programs, audit readiness, forensic investigations following incidents, ERP transformations, cloud migrations, carve-outs and post-merger integrations. The focus is not on configuring firewalls or deploying tools. The focus is on understanding why a particular security architecture is necessary and what the economic and regulatory consequences are if it is missing.

The professional profiles working in information security at KPMG differ significantly from those in traditional system integrators. Many come from backgrounds in auditing, risk management, governance, compliance, law or business administration and have deliberately expanded their expertise into information security. Technical roles such as cloud security specialists, identity and access management experts and security architects are important, but they are typically embedded in advisory engagements. As one senior manager in this environment put it: “We do not build systems. We evaluate whether organizations are structurally, regulatorily and strategically secure with the systems they operate.”

This highlights a key difference between KPMG and classic security providers. While system integrators design and implement architectures, KPMG assesses whether those architectures align with governance requirements, regulatory expectations and the organization’s risk profile. Both worlds are essential, but they require very different mindsets and skill sets.

Ten to fifteen years ago, information security at KPMG was still a peripheral topic within IT audit. Today, it is a dedicated and rapidly growing discipline with global cyber practices and strong integration into risk, audit, advisory and legal services. This development has been driven by the fact that information security has moved to the boardroom. Executive boards, supervisory committees and regulators now treat it as a business-critical issue rather than an IT matter.

As the operators of Darkgate Magazine and as a specialized recruitment partner for IT, security and leadership roles, we maintain close exchanges with partners, directors and hiring managers in this space. What we clearly observe is a growing demand for professionals who can bridge disciplines. The market is no longer looking for pure technicians, nor for pure theorists. It seeks individuals who understand regulatory frameworks, can speak the language of technology, think structurally and communicate effectively at board level.

We increasingly support roles in areas such as information security governance, cyber risk, IT compliance, regulatory security, IAM advisory, cloud security governance and strategic security leadership. These positions clearly reflect how information security has evolved from a narrow technical field into a central element of governance and enterprise risk management.

Not every information security consultant thrives in this environment. Professionals focused solely on technical implementation often struggle with the governance-driven nature of the work. Conversely, purely conceptual profiles without technical grounding face limitations as well. Successful candidates are those who understand that information security decisions are ultimately business decisions and who feel comfortable navigating between technology, regulation and executive management.

KPMG is therefore not a traditional security provider. It acts as a structural security architect at the governance level. Information security is not a technical side topic but a core component of trust, control and regulatory stability. For information security professionals, this offers a career path that differs significantly from classic IT consulting. For enterprises, it provides a framework to address security as an integral part of governance and risk management.

And from our perspective at Darkgate, one thing is clear: anyone who wants to truly understand the information security market cannot ignore the role of KPMG.

Darkgate Editorial Team