KPMG Partner Indy Dhami Explains Where to Start With Cyber Resilience
The shift from traditional InfoSec to cyber resilience is not just an evolution — it's a revolution.
Today’s cybersecurity focus has moved from merely protecting assets to ensuring the business can keep operating in the face of constant and sophisticated threats. This resilience mindset helps companies not only defend against cyberattacks but also recover quickly and adapt to new challenges.
In our latest episode of The Segment: A Zero Trust Leadership podcast, I sat down with Indy Dhami, partner at KPMG UK. We unpacked the industry’s evolution over the past twenty years, why cyber resilience is more important than ever, and how to get business buy-in on your Zero Trust security initiatives.
About Indy Dhami, partner at KPMG UK
With over two decades in the cybersecurity industry, Indy brings a wealth of experience to his role as a Partner at KPMG UK. His journey began managing IT for an architect's firm in the early 2000s, where he developed an interest in cybersecurity.
Indy's career took a turn when he helped build a global certified information security management system. He further honed his expertise and led large-scale security transformation projects across Europe and beyond. Before joining KPMG, Indy worked with a Singaporean government-funded company investing in cyber firms.
At KPMG, Indy is a digital transformation leader who drives innovative strategies to protect various sectors from emerging threats. He is passionate about career mentoring and coaching, inspiring positive cultural change through authentic leadership.
Solving cybersecurity’s awareness problem with resilience
When Indy started in cybersecurity, he remembers a lack of urgency around cyberattacks and their potential to turn into catastrophic breaches.
At one point, he ran a crisis simulation exercise with his company’s leadership, and they didn’t believe an attack could happen at their organization. “Those types of things were often never considered,” Indy explained.
Even so, he believes that the growing number of cyberattacks in the news leads to a perception that they are routine, which overshadows their true impact.
“Things aren't being reported enough,” Indy said. “So the general public still doesn't have that ‘aha’ moment about why cybersecurity is so important.”
This gap in public awareness makes cyber resilience more important than ever. Public perception of breaches, and the traditional tools used to prevent or detect them, are not enough on their own. If not every breach can be prevented, organizations must be prepared in advance to contain breaches and keep operating when they do happen.
Where to start with cyber resilience: Risk appetite and tolerance
That’s why cyber resilience is so important. “Right now, you may see cyberattacks once, twice, three times in the news,” he said. “It's become more prevalent, and people are asking more challenging questions around it to the security leaders.”
The shift from traditional information security to cyber resilience changes the objective. It is no longer only about fixing individual security problems; it is about keeping the business operating during a crisis.
“Resiliency, not just cyber resiliency, but operational resiliency, is all about how I can continue to function even when all these unexpected things are happening,” Indy said.
This underscores the urgent need for infrastructures that can withstand disruptions from cyberattacks. As cyber incidents become more frequent, security leaders are pressured to develop robust resilience strategies.
So where can organizations start? A Zero Trust strategy is one of the best ways to work toward cyber resilience. Zero Trust is a widely adopted strategy based on the mantra of “never trust, always verify”: no user, device or workload is trusted by default, and every connection is checked against policy. It helps organizations prepare for breaches before they happen, with segmentation of networks and workloads, also called Zero Trust Segmentation (ZTS), at its core to limit how far an attacker can move once inside.
As you’re building Zero Trust, Indy recommends asking these two questions:
- What is your risk appetite when it comes to cybersecurity?
- What are the data points that allow you to gauge whether you’re inside or outside that level of tolerance?
In Indy’s experience, this helps business leaders get clearer on what matters most in their business, what they need to protect first, and what kinds of information and tools they’ll need to get there.
Treating cybersecurity like a team sport
Indy also highlighted how government cybersecurity mandates and guidelines can help organizations in both the public and private sector reach their resilience goals.
US federal guidance such as CISA’s Zero Trust Maturity Model (ZTMM), and EU regulation such as DORA and NIS2, set out staged requirements and best practices that organizations of any size or industry can draw on, even when they are not formally in scope.
A key requirement Indy sees across these documents is real-time, end-to-end visibility into network and workload traffic flows.
“You need to start with a really good understanding of how things in your environment interact,” he explained. “But also, how do all your suppliers and upstream and downstream dependencies interact at a systems level?” With this information, teams will be able to understand their network’s exposure and then put the right security controls in place.
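To make the visibility point concrete, and the segmentation mentioned earlier as the core of Zero Trust, here is an added example. It is not from the podcast, KPMG or any vendor tooling, and it assumes a hypothetical flow-log export (src,dst,port,proto,bytes) and a hypothetical naming convention (`<role>-<nn>` for internal hosts, dotted names for external suppliers). It builds a host-level dependency map from constructed flow records, collapses it to role-level (source role, destination role, port) tuples, and diffs that against a declared allowlist so that every flow outside policy surfaces as an exposure finding to review before a segmentation rule set is enforced.

```python
"""Added example, not part of the podcast or any KPMG/Illumio tooling:
build a workload dependency map from flow records and compare it with a
declared allowlist so unexpected flows surface as exposure findings."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample flow records in a hypothetical CSV export format:
# src_host,dst_host,dst_port,proto,bytes. None of this is real traffic.
SAMPLE_FLOWS = """\
web-01,app-01,8443,tcp,120340
web-01,app-02,8443,tcp,98220
app-01,db-01,5432,tcp,55000
app-02,db-01,5432,tcp,51000
app-01,erp.supplier.example,443,tcp,9000
db-01,backup.example,22,tcp,30000
web-01,db-01,5432,tcp,800
"""

# Declared allowlist (assumed policy): (source role, destination role, port).
# Anything observed that is not listed here is exposure to review.
ALLOWLIST = {
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("app", "external", 443),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str
    nbytes: int


def role_of(host: str) -> str:
    """Map a host name to its workload role. Assumed naming convention:
    '<role>-<nn>' for internal hosts; any dotted name is an external
    supplier or upstream/downstream dependency."""
    if "." in host:
        return "external"
    return host.split("-", 1)[0]


def parse_flows(text: str) -> list[Flow]:
    """Parse the CSV export, skipping blank and comment lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, proto, nbytes = line.split(",")
        flows.append(Flow(src, dst, int(port), proto, int(nbytes)))
    return flows


def dependency_map(flows: list[Flow]) -> dict[str, set[tuple[str, int]]]:
    """Who talks to whom: source host -> {(destination host, port)}."""
    deps: dict[str, set[tuple[str, int]]] = defaultdict(set)
    for f in flows:
        deps[f.src].add((f.dst, f.port))
    return dict(deps)


def observed_policy(flows: list[Flow]) -> set[tuple[str, str, int]]:
    """Collapse host-level flows to role-level (src_role, dst_role, port)."""
    return {(role_of(f.src), role_of(f.dst), f.port) for f in flows}


def unexpected_flows(flows: list[Flow], allowlist) -> list[Flow]:
    """Flows whose role-level tuple is not covered by the allowlist."""
    return [f for f in flows
            if (role_of(f.src), role_of(f.dst), f.port) not in allowlist]


def exposure_report(flows: list[Flow], allowlist) -> dict[str, list[str]]:
    """Per destination host, the unexpected 'src:port/proto' pairs reaching it."""
    report: dict[str, list[str]] = defaultdict(list)
    for f in unexpected_flows(flows, allowlist):
        report[f.dst].append(f"{f.src}:{f.port}/{f.proto}")
    return dict(report)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, deps in sorted(dependency_map(flows).items()):
        print(host, "->", sorted(deps))
    for dst, sources in exposure_report(flows, ALLOWLIST).items():
        print("REVIEW", dst, "reached by", sources)
```

On the constructed data the report flags two flows: a web tier talking straight to the database, bypassing the application tier, and a database host opening SSH to an external backup endpoint. Each is either a policy gap to document or an exposure to close with a segmentation rule; the point of doing the diff before enforcement is that a default-deny rule set derived blindly from observed traffic would have enshrined both.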
This deep dive into your network’s infrastructure means involving teams across the organization. For Indy, it succeeds only when security becomes a “team sport”: a collaborative approach builds resilience and aligns cybersecurity initiatives with organization-wide goals.
How to connect Zero Trust to business goals
From Indy’s perspective, a Zero Trust strategy can help security leaders tell a better story about how cyber is aligning to business objectives.
“It’s all about setting the scene, framing it in the correct way, and making it resonate with board-level leaders,” Indy explained.
Zero Trust is a helpful framework for getting buy-in because it frames security in terms of business risk rather than only technical controls.
Indy recommends security leaders take this approach when advocating for their team’s initiatives and needs:
- Always start with your business’s goals: “Pick up your business strategy, pick up the annual report, understand what the business is trying to do, and then overlay it with your security plans.”
- Use Zero Trust principles as a strategic tool: “Explain how Zero Trust can support [the company] using its strategic pillars.”
- Save the technology for last: “Then, you can start going into the technology controls needed to deliver on each of these points.”
Listen, subscribe, and review The Segment: A Zero Trust Podcast
Want to learn more? Listen to the full episode with Indy on our website, Apple Podcasts, Spotify, or wherever you get your podcasts. You can also read a full transcript of the episode.
We'll be back with more Zero Trust insights soon!