.McKnsy - 2020 - Cybersecurity in A Digital Era

Digital McKinsey and Global Risk Practice
Cybersecurity
in a Digital Era
June 2020
Introduction
Even before the advent of a global pandemic, executive teams faced a challenging and dynamic environ-
ment as they sought to protect their institutions from cyberattack, without degrading their ability to
innovate and extract value from technology investments. CISOs and their partners in business and IT
functions have had to think through how to protect increasingly valuable digital assets, how to assess
threats related to an increasingly fraught geopolitical environment, how to meet increasingly stringent
customer and regulatory expectations and how to navigate disruptions to existing cybersecurity models
as companies adopt agile development and cloud computing.
We believe there are five areas for CIOs, CISOs, CROs and other business leaders to address in particular:
1. Get a strategy in place that will activate the organization. Even more than in the past cybersecurity
is a business issue – and cybersecurity effectiveness means action not only from the CISO organiza-
tion, but also from application development, infrastructure, product development, customer care,
finance, human resources, procurement and risk. A successful cybersecurity strategy supports the
business, highlights the actions required from across the enterprise – and perhaps most importantly
captures the imagination of the executive in how it can manage risk and also enable business innovation.
2. Create granular, analytic risk management capabilities. There will always be more vulnerabilities
to address and more protections you can consider than you will have capacity to implement. Even
companies with large and increasing cybersecurity budgets face constraints in how much change
the organization can absorb. Therefore, better cybersecurity requires the ability to make rigorous,
fact-based decisions about a company’s most critical risks – and which cybersecurity investments it
should make.
3. Build cybersecurity into business products and processes. For digital businesses – and almost
every company we know of aspires to be a digital business – cybersecurity is an important driver of
product value proposition, customer experience and supply chain configuration. Digital businesses
need, for example, design security into IoT products, build secure and convenient customer
interaction processes and create digital value chains that protect customer data.
4. Enable digital technology delivery. Digital businesses cannot let slow technology delivery get in
the way of business innovation, so they are scrambling to adopt agile development, DevOps, cloud
computing. However, most companies have built their security architectures and processes to
support waterfall development and on-premises infrastructure – creating a disconnect that can
both increase risk and decelerate innovation. Forward-leaning CISOs are moving to agile security
organizations that enable much more innovation technology organizations.
5. Help the business address impacts of a global pandemic. COVID-19 created three imperatives
for cybersecurity teams: supporting continued business operations by enabling remote working,
mitigating immediate risks – and helping their business partners transition to the next normal.
2
Over the past year, we’ve sought to publish cybersecurity articles in each of these areas that will help
senior executives consider their options and make pragmatic decisions about how to move forward in
making the right tradeoffs in managing technology risks. We hope you find this compendium of articles
interesting and helpful. We, and our colleagues in McKinsey’s cybersecurity practice, have appreciated
the opportunity to comment on what we consider to be one of the most complex and important business
issues today.
Thank you,
Kevin Buehler Venky Anant Tucker Bailey

Senior Partner, New York Partner, Silicon Valley Partner, Washington, DC
James Kaplan Mahir Nayfeh Wolf Richter

Partner, New York Partner, Abu Dhabi Partner, Berlin
3
Risk Practice
Cybersecurity: Linchpin
of the digital enterprise
Table of contents As companies digitize businesses and automate operations,

cyberrisks proliferate; here is how the cybersecurity organization can
support a secure digital agenda.
by James Kaplan, Wolf Richter, and David Ware
Get a strategy
in place that
will activate the
organization
Risk Practice
The risk-based 6
Risk Practice
Enhanced cyberrisk
approach to reporting: Opening
Cybersecurity: Linchpin of the
cybersecurity
© Chad Baker/Getty Images
doors to risk-based
July 2019
digital The
enterprise
most sophisticated institutions are moving from a “maturity
cybersecurity
based” to a “risk based” approach for managing cyberrisk. Here is
how they are doing it. New cyberrisk management information systems provide executives
with the risk transparency they need to transform organizational
by Jim Boehm, Nick Curcio, Peter Merrath, Lucy Shenton, and Tobias Stähle
cyberresilience.
by Jim Boehm, James M. Kaplan, Peter Merrath, Thomas Poppensieker, and Tobias Stähle
Create granular, ana-

lytic risk manage-
ment capabilities
Marketing & Sales
Consumer-data privacy and

Risk Practice
Risk Practice
The consumer-data15 personalization at scale: How 25 Financial crime 34

opportunity and the leading retailers and consumer and fraud in the age of
© me4o/Getty Images
The risk-based approach Enhanced cyberrisk reporting: cybersecurity

January 2020
October 2019
privacy imperative © lvcandy/Getty Images
brands can strategize for both Critical resilience: Adapting infra-

to cybersecurity
As consumers become more careful about sharing data, and regulators
step up privacy requirements, leading companies are learning that data
Opening
Customer concerns doors to risk-based
about the security and privacy of their online data can structure
Critical
impede
personalized marketing at scale. Best-practice companies are building protections
to
resilience:repel
Adapting cyber
As cybersecurity threats
threats compound the risks of financial crime
infrastructure to repel cyber threats

and fraud, institutions are crossing functional boundaries to enable
protection and privacy can create a business advantage.
by Venky Anant, Lisa Donchak, James Kaplan, and Henning Soller
cybersecurity
into their digital properties.
by Julien Boudet, Jess Huang, Kathryn Rathje, and Marc Sorel
collaborative resistance.
As the digital world becomes increasingly connected, it Hasham,

by Salim is no longer possible
Shoan forDaniel
Joshi, and infrastructure
Mikkelsen
owners and operators to remain agnostic in the face of evolving cyber threats. Here’s what
Build cybersecurity
they can do to build an integrated cyber defense.
into business
products and James Kaplan Christopher Toomey Adam Tyra
processes Partner, New York

McKinsey & Company
Vice president, Boston
CP&I Major Projects
McKinsey & Company
Expert, Dallas
McKinsey & Company
29 Global Infrastructure Initiative
Risk Practice
Critical infrastructure 40 48 54 Operations Practice
A practical approach
Thecompanies and the
consumer-data global
opportunity Consumer-data privacy and Financialtocrime
supply-chain
and fraud risk
in the
© Getty Images
© Phil Sharp/Getty Images
cybersecurity threat
April 2020 November 2019
management
© Cimmerian/Getty Imag
and the privacy imperative personalization at scale: How

October 2019
How the energy, mining, and materials industries can meet the unique
age of cybersecurity
challenges of protecting themselves in a digital world.
leading retailers and consumer In supply-chain risk management, organizations often don’t
know where to start. We offer a practical approach.
by Adrian Booth, Aman Dhingra, Sven Heiligtag, Mahir Nayfeh, and Daniel Wallance
brands can strategize for both by Tucker Bailey, Edward Barriball, Arnav Dey, and Ali Sankur
McKinsey Center for Future Mobility
The race for

64 75 77
cybersecurity: Protecting
April 2019
Criticalthe
infrastructure
connected car in the The cybersecurity posture of A practical approach to supply-
© Milko Marchett/Getty Images
March 2019
© Phil Leo/Michael Denora/Getty Images
era ofand
companies new regulation
the global financial-services companies: IIF/ chain risk management
cybersecurity threatThe car industry’s digital transformation exposes new cybersecurity
McKinsey Cyber Resilience Survey

threats. Learn what OEMs can do to protect their cars and customers
from hackers.
by Johannes Deichmann, Benjamin Klein, Gundbert Scherf, and Rupert Stützle
83 89
The race for cyber-security: Defense of the cyberrealm:
© Cogal/Getty Images
October 2019
Protecting the connected car in How organizations can thwart

the era of new regulation cyberattacks
4
Protecting the business: The modern CISO:
Views from the CIO’s Managing scale, building
and CISO’s offices trust, and enabling the
At JPMorgan Chase, CISOs and CIOs work together to align cybersecurity
business
with business goals. The modern CISO is uniquely positioned to bridge gaps across technology,
processes, automation, and cybersecurity.
Enable digital
technology delivery
The benefits of a CISO 100 Robust cybersecurity 106 Enterprise-wide security 110
background the
Understanding to auncertainties requires
Protectingmuch more Views is both
the business: a technology
The modern and
CISO: Managing
than great technology business issue
March 2020
of cybersecurity: CIO
business-unit
March 2020
Questions for
A deep understanding of cybersecurity is a competitive advantage.
from the CIO’s and CISO’s
Security is increasingly an interdisciplinary capability.
scale, building trust, and
CISOs have important skills that can position them for the CIO role.
chief information-security officers offices enabling the business
Risk Practice
Securing software as Agile, reliable, secure,

a service 113 compliant IT: Fulfilling 117 120
The the promise of DevSecOps
Here isbenefits
how SaaS providersof a CISO
can meet back-
the security needs of their Robust cybersecurity requires Enterprise-wide security is both © Getty Images
March 2020
March 2020 March 2020
enterprise customers. By integrating security into DevOps, companies can step up the
ground to a business-unit CIO much more than great technology a technology and business issue
speed and frequency of software releases without compromising
controls or increasing risk.
by Santiago Comella-Dorda, James Kaplan, Ling Lau, and Nick McNamara

by Rich Cracknell, James M. Kaplan, Wolf Richter, Lucy Shenton, and Celina Stewart
Risk Practice
Cybersecurity’s
Risk Practice
Cybersecurity tactics
dual mission during 123 for the coronavirus 132
the coronavirus crisis pandemic
Securing software as a service © jjaakk/Getty Images Agile, reliable, secure, compliant IT: © Getty Images
May 2020
September 2019 Chief information-security officers must balance two priorities to
Fulfilling the promise of DevSecOps
The pandemic has made it harder for companies to maintain
respond to the pandemic: protecting against new cyberthreats and security and business continuity. But new tactics can help
maintaining business continuity. Four strategic principles can help. cybersecurity leaders to safeguard their organizations.
by Jim Boehm, James Kaplan, and Nathan Sportsman by Jim Boehm, James Kaplan, Marc Sorel, Nathan Sportsman, and Trevor Steen
Help business
address impact of
global pandemic
139 144
Cybersecurity’s dual mission Cybersecurity tactics for the
© Gorodenkoff/Getty Images
© Fabian Schmidt/EyeEm/Getty Images March 2020
March 2020
during the coronavirus crisis coronavirus pandemic
5
Get a strategy in place that will activate the organization
Risk Practice
As companies
As companiesdigitize businesses
digitize businesses andand
automate operations,
automate operations,
cyberrisks proliferate;
cyberrisks here
proliferate; is how
here thethe
is how cybersecurity
cybersecurity organization can
support acan
organization secure digitala agenda.
support secure digital agenda.
© Chad Baker/Getty Images
July 2019
6 Cybersecurity: Linchpin of the digital enterprise

Two consistent and related themes in enterprise They must also incorporate security controls
technology have emerged in recent years, both into analytics solutions that may not use a
involving rapid and dramatic change. One is formal software-development methodology.
the rise of the digital enterprise across sectors As companies apply robotic process automation
and internationally. The second is the need (RPA), they must manage bot credentials
for IT to react quickly and develop innovations effectively and make sure that “boundary cases”
aggressively to meet the enterprise’s digital – cases with unexpected or unusual factors,
aspirations. Exhibit 1 presents a “digitization or inputs that are outside normal limits – do not
index” – the results of research on the progress introduce security risks.
of enterprise digitization within companies,
Likewise, as companies build application
encompassing sectors, assets, and operations.
programming interfaces (APIs) for external
As IT organizations seek to digitize, however,
customers, they must determine how to identify
many face significant cybersecurity challenges.
vulnerabilities created by interactions between
At company after company, fundamental tensions
many APIs and services, and they must build and
arise between the business’s need to digitize
enforce standards for appropriate developer
and the cybersecurity team’s responsibility to
access.1 They must continue to maintain rigor
protect the organization, its employees, and its
in application security as they transition from
customers within existing cyber operating models
waterfall to agile application development.
and practices. If cybersecurity teams are to avoid
becoming barriers to digitization and instead
become its enablers, they must transform their
Challenges with existing
capabilities along three dimensions. They must cybersecurity models
improve risk management, applying quantitative At most companies, chief information officers
risk analytics. They must build cybersecurity (CIOs), chief information-security officers
directly into businesses’ value chains. And they (CISOs), and their teams have sought to establish
must support the next generation of enterprise- cybersecurity as an enterprise-grade service.
technology platforms, which include innovations What does that mean? They have consolidated
like agile development, robotics, and cloud-based cybersecurity-related activities into one or a few
operating models. organizations. They have tried to identify risks and
compare them to enterprise-wide risk appetites to
Cybersecurity’s role in digitization understand gaps and make better decisions about
closing them. They have created enterprise-wide
Every aspect of the digital enterprise has
policies and supported them with standards. They
important cybersecurity implications. Here
have established governance as a counterweight
are just a few examples. As companies seek to
to the tendency of development teams to prioritize
create more digital customer experiences, they
time to market and cost over risk and security. They
need to determine how to align their teams that
have built security service offerings that require
manage fraud prevention, security, and product
development teams to create a ticket requesting
development so they can design controls, such as
service from a central group before they can get a
authentication, and create experiences that are
vulnerability scan or a penetration test.
both convenient and secure. As companies adopt
massive data analytics, they must determine how
to identify risks created by data sets that integrate
many types of incredibly sensitive customer
information.
1
An API is software that allows applications to communicate with each other, sharing information for a purpose.
Cybersecurity: Linchpin of the digital enterprise 7

McK Risk 8 2019
Cybersecurity digital enterprise
Exhibit 1 of 6
Exhibit 1
Across sectors, companies are digitizing, with profound implications for cybersecurity functions.
Digitization levels
Low digitization High digitization
Asset Usage Labor
Overall Digital- Business Market Digital spend Digital Digitization

Sector digitization Digital spend asset stock Transactions Interactions processes making on workers capital of work
Media
Professional
services
Finance and
insurance
Wholesale
trade
Personal and
local services
Government
Transportation
and warehousing
Healthcare
Entertainment
and recreation
Source: Appbrain; Blue Wolf; ContactBabel; eMarketer; Gartner; IDC; LiveChat; US Bureau of Economic Analysis; US Bureau of Labor Statistics; US Census Bureau;
Global Payments Map by McKinsey; McKinsey Social Technology Survey; McKinsey analysis; McKinsey Global Institute analysis
actions, however, exist in tension with the emerging At one financial institution, development teams
digital-enterprise model—the outcome of an end- were frustrated with the long period needed
All thesedigital
to-end actions have proven absolutely
transformation—from necessary
the customer bypole in the tent”
the security team– to
the most intractable
validate and approvepart of the
to the security
interface of an
through theorganization. Without them,
back-office processes. As problem ofitems
incremental standing applications
in their on provider’s
cloud service public cloud
cybersecurity
companies seek breaches occurcloud
to use public moreservices,
frequently
they– infrastructure.
catalog for production usage. Developers at other
and often,
often withsecurity
find that more severe consequences.
is the “long The
pole in the tent”— companies have puzzled over the fact that they can
At one financial institution, development teams
the mostactions,
needed intractable part of exist
however, the problem of standing
in tension with the spin up a server in minutes but must wait weeks
were frustrated with the long period needed by the
applications
emerging on public cloud infrastructure.
digital-enterprise model – the outcome for the vulnerability scan required to promote
security team to validate and approve incremental
of an end-to-end digital transformation – from
items in their cloud service provider’s catalog for
the customer interface through the back-office
production usage. Developers at other companies
processes. As companies seek to use public cloud
have puzzled over the fact that they can spin
services, they often find that security is the “long
up a server in minutes but must wait weeks
How cybersecurity can best support the digital enterprise 3

their application to production. IT organizations Cybersecurity for the digital
everywhere are finding that existing security enterprise
models do not run at “cloud speed” and do not
In response to aggressive digitization, some of
provide enough specialized support to developers
the world’s most sophisticated cybersecurity
on issues like analytics, RPA, and APIs (Exhibit 2).
their application to production. IT organizations Cybersecurity for the
functions are starting digital enterprise
to transform their
everywhere
The are finding
misalignment that existing
between security
development and Incapabilities
response to along the three
aggressive dimensions
digitization, someweof the
models do not teams
cybersecurity run at “cloud
leads speed” andbusiness
to missed do not world’s most sophisticated cybersecurity functions
described: using quantitative risk analytics for
provide enoughas
opportunities, specialized supportare
new capabilities to developers
delayed are startingmaking,
decision to transform theircybersecurity
building capabilities into
on issues like analytics, RPA, and APIs (Exhibit 2). along the three dimensions we described:
in reaching the market. In some cases, the the business value chain, and enablingusing
the new
pressure to close the gap has caused increased quantitative risk analytics for decision
technology operating platforms that making,
combine
The misalignment between development and building cybersecurity into the business value
vulnerability, as development teams bend rules to many innovations. These innovations include
cybersecurity teams leads to missed business chain, and enabling the new technology operating
work around security policies and standards.
opportunities, as new capabilities are delayed in
agile approaches, robotics, cloud, and DevOps
platforms that combine many innovations. These
McK Risk 8 2019 reaching the market. In some cases, the pressure (the combination of software development and
innovations include agile approaches, robotics,
to close
Cybersecurity digital the gap has caused increased vulnerability,
enterprise IT operations to shorten development times and
cloud, and DevOps (the combination of software
Exhibit 2 of 6 as development teams bend rules to work around deliver newand
development features, fixes, and
IT operations updates aligned
to shorten
security policies and standards. with the business).
development times and deliver new features, fixes,
and updates aligned with the business).
Exhibit 2
Current cybersecurity operating models do not operate at ‘cloud speed.’

Architecture Stage gates
Architecture
and design Implementation
must receive
1 Designing secure architecture
security sign-off
requires special knowledge
1
2 Secure code review, test
design, and implementation
Security review
2 require specially trained
required
Security review developers not available to
3 many teams
required
3 Cloud environments must be

configured to security
Cloud Code standards and instrumented
Deployment deployment review with monitoring before
cycle deployment into production
Separate security Security review

3 2
testing required required
Testing
Activities
Architecture and design Implementation Code review Testing Deployment

– Analyze resource – Instantiate development – Review code – Develop test cases – Instantiate cloud
availability from cloud and testing – Conduct automated – Do continuous testing infrastructure
service provider environments code scanning – Fix bugs and errors; – Establish cloud
– Analyze capacity – Begin solution – Accept code into make changes services
requirements implementation code base – Do regression testing – Deploy production
– Develop initial solution application
design – Do final testing
– Design interfaces
4 How cybersecurity can best support the digital enterprise

Using quantitative risk analytics for decision It includes sophisticated employee and contractor
making segmentation as well as behavioral analysis to
At the quantitative
Using core of cybersecurity are decisions
risk analytics for identify
includes signs of possible
sophisticated employee insider threats, such as
and contractor
about
decision which information risks to accept and
making suspicious as
segmentation patterns of email activity.
well as behavioral analysisIt to
also includes
At the core of cybersecurity are decisions
how to mitigate them. Traditionally, CISOs identify signs of possible insider threats,
risk-based authentication that considers metadata such
about
and which
their information
business riskshave
partners to accept
madeand as –
suspicious
such as user patterns of email
location andactivity.
recentItaccess
also activity
how to mitigate them. Traditionally,
cyberriskmanagement decisions using a CISOs and includes risk-based authentication that
– to determine whether to grant access to critical considers
their business partners have made cyberrisk- metadata—such as user location and recent access
combination of experience, intuition, judgment, systems. Ultimately, companies will start to
management decisions using a combination of activity—to determine whether to grant access to
and qualitative analysis. In today’s digital use management dashboards that tie together
experience, intuition, judgment, and qualitative critical systems. Ultimately, companies will start
enterprises, however, the number of assets business assets, threat intelligence, vulnerabilities,
analysis. In today’s digital enterprises, however, the to use management dashboards that tie together
and processes to protect, and the decreasing
number of assets and processes to protect, and and potential
business mitigation
assets, threat to helpvulnerabilities,
intelligence, senior executives
practicality and efficacy of onesize-
the decreasing practicality and efficacy of one-fits-all and potential mitigation to help senior executivesThey will
make the best cybersecurity investments.
protections, have dramatically
size-fits-all protections, reduced the
have dramatically reduced make be theablebest
to focus those investments
cybersecurity investments.onThey areas
willof the
applicability
the applicabilityof traditional decision-making
of traditional decision-making be business
able to focus thatthose
will yield the most
investments onprotection
areas of thewith the
McK
processes
processesRiskand
8 2019
and heuristics.
heuristics. least disruption
business and
that will yield cost.
the most protection with the
Cybersecurity digital enterprise least disruption and cost.
In response,
Exhibit
In response,3 of companies
6
companies
are starting to strengthen
are starting to strengthen
Building cybersecurity into the business value
their business and technology environments
their business and technology environments with with chain cybersecurity into the business
Building
quantitative risk analytics so they can make
quantitative risk analytics so they can make better, better, Nochain
value institution is an island when it comes to
fact-based decisions. This has many
fact-based decisions. This has many aspects. It aspects. No institution is anEvery
cybersecurity. islandcompany
when it comes of anytocomplexity
exchanges Every
cybersecurity. sensitive
companydata and of anyinterconnects
complexity
Exhibit 3 exchanges
networks sensitive data and interconnects
with customers, suppliers, and other
networks
business with customers,
partners. As suppliers, and other
a result, cybersecurity-
Priority requirements have changed
business
related partners.
questions As ofa result,
trust cybersecurity-
and the burden of
for acquiring Internet of Things related questions of trust and the burden of
products: Cybersecurity has moved to mitigating mitigating protections have become central
protections have become central
to value chains in many sectors. For example,
the top. to value chains in many sectors. For example,
CISOs for pharmacy benefit managers and
Top 5 priorities when buying IoT products,¹ CISOs for pharmacy benefit managers and
health
health insurers
insurers are having
are having to spend
to spend significant
significant
number of survey responses
time
time figuring
figuring out out
howhow to protect
to protect their their customers’
customers’
312 data
data and and
thenthen explaining
explaining it to it to
those those customers.
customers.
290 Likewise,
Likewise, cybersecurity
cybersecurity is absolutely
is absolutely critical
critical to howto
251 how
companies companies
make make
decisions decisions
about about
procuring procuring
group
235
health
group or business
health orinsurance, prime brokerage,
business insurance, primeand
206
many other services. It is the single
brokerage, and many other services. It is the most important
factor
singlecompanies considerfactor
most important when purchasing
companies consider
Internet of Things (IoT) products (Exhibit 3).
when purchasing Internet of Things (IoT) products
(Exhibit 3).
Leading companies are starting to build
Leading companies
cybersecurity are starting
into their customer to build
relationships,
production processes, and supplier interactions.
cybersecurity into their customer relationships,
Strong Reliability Compat- Compat- Ease of Some of their tactics includeand
thesupplier
following:
cyber- ibility with ibility with use by
production processes, interactions.
security existing installed end user Some of their tactics include the following:
enterprise production — Use design thinking to build secure and
software hardware — Use design
convenient thinking
online to build
customer secure and
experiences.
¹ IoT = Internet of Things. Besides basic functionality. Forconvenient
example, oneonline
bankcustomer experiences.
allowed customers to
Source: McKinsey 2019 IoT Pulse Survey of more than 1,400 IoT customize their security
For example, controls,
one bank choosing
allowed customers to
practitioners (from middle managers to C-suite) who are executing
IoT at scale (beyond pilots). Composition was 61% from US, simpler passwords
customize theirifsecurity
they agreed to two-
controls, choosing
20% from China, and 19% from Germany, with organizations of factor authorization.
simpler passwords if they agreed to two-factor
$50 million to more than $10 billion in revenue. This question on
IoT-product purchases received 1,161 responses.
authorization.

— Educate customers about how to interact in — Take a seamless view across traditional
a safe and secure way. One bank has a senior information security and operational
executive whose job it is to travel the world and technology security to eliminate vulnerabilities.
teach high-net-worth customers and family One autoparts supplier found that the system
offices how to prevent their accounts from holding the master version of some of its
being compromised. firmware could serve as an attack vector to the
fuel-injection systems it manufactured. With
—
— Analyze
Educate security
customers surveys
about to howunderstand what
to interact in — Take a seamless viewit across traditional
that knowledge, was able to put additional
enterprise customers
a safe and secure expect
way. One bankand
hascreate
a senior information security and operational technology
protections in place. Pharma companies have
knowledge basesjob
executive whose soitthat
is tosales
travelteams canand
the world security to eliminate vulnerabilities. One auto-
found that an end-toend view of information
respond to customer customers
teach high-net-worth security inquiries during
and family parts supplier found that the system holding
protection across their supply chains was
negotiations
offices how towith minimum
prevent friction. For
their accounts from the master version of some of its firmware could
being compromised. needed
serve as anto address
attack vectorcertain
to thekey vulnerabilities
fuel-injection
instance, one software-as-a-service (SaaS)
(Exhibit
systems 5).
it manufactured. With that knowledge,
— provider found that
Analyze security its customers
surveys insisted
to understand what
on having particularly
enterprise strongand
customers expect data-loss-
create —it was
Useable to put
threat additionalto
intelligence protections in place.
interrogate supplier
Pharma companies have found that an end-to-
prevention (DLP) provisions.
knowledge bases so that sales teams can technology networks externally and assess
respond to customer security inquiries during end view of information protection across their
risk of compromise.
— Treat cybersecurity as a core feature of supply chains was needed to address certain key
negotiations with minimum friction. For
product
instance,design. For instance, a hospital
one software-as-a-service (SaaS) Done in concert,
vulnerabilities these5).
(Exhibit actions yield benefits.
network wouldthat
provider found haveitstocustomers
integrate insisted
a new on —They
Use enhance customertotrust,
threat intelligence accelerating
interrogate suppliertheir
operating-room
having particularly device
stronginto its broader
data-loss-prevention adoption
technologyof digital
networkschannels. They
externally andreduce
assessthe
riskrisk
security environment. Exhibit 4 presents an
(DLP) provisions. ofofcustomers
compromise. or employees trying to circumvent
— example of how security
Treat cybersecurity is embedded
as a core in a
feature of product security controls. They reduce friction and delays
McK Risk 8 2019 product-development process. Done in concert,and
as suppliers these actions yield
customers benefits.
negotiate liability and
design. For instance, a hospital network would
Cybersecurity digitalhave
enterprise
to integrate a new operating-room device They enhance customer trust, accelerating their
Exhibit 4 of 6 into its broader security environment. Exhibit 4 adoption of digital channels. They reduce the risk
presents an example of how security is of customers or employees trying to circumvent
embedded in a product-development process. security controls. They reduce friction and delays
Exhibit 4
How to embed security into a product-development process.

From treating security and privacy as … to incorporating them by designing and building
afterthoughts … an agile security-and-privacy model
Developers are unclear when Product owners don’t consider Prioritize security and privacy Make product owners aware
security and privacy security and privacy tasks tasks according to product risk of need to prioritize security
requirements are mandatory during sprint planning Requirements level and privacy tasks and be
accountable for their inclusion
in releases
Design
Unclear how to handle Chief information-security and Security and privacy champions Add capacity through CISPOs,
distribution of tasks within privacy officers (CISPOs) have (tech leads) assist teams in who clarify security and privacy
development team limited capacity to support Development distributing tasks requirements with champions
development teams and product owners
No unified real-time standardized monitoring of state of security Product-assessment dashboards give developers real-time
and privacy tasks Testing views of security and privacy within products
Security and privacy needs Teams unclear how often to Launch delays eliminated as Simplified predeployment
are often dealt with engage CISPOs security and privacy tasks are activities with CISPOs only for
before deployment, causing Deployment executed across life cycles releases meeting risk criteria
launch delays
Unclear accountability Lack of integration in Define and communicate roles Integrate and automate
Throughout
for security and privacy in security and privacy tool sets and responsibilities during security- and privacy-related
process
product teams introduces complexity agile ceremonies testing and tracking tools

McK Risk 8 2019
Cybersecurity digital enterprise
Exhibit 5 of 6
Exhibit 5
An end-to-end view of information across the pharma supply chain is needed to

address vulnerabilities.
Supply chain
Product flow
Data flow
Dynamic, cloud-based
network optimization
Suppliers Bulk Finishing and Smart-warehouse Customers

manufacturing packaging distribution center
Advanced business capability Resulting cyberrisks
Suppliers Finishing and packaging Overarching technologies

Predictive supplier risk protection Fully integrated and automated production Machine-learning forecasting and integrated
Risk of exposed vendor details and Attack on process, leading to shutdowns production planning
trade secrets or errors Inaccurate business decisions and
Transition from closed to open systems bad-actor access
Bulk manufacturing prompts new security risks
Yield optimization through advanced Real-time monitoring
analytics and digitized operations Customers Unauthorized monitoring of processes and
Hacking of legacy equipment No-touch order management leakage of business decisions
Unauthorized changes in safety or Leak of customer data, leading to loss of
compliance regulations customer trust and competitive data
Loss of intellectual property and
competitive advantage
as suppliers and customers negotiate liability and engineering talent from vendors and giving
responsibility forinformation
responsibility for informationrisks.
risks. They
They build
build Some areself-service
developers getting rid access
of theirtodata centers
infrastructure.
security intrinsicallyinto
security intrinsically intocustomer-facing
customer-facing andand altogether
Some as they
are getting leverage
rid of cloud
their data services.
centers altogetherAll of
operational processes,reducing
operational processes, reducing the
the “deadweight
“deadweight asthis
theyisleverage
being donecloud toservices.
make technology
All of this isfast and
being
loss” associated
loss” associated with
withsecurity
securityprotections.
protections. done to make
scalable technology
enough fast and
to support an scalable
enterprise’senoughdigital
toaspirations.
support an enterprise’s digital aspirations.
In turn, putting a modern technology In
turn, putting a modern technology model in place
Enabling an agile, cloud-based model in place requires a far more flexible,
Enabling an agile, cloud-based requires a far more flexible, responsive,
responsive, and agile cybersecurity operating and agile
operating platform enhanced by
operating platform enhanced cybersecurity operating model. Key tenets of this
model. Key tenets of this model include the
DevOps
by DevOps model include the following:
following:
Many
Many companies seemtotobebetrying
companies seem trying
to to change
change
everything aboutITIToperations.
everything about operations. They
They areare replacing ——Move
replacing Move from
from ticket-based
ticket-based interfaces
interfaces to APIs for
to APIs
traditional software-development
traditional software-development processes
processes for security
security services.
services. This
This requires
requires automating
automating
with
with agile methodologies.
methodologies.TheyThey are
are repatriating
repatriating every possible
every interaction
possible and and
interaction integrating
integrating
engineering talent from vendors and giving cybersecurity into the software-development
developers self-service access to infrastructure. tool chain. That will allow development teams

to perform vulnerability scans, adjust DLP — Build a cloud-native security model that
rules, set up application security, and connect ensures developers can access cloud services
to identify and gain access to management instantly and seamlessly within certain
services via APIs (Exhibit 6). guardrails.
— Organize security teams into agile scrum or — Collaborate with infrastructure and
scrumban teams that manage developer- architecture teams to build required security
recognizable
cybersecurity services, such as identity and
into the software-development services
— Tightly into standardized
integrate solutions
security into enterprise for
end-user
access management
tool chain. (IAM)
That will allow or DLP. Also,
development teams massive
services, soanalytics and RPA.
that employees and contractors can
recruiting
to perform development-team leaders to
vulnerability scans, adjust DLP —easily
Shiftobtain productivity
the talent modeland collaborationthose
to incorporate tools with
serve as product
rules, set owners
up application for security
security, services
and connect via an intuitive, Amazon-like portal.
“e-shaped” skills – cybersecurity professionals
can help, just
to identify and as business
gain access to managers
managementare — Build
witha cloud-native
several areas security
of deepmodel that ensures
knowledge, such
services via APIs (Exhibit 6).
product owners for customer journeys and developers
as in integrative problem solving,instantly
can access cloud services automation,
— customeroriented services.
Organize security teams into agile scrum or and
andseamlessly
developmentwithin–certain guardrails.
as well as security
scrumban teams that manage developer-
— Tightly integrate security into enterprise end- technologies.
— Collaborate with infrastructure and architecture
recognizable services, such as identity and teams to build required security services into
user services, so that employees and contractors
access management (IAM) or DLP. Also, standardized solutions for massive analytics
can easily obtain productivity and collaboration
recruiting development-team leaders to serve and RPA.
tools via an intuitive, Amazon-like portal.
as product owners for security services can
McK Risk 8 2019 — Shift the talent model to incorporate those with
help, just as business managers are product
Cybersecurity digital enterprise “e-shaped” skills—cybersecurity professionals
owners for customer journeys and customer-
Exhibit 6 of 6 with several areas of deep knowledge, such as
oriented services.
Exhibit 6
Automation, orchestration technology, and application programming interfaces can eliminate

manual security processes and interactions.
Automation opportunities in a notionally secure DevOps model
Architecture
and design Implementation Code review Testing Deployment
App API-configurable APIs for configuration Automated code-review Automated and Fully configured,
application application-level controls and debugging systems modified to configurable security test production-ready
programming designed into new (eg, test instrumentation) search for application- cases added to nightly application possible via
interfaces applications added during specific threat scenarios testing regime API calls alone
(APIs) implementation phase
Process New application-level Configurable security Configurable Nightly testing results Predeployment
APIs API options added tests added to nightly automated code reviews collected and curated for security-review process
to deployment- testing regime added to precommit/ individual developers/ replaced by automated
configuration process preacceptance process teams via configurable tests and configuration
for newly written code test-management system checks
Infrastructure API for deployment Configuration options Automated code Cloud environments Security tools and
APIs and instantiation for instantiation of scanning implemented regularly tested for configuration options
processes rearchitected automated, project- for deployed web security via automated applied via API to new
to accommodate new specific development applications to maintain vulnerability assessment environments at
applications environment made quality and code integrity and identification tools deployment time
available
Security-trained developers and engineers enable automation and orchestration throughout cloud-development, -deployment,
and -operations phases

Sidebar
How a large biopharma company built cybersecurity capabilities to enable

a digital enterprise
A large biopharma company had slow or block the capture of business — Collaborating with the broader
recently concluded a major investment opportunities. At the same time, the technology team to create the
program to enhance its foundational cybersecurity team looked at a broad set application programming interfaces
cybersecurity capabilities, dramatically of emerging practices and techniques (APIs) and the template to ensure
reducing its risk profile. However, the from the pharma industry and other secure configuration of systems
business strategy began to evolve in new sectors, including online services, running in the public cloud
ways, with expanding online consumer banking, and advanced manufacturing.
— Dramatically expanding automation
relationships, digitally enabled products, Based on all this, it developed an
of the security environment to reduce
enhanced supply-chain automation, overarching vision for how cybersecurity
time lags and frustrations developers
and massive use of analytics. The could protect and enable the company’s
and users experienced when
company now needed new cybersecurity digital agenda, and it prioritized 25
interacting with the cybersecurity
capabilities that would both address new initiatives. Some of the most important
team
business risks and facilitate business and were the following:
technology innovation. The cybersecurity team then used its
— Collaborating with the commercial
vision and initiatives to articulate to
To get started, the cybersecurity team to build patient trust by
senior management how it could enable
team engaged a broad set of business designing security into online patient
the company’s digital business strategy
partners, capturing current and journeys
and the support and assistance it would
planned strategic initiatives. It then
— Collaborating with the manufacturing require from other organizations to do so.
mapped out the new risks that these
team to enhance transparency into
initiatives would create and the ways in
configuration of plant assets
which cybersecurity protections might
Taken together, these actions will eliminate With digitization, analytics, RPA, agile, DevOps,
roadblocks to building digital-technology and cloud, it is clear that enterprise IT is evolving
operating models and platforms. Perhaps more rapidly and in exciting and value-creating ways.
importantly, they can ensure that new digital This evolution naturally creates tension with
platforms are inherently secure, allowing their existing cybersecurity operating models. For
adoption to reduce risk for the enterprise as organizations to overcome the tension, they
a whole (see sidebar, “How a large biopharma will need to apply quantitative risk analytics
company built cybersecurity capabilities to enable for decision making, create secure business
a digital enterprise”). value chains, and enable operating platforms
that encompass the latest innovations. These
actions will require significant adaptation from
cybersecurity organizations. Many of these
organizations are still in the early stages of this
journey. As they continue, they will become more
and more capable of protecting the companies
while supporting the innovative goals of the
business and IT teams.
James Kaplan is a partner in McKinsey’s New York office, Wolf Richter is a partner in the Berlin office,
and David Ware is an associate partner in the Washington, DC, office.

Create granular, analytic risk management capabilities
The risk-based approach

to cybersecurity
Risk Practice
The risk-based
approach to
cybersecurity
The most sophisticated institutions are moving from a “maturity
Thetomost
based” sophisticated
a “risk institutions
based” approach are moving
for managing from a Here
cyberrisk. “maturity
based”
is how to adoing
they are “risk based”
it. approach for managing cyberrisk. Here is
how they are doing it.
© lvcandy/Getty Images
October 2019
The risk-based approach to cybersecurity 15

Article type and Year
Article Title
Exhibit X of X
TopTop
managers
managers at most
at mostcompanies
companies recognize
recognize Exhibit 1
cyberrisk asas
cyberrisk ananessential
essentialtopic
topiconontheir
their agendas.
agendas.
Cyberthreats are growing in severity
Worldwide,
Worldwide, boards
boards and
andexecutive
executiveleaders
leaders want
to know
to know howhow well
well cyberriskisisbeing
cyberrisk beingmanaged
managed in in
and frequency.
their organizations. In more advanced regions and
their organizations. In more advanced regions Cyberthreat capacity and frequency today,
andsectors,
sectors, leaders
leaders demand,
demand, given years
given of significant
years threat actor
cybersecurity investment, that programs
of significant cybersecurity investment, that also
Capability Frequency
prove their value in risk-reducing terms. Regulators Very high
programs also prove their value in risk-reducing
are challenging the levels of enterprise resilience Nation state Opportunists
terms. Regulators are challenging the levels of
that companies claim to have attained. And nearly
enterprise resilience that companies claim to Organized crime Insider threats
everyone—business executives, regulators,
have attained. And nearly everyone – business
customers, and the general public—agree that Hacktivist groups Competitors
executives,
cyberriskregulators,
is serious and customers, and theattention
calls for constant general
public – agree
(Exhibit 1). that cyberrisk is serious and calls Competitors Hacktivist groups
for constant attention (Exhibit 1).
Insider threats Organized crime
What, exactly, organizations should do is a more
What, exactly, organizations should do is a more
difficult question. This article is advancing a “risk
difficult question. This article is advancing a “risk Opportunists Nation state
based” approach to cybersecurity, which means Very low
based” approach to cybersecurity, which means
that to decrease enterprise risk, leaders must
thatidentify
to decrease enterprise risk, leaders must
and focus on the elements of cyberrisk to Decisions about how best to reduce cyberrisk can
identify and focus on the elements
target. More specifically, the manyof cyberrisk to
components be contentious. Taking into account the overall
target. More specifically,
of cyberrisk the manyand
must be understood components
prioritized enterprise cyberrisk as potential avenues for loss
context in which the enterprise operates, leaders
of cyberrisk mustcybersecurity
for enterprise be understood andWhile
efforts. prioritized
this of confidentiality, integrity, and availability of digital
must decide which efforts to prioritize: Which
for approach
enterprise tocybersecurity
cybersecurity isefforts. While
complex, bestthis assets. By extension, the risk impact of cyberthreats
projects could most reduce enterprise risk? What
approach
practicesto for
cybersecurity is complex,
achieving it are emerging.best includes fraud, financial crime, data loss, or loss of
methodology should be used that will make clear
system availability.
practices for achieving it are emerging.
To understand the approach, a few definitions are to enterprise stakeholders (especially in IT) that
To understand the approach, a few definitions are
in order. First, our perspective is that cyberrisk those priorities
Decisions aboutwill
howhave
bestthe greatest
to reduce risk reducing
cyberrisk can
in order. First,
is “only” our perspective
another is thatrisk.
kind of operational cyberrisk
That is, impact
be contentious. Taking into account the overall in
for the enterprise? That clarity is crucial
is “only” another kind of operational risk.
cyberrisk refers to the potential for business Thatlosses organizing and executing
context in which thoseoperates,
the enterprise cyber projects
leaders in a
is, cyberrisk refers to thereputational,
of all kinds—financial, potential for business
operational, focused way.which efforts to prioritize: Which
must decide
losses of all kinds – financial, reputational,
productivity related, and regulatory related—in the projects could most reduce enterprise risk? What
At the moment, attackers benefit from organiza-
operational, productivity
digital domain. Cyberrisk related,
can alsoand regulatory
cause losses in methodology should be used that will make clear
tional indecision on cyberrisk – including the pre-
to enterprise stakeholders (especially in IT) that
the physical
related – in thedomain, such as damage
digital domain. Cyberrisk to operational
can
vailing lack of clarity
those priorities about
will have the the danger
greatest riskand failure
reducing
alsoequipment.
cause losses But it
inisthe
important
physicaltodomain,
stress that
such
cyberriskto is operational
a form of business risk. But it is toimpact
execute effective cyber controls.
for the enterprise? That clarity is crucial in
as damage equipment.
important to stress that cyberrisk is a form of organizing and
Debilitating executing
attacks those cyberinstitutions
on high-profile projects in aare
Furthermore, cyberrisks are not the same as focused way.
business risk. proliferating globally, and enterprise-wide cyber
cyberthreats, which are the particular dangers that
efforts are needed now with great urgency. It is
Furthermore, cyberrisks
create the potential are not theThreats
for cyberrisk. same as include At the moment, attackers benefit from
widely understood that there is no time to waste:
cyberthreats, which are
privilege escalation, the particular
vulnerability dangersorthat
exploitation, organizational indecision on cyberrisk—including
business leaders everywhere, at institutions of all
the prevailing lack of clarity about the danger
phishing.¹
create Cyberthreats
the potential exist in the
for cyberrisk. contextinclude
Threats of
sizes and in all industries, are earnestly searching
privilege escalation, vulnerability exploitation,
for the optimal means to improve cyber resilience.
or phishing.
1
1
Cyberthreats
Privilege escalation exist
is the exploitation of ainflaw
thein acontext
system for purpose of gaining unauthorized access to protected resources. Vulnerability
We believe we have found a way to help.
of enterprise cyberrisk
exploitation is an as potential
attack that uses avenuestofor
detected vulnerabilities exploit (surreptitiously utilize or damage) the host system.
loss of confidentiality, integrity, and availability

of digital assets. By extension, the risk impact of
cyberthreats includes fraud, financial crime, data
loss, or loss of system availability.
2 The risk-based approach to cybersecurity
1
Privilege escalation is the exploitation of a flaw in a system for purpose of gaining unauthorized access to protected resources.
Vulnerability exploitation is an attack that uses detected vulnerabilities to exploit (surreptitiously utilize or damage) the host system.

The maturity-based cybersecurity employee awareness and training. Yet a maturity-
approach: A dog that’s had its day based model does not call for the organization to
gather enough information to know that it should
Even today, “maturity based” approaches to
divert the funding needed for this from additional
managing cyberrisk are still the norm. These
application monitoring. Spending on both will be
approaches focus on achieving a particular
expected, though the one effort (awareness and
level of maturity by building certain capabilities.
training) may have a disproportionate impact on
To achieve the desired level, for example, an
enterprise-risk reduction relative to the other.
organization might build a security operations
center (SOC) to improve the maturity of assessing, If the objective is to reduce enterprise risk, then
monitoring, and responding to potential threats to the efforts with the best return on investment in
enterprise information systems and applications. risk reduction should draw the most resources.
Or it might implement multifactor authentication This approach holds true across the full control
(MFA) across the estate to improve maturity of landscape, not only for monitoring but also
access control. A maturity-based approach can for privileged-access management, data-loss
still be helpful in some situations: for example, prevention, and so forth. All of these capabilities
to get a program up and running from scratch reduce risk somewhat and somehow, but most
at an enterprise that is so far behind it has to companies are unable to determine exactly how
“build everything.” For institutions that have and by how much.
progressed even a step beyond that, however, a
The final (and most practical) drawback of
maturity-based approach is inadequate. It can
maturity-based programs is that they can create
never be more than a proxy for actually measuring,
paralyzing implementation gridlock. The few
managing, and reducing enterprise risk.
teams or team members capable of performing
A further issue is that maturity-based programs, the hands-on implementation work for the many
as they grow organically, tend to stimulate controls needed become overloaded with demand.
unmanageable growth of control and oversight. Their highly valuable attention is split across too
In monitoring, for example, a maturity-based many efforts. The frequent result is that no project
program will tend to run rampant, aspiring to is ever fully implemented and program dashboards
“monitor everything.” Before long, the number of show perpetual “yellow” status for the full suite of
applications queued to be monitored across the cyber initiatives.
enterprise will outstrip the capacity of analysts
The truth is that in today’s hyperconnected world,
to monitor them, and the installation of monitors
maturity-based cybersecurity programs are no
will bog down application-development teams.
longer adequate for combatting cyberrisks. A
The reality is that some applications represent
more strategic, risk-based approach is imperative
more serious vulnerabilities – and therefore
for effective and efficient risk management
greater potential for risk – than others. To focus
(Exhibit 2).
directly on risk reduction, organizations need
to figure out how to move from a stance of
monitoring everything to one in which particular
Reducing risk to target appetite at
applications with high risk potential are monitored less cost
in particular ways. Another issue related to the The risk-based approach does two critical things
monitor-everything stance is inefficient spending. at once. First, it designates risk reduction as
Controls grow year after year as program planning the primary goal. This enables the organization
for cybersecurity continues to demand more to prioritize investment – including in
spending for more controls. But is enterprise implementationrelated problem solving – based
risk being reduced? Often the right answers squarely on a cyber program’s effectiveness
lie elsewhere: for example, the best return on in reducing risk. Second, the program distills
investment in enterprise-risk reduction is often in top management’s risk-reduction targets into

maturity-based cybersecurity programs are no Second, the program distills top management’s
Risk-based approach
longer adequate for combatting cyberrisks. A more risk-reduction targets into precise, pragmatic
Exhibit 2 of 4
strategic, risk-based approach is imperative for implementation programs with clear alignment
effective and efficient risk management (Exhibit 2). from the board to the front line. Following the risk-
Exhibit 2
For many companies, the risk-based approach is the next stage in their cybersecurity journey.
Proactive cybersecurity
Risk-based Achieve holistic resilience

approach Transform processes and adoption
of next-generation technologies
to reduce detection and response
Maturity-based times to within recovery-time
approach Reduce enterprise risk objectives
Identify, prioritize, deliver, manage,
and measure security and privacy Embed security in technology
controls in line with enterprise-risk- products, services, and processes
Security not management framework from point of inception through to
execution to achieve complete
considered Build capabilities
Set risk-appetite thresholds for “security by design”
Strengthen essential security and
resilience fundamentals to plug gaps linked pairs of key risk indicators
and key performance indicators Fully incorporate customers,
partners, third parties, and
Establish cyber operating model
Include stakeholders from full regulators into management
Security schmecurity and organization to professionalize
enterprise in cyber operating mode of enterprise resilience
Lack of capability and awareness cybersecurity function
throughout organization, including
among senior leadership
Example activities Example activities Example activities Example activities

• Assess cyber maturity (eg, • Build security operations center, • Implement cyberrisk • Deploy advanced analytics and
data protection, access incident-response playbooks, and quantification machine learning for preventative
management) with or without identity- and access-management • Measure and report on detection
benchmarks to highlight function; install multifactor reduction of risk, not progress • Implement security by design with
capability gaps authentication on apps; enable use of capabilities multilayer response-time reduction
• Evaluate cyber awareness across of virtual private network
organization • Create and staff chief information
security officer and connect to
other relevant areas
Foundational Advanced
precise, pragmatic implementation programs with transformation. The excess spending was deemed
clear alignment from the board to the front line. necessary to fulfill a promise to the board to reach
Following the risk-based approach, a company a certain level of maturity that was, in the end,
will no longer “build the control everywhere”; arbitrary. Using the risk-based approach, the
rather, the focus will be on building the appropriate company scaled back controls and spending in
controls for the worst vulnerabilities, to defeat areas where desired digital capabilities were being
the most significant threats – those that target heavily controlled for no risk-reducing reason. A
the business’s most critical areas. The approach particular region of success with the risk-based
allows for both strategic and pragmatic activities approach has been Latin America, where a number
to reduce cyberrisks (Exhibit 3). of companies have used it to leapfrog a generation
of maturity-based thinking (and spending).
Companies have used the risk-based approach to
Instead of recapitulating past inefficiencies, these
effectively reduce risk and reach their target risk
companies are able to build exactly what they need
appetite at significantly less cost. For example,
to reduce risk in the most important areas, right
by simply reordering the security initiatives in its
from the start of their cybersecurity programs.
backlog according to the risk-based approach,
Cyber attackers are growing in number and
one company increased its projected risk reduction
strength, constantly developing destructive new
7.5 times above the original program at no added
stratagems. The organizations they are targeting
cost. Another company discovered that it had
must respond urgently, but also seek to reduce
massively overinvested in controlling new software-
risk smartly, in a world of limited resources.
development capabilities as part of an agile

Risk-based approach
appetite at significantly less cost. For example, particular region of success with the risk-based
Exhibit 3 of 4 by simply reordering the security initiatives in its approach has been Latin America, where a number
backlog according to the risk-based approach, one of companies have used it to leapfrog a generation
company increased its projected risk reduction of maturity-based thinking (and spending). Instead
Exhibit 3
A risk-based approach builds customized controls for a company’s critical vulnerabilities to

defeat attacks at lower overall cost.
Maturity-based versus risk-based cybersecurity
Risk-based approach: Optimizes defensive layers for
Maturity-based approach: Builds highest level of defense risk-reduction and cost. Critical assets are highly protected,
around everything. but at less expense and in ways that improve productivity.
Cyberrisk management and governance Cyberrisk management and governance

Security organization Security organization
Information-security processes Information-security processes
Technology controls Technology controls

Key assets: Critical economic Key assets: Critical economic function,
function, people, data, applications, people, data, applications, infrastructure,
infrastructure, value-producing process value-producing process
Cost of maturity-based defenses Cost of risk-based defenses

€2 million €1.5 million

Total cost Total cost
€14 million €5 million

Note: Costs are illustrative but extrapolated from real-world examples and estimates.

A transformation in sequential actions 4. Understand the relevant “threat actors,” their
capabilities, and their intent.
Companies adopting the risk-based approach and
transforming their “run” and “change” activities 5. Link the controls in “run” activities and
accordingly inevitably face the crucible of how “change” programs to the vulnerabilities that
to move from maturity-based to risk-based they address and determine what new efforts
cybersecurity. From the experience of several are needed.
leading institutions, a set of best-practice actions
6. Map the enterprise risks from the enterprise-
has emerged as the fastest path to achieving this
risk-management framework, accounting for
transformation. These eight actions taken roughly
the threat actors and their capabilities, the
in sequence will align the organization toward the
enterprise vulnerabilities they seek to exploit,
new approach and enable the appropriate efforts
and the security controls of the organization’s
to reduce enterprise risk.
cybersecurity run activities and change
1. Fully embed cybersecurity in the program.
enterpriserisk- management framework.
7. Plot risks against the enterprise-risk appetite;
2. Define the sources of enterprise value across report on how cyber efforts have reduced
teams, processes, and technologies. enterprise risk.
3. Understand the organization’s enterprise-wide 8. Monitor risks and cyber efforts against risk
vulnerabilities – among people, processes, and appetite, key cyberrisk indicators (KRIs), and
technology – internally and for third parties. key performance indicators (KPIs).

1. Fully embed cybersecurity in the enterprise- which it runs – and the vulnerabilities to those
risk-management framework constituent parts can be specified.
A risk-based cyber program must be fully 3. Understand vulnerabilities across
embedded in the enterprise-risk-management the enterprise
framework. The framework should not be used as
Every organization scans its infrastructure,
a general guideline, but rather as the organizing
applications, and even culture for vulnerabilities,
principle. In other words, the risks the enterprise
which can be found in areas such as configuration,
faces in the digital domain should be analyzed
code syntax, or frontline awareness and training.
and categorized into a cyberrisk framework. This
The vulnerabilities that matter most are those
approach demystifies cyberrisk management
connected to a value source that particular threat
and roots it in the language, structure, and
actors with relevant capabilities can (or intend to)
expectations of enterprise-risk management.
exploit. The connection to a source of value can
Once cyberrisk is understood more clearly as
be direct or indirect. A system otherwise rated
business risk that happens in the digital domain,
as having low potential for a direct attack, for
the organization will be rightly oriented to begin
example, might be prone to lateral movement –
implementing the riskbased approach.
a method used by attackers to move through
2. Define the sources of enterprise value systems seeking the data and assets they are
ultimately targeting.
An organization’s most valuable business work
flows often generate its most significant risks. It is Once the organization has plotted the people,
therefore of prime importance to identify these work actions, technology, and third-party components
flows and the risks to which they are susceptible. For of its value-creating processes, then a thorough
instance, in financial services, a loan process is part identification of associated vulnerabilities can
of a value-creating work flow; it is also vulnerable to proceed. A process runs on a certain type of
data leakage, an enterprise risk. A payment process server, for example, that uses a certain operating
likewise creates value but is susceptible to fraud, system (OS). The particular server – OS combi-
another enterprise risk. To understand enterprise nation will have a set of identified common
risks, organizations need to think about the potential vulnerabilities and exposures. The same will be true
impact on their sources of value. for storage, network, and end-point components.
People, process, and third-party vulnerabilities can
Identifying the sources of value is a fairly straight-
be determined by similar methodologies.
forward exercise, since business owners will
have already identified the risks to their business. Of note, vulnerabilities and (effective) controls
Cybersecurity professionals should ask the exist in a kind of reverse symbiosis: where one
businesses about the processes they regard as is present the other is not. Where sufficient
valuable and the risks that they most worry about. control is present, the vulnerability is neutralized;
without the control, the vulnerability persists.
Making this connection between the cybersecurity
Thus, the enterprise’s vulnerabilities are most
team and the businesses is a highly valuable step
practically organized according to the enterprise-
in itself. It motivates the businesses to care more
approved control framework.2 Here synergies
deeply about security, appreciating the bottom-line
begin to emerge. Using a common framework
impact of a recommended control. The approach
and language, the security, risk, IT, and frontline
is far more compelling than the maturity-based
teams can work together to identify what
approach, in which the cybersecurity function
needs to be done to close vulnerabilities, guide
peremptorily informs the business that it is imple-
implementation, and report on improvements
menting a control “to achieve a maturity of 3.0.”
in exactly the same manner and language.
The constituents of each process can be defined – Experience confirms that when the entire
relevant teams, critical information assets (“crown organization shares a common way of thinking
jewels”), the third parties that interact with the about vulnerabilities, security can be significantly
process, and the technology components on enhanced.
2
This can include the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), NIST National Vulnerability
Dataset (NIST 800-53), International Organization for Standardization 27001/2 (standards for information-security-management
systems), and Federal Financial Institutions Examination Council Cybersecurity Assessment Tool (FFIEC CAT).

Experience confirms that when the
entire organization shares a common
way of thinking about vulnerabilities,
security can be significantly enhanced.
4. Understand relevant threat actors and development. Any new controls needed are added
their capabilities to the program backlog as either stand-alone or
composite initiatives.
The groups or individuals an organization must
worry about – the threat actors – are determined While an organization may not be able to complete
by how well that organization’s assets fit with all initiatives in the backlog in a single year, it will
the attackers’ goals – economic, political, or now be able to choose what to implement from
otherwise. Threat actors and their capabilities – the full spectrum of necessary controls relevant
the tactics, techniques, and procedures they to the enterprise because they are applicable for
use to exploit enterprise security – define the frustrating relevant threat capabilities. The risk-
organization’s threat landscape. based approach importantly bases the scope
of both existing and new initiatives in the same
Only by understanding its specific threatlandscape
control framework. This enables an additional
can an organization reduce risk. Controls are imple-
level of alignment among teams: delivery
mented according to the most significant threats.
teams charged with pushing and reporting on
Threat analysis begins with the question, Which
initiative progress can finally work efficiently
threat actors are trying to harm the organization and
with the second and third lines of defense (where
what are they capable of? In response, organizations
relevant), which independently challenge control
can visualize the vulnerabilities commonly exploited
effectiveness and compliance. When the program-
by relevant threats, and appropriate controls can
delivery team (acting as the first line of defense)
then be selected and applied to mitigate these
sits down with the second and third lines, they will
specific vulnerability areas.
all be speaking the same language and using the
In identifying the controls needed to close specific same frameworks. This means that the combined
gaps, organizations need to size up potential groups can discuss what is and is not working, and
attackers, their capabilities, and their intentions – what should be done.
the threat actors’ strength and will (intention)
6. Map the enterprise-risk ecosystem
to create a risk event. This involves collecting
information on and understanding how the A map of enterprise risks – from the enterpriserisk-
attackers connect, technically and nontechnically, management framework to enterprise vulnera-
to the people, process, and technology bilities and controls to threat actors and their
vulnerabilities within the enterprise. capabilities – makes visible a “golden thread,” from
control implementation to enterprise-risk reduction.
5. Address vulnerabilities
Here the risk-based approach can begin to take
To defeat threat actors, vulnerabilities discovered shape, improving both efficiency in the application
in the third action we describe will either be closed of controls and the effectiveness of those controls
by existing controls – normal run activities or in reducing risks. Having completed actions one
existing change initiatives – or will require new through five, the organization is now in a position
control efforts. For existing controls, the cyber to build the riskbased cybersecurity model. The
governance team (for “run”) and the program analysis proceeds by matching controls to the
management team (for “change”) map their vulnerabilities they close, the threats they defeat,
current activities to the same control framework and the value-creating processes they protect. The
used to categorize vulnerabilities. This will run and change programs can now be optimized
show the controls already in place and those in

according to the current threat landscape, present leadership (such as the board and the risk
vulnerabilities, and existing program of controls. function) can identify an enterprise risk (such as
Optimization here means obtaining the greatest data leakage), and the cybersecurity team can
amount of risk reduction for a given level of report on what is being done about it (such as a
spending. A desired level of risk can be “priced” data-loss prevention control on technology or a
according to the initiatives needed to achieve it, or social-engineering control on a specific team).
the entry point for analysis can be a fixed budget, Each part is connected to the other, and every
which is then structured to achieve the greatest stakeholder along the way can connect to the
reduction
here means inobtaining
risk. the greatest amount of risk conversation.
leadership The
(such as themethodology
board and theand riskmodel is at
function)
reduction for a given level of spending. A desired canthe center,
identify anacting bothrisk
enterprise as a(such
translator
as dataand as an
leakage),
Cybersecurity optimization determines the right
level of risk can be “priced” according to the andoptimizer. The entire
the cybersecurity enterprise
team can reportteam knows
on what is what
level and allocation of spending. Enterprise-risk
initiatives needed to achieve it, or the entry point being
to do,done
from about
the itboard
(suchtoasthe
a data-loss prevention
front line, and can
reduction is directly linked to existing initiatives
for analysis can be a fixed budget, which is then control
moveon in technology
a unified way or atosocial-engineering
do it.
and the initiation
structured of new
to achieve ones. The
the greatest analysisin risk.
reduction control on a specific team). Each part is connected
develops the fact base needed for tactical to7.thePlot risks
other, andagainst risk appetite;
every stakeholder alongreport
the wayon
discussions on overly controlled areas
Cybersecurity optimization determines the right whence risk reduction
can connect to the conversation. The methodology
the
levelorganization
and allocation might pull back
of spending. as well as areas
Enterprise-risk and model is at the center, acting both as a
Once the organization has established a clear
where
reductionbetter control
is directly for value
linked is needed.
to existing initiatives and translator and as an optimizer. The entire enterprise
understanding of and approach to managing
the initiation of new ones. The analysis develops the team knows what to do, from the board to the front
By incorporating all components in a model and cyberrisk, it can ensure that these concepts
fact base needed for tactical discussions on overly line, and can move in a unified way to do it.
using the sources of value and control
controlled areas whence the organization might pullframeworks are easily visualized and communicated to all
as a common language, the business, IT,
back as well as areas where better control for value risk, 7. stakeholders.
Plot risks against Thisrisk
is done through
appetite; reporta risk
on grid,
and cybersecurity
is needed. groups can align. Discussions where the
risk reduction application of controls is sized to the
are framed by applying the enterprise control potential
Once level of risk
the organization has(Exhibit 4). a clear
established
framework to theallhighest
By incorporating componentssources
in aof value.
model andThis understanding of and approach to managing
McK on Risk 8 2019
using thethe
creates sources of value and
golden-thread control
effect. frameworks
Enterprise cyberrisk, it can ensure that these concepts
Risk-based approach
as a common language, the business, IT, risk, are easily visualized and communicated to all
Exhibit 4 of 4 and cybersecurity groups can align. Discussions stakeholders. This is done through a risk grid, where
are framed by applying the enterprise control the application of controls is sized to the potential
framework to the highest sources of value. This level of risk (Exhibit 4).
creates the golden-thread effect. Enterprise
Exhibit 4
The risk-based approach applies controls according to the risk appetite and the likelihood
and potential impact of a risk event.
Risk events by size of impact and likelihood of occurrence
Very high Out of risk appetite
At limit of risk appetite
Within risk appetite
Well within risk appetite
Medium-impact risks must comply with tier-1 controls
Both very-high-impact and high-impact risks must comply

Risk impact with tier-1 and tier-2 controls
Very-high-impact risks must also comply with tier-3 controls

to be within risk appetite
Low-impact and very-low-impact risks do not need to comply

with any controls in order to be within risk appetite. However,
baseline controls should be applied when doing so is a “no
regrets” move (low cost, high impact), and when it is required
for improved productivity or regulatory alignment
Very low Likelihood Very high

The assumption in this use of the classic risk grid is 8. Monitor risks and cyber efforts using risk
that the enterprise-risk appetite has been defined appetite and key cyberrisk and performance
for each enterprise risk. The potential impact for indicators
each enterprise-risk scenario can then be plotted
At this point, the organization’s enterprise risk
on the risk grid. Once the relationships among
posture and threat landscape are understood,
the threats, vulnerabilities, and applied controls
and the risk-based cybersecurity program is in
are modeled and understood, the risks can be
place. The final step is to monitor and manage for
evaluated according to their likelihood. As more
success.
controls are applied, the risk levels are reduced to
the risk appetite. This is the way the cyber program Many companies attempt to measure cyber
can demonstrate impact in terms of enterprise- maturity according to program completion, rather
risk reduction. than by actual reduction of risk. If a security
function reports that the data-loss-prevention
As new threats emerge, new vulnerabilities will
(DLP) program is 30 percent delivered, for
become apparent. Existing controls may become
example, the enterprise assumption is that
ineffective, and enterprise risks can move in the
risk of data leakage is 30 percent reduced. If a
opposite direction – even to the point where
multifactor authentication initiative is 90 percent
riskappetite limits are exceeded. For information-
implemented, the assumption is that the risk of
security-management systems, the risk grid allows
unauthorized access is almost eliminated. These
stakeholders to visualize the dynamic relationships
assumptions are false, however, because actual
among risks, threats, vulnerabilities, and controls
risk-reducing results are not being measured in
and react strategically, reducing enterprise risks to
these examples.
the appropriate risk-appetite level.
Sidebar
Linking a KRI to a KPI

A data-loss-prevention program (KPI) could be the proportion of critical With KRIs and KPIs systematically
(DLP) is a helpful control to reduce assets covered since the last reporting incorporated into a digital dashboard,
the enterprise risk of data leakage. period versus the total expected to be executives have complete risk-
The critical assets identified by the covered. Enterprise leaders will see these based measurement and reporting
enterprise-risk-management function two metrics on the reporting dashboard. at their fingertips. They can actively
as requiring DLP coverage can become They can then assess the progress participate in risk-reduction efforts –
the output metric, or key risk indicator towards the appetite-linked thresholds influencing their progress, projections,
(KRI). Assuming that the KRI is not and with delivery teams discuss what if performance, and achievement of risk
100 percent, then the linked input anything is needed to continue meeting thresholds.
metric, or key performance indicator (or possibly exceeding) expectations.

Metrics need to measure both inputs and outputs; Executives are often forced to make sense of
inputs, in this case, are risk-reduction efforts a long list of sometimes conflicting metrics.
undertaken by the enterprise, while the output is By linking KRIs and KPIs, the cybersecurity
the actual reduction in enterprise risk. The input team gives executives the ability to engage in
metric here is a key performance indicator (KPI): meaningful problem-solving discussions on which
measuring the performance of a program or a risks are within tolerances, which are not, and why
“run” function. The output metric is really a key risk (see the sidebar, “Linking a KRI to a KPI”).
indicator (KRI), measuring the risk level associated
The risk-based approach to cybersecurity is thus
with a potential risk scenario. The thresholds for
ultimately interactive – a dynamic tool to support
the KRIs must be tied directly to risk-appetite
strategic decision making. Focused on business
levels (the KPI thresholds can also be linked in
value, utilizing a common language among the
this way). For example, if risk appetite for data
interested parties, and directly linking enterprise
leakage is zero, then the systemic controls (and
risks to controls, the approach helps translate
corresponding “red” thresholds) must be higher
executive decisions about risk reduction into
than they would be if a certain percentage of
control implementation. The power of the risk-
leakage is allowed over a certain period. Of course,
based approach to optimize for risk reduction
tolerances for cyber incidents may be not always
at any level of investment is enhanced by its
be set at zero. In most cases, it is impossible to
flexibility, as it can adjust to an evolving risk-
stop all cyber attacks, so sometimes controls can
appetite strategy as needed.
be developed that tolerate some incidents.
One way to think about KRIs and KPIs is with
regard to the relationship between altitude and
trajectory. A KRI gives the current risk level of Many leading companies have a cyber-maturity
the enterprise (the “risk altitude”) while the KPI assessment somewhere in their archives; some
indicates the direction towards or away from the still execute their programs to achieve certain
enterprise-risk-appetite level (“risk trajectory”). levels of maturity. The most sophisticated
An enterprise may not yet have arrived at the companies are, however, moving away from the
leadership’s KRI target but a strong KPI trajectory maturity-based cybersecurity model in favor of
would suggest that it will soon. Conversely, an the risk-based approach. This is because the new
enterprise may have hit the desired KRI threshold, approach allows them to apply the right level of
but the KPIs of the run activity may be backsliding control to the relevant areas of potential risk. For
and give cause for concern. senior leaders, boards, and regulators, this means
more economical and effective enterprise-risk
management.
Jim Boehm is an associate partner in McKinsey’s Washington, DC, office; Nick Curcio is a cyber
solutions analyst in the New York office; Peter Merrath is an associate partner in the Frankfurt office,
where Tobias Stähle is a senior expert; and Lucy Shenton is a cyber solutions specialist in the Berlin
office.
The authors wish to thank Rich Isenberg for his contributions to this article.

Enhanced cyberrisk
Risk Practice
EnhancedOpening
reporting: cyberrisk
reporting:
doors Opening
to risk-based
doors to risk-based
cybersecurity
cybersecurity
New cyberrisk management information systems provide
executives with the
New cyberrisk risk transparency
management they need
information systemsto transform
provide executives
organizational cyberresilience.
with the risk transparency they need to transform organizational
cyberresilience.
by Jim Boehm, James Kaplan, Peter Merrath, Thomas Poppensieker, and Tobias Stähle
by Jim Boehm, James M. Kaplan, Peter Merrath, Thomas Poppensieker, and Tobias Stähle
© me4o/Getty Images
January 2020
Enhanced cyberrisk reporting: Opening doors to risk-based cybersecurity 25

Executives in all sectors have deepened their Risk managers are flying blind
understanding of the dangers cyberrisk poses
Many companies rely on a patchwork of reports
to their business. As hacks, cyberattacks,
from different sources to manage cyberrisk.
and data leaks proliferate in industry after
Executives at these companies are unable to
industry, a holistic, enterprise-wide approach
assess the returns from their cybersecurity
to cybersecurity has become a priority on
investments. They lack needed information
board agendas. Companies are strengthening
about cyberrisk levels, the effectiveness of
protections around their business models,
countermeasures, and the status of protection
core processes, and sensitive data. Regulators
for key assets. Available data are incomplete,
are applying their own pressures, and privacy
inconsistent, and not reliable as a basis for
demands are sharpening.
decision making. Executives also question the
We asked executives at financial institutions in complexity of their cyberrisk-management tools,
Europe and North America about their actual finding them overly complicated and their results
experiences with cyberrisk management and incomprehensible.
reporting. What they told us was instructive. They
Risk decision makers reserve particular criticism
said cyberrisk management can be effective only
for governance-risk-compliance (GRC) systems.
when the information it is based on is accurate.
These complex software solutions can take years
Yet cyberrisk reporting at many companies is
to implement and rarely produce a satisfying
inadequate, failing to provide executives with the
result. Like many risk-management systems,
facts they need to make informed decisions about
GRC software was created by technicians, and
countermeasures. Because of the information
specialized expertise is required to make sense
gaps, managers often apply a standard set of
of the output. In one survey, more than half
controls to all company assets. As a result, low-
of executive respondents said cybersecurity
priority assets can be overprotected, while critical
reporting was too technical for their purposes.1
assets remain dangerously exposed.
In fact, GRC does not even focus on cyberrisk
Fortunately, some leading organizations are but rather covers a wide range of risk types,
pioneering an effective, efficient approach to including financial, legal, natural, and regulatory
cyberrisk reporting that helps executives increase risks. It therefore cannot create the overview of
corporate resilience – one that also provides cybersecurity that board members and regulators
transparency on cyberrisk and allows companies to need. In effect, many cyberrisk managers are
integrate cyberrisk reporting with legacy systems. flying blind.
1
“How boards of directors really feel about cyber security reports”, Bay Dynamics, June 2016, baydynamics.com.
“We need to bring rigor to the

risks related to data and protect
our top assets effectively.”
—Advanced industries CIO
26 Enhanced cyberrisk reporting: Opening doors to risk-based cybersecurity

“The current situation is a mess.
We do not have the facts to decide
on actions. This paralysis puts our
business at risk.”
—Financial-services chief information-security officer
At a leading European financial institution, of reliable reporting, the entire cybersecurity

executives were dissatisfied with the existing strategy was undifferentiated: all controls were
cyberrisk-reporting regime. In attempting to being applied to all assets.
improve it, they first assessed their experience:
The chief information-security officer (CISO)
— Cyberrisk reports were compiled by IT did not know whom to contact about a given
specialists for other IT specialists. As a result, issue. Regulators reproached the institution for
the reports were very technical in nature and incomplete information. For example, the institution
provided little to no guidance for executive did not compile data on the share of employees that
decision making. Executives found that had completed mandatory cybersecurity training in
the reports did not help them interpret how any one location. Within the undifferentiated group-
cyberrisk is related to other risks the institution level data, high attendance in one country could
faces, such as legal or financial risks. easily mask low attendance in another. The training
gap could be contributing to unacceptable levels of
— At the same time, the reporting had many gaps:
cyberrisk exposure in that country, which, however,
almost no information was provided on top
would be invisible.
risks, key assets, recent incidents, counter-
risk measures, implementation accountability,
the institution’s resilience in the face of The objectives of effective cyberrisk
cyberthreats, or the return on investments in reporting
cybersecurity. State-of-the-art cyberrisk management requires
an information system that consolidates all relevant
— The reporting was structured by systems,
information in one place. The most important risk
servers, and applications rather than by
metrics – key risk indicators (KRIs) – present a
business units, business processes, functions,
consistent evaluation across assets to enable
countries, or legal entities. Most reports were
the tailored application of cyberrisk controls. A
compiled as stand-alone documents, with no
given asset can be protected with the controls
integrated view of cyberrisk across the group .
appropriate to its importance and the threat levels
The executives had no clear sense of the overall to which it is exposed.
magnitude of the risk from cyberattacks, malware,
To ready their companies for the challenges
and data leaks. Neither did they know what was
of the evolving cyberrisk-threat landscape,
needed to improve protection of their key assets
executives need to upgrade their approach to
against the biggest threats. Several mitigating
cyberrisk reporting and management. To address
initiatives were in progress, but the reporting
the magnitude and the complexity of the threat,
did not make clear what contributions, if any,
companies should build a high-performing
these actions made to reducing risk. Cyberrisk
cyberrisk management information system (MIS)
managers found it difficult to decide on the areas
with three fundamental objectives.2
of focus for cybersecurity investments or to justify
their ultimate decisions to the board. For want
2
See also Thomas Poppensieker and Rolf Riemenschnitter, “A new posture for cybersecurity in a networked world,” McKinsey on Risk,
March 2018, McKinsey.com.

— Transparency on cyberrisk. Make the A strong analytical backbone
cyberrisk status of the institution’s most
Analytics is the backbone of the cyberrisk MIS;
valuable assets fully transparent, with data
having a strong, smart analytical system in place
on the most dangerous threats and most
enables users to integrate data from different
important defenses assembled in a way
sources across a network and aggregate risks as
that’s accessible and comprehensible for
needed. Ideally, the cyberrisk MIS should have
nonspecialists.
a pyramid structure, with risk data organized
— Risk-based enterprise overview. Provide hierarchically. The starting point is a simple
decision makers with a risk-based overview of the overview, with the most important data at the
institution so they can focus their cybersecurity highest level of aggregation. These data would
invest-ments on protecting the most valuable describe, for example, the top global risks,
assets from the most dangerous threats. differentiated by potential loss and probability.
More detailed information can be added as
— Return on cyber investments. Ensure the
needed, including KRIs and countermeasures for
efficiency of counterrisk measures by requiring
individual divisions, countries, assets, processes,
a high return on investment.
and even buildings. The contact details of the
A dedicated cyberrisk MIS is not a substitute people responsible for implementing the specific
for GRC systems but rather a reporting solution countermeasures can also be included.
addressing cyberrisk. It must be compatible
As shown in Exhibit 1, a top-down approach for
with legacy systems and serve decision makers
risk-data aggregation typically involves the use of
rather than specialists. It is designed to provide
qualitative risk assessments based on scenarios.
the information that executives need to prioritize
Top down is a good way to begin: it requires the
threats and devise effective controls; it enables
least amount of data and provides significant
informed board discussions on cyberrisk strategy
insight in a short time. Eventually, enough risk data
and helps optimize the allocation of funds.
will become available to introduce a bottom-up
The cyberrisk MIS should not become a burden on approach.
executives, reduced to yet another software system
The movement from top down to bottom up helps
they must learn. Rather, it should be integrated into
achieve cyberrisk MIS objectives quicker – by
the existing business-intelligence system, drawing
clarifying definitions of the elements of cyberrisk,
initially on existing data sources. A good cyberrisk MIS
providing executives with the information they
should also aspire to be future-proof, adaptable to
need to make strategic decisions, and enhancing
new technologies, and able to integrate more granular
transparency on risk exposure and the efficacy of
data sources and more sophisticated algorithms for
risk-mitigation initiatives.
risk assessment as they become available.
For optimal performance, the cyberrisk MIS should
be tailored to the needs of a given company.
However, even a basic setup can create substantial
impact. This is because a cyberrisk MIS acts as a
catalyst for better, more informed decision making.
Even the process of setting it up forces executives
to come to a common understanding of the level of
cyberrisk the company is willing to tolerate.

McK on Risk 2020
amount of data and provides significant insight in a need to make strategic decisions, and enhancing
Enhanced cyberrisk reporting
short time. Eventually, enough risk data will become transparency on risk exposure and the efficacy of
Exhibit 1 of 4 available to introduce a bottom-up approach. risk-mitigation initiatives.
Exhibit 1
The cyberrisk management information system begins with top-down risk aggregation and
proceeds to a bottom-up approach.
Risk management and reporting
Low in risk appetite In risk appetite At risk appetite Out of risk appetite
Top-down risk aggregation is a good way to The top-down risk approach is phased into a The bottom-up approach allows for more
begin, as it requires the least amount of data and bottom-up approach as the organization matures effective risk mitigation: it provides transparency
provides the most insight in the shortest time and the required data become available sufficient to achieve optimal risk-treatment
decisions for a given budget in line with
Methodologies Methodologies enterprise capabilities
• Scenario-based, qualitive and quantitative • Scenario-based, qualitive, and quantitative
assessments assessments Methodologies
• Business-impact analysis
• Operational-risk-management (ORM) • Inherent and residual risk exposure
methodologies and portfolio-theory • Risk-inheritance modeling
aggregation • ORM methodologies and portfolio-theory
aggregation
• Low-level data processing
1 2 3 5
1 Group enterprise-information risk exposure 2 Data-confidentiality breach 5 Risk exposure for each individual asset and a
3 Data-integrity loss portfolio of assets
4 Insufficient technical-disaster recovery
Reporting dimensions
Business divisions Business processes Asset classes Individual assets Legal entities Regions Buildings
and stacks and countries
Exhibit 2 presents the “path to green”: the risk- aggregated scorecard or the most granular
mitigation initiatives enabled by the mature breakdown of KRIs will be useless if executives do
bottom-up approach that bring risk indicators not rely on the output for decision making. This is
within the risk appetite. why a good cyberrisk MIS should be customized,
reflecting the specific needs of decision makers at
A high-performing cyberrisk MIS is much more than
levels one and two of a company’s hierarchy.
a reporting tool. It is an integrated decision-support
system, creating visibility on all relevant assets –
end-user devices, applications, infrastructure, net- Catalyzing a cybersecurity
works, and buildings. It gives decision makers access transformation
to detailed information on organizational units, The cyberrisk MIS can catalyze a comprehensive
regions, and legal entities. It embodies the principles cybersecurity transformation. This happens
of good cyberrisk governance, from definition and in the MIS implementation, which in itself is an
detection to treatment and measurement. opportunity to transform the ways companies
gather information about cyberrisk and make
Implementation of the cyberrisk MIS is as
decisions about countermeasures.
critically important as its design. Even the finest

McK on Risk 2020KRIs will be useless if executives do not rely on governance and organization should be
the output
Enhanced cyberrisk for decision making. This is why a good
reporting established across the whole company, with
Exhibit 2 of 4 cyberrisk MIS should be customized, reflecting the common standards and best-in-class reporting
specific needs of decision makers at levels one and for systematic risk identification and prioritization.
two of a company’s hierarchy.
Exhibit 2
Risk-mitigation initiatives indicated by the bottom-up aggregation approach provide the ‘path
to green.’
Share of scope
population falling
outside risk appetite,
illustrative
100%
40
32
24
16
8 0
Risk-mitigating Control 1 Control 2 Control 3 Control 4 Control 5

initiatives 2-factor End-user Segregation No generic Additional controls
authentication recertification of duties accounts added as needed
The description of a successful cyberrisk MIS how cyberrisk information is gathered and
implementation is remarkably congruent with that how executives decide on countermeasures.
of a cybersecurity transformation. The steps are as Cybersecurity governance and organization
6 follows:
McKinsey on Risk Number 9, November 2019 should be established across the whole
company, with common standards and
— Define the scope and objectives. Leaders
best-in-class reporting for systematic risk
work up front to define objectives and
identification and prioritization.
deliverables. They begin by taking stock of
“We don’t want to reinvent the wheel.

We need a cyberrisk management
information system that has a user-
friendly interface. It should integrate
the best, most recent data from our
own sources. It has to be a lean
machine. At the same time, it should
give us more transparency
than we have today.”
—Financial-services chief information-security officer

McK on Risk 2020
Enhanced cyberrisk reporting
Exhibit 3 of 4
Exhibit 3
The cybersecurity transformation enabled through a cyberrisk management information

system includes more effective, less costly differentiated controls.
Cyberrisk management information system, example
Control in place
Control not in place
Control recommended
Out of scope
Tier 1: Control A Tier 1: Control B Tier 1: Control C Tier 2: Control D Tier 3: Control E
Multifactor Account Central privileged Account deactivation Data encryption
authentication recertification access within 24 hours
Application 1:
Trading example
Application 2:
Accounting example
Application 3:
Policy portal
Threat- and control- KRI-KCI 1 KRI-KCI 2 KRI-KCI 3 KRI-KCI 4 n/a

related indicators KPI 1 KPI 2 KPI 3 KPI 4 n/a
Effective information-security risk management is based on asset-centric indicators, including key risk indicators (KRIs),
key compliance indicators (KCIs), and key performance indicators (KPIs), revealing compliance issues as well as current and
forecasted residual risk exposure.
— Avoid
control patchwork
regime. solutions.
The company The cyberrisk
subjected only its requirements,
With the andathe
right approach, return MIS
cyberrisk on investments in
most critical, most vulnerable assetsanother
MIS must not be regarded as patch. It
(class one) cybersecurity.
cybersecurity transformation will provide board-
should be comprehensive and more accessible level
to the full arsenal of controls—from multifactor — executives with a concise
Shift to a risk-based and easilyOne
approach. digestible
of the
userthan the previous
authentication assemblage
to deleting, after of
24stand-
hours, overview of top cyberrisks. Exhibit 4 shows
most powerful benefits of a good cyberrisk an
thealone
accountsreports. A good
of anyone whocyberrisk MIS can
left the company. MIS cyberrisk dashboard, with the risk heat-map
MIS is the risk-based approach to controls
accommodate
By contrast, different
it applied only basicdegrees ofto
controls maturity
the in tab open. Other tabs provide the chief risk officer
(Exhibit 3), which replaces the undifferentiated
least critical assets
different business(Exhibit 3). For
units. As aexample,
result of this
a module and the chief information officer with the KRIs,
“all controls for all assets” approach. The
tiered
canapproach,
be includedthe company
that enableswas able to improve
managers to KPIs, controls, and progress reports for different
risk-based approach focuses on the most
compliance with relevant regulatory
upload static reports until dynamic datarequirements functions, organizational levels, and applications.
while reducing the residual risk level. Atupdates.
the same important assets
The transformation and the
will foster thebiggest,
use of a most
become available for automatic
time, it also reduced costs: both direct costs (such probable threats. Decision
common language and a fact-based makers can to
approach then
Generally, the MIS should supply decision
as for software licenses) and indirect costs (such allocate
cyberrisk investments
across accordingly.
the entire institution. Resilience
Over time,
makers with the most pertinent information
as those incurred through the use of cumbersome, is thereby
the institution improved
will accrue thewithout anof
benefits increased
greater
available at any given time.
undifferentiated controls, even those for low- cybersecurity
cyberrisk transparency,budget. In many
improved cases, a state-
cybersecurity
— Enhance
level consistency. With improved
applications). of-the-art
efficiency, cyberrisk
and greater MIS allows reductions in
cyberresilience.
transparency comes improved consistency. operating expenditure as well.
As the transformation proceeds, executives
One company used the fact base it created in
should calibrate their understanding of
implementing its cyberrisk MIS to introduce a
cyberrisk and cybersecurity. They should ask,
tiered control regime. The company subjected only
“As an institution, how much risk are we willing
its most critical, most vulnerable assets (class one)
to accept? What are our biggest threats? What
to the full arsenal of controls – from multifactor
level of protection renders a given asset safe?”
user authentication to deleting, after 24 hours,
8 EvenonaRisk
McKinsey seemingly
Number 9, trivial
Novemberrisk topic can initiate
2019
the accounts of anyone who left the company.
fruitful discussions. For example, in defining
By contrast, it applied only basic controls to the
cyberrisk-warning thresholds, executives
least critical assets (Exhibit 3). As a result of this
can arrive at a common understanding of
tiered approach, the company was able to improve
risk appetite, asset relevance, regulatory

compliance with relevant regulatory requirements MIS cyberrisk dashboard, with the risk heat-map
while reducing the residual risk level. At the same tab open. Other tabs provide the chief risk officer
time, it also reduced costs: both direct costs (such and the chief information officer with the KRIs,
as for software licenses) and indirect costs (such KPIs, controls, and progress reports for different
as those incurred through the use of cumbersome, functions, organizational levels, and applications.
undifferentiated controls, even those for lowlevel The transformation will foster the use of a
applications). common language and a fact-based approach to
McK on Risk 2020
cyberrisk across the entire institution. Over time,
Withreporting
Enhanced cyberrisk the right approach, a cyberrisk MIS cyber-
the institution will accrue the benefits of greater
Exhibit 4 of 4 security transformation will provide board-level
cyberrisk transparency, improved cybersecurity
executives with a concise and easily digestible
efficiency, and greater cyberresilience.
overview of top cyberrisks. Exhibit 4 shows an
Exhibit 4
The cyberrisk dashboard includes a risk heat map.

Cyberrisk dashboard, example
Risk heat map: Current risk exposure according to risk register and assessment of 1st and 2nd lines of defense
Global overview
0 2 2 9
Low Medium High Very high 1. Unauthorized
External incidents
scenarios scenarios scenarios scenarios transactions: internal
Threat landscape 2. Unauthorized
Risk heat map transaction: external
3. Data leakage
Cyber incidents Very high 7 2, 5, 8 1
4. Information gathering by
Group security nation-state
dashboard 5. Loss of data integrity
High 10 4, 6, 12 3 6. 3rd-party breach
Shared financial-
7. Business-process
system projects
disruption
Regulatory updates 8. Insufficient
Severity Medium 9, 11 13 technical-disaster
Data import
recovery
System settings 9. Disruption of services/
denial-of-service attack
Low
10. Physical intrusion
11. Failure of building
environment
Very low 12. Regulatory risk
13. System settings
Very low Low Medium High Very high
Likelihood
The fast track to impact place. In all likelihood, the initial version of a
Themodular
fast track next-generation cyberrisk
be fully MIS will not be fully
The designtoofimpact
the recommended cyberrisk MIS will not customized to the
The modular customized
needs to the
of a given needsbut
company, of aitgiven
will becompany,
a real but
cyberrisk MISdesign
makesofitthe recommended
possible to implement
cyberrisk MIS makes it possible to implement it will beproduct,
working a real working product, not a dummy.
not a dummy.
a viable version in parts over a period of three
a viable version in parts over a period of three The implementation journey begins with a project
to six months, depending on an organization’s
to six months, depending on an organization’s The implementation
team, experts, riskjourney begins
managers, datawith a project
owners, IT, and
needs and complexity. For many companies, the
needs and complexity. For many companies, the team, experts, risk managers, data owners,
other stakeholders jointly determining specific IT, and
most important components – the underlying other stakeholders jointlyprocesses,
determiningand specific
most important components—the underlying requirements, relevant data
data structure, the analytical backbone, and requirements, relevant processes, and data
data structure, the analytical backbone, and the availability. In the building stage, live trial sessions
the visualization interface – are already in
visualization interface—are already in place. In all availability. In the building stage, live trial sessions
likelihood, the initial version of a next-generation are held to give executives a chance to provide

“Step by step, we made the cyber-
risk MIS our own. The whole pro-
cess took less than half a year, and
yet the finished product really feels
like something that was made for
us, not like an off-the-shelf solution.”
—Cyberrisk MIS user
are held to give executives a chance to provide systems have seen significant improvement in the
feedback on MIS utility. After needed adjustments, efficacy of cyberrisk detection and remediation.
the scope is widened and the system is deployed The platform links operational data with groupwide
to the entire organization. enterprise-risk-management information accurately
and consistently. These cyberrisk systems can
become the basis for a comprehensive cybersecurity
transformation and part of a holistic risk-based
Leading institutions that have implemented state- approach to cybersecurity, reducing risk, raising
of-the-art cyberrisk management information resilience, and controlling costs.
Jim Boehm is an associate partner in McKinsey’s New York office, where James Kaplan is a partner;
Peter Merrath is an associate partner in the Frankfurt office, where Tobias Stähle is a senior expert;
and Thomas Poppensieker is a senior partner in the Munich office.
The authors wish to thank Rolf Riemenschnitter for his contributions to this article.

Critical resilience:
Adapting
infrastructure to
repel cyber threats
As the digital world becomes increasingly connected, it is no
longer possible for infrastructure owners and operators to
remain agnostic in the face of evolving cyber threats. Here’s
what they can do to build an integrated cyber defense.
by James Kaplan, Christopher Toomey, and Adam Tyra
Critical resilience: Adapting

34
infrastructure to repel cyber threats
Critical resilience: Adapting infrastructure to repel cyber threats
The BBC recently reported that researchers have are emerging to deliver and operate infrastructure,
discovered major security flaws – which affect these solutions still rely on the operating systems
flood defenses, radiation detection, and traffic common to nearly all sectors.
monitoring – in the infrastructure for major cities
Similarly, infrastructure leaders tend to think
in the United States and Europe.1 Of those flaws,
that they need industry-specific expertise when
nearly ten are deemed “critical,” meaning that
it comes to hiring cybersecurity specialists. But
a cyberattack on these systems would have a
while having industry-specific expertise is helpful,
debilitating impact on essential infrastructure,
it should not be viewed as essential; the tool kits
including power grids, water treatment facilities,
across industries are largely the same. Owners and
and other large-scale systems. It seems like the
operators might not have the resources they need
stuff of disaster films: A major city loses power.
to make significant strides in their cybersecurity
Huge amounts of the population panic. The roads
programs if they focus only on recruiting highly
clog. Planes are grounded. Coordinating a rescue
specialized talent, especially as it relates to people
effort – even communicating with the public –
who can design and execute responses to cyber
would be a colossal task.
threats.
While such scenarios may seem far-fetched, they
As it stands, infrastructure has a long way to go
are indeed reality. In 2015, Ukraine’s power grid
to catch up to other industries in terms of future-
was the target of such an attack – in the hours that
proofing for a cyber threat. To accomplish this,
followed, nearly a quarter-million people were left
cities and organizations will need to integrate
without electricity – yet this and similar stories
their defenses. They will need to recruit and retain
rarely reach the public consciousness.2 As a result,
new talent and develop a cybersecurity program.
there is little pressure from constituents and cyber
Furthermore, ensuring that infrastructure achieves
threat operators are not top of mind.
and sustains resilience to cyberattacks in the
The number and severity of cyber threats continue midst of rapid digitization requires that designers
to grow exponentially as the world becomes and operators make a proactive mindset shift
increasingly connected. According to recent about cybersecurity – before hackers impose one.
estimates from the research firm Gartner, by
2020 there will be 20.4 billion internet-connected Vulnerabilities do not expire or
devices, and approximately 37 percent of these become obsolete
will be used outside consumer settings – including
When considering digitized infrastructure,
large numbers dedicated to infrastructure
owners typically focus their energies on
monitoring and control. 3 While the proliferation of
envisioning the improvements in efficiency and
connected devices has created unprecedented
customer experience that can be realized by new
productivity and efficiency gains, it has also
technologies. Cyber attackers, on the other hand,
exposed previously unreachable infrastructure
focus on uncovering the ways that new technology
systems to attack from a range of malicious groups
use cases rehash the same weaknesses and
with varying motivations.
vulnerabilities of the old. Indeed, the problems
Owners, planners, builders, and financiers faced by cybersecurity professionals – for
routinely channel ample resources into mitigating example, authenticating users or protecting
any number of risks to an infrastructure asset. sensitive data from unauthorized access –
Yet they rarely, if ever, place as much care into largely stay the same over time, regardless of
anticipating potential cybersecurity incidents. the technology in question. In a 2018 report,
There are many reasons for the lack of attention vulnerability scanning firm EdgeScan noted that
to cybersecurity. One is a common consensus approximately 54 percent of the vulnerabilities
in the industry that the technology governing that it identified in customer networks that year
physical infrastructure is fundamentally different originally became publicly known in the past ten or
from the technology used in other industries. In more years. 4 This is the cybersecurity equivalent
reality, it is not. While new technology solutions of allowing yourself to remain susceptible to
1
“Dave Lee, “Warning over ‘panic’ hacks on cities,” BBC, August 9, 2018, bbc.com.
2
“Ukraine power cut ‘was cyber-attack’,” BBC, January 11, 2017, bbc.com.
3
Gartner says 8.4 billion connected “things” will be use in 2017, up 31 percent from 2016, Gartner, 2017.
4
2018 vulnerability statistics report, edgescan, 2018.
Critical resilience: Adapting infrastructure to repel cyber threats 35

an infectious illness a decade after a vaccine redundant power source. In turn, the asset owner
becomes available. As a result, attack patterns will be able to look beyond what would strictly be
that worked during the previous year will likely still considered their responsibility, and consider the
work (in a modified form) against newly digitized broader network in which they are included. By
infrastructure connecting to the internet today. going beyond their “battery limit,” so to speak, the
hotel can gather more information about relevant
The takeaway is that infrastructure owners,
vulnerabilities and threats.
engineers, and operators, many of whom are
acutely aware of cybersecurity vulnerabilities in Moreover, both utility owners and governments
their information technology environments, must can work together in this area to create more –
consider the operational technology that powers and more widely distributed – utility networks.
their digitized infrastructure to be vulnerable to the If they can better isolate network vulnerabilities,
same issues. they can help ensure service to any undamaged
portions.
Hackers have long exploited this insight. In
February 2017, a cybersecurity researcher
developed a ransomware variant that could Start with the assumption that a
successfully target and manipulate the control cyber incident will occur
systems of a water treatment plant. 5 In theory, his Since the March 2011 earthquake and tsunami
malware could be used by an attacker threatening that caused widespread damage to the northeast
to poison a municipal water supply unless the coast of Japan, including the Fukushima Daiichi
ransom was paid. This may sound like a familiar nuclear plant, the country has constructed an
scenario, because ransomware has been an estimated 245 miles of sea walls at a cost of
increasingly common and disruptive cyber threat approximately $12.7 billion. 6 The same prudence
faced by business for the past three years. Even is needed to protect infrastructure from
so, it is not possible for leaders to test for every cyber attacks. As a point of comparison, one
possible risk or outcome. They will need to limit cybersecurity research organization estimates
their attention to the most pressing threats. And that the cost of ransomware damages alone in
the best way to determine those threats is to look 2019 could exceed $11 billion.7 But in spite of
at the issues affecting other, similar deployments an increasing torrent of cyber attacks afflicting
of technology. By identifying similarities internet-connected businesses and individuals
between new and old use cases for technology, globally, infrastructure owners largely continue to
infrastructure designers can ensure that cyber think of a cyber-attack as a mere possibility rather
risks that were resolved in previous years don’t than a certainty.
recur in the infrastructure space.
By starting with an assumption that a future
cyber attack will degrade, disable, or destroy
Building cyber defenses for key infrastructure functionality, owners and
infrastructure contractors can take action early to build resilience
To build adequate defenses, infrastructure owners into their systems. For example, backups can be
and operators should start by assuming that a implemented for critical connected components,
cyber attack is imminent. Then they must build computers can be designed to fail safely and
a unified, integrated cyber defense that best securely when compromised, and preparedness
protects all relevant infrastructure assets. Going exercises can train operators to act decisively
through the process of identifying what is relevant to ensure that cyber attacks aren’t able to
will often require the asset owner to understand compromise connected infrastructure to threaten
what supporting infrastructure is also vulnerable – lives or property.
critical utilities, for instance – and ensure that it is
When planning incident response, leaders should
reasonably protected as well. For example, a hotel
look beyond the infrastructure sector for lessons
that relies entirely on a local utility for its power
learned from cyber incidents that caused outages
supply may decide that it makes sense to find a
in other sectors of the economy. The steps
5
Michael Kan, “Researcher develops ransomware attack that targets water supply,” CSO, February 14, 2017, csoonline.com.
6
Megumi Lim, “Seven years after tsunami, Japanese live uneasily with seawalls,” Reuters, March 8, 2018, reuters.com.
7
Steven Morgan, “Global ransomware damage costs predicted to hit $11.5 billion by 2019,” Cybersecurity Ventures, November 14, 2017,
cybersecurityventures.com.
36 Critical resilience: Adapting infrastructure to repel cyber threats

required for shipping firm Maersk to respond to a Why wasn’t Target’s HVAC system cordoned
June 2017 ransomware outbreak are particularly off from its payment system network? The
informative. In order to purge itself of malware, the efficiencies gained from connecting networks
company executed a ten-day effort to overhaul its are clear and undeniable, so preventing these
entire information technology (IT) infrastructure – types of technology interactions isn’t a practical
a software reinstallation “blitz” that should have option. Instead, infrastructure owners must
taken approximately six months under normal craft a cybersecurity program that takes a
conditions. 8 While infrastructure owners are comprehensive view of all technologies in the
unlikely to have the same technology footprint as a environment by working to understand how
global shipping company, understanding the steps they’re connected to each other and to the outside
required to respond to a major cyber incident world. Then they must deploy security controls
can provide perspective on the level of effort and and defensive countermeasures to mitigate risks
courses of action that may be required to respond attributable to IT and connected infrastructure in a
to an attack in the infrastructure space. prioritized fashion.
Just as designers must take into account the
An integrated defense is the only physical resilience of infrastructure assets,
defense owners should integrate cyber resilience. One
Every infrastructure network has an associated way of ensuring this happens is to make cyber
IT network within which its owners and operators resilience an integral part of the design process.
conduct their day-to-day business, such as In addition to better incorporating protections, the
sending and receiving emails and writing reports. Internet of Things has created a digital, keyboard-
Likewise, most organizations operating an IT based operating culture that is often devoid
environment – and some organizations operating of manual alternatives. Asset owners, notably
a connected infrastructure environment – have those responsible for critical infrastructure, such
cybersecurity programs in place to protect as power plants and hospitals, should consider
their data and technology assets. However, two establishing core functionality that is either
discrete cybersecurity programs can’t match the resistant to cyber attacks or that allows for an
effectiveness of one unified program to protect asset to more readily withstand the impact of a
both environments. cyber attack. Some hospitals in urban areas, for
example, might have digitally controlled HVAC
While the technology components deployed in
systems, including all vents and windows. Having
the IT and infrastructure environments may differ
windows that can be opened manually – with
significantly in their purpose and complexity,
the option to override digital controls and use
they’re vulnerable to the same risks when
mechanical switches or toggles to open them –
connected to the internet. In the best known
could help create ventilation and allow operations
instance of this from recent years, hackers
to continue in the event of a cyber attack.
that breached the network of retailer Target
Stores in 2013 made their initial entry through
an internet-connected control system for the How to get started
stores’ air conditioning systems.9 By connecting We’ve identified three key steps for infrastructure
the infrastructure management network to the owners starting the process of building their
network through which Target executed its integrated cyber defense.
corporate functions and processed credit card Recruit new talent. The cybersecurity industry
payments, IT staff unwittingly elevated a minor risk is already severely constrained for talent, and
into one with the potential to create catastrophic infrastructure owners and operators often
losses. While the Target breach was a case of compete against other industries that offer
attackers traversing an infrastructure environment higher-paying positions. Therefore, infrastructure
to target the IT environment, attackers could groups need to get creative with where they look
just as feasibly have made the opposite leap, for cybersecurity talent. Infrastructure players
compromising an office network before leveraging might look to “cyber utilities,” for instance,
connections to attack infrastructure.
8
Charlie Osborne, “NonPetya ransomware forced Maersk to reinstall 4000 servers, 45000 PCs,” ZDNet, January 26, 2018, zdnet.com.
9
Brian Krebs, “Target hackers broke in via HVAC company,” Krebs on Security, February 5, 2014, krebsonsecurity.com.

which are industry-aligned working groups clear path forward presents itself. This needs to
that pool information and resources to improve change.
cybersecurity effectiveness for their membership.
Two specific actions are key in beginning and
These member-driven organizations – such as the
subsequently sustaining the mindset shift
Intelligence Sharing and Analysis Centers (ISAC)
required. To begin the mindset shift, organizations
sponsored by the US Department of Homeland
need to develop a perspective on what a cyber
Security – were originally intended to serve as
attack would actually look like for them. Cyber
industry-sector-aligned cyber threat intelligence
war gaming and table top exercises have long
fusion centers for member companies. So, for
been a staple for developing this perspective in
instance, banks could join the financial services
corporate environments, and they can be similarly
ISAC. However, the concept could be employed
effective for infrastructure. Effective exercise
on a smaller scale to allow infrastructure owners
scenarios emulate the actions of timely real-world
in a particular region to share cybersecurity
attackers to impose a series of difficult decisions
talent and resources for cybersecurity functions
on the team, creating numerous (and sometimes
besides intelligence. For example, a cyber utility
painful) learning opportunities. Through cyber
consortium in any given metropolitan area –
war gaming, participants often learn that their
hypothetically comprising a city government, a
organization lacks key response elements such
municipal utility district, and a publicly traded
as clear delineation of responsibilities in crisis
electricity company – could share a single
situations, plans for how and when they should
cybersecurity team, rather than each entity
communicate with stakeholders or the public, and
competing to recruit their own.
even procedures for shutting down compromised
Form a cyber response team. The first hours systems. The best programs deepen learning
after the discovery of a cyber attack are the most by establishing a regular cadence of exercises
critical in effectively mitigating losses, and their (e.g. quarterly or semi-annually) to accustom
importance is magnified in the case of attacks participants to the stress and confusion of a
against infrastructure where loss of life may be crisis situation and to continuously identify
a possible second- or third-order effect. For opportunities for improvement.
this reason, selection and training of an incident
Once organizations begin to understand how bad
response team before an incident occurs is key.
an attack could be for them, they must remain
Teams should include cybersecurity professionals
focused on steady improvement. To sustain
skilled in cyber investigation and analysis, but they
the mindset shift begun with cyber war games,
must also include experts familiar with the broader
infrastructure owners must integrate cyber
functioning of the infrastructure asset itself along
resilience metrics into their regular performance
with leaders who can make timely decisions about
measurement programs. As the cliché goes, “What
issues such as whether to shut down infrastructure
gets measured gets done.” By requiring their
or notify the public about an incident.
teams to continuously evaluate the organization’s
Cyber response teams should be subjected to cyber resilience, leaders can ensure that the topic
regular incident exercises to build the muscle remains front of mind. Leading organizations take
memory necessary to respond effectively and this a step further by integrating cyber metrics into
to uncover potential weaknesses in response the performance metrics for specific individuals,
processes. The cyber utility concept described creating a culture of personal responsibility where
above might be specifically helpful in forming bad cybersecurity can actually affect managers’
a response team, since skill sets such as cyber compensation and prospects for promotion.
forensics are in particularly short supply.
In a world steadily digitizing and becoming more
Cultivate a mindset shift across the interconnected, cyber attacks should be thought
organization. Cybersecurity for infrastructure is of as a certainty akin to the forces of nature. Just
often seen as a trendy topic – every other year as engineers must consider the heaviest rains that
something happens that makes headlines and a dam may need to contain in the next century or
then, weeks later, the industry has returned to the the most powerful earthquake that a skyscraper
status quo. Owners and operators take a hard look must endure, those digitizing infrastructure must
at the situation and then lose interest when no plan for the worst in considering how an attacker
38 Critical resilience: Adapting infrastructure to repel cyber threats

might abuse or exploit systems that enable By starting with the assumption that not only will
infrastructure monitoring and control. This shift cyber attacks against infrastructure occur but also
in thinking will begin to lay the path to connected that they will likely be successful, infrastructure
infrastructure that is resilient by design. designers and operators can learn to trap many
risks before they have the chance to develop into
catastrophes. To do this, infrastructure owners
and operators must first understand how old
Cyber threats don’t become obsolete or irrelevant vulnerabilities will affect new technology and
in the same way that the technology underlying then develop integrated cybersecurity plans to
them does. So, in the context of cybersecurity, apply the appropriate level of protection to their
future-proofing infrastructure is primarily about entire technology environment. The result will be
ensuring that the steps taken to inject resilience safer and more resilient connected infrastructure
into a system remain connected with the relevant delivering reliable services to customers for years
threats of today and yesterday, rather than threats to come.
that may manifest tomorrow.
James Kaplan is a partner in the New York office. Christopher Toomey is a vice president in the Boston
office, and Adam Tyra is an expert in the Dallas office.

Build cybersecurity into business products and processes
The consumer-data
opportunity and the
Risk Practice
The consumer-data
privacy imperative
opportunity and the
privacy imperative
As consumers become more careful about sharing data, and
regulators step up privacy requirements, leading companies
areAs consumers
learning become
that data more careful
protection about can
and privacy sharing data,
create a and regulators
step upadvantage.
business privacy requirements, leading companies are learning that data
protection and privacy can create a business advantage.
© Phil Sharp/Getty Images
April 2020
40 The consumer-data opportunity and the privacy imperative

As consumers increasingly adopt digital Regulation (GDPR) in Europe and the California
technology, the data they generate create both Consumer Privacy Act (CCPA) in that US state.
an opportunity for enterprises to improve their Many others are following suit.
consumer engagement and a responsibility to
The breaches have also promoted the increased
keep consumer data safe. These data, including
use of tools that give people more control over their
location-tracking and other kinds of personally
data. One in ten internet users around the world
identifiable information, are immensely valuable
(and three in ten US users) deploy ad-blocking
to companies: many organizations, for example,
software that can prevent companies from tracking
use data to better understand the consumer’s pain
online activity. The great majority of respondents –
points and unmet needs. These insights help to
87 percent – said they would not do business with
develop new products and services, as well as to
a company if they had concerns about its security
personalize advertising and marketing (the total
practices. Seventy-one percent said they would
global value of digital advertising is now estimated
stop doing business with a company if it gave away
at $300 billion).
sensitive data without permission.
Consumer data are clearly transforming business,
Because the stakes are so high – and awareness
and companies are responsible for managing the
of these issues is growing – the way companies
data they collect. To find out what consumers
handle consumer data and privacy can become
think about the privacy and collection of data,
a point of differentiation and even a source
McKinsey conducted a survey of 1,000 North
of competitive business advantage. The main
American consumers. To determine their views on
findings of our research are presented below.
data collection, hacks and breaches, regulations,
We then offer prescriptive steps for data
communications, and particular industries, we
mapping, operations, and infrastructure, as well
asked them pointed questions about their trust in
as customer-facing best practices. These can
the businesses they patronize.
help companies position themselves to win that
The responses reveal that consumers are competitive advantage.
becoming increasingly intentional about what
types of data they share – and with whom. A matter of trust – or a lack thereof
They are far more likely to share personal data
Consumer responses to our survey led to a number
that are a necessary part of their interactions
of important insights about data management and
with organizations. By industry, consumers are
privacy. First, consumer-trust levels are low overall
most comfortable sharing data with providers
but vary by industry. Two sectors – healthcare
in healthcare and financial services, though no
and financial services – achieved the highest
industry reached a trust rating of 50 percent for
score for trust: 44 percent. Notably, customer
data protection.
interactions in these sectors involve the use of
That lack of trust is understandable given the personal and highly sensitive data. Trust levels
recent history of high-profile consumer-data are far lower for other industries. Only about 10
breaches. Respondents were aware of such percent of consumer respondents said that they
breaches, which informed their survey answers trust consumer-packaged-goods or media and
about trust. The scale of consumer data exposed entertainment companies, for example (Exhibit 1).
in the most catastrophic breaches is staggering.
About two-thirds of internet users in the United
In two breaches at one large corporation, more
States say it is “very important” that the content of
than 3.5 billion records were made public.
their email should remain accessible only to those
Breaches at several others exposed hundreds
whom they authorize and that the names and
of millions of records. The stakes are high for
identities of their email correspondents remain
companies handling consumer data: even
private (Exhibit 2).
consumers who were not directly affected
by these breaches paid attention to the way About half of the consumer respondents said
companies responded to them. they are more likely to trust a company that asks
only for information relevant to its products or
Proliferating breaches and the demand of
that limits the amount of personal information
consumers for privacy and control of their
requested. These markers apparently signal to
own data have led governments to adopt new
consumers that a company is taking a thoughtful
regulations, such as the General Data Protection
approach to data management.
The consumer-data opportunity and the privacy imperative 41

McK on Risk 9 2020
The consumer-data opportunity
Exhibit 1 of 4
Exhibit 1
Consumers view healthcare and financial-services businesses as the most trustworthy.

Respondents choosing a particular industry as most trusted in protecting of privacy and data, % (n = 1,000)
Healthcare Pharmaceuticals/ Retail Advanced Aerospace Automotive Consumer Media and

medical electronics and defense and assembly packaged entertainment
goods
Financial Electric power/ Technology Travel, transport, Telecom- Public Agriculture Oil and
services natural gas and logistics munications sector and gas
government
44 44
22
19
18 17 17
14 13 12 12 11 10 10 10 10
Source: McKinsey Survey of North American Consumers on Data Privacy and Protection, 2019
McK on Risk 9 2020

of their email should remain accessible only to Other issues are of lesser importance in gaining
Exhibit 2 of 4
those whom they authorize and that the names and the consumer’s trust, according to the survey: the
identities of their email correspondents remain level of regulation in a particular industry, whether
private (Exhibit 2). a company has its headquarters in a country with
a trustworthy government, or whether a company
About half of the consumer respondents said they proactively shares cyber practices on websites or in
Exhibit 2
are more likely to trust a company that asks only for advertisements (Exhibit 3).
Consumer privacy and protection
information concerns
relevant to its vary
products or by type
that limits the of digital data.
amount of personal information requested. These
Relative importance by data type, % of respondents (n = 792)
markers apparently signal to consumers that a Consumer empowerment Somewhat and actions
Not too
company is taking a thoughtful approach Very to data
important Given the low overall levels of trust,
important it is not surprising
important N/A
management. that consumers often want to restrict the types of
Content of email 68 13
data that they share with businesses. 15
Consumers 4
Half of our consumer respondents are also more have greater control over their personal information
likely to trust companies that react quickly to62
Identity of email correspondents hacks 16
as a result of the many privacy tools now16available,6
and breaches or actively disclose such incidents including web browsers with built-in cookie blockers,
Content of downloaded filesto the public. These practices have become 55 ad-blocking software 19 (used on more than 21 600 million
5
increasingly important both for companies and devices around the world), and incognito browsers
Location data consumers as the impact of breaches grows 54 and 16 26 4
(used by more than 40 percent of internet users
more regulations govern the timeline for data- globally). However, if a product or service offering—
51
Content, usage of online chatrooms, groups
breach disclosures. for example,12 22
healthcare or money management—is 15
Websites browsed 46 23 28 3
Searches performed 44 25 27 4
Apps and programs used 40 27 28 5

Times of internet usage 33 17 45 5
Source: Internet & American Life Project, Pew Research Center
critically important to consumers, many are willing to example, implemented in Europe in May 2018, gives
42 The aside
set consumer-data opportunity
their privacy and the privacy imperative
concerns. consumers more choices and protections about how
their data are used. The GDPR gives consumers
McK on Risk 9 2020
Exhibit 3 of 4
Exhibit 3
Consumers trust companies that limit the use of personal data and respond quickly to hacks
and breaches.
Respondent trust by practices, % (n = 1,000)
Do not ask for information not relevant to their product 52
React quickly to hacks and breaches 50
Do not ask for too much personal information 48
Proactively report a hack or breach 46
Have a trustworthy brand 43
Do not collect passive data (eg, click or browsing history) 43
Have had few hacks or breaches 42
Do not use tracking cookies 41
Promote privacy for their products (eg, 2-factor

36
authentication)
Have trustworthy leaders 35
Do not operate in countries with untrusted governments 32
Are considered trustworthy by family, friends 32
Share their approach to protecting data 31
Are part of a highly regulated industry 28
Headquarted in a country with a trusted government 28
Publicize their consumer-privacy interest 20
Source: McKinsey Survey of North American Consumers on Data Privacy and Protection, 2019
Half of our consumer respondents are also a trustworthy government, or whether a company
more likely to trust companies that react quickly proactively shares cyber practices on websites or
to hacks and breaches or actively disclose in advertisements (Exhibit 3).
such incidents to the public. These practices
have become increasingly important both for Consumer empowerment and actions
companies and consumers as the impact of
Given the low overall levels of trust, it is not
breaches grows and more regulations govern the
surprising that consumers often want to restrict
timeline for data-breach disclosures.
the types of data that they share with businesses.
Other issues are of lesser importance in gaining Consumers have greater control over their personal
the consumer’s opportunity
The consumer-data trust, according to theimperative
and the privacy survey: the information as a result of the many privacy tools 5
level of regulation in a particular industry, whether now available, including web browsers with built-
a company has its headquarters in a country with in cookie blockers, ad-blocking software (used

on more than 600 million devices around the ePrivacy regulation (an extension of GDPR), which
world), and incognito browsers (used by more than focuses on privacy protection for data transmitted
40 percent of internet users globally). However, electronically. Its status as a regulation (rather
if a product or service offering – for example, than a directive) means that it could be enforced
healthcare or money management – is critically uniformly across EU member states. The ePrivacy
important to consumers, many are willing to set regulation is likely to be enacted in 2020.
aside their privacy concerns.
Beyond Europe
Consumers are not willing to share data for Governments outside Europe have also begun
transactions they view as less important. They to enact data-privacy regulations. In Brazil, for
may even “vote with their feet” and walk away example, the Lei Geral de Proteção de Dados,
from doing business with companies whose or LGPD (General Data Protection Law) will go
data-privacy practices they don’t trust, don’t into effect in August 2020. Brazil’s previous
agree with, or don’t understand. In addition, data-protection regulations were sector based.
while overall knowledge of consumer privacy The LGPD is an overarching, nationwide law
is on the rise, many consumers still don’t know centralizing and codifying rules governing the
how to protect themselves: for example, only collection, use, processing, and storage of
14 percent of internet users encrypt their online personal data. While the fines are less steep than
communications, and only a third change their the GDPR’s, they are still formidable: failing to
passwords regularly (Exhibit 4). comply with the LGPD could cost companies up to
2 percent of their Brazilian revenues.
Evolving regulations In the United States, the California Consumer
Privacy regulations are evolving, with a marked Privacy Act (CCPA) went into effect in the state
shift towards protecting consumers: the GDPR, in January 2020. It gives residents the right to
for example, implemented in Europe in May 2018, know which data are collected about them and
gives consumers more choices and protections to prevent the sale of their data. CCPA is a broad
about how their data are used. The GDPR gives measure, applying to for-profit organizations that
consumers easier access to data that companies do business in California and meet one of the
hold about them and makes it easier for them to following criteria: earning more than half of their
ask companies to delete their data. annual revenues from selling consumers’ personal
information; earning gross revenues of more than
For companies, the GDPR requires meaningful
$50 million; or holding personal information on
changes in the way they collect, store, share,
more than 100,000 consumers, households, or
and delete data. Failure to comply could result
devices.
in steep fines, potentially costing a company up
to 4 percent of its global revenue. One company The CCPA is the strictest consumer-privacy
incurred a fine of $180 million for a data breach regulation in the United States, which as yet has
that included log-in and payment information for no national data-privacy law. The largest fine for
nearly 400,000 people.1 Another was fined mishandling data was, however, issued by the US
Federal Trade Commission (FTC).
$57 million for failure to comply with GDPR. A side
effect of this regulation is an increased awareness Compliance investments
among consumers of their data-privacy rights and Companies are investing hefty sums to ensure that
protections. About six in ten consumers in Europe they are compliant with these new regulations. In
now realize that rules regulate the use of their data total, Fortune Global 500 companies had spent
within their own countries, an increase from only $7.8 billion by 2018 preparing for GDPR, according
four in ten in 2015. to an estimate by the International Association
of Privacy Professionals. Companies have
The GDPR has been considered a bellwether
hired data-protection officers, a newly defined
for data-privacy regulation. Even in Europe,
corporate position mandated by the GDPR for all
policy makers are seeking to enact additional
companies handling large amounts of personal
consumer-privacy measures, including the
data. Despite these measures, few companies
1
The fine was imposed by the Information Commissions Office, the British data regulator, and is currently under regulatory process
review.

McK on Risk 9 2020
Exhibit 4 of 4
Exhibit 4
Consumer concerns over data collection and privacy are mounting, but few take adequate
protective precautions.
Respondents taking action, % (n = 792)
Cleared cookies and browser history 64
Deleted or edited past internet posts 41
Set browser to disable or turn off cookies 41
Not used website because it asked for real name 36
Used temporary user name, email address 26
Posted comments without revealing identity 25
Asked someone to remove an intrusive post 21
Masked identity 18
Used a public computer to browse anonymously 18
Used a false or untraceable user name 18
Encrypted communications 14
Used service that allows anonymous browsing 14
Given inaccurate personal information 13
Source: Internet & American Life Project, Pew Research Center
within their own countries, an increase from only Beyond Europe

feel fully compliant, and many are still working on
four in ten in 2015.
the most restrictive legal requirements as their
Governments outside Europe have also begun
scalable solutions. own
to standard.
enact For most
data-privacy companies
regulations. in the United
In Brazil, for
The GDPRchallenge
A central has been – considered
particularly a bellwether for
for companies example, the Lei Geral de Proteção deguidelines.
States, this means following CCPA’s Dados,
data-privacy regulation. Even in Europe,
that operate internationally – is the patchwork policy or LGPD (General
Another Data Protection
difficult aspect of privacyLaw) will go
regulation
makersof
nature are seeking toRequirements
regulation. enact additional areconsumer-
very into effect in August 2020. Brazil’s previous
has to do with the deletion and porting of data:
different from one jurisdiction or marketregulation
privacy measures, including the ePrivacy to data-protection
regulations allow regulations
consumers were sector based.
to request that their
(an extension
another. of GDPR),
To address which focuses
regulatory diversityon and
privacy The LGPD is an overarching, nationwide
data be deleted or that enterprises provide law user
protection for data transmitted electronically. Its centralizing and codifying rules governing the
anticipate future regulations, many companies data to individual consumers or other services.
status as a regulation (rather than a directive) collection, use, processing, and storage of
have begun systematizing their approach For many companies, these tasks are technically
means that it could be enforced uniformly across EU personal data. While the fines are less steep than
to compliance. Some have begun creating challenging. Corporate data sets are often
member states. The ePrivacy regulation is likely to the GDPR’s, they are still formidable: failing to
regulatory roles and responsibilities within their fragmented across varied IT infrastructure, making
be enacted in 2020.
organizations. Many are trying to implement it difficult to recover all information on individual
future-proof solutions. Rather than meeting consumers. Some data, furthermore, may be
CCPA requirements only in California, Microsoft located outside the enterprise, in affiliate or third-
is applying them to all US citizens, though other party networks. For these reasons, companies
states do not yet have policies as restrictive as can struggle to identify all data from all sources for
the CCPA. This practice will probably become transfer or deletion.
more common, as many companies are using

Companies should develop
clear, standardized procedures
to govern requests for the
removal or transfer of data.
Proactive steps for companies according to their roles, with security-access
levels determined for different data categories.
Several effective actions have emerged for
About one-third of the breaches in recent years
companies that seek to address enhanced
have been attributed to insider threats. This risk
consumer-privacy and data-protection
can be mitigated by ensuring that data sets are
requirements. These span the life cycle of
accessible only to those who need them and that
enterprise data, and include steps in operations,
no one has access to all available data. Even the
infrastructure, and customer-facing practices, and
most robust practices for identity and access
are enabled by data mapping.
management can fail – some breaches can be
Data mapping caused by individuals with approved access – so
Leading companies have created data maps or additional activity monitoring can be helpful.
registers to categorize the types of data they
To act quickly when breaches do occur,
collect from customers. The solution is best
organizations will want to pressure-test their
designed to accommodate increases in the volume
crisis-response processes in advance. People
and range of such data that will surely come.
who will be involved in the response must be
Existing data-cataloging and data-flow-mapping
identified and a strong communications strategy
tools can support the process.
developed. One of the highest predictors of
Companies need to know which data they actually consumer trust is the speed of company reporting
require to serve customers. Much of the data that and response when breaches occur. Indeed, most
is collected is not used for analytics and will not new regulations require companies to disclose
be needed in the future. Companies will mitigate breaches very quickly; the GDPR, for example,
risk by collecting only the data they will probably mandates the announcement of a breach within
need. Another necessary step is to write or revise 72 hours of its discovery.
data-storage and -security policies. The best
Companies should develop clear, standardized
approaches account for the different categories of
procedures to govern requests for the removal or
data, which can require different storage policies.
transfer of data. These should ensure expedited
Of further importance is the growing appetite for compliance with regulations and cover consumer
applied analytics. Today, leading companies need requests for the identification, removal, and
robust analytics policies. Given the proliferation transfer of data. The processes should support
of advanced machine-learning tools, many data discovery in all pertinent infrastructure
organizations will seek to analyze the high volumes environments within a company and across its
of data they collect, especially by experimenting affiliates. Most companies today use manual
with unsupervised algorithms. But unless processes, which creates an opportunity for
companies have advanced model-validation streamlining and automating them to save time
approaches and thoughtfully purposed consumer and resources. This approach also prepares
data, they should proceed with extreme caution, infrastructure environments for future process
probably by focusing specifically on supervised- developments.
learning algorithms to minimize risk.
Working closely with third parties, affiliates, and
Operations vendors, companies can gain an understanding
Leading organizations have developed identity- of how and where their data are stored. This
and access-management practices for individuals knowledge is especially important when third

parties are supporting the development of while features strike a balance with the user
products and features and need access to experience.
consumer data. Some companies are considering
It is important for organizations to communicate
establishing review boards to support decisions
transparently: customers should know when
about sharing data with third parties.
and why their data are being collected. Many
Infrastructure companies are adding consumer privacy to their
Organizations are working to create infrastructure value propositions and carefully crafting the
environments that can readily accommodate the messages in their privacy policies and cookie
increasing volumes of data collected, as well as notices to align with the overall brand.
attending technological innovations. Best practice
is to store data in a limited number of systems,
depending on data type or classification. A smaller Our research revealed that our sample of
systems footprint reduces the chance of breaches. consumers simply do not trust companies to
Customer-facing best practices handle their data and protect their privacy.
Leading companies are building “privacy by Companies can therefore differentiate themselves
design” into consumer-facing applications, with by taking deliberate, positive measures in this
such features as automatic timed logouts and domain. In our experience, consumers respond
requirements for strong passwords. Security and to companies that treat their personal data as
privacy become default options for consumers, carefully as they do themselves.
Venky Anant is a partner in McKinsey’s Silicon Valley office, where Lisa Donchak is a consultant;
James Kaplan is a partner in the New York office; Henning Soller is a partner in the Frankfurt office.

Consumer-data privacy
and personalization at
scale: How leading
Marketing & Sales
retailers and
Consumer-data consumer
privacy and
personalization
brands can at strategize
scale: How
leading
forretailers
both and consumer
brands can strategize for both
Customer
Customer concerns concerns
about aboutand
the security the privacy
securityofand privacy
their onlineof their
data online
can impede
personalizeddata can impede
marketing personalized
at scale. marketing
Best-practice at scale.
companies Best-practice
are building protections
companies are
into their digital properties. building protections into their digital properties.
© Getty Images
November 2019
48 Consumer-data privacy and personalization at scale: How leading retailers and consumer brands can strategize for both
Personalization at scale is where retailers and will limit current practices, and 51 percent said
consumer brands are competing to win. But in they don’t think consumers will limit access to their
focusing on “playing offense” to capture value, data (Exhibit 1)—this despite other recent surveys
Personalization at scale is
executives are often overlooking their “defense”: where retailers and
showing regulations
that more than will90
limit current of
percent practices,
consumersand 51
consumer brands are competing to win. But in percent said they don’t think consumers will limit
preserving, protecting, enabling, and accelerating are concerned about their online privacy, and nearly
focusing on “playing offense” to capture value, access to their data (Exhibit 1) – this despite other
the hard-won gains of their digital efforts by 50 percent have limited their online activity because
executives are often overlooking their “defense”: recent surveys showing that more than 90 percent
ensuring that personalization at scale keeps of
preserving, protecting, enabling, and accelerating privacy concerns.¹
of consumers are concerned about their online
personal data secure theand private.
hard-won gains of their digital efforts by privacy, and nearly 50 percent have limited their
ensuring that personalization at scale keeps Getting theonline
security andbecause
activity privacyof ofprivacy
personalization
concerns.1
As the enterprise risk of collecting,
personal holding,
data secure and
and private. wrong can slow time to market for new applications,
Getting the security and privacy of
using consumer data to personalize
As the enterprise riskofferings
of collecting, holding, constrain remarketing
personalization and consumer-data
wrong can slow time to market
grows, so do the business-impairing data to personalize collection, result
and using consumerconsequences for newinapplications,
significant constrain
fines, or—worse—
remarketing and
for those who fail toofferings
get it right. Despite
grows, these
so do the business-impairingcause material harm to brand
consumer-data reputation
collection, through
result in significant
challenges and opportunities,
consequences most marketing
for those negative consumer
who fail to get it right. fines, or –experience.
worse – cause Getting it harm
material right to brand
Despite these challenges
leaders remain surprisingly unconcerned with how and opportunities, reputation through negative
reduces time to market, puts security and privacy consumer experience.
most marketing
to manage data security and privacy. leaders remain surprisingly Getting it right reduces time
at the heart of the company’s value proposition, to market, puts
unconcerned with how to manage data security security and privacy at the heart of the company’s
boosts customer-satisfaction scores, and materially
and privacy. value proposition, boosts customer-satisfaction
In a recent McKinsey survey of senior marketing reduces the likelihood of regulatory fines.
scores, and materially reduces the likelihood of
leaders, 64 percentInsaid
a recent
theyMcKinsey survey
don’t think of senior marketing
regulations regulatory fines.
leaders, 64 percent said they don’t think
1
Brian Byer, “Internet users
1 worry about online privacy but feel powerless to do much about it,” Entrepreneur, June 20, 2018, entrepreneur.com;
Brian Byer, “Internet users worry about online privacy but feel powerless to do much about it,” Entrepreneur, June 20, 2018,
and Rafi Goldberg, “Lack ofentrepreneur.com;
trust in internet and
privacy and security
Rafi Goldberg, may
“Lack deter
of trust in economic and other
internet privacy onlinemay
and security activities,” National
deter economic andTelecommunications
other online activities,”
National Telecommunications
Exhibit 1
Many marketers
Many feelconfident
marketers feel confidentthat
thatneither
neitherregulations
regulations nor
nor consumer
consumer
sentimentwill
sentiment will limit
limit data
datacollection
collectionininthe
thefuture.
future.
Marketers’ perspectives on regulations, %
Regulations will not limit current practices 64
Regulations will limit current practices 30
Regulations will make access easier 6
Marketers’ perspectives on consumer attitudes, %
Consumers will not limit data access 51
Consumers will limit data access 26
Consumers to demand transparency but

23
seek new ways to share data
Source: 2018 senior management personalization survey: Based on question 27: How do you expect regulations to affect personalization practices in your industry?
And question 28: How do you expect customer behavior regarding data collection to evolve over the next six years?
Consumer-data privacy and personalization at scale: How leading retailers and consumer brands can strategize for both
Consumer-data privacy and personalization at scale: How leading retailers and consumer brands can strategize for both 49
Where to start — Establishing and enforcing standards on
security and privacy for creative agencies
For most companies, getting security and privacy
right begins with remediating and transforming the — Using best practices for data protection in their
digital-marketing applications and systems that day-to day-work
Where to start
generate, transmit, consume, store, or dispose of
They also put marketing at the center of the
Forconsumer
most companies, getting — Tokenizing
effort, consumer
educating teams data
on the ensuring
value at stakeconsent
data (Exhibit 2).security
Leadingand privacy
brands make
right begins with remediating and transforming thedata through,compliance
for example:
this part of a broader baseline assessment of
digital-marketing applications and systems that — Sanitizing data before using them in outbound
security and privacy across people, processes,
generate, transmit, consume, store, or dispose of — establishing and enforcing standards on
and technology and tie it to business use cases. communications and remarketing
consumer data (Exhibit 2). Leading brands make security and privacy for creative agencies
this part of a broader baseline assessment of data — Being accountable for incidents when they occur
They also put marketing at the center of the effort,
security and privacy across people, processes, and — using best practices for data protection in
educating teams on the value at stake through, for
technology and tie it to business use cases. their day-to day-work
example:
Exhibit 2
The marketing structure should enable digital-property remediation and
The marketing structure should enable digital-property remediation and transformation.
transformation.
Digital properties (consumer-facing

or consumer-touching applications)
Marketing-operations pillars that support digital-property impact
Marketing operations that Content Consumer- Outbound

enable digital-property creation data communications
value creation
A and delivery B acquisition C
and use
Remediation & trans- 1 Digital-property workflows and processes

formation enablers—
the foundation of
2 Technical architecture, infrastructure, and data
marketing
operations
and digital 3 Compliance and risk management
properties
4 Organization design, operating model, and governance
Descriptions (not exhaustive):
a) Content development for consumer-facing brand websites 1 Where and how digital assets/properties should be created and
A
b) Content delivery through e-commerce and merchandising maintained
portraying products and brands in a way that allows the enter-
prise to "do business" with its customers 2 Technical capabilities, such as data lake or discovery scan
tools, to facilitate collection, storage, management, and testing
a) Cookie management to granularly track and collect consumer- of consumer data
behavior data across properties as customers engage with them
B
b) Remarketing by using data to drive portrayal and placement 3 The global vs local policies, processes, and tools to adopt,
of products and brands with which the consumer engages follow, and validate to meet security-and-privacy obligations in
a variety of regulatory environments
a) Using consumer data from digital properties and other 4 Agile organization and operating model that clarifies roles
C
sources to drive outbound marketing (such as pay-per-click, and responsibilities across functions and rationalizes external
advertising, digital display) partners/agencies
The dialogue with marketing and other executive team defend its decisions on where
stakeholders in this context should be ongoing, and how to allocate spend on security and
to match the enterprise’s evolving needs for data privacy. Understanding how properties such as
and technical capabilities and to capture the value information systems and assets map to each other,
from use cases. to the threat landscape, and to the business value
chain also clarifies where eliminating risks can
An imperative on security and privacy can help
enhance enterprise value.
with many things
— tokenizing – fromdata
consumer eliminating tech debt security and privacy functions. Aligning on core
to breaking down silos – by opening iterative Clarify
beliefs anddata strategy,
a framework togovernance, and policies,
approach the effort
dialogue
— ensuringon consent
data needs and new operational
compliance and build
(Exhibit 3) caninhelp
the the
roles and
team requirements
quickly get the to make
requirements between the business and the them conviction
needed work and buy-in.
— sanitizing
security data before
and privacy using them
functions. in outbound
Aligning on core The details of programs for data security and
communications and remarketing
beliefs and a framework to approach the effort privacy may vary by company, industry, or the local
(Exhibit 3) can help the team quickly get the How to move
regulatory quickly
climate. Consumerat scale
and retail enterprises,
— beingconviction
needed accountable
and forbuy-in.
incidents when they Asfor
theexample,
transformation of data
often hold management
consumer is no more
data for
occur piloted
than 13and scaled,in
months, prioritizing a few consumer
order to track key actionspatterns
to
improve security and privacy will ensure outcomes
How to move quickly at scale
The dialogue with marketing and other
through seasons and holidays. Auto retailers, on
that enable rather than disable the business.
the other hand, often hold data longer, to reflect the
As the transformation
stakeholders of data
in this context management
should be ongoing,is
longer time between automotive purchases, which
piloted
to matchand
thescaled, prioritizing
enterprise’s evolvinga needs
few keyforactions
data to Build a risk register for digital properties
and technical capabilities and towill
capture the value tend to be multiyear, not annual. Other companies
improve security and privacy ensure outcomes Taking a risk-back approach can help the
fromenable
use cases. may tailor
executive their
team globalitsprivacy
defend policy
decisions to meet
on where local
and
that rather than disable the business.
regulatory requirements, such as General
how to allocate spend on security and privacy. Data
Build a risk register
An imperative for and
on security digital properties
privacy can help Protection Regulation
Understanding (GDPR)
how properties or the
such California
as information
Taking a risk-back approach can help
with many things—from eliminating tech debt the Consumer Privacy Act (CCPA).
systems and assets map to each other, to the
to breaking down silos—by opening iterative threat landscape, and to the business value chain
dialogue on data needs and new operational also clarifies where eliminating risks can enhance
requirements between the business and the enterprise value.
Exhibit 3
Company
Company alignment
alignment onon thethe core
core principles
principles for transforming
for transforming digital properties
digital properties
will enable personalization at scale.
will enable personalization at scale.
Manage digital property the way you manage your people. Knowing the identity, performance, and safety of
your applications is as important as knowing the identity, performance, and reliability of your people.
? Anchor the approach in use cases. For a successful transformation, understand which business use cases the
transformed digital properties will support, and clarify the architectural gaps you need to fill to support both
properties and use cases.
. Create and maintain a risk-based asset inventory. This will help to clarify your enterprise digital-property
landscape, as well as compliance issues and business risk, and is an essential tool for prioritizing
... transformation initiatives.
Align risk with enterprise appetite. A risk-back, minimum viable approach to building security-and-privacy
protections into the transformation of digital properties is a commercial imperative for personalization at scale.
Clarify roles, responsibilities, decision rights, and talent requirements across the organization. This is the
key to ensuring you can quickly embed the cross-functional capabilities needed to bring new properties to
market.
Implement the transformation by deploying cross-functional teams in agile sprints. This will not only
mitigate execution risk—a requirement, not an option—but also enable you to capture value at scale and
demonstrate that the process is iterative.
4 Consumer-dataprivacy
Consumer-data privacy and
and personalization
personalization at scale:
at scale: HowHow leading
leading retailers
retailers and consumer
and consumer brandsbrands can strategize
can strategize for both for both 51
But some best practices are emerging as developed, which reduced downstream rework,
enterprises focus on data privacy and security. accelerated time to market, and put data
One leading privacy policy is the tokenization protection at the center of the enterprise’s value
and sanitization of data before using them in proposition to consumers.
remarketing. Further, leading institutions will
Create and deliver role-based training on
align on the “minimum viable data and controls”
security and privacy
required to preserve a long-term view of
Given that more than 80 percent of enterprise
consumers and empathetically engage them
cybersecurity incidents begin with a human
at scale. To embed awareness of security and
clicking on malware, regular training tailored
privacy across an enterprise, some companies find
to key roles is essential to reduce the risks of
it useful to create roles for business-information
personalization. Marketing teams, for example,
security and privacy officers (BISPOs) or “security
might need to learn best practices for remarketing,
and privacy ambassadors.” Such programs can
such as parsing data to eliminate personal
not only empower employee teams to become
identifiability while preserving business value.
knowledgeable about organization practices
on security and privacy but also ensure that the There are about 15 core employee behaviors that
integrity of digital properties continues long after can be addressed and transformed through a
they are transformed and remediated. focused campaign of annual training supported
by unpredictable reminders, such as occasional
In the event of a breach of data security or
emails and text messages or antiphishing test
privacy, it is helpful to have in place incident-
campaigns. Similarly, building security and
response plans that are “living documents” formed
privacy standards into performance reviews – for
through the test-and-learn iterative process of
example, setting a threshold for the number of
simulation. These can help executive teams make
security or privacy incidents in a line of business
better decisions faster about managing their
over a period of time – can ensure that the entire
digital properties – and their relationships with
business, not just the experts on security and
regulators.
privacy, owns the problem and the solution.
Build security and privacy into enterprise
Personalize security and privacy for the
analytics and application development
consumer
Consider the example of an enterprise seeking
Leading financial institutions have already
to transform itself into a platform company
unlocked the value of increasing net promoter
using consumer and customer data to cocreate
scores (NPS) by taking the hassle out of consumer
application programming interfaces (APIs) to
validation processes. By reducing hold times,
transform how consumers engaged with the
simplifying and tailoring multifactor authentication
brand. Before the enterprise built security
to meet consumer preferences, and placing
requirements into its application development, it
data-protection controls for consumer-facing
had missed at least one major market opportunity
applications in the hands of the consumer, they
because of regulators’ security concerns,
are improving customer experience without
frequently experienced application launch delays
compromising underlying security and privacy.
because of security-related rework requirements,
and lacked capacity to verify whether around 80 Leading retailers and consumer brands can
percent of the business-support applications it adopt a product-management mind-set and
developed annually complied with its requirements delight consumers by building data-protection
on security and privacy. options into consumer-facing applications and
support functions. By partnering with cutting-
By building those requirements into its software-
edge technology innovators, they can tailor
development policies, the enterprise made the
processes to what is most convenient for the
software-developer team responsible for meeting
consumer. Good places to start are multifactor
them right from the start, in the design phase. The
authentication by text, call, or randomly generated
security-and-privacy team would only involve itself
code, or built-in strong-password-generating
“by exception,” if a development team declined
tools to simplify password recall for consumers
to meet a specified requirement. This approach
accessing a retailer’s direct-to-consumer
ensured that standards on security and privacy
application. Measuring performance over time
were met in more than 90 percent of applications
through commonly available customer-experience
dashboards such as NPS can ensure that attempts 4. How are you managing your data to derive
to build security and privacy into consumer-facing value-creating analytic insight from
applications are refined quickly and iteratively. personalization without causing value-
destroying financial or operational loss due to
The opportunity around personalization at scale
privacy or security incidents?
for consumer brands and retailers has never been
more critical to capture. At the same time, the 5. What is the state of your secure software-
need to create a net positive consumer experience development life cycle program?
while avoiding the downsides of reputational,
6. How are you ensuring the secure operation of
operational, legal, and financial risks is a hard
your cloud environment?
balance to strike. Several core questions can help
clarify where your enterprise stands – and what to 7. How are you ensuring that security and privacy
do about it: are every employee’s responsibility?
1. How does your personalization technology 8. What is your capability aspiration for
measure your customer’s security and privacy customer-data security and privacy, how
experience? are you measuring progress toward that
aspiration, and how are you reporting progress
2. What is your enterprise’s critical-asset or
to the board?
-system risk register for data security and
privacy? By answering these questions, companies can
help ensure that personalization at scale is only a
3. How complete is your security-and-privacy
benefit, not a bane, to any consumer and brand.
technology stack, and how do you determine
this?
Julien Boudet is a partner in McKinsey’s Southern California office, Jess Huang is a partner in the
Silicon Valley office, Kathryn Rathje is an associate partner in the San Francisco office, and Marc Sorel
is a consultant in the Washington, DC, office.
Financial crime
and fraud in the age
Risk Practice
ofFinancial crime
cybersecurity
and fraud in the age of
cybersecurity
As cybersecurity threats compound the risks of financial
crimeAs
and fraud, institutions
cybersecurity threatsare crossing the
compound functional
risks of financial crime
boundaries to enable
and fraud, collaborative
institutions resistance.
are crossing functional boundaries to enable
collaborative resistance.
by Salim Hasham, Shoan Joshi, and Daniel Mikkelsen
by Salim Hasham, Shoan Joshi, and Daniel Mikkelsen
© Cimmerian/Getty Images
October 2019
54 Financial crime and fraud in the age of cybersecurity

In 2018, the World Economic Forum noted that targeting countries, public and private entities,
fraud and financial crime was a trillion-dollar and even individuals. Institutions are finding that
industry, reporting that private companies their existing approaches to fighting such crimes
spent approximately $8.2 billion on anti-money cannot satisfactorily handle the many threats and
laundering (AML) controls alone in 2017. The burdens. For this reason, leaders are transforming
crimes themselves, detected and undetected, their operating models to obtain a holistic view
have become more numerous and costly than of the evolving landscape of financial crime. This
ever. In a widely cited estimate, for every dollar view becomes the starting point of efficient and
of fraud institutions lose nearly three dollars, effective management of fraud risk. The evolution
once associated costs are added to the fraud of fraud and financial crime Fraud and financial
loss itself.1 Risks for banks arise from diverse crime adapt to developments in the domains
factors, including vulnerabilities to fraud and they plunder. (Most financial institutions draw a
financial crime inherent in automation and distinction between these two types of crimes:
digitization, massive growth in transaction for a view on the distinction, or lack thereof, see
volumes, and the greater integration of financial the sidebar “Financial crime or fraud?”) With the
systems within countries and internationally. advent of digitization and automation of financial
Cybercrime and malicious hacking have also systems, these crimes have become more
intensified. In the domain of financial crime, electronically sophisticated and impersonal. One
meanwhile, regulators continually revise rules, series of crimes, the so-called Carbanak attacks
increasingly to account for illegal trafficking beginning in 2013, well illustrates the cyber profile
and money laundering, and governments have of much of present-day financial crime and fraud.
ratcheted up the use of economic sanctions, These were malware-based bank thefts totaling
1
World Economic Forum Annual Meeting, Davos-Klosters, Switzerland, January 23–26, 2018; LexisNexis risk solutions 2018 True Cost of
Fraud study, LexisNexis, August 2018, risk.lexisnexis.com.
Sidebar
Financial crime or fraud?

For purposes of detection, interdiction, financial crime has generally meant and insider threats, involving deception of
and prevention, many institutions draw a money laundering and a few other financial personnel or services to commit
distinction between fraud and financial criminal transgressions, including bribery theft. Financial institutions have generally
crime. Boundaries are blurring, especially and tax evasion, involving the use of approached fraud as a loss problem,
since the rise of cyberthreats, which financial services in support of criminal lately applying advanced analytics for
reveal the extent to which criminal enterprises. It is most often addressed detection and even real-time interdiction.
activities have become more complex as a compliance issue, as when financial As the distinction between these three
and interrelated. What’s more, the institutions avert fines with anti-money categories of crime have become less
distinction is not based on law, and laundering activities. Fraud, on the other relevant, financial institutions need to use
regulators sometimes view it as the result hand, generally designates a host of many of the same tools to protect assets
of organizational silos. Nevertheless, crimes, such as forgery, credit scams, against all of them.
Financial crime and fraud in the age of cybersecurity 55

more than $1 billion. The attackers, an organized A siloed approach to these interconnected risks
criminal gang, gained access to systems through is becoming increasingly untenable; clearly, the
phishing and then transferred fraudulently inflated operating model needs to be rethought.
balances to their
totaling more thanown accounts
$1 billion. The or programmed
attackers, an A As
siloed approach to these interconnected risks
banks begin to align operations to the
ATMs to dispense
organized criminal cash
gang,to waiting
gained accomplices
access to systems isshifting
becoming increasingly untenable; clearly, the
profile of financial crime, they confront
(Exhibit
through1).phishing and then transferred fraudulently operating model needs to be rethought.
the deepening connections between cyber
inflated balances
Significantly, this to theirwas
crime ownoneaccounts or
simultaneous, breaches and most types of financial crime. The
programmed ATMs to dispense cash to waiting As banks begin to align operations to the
coordinated attack against many banks. The cyber element is not new, exactly. Until recently,
accomplices (Exhibit 1). shifting profile of financial crime, they confront
attackers exhibited a sophisticated knowledge for example, most fraud has been transaction
the deepening connections between cyber
of the cyber environment and likely understood based, with criminals exploiting weaknesses in
Significantly, this crime was one simultaneous, breaches and most types of financial crime. The
banking processes, controls, and
coordinated attack against many banks. The even controls.
cyber Banks
element counter
is not such fraud
new, exactly. Until with relatively
recently,
vulnerabilities arising
attackers exhibited from siloed organizations
a sophisticated knowledge forstraightforward, channel-specific,
example, most fraud point-based
has been transaction
and governance. They also made use
of the cyber environment and likely understood of several based, with criminals exploiting weaknesses fraud
controls. Lately, however, identity-based in has
channels, including ATMs, credit
banking processes, controls, and even and debit cards, become more prevalent, as fraudsters develop
controls. Banks counter such fraud with relatively
and wire transfers.
vulnerabilities The
arising attacks
from siloedrevealed that
organizations applications tochannel-specific,
straightforward, exploit natural orpoint-based
synthetic data.
meaningful
and governance.distinctions
They alsoamong
madecyberattacks,
use of several Cyber-enabled
controls. attacksidentity-based
Lately, however, are becoming fraud
more
channels,
fraud, andincluding
financial ATMs, credit
crime are and debit cards,
disappearing. Banks has become in
ambitious more prevalent,
scope as fraudsters
and omnipresent, eroding
McK Risk 8 2019have
and wire transfers.
not yet The attacks
addressed these newrevealed that
intersections, develop applications
the value of personal to exploit natural
information andor synthetic
security
Financial crime which
meaningful distinctions
transgress among cyberattacks,
the boundary lines most have data. Cyber-enabled attacks are becoming
protections.
Exhibit 1 of 6 fraud, and
erected financialthe
between crime
typesareofdisappearing.
crimes (ExhibitBanks
2). more ambitious in scope and omnipresent,
have not yet addressed these new intersections, eroding the value of personal information and
which transgress the boundary lines most have security protections.
erected between the types of crimes (Exhibit 2).
Exhibit 1
The new cyber profile of fraud and financial crime is well illustrated by the Carbanak attacks.
1. Spear phishing 2. Backdoor executed: 3. Machines infected in 4. Admin PC identified,

Employee in targeted credentials stolen search for admin PC clerk screens intercepted
organization receives email Upon opening attachment, Carbanak searches network Attacker watches
with the Carbanak backdoor employee activates and finds admin PC; embeds admin screen to mimic admin
as an attachment the Carbanak backdoor and records behavior for the bank’s
cash-transfer systems
5. Balances inflated and 6. ATM programmed to 7. Cash moved through

inflated amount transferred dispense cash channels by wire transfers,
Attackers alter balances, Attackers program ATMs to e-payments
pocket extra funds ($1k issue cash to waiting Attackers use online and
account enlarged to $10k, accomplices at specific times e-payments to receiver banks
then $9k transferred) to transfer extracted funds

McK Risk 8 2019
Financial crime
Exhibit 2 of 6
Exhibit 2
Crime pathways are converging, blurring traditional distinctions among cyber breaches,
fraud, and financial crimes.
Fraud and insider threats Cyber breaches Financial crimes
• Internal and external • Confidentiality • Money laundering
threats • Integrity • Bribery and corruption
• Retail and nonretail threats • Systems availability • Tax evasion and tax fraud
• Insider threats
• Market abuse and
misbehavior
Example: cyberattack on a central bank

Bank employee’s SWIFT1 Malware surreptitiously Funds routed from bank’s Withdrawals were made Attacks may have been linked to
credentials stolen with installed on the bank’s account at a branch of at the third bank through a known sanctioned entity
the help of insiders computers to prevent another country’s central multiple transactions
discovery of withdrawals bank to a third bank (on a that were not blocked
weekend to ensure until too late
staff absence)
¹ Society for Worldwide Interbank Financial Telecommunication.
In a world where customers infrequently contact cybercrime. Both the front line and back-office
Inbank
a world
staffwhere customers
but rather interactinfrequently
almost entirely contact banks. Risk
operations arefunctions
oriented inandthisregulators
direction ataremanycatching
bank staffdigital
through but rather
channels,interact almost
“digital trust”entirely
has fast on as Risk
banks. well.functions
AML, while andnow mainlyare
regulators addressed
catching as
through
becomedigital channels,
a significant “digital trust”
differentiator has fast
of customer ona regulatory
as well. AML,issue,
whileisnow
seen as being
mainly on theasnext
addressed
become a significant
experience. Banks that differentiator of customer
offer a seamless, secure, ahorizon forissue,
regulatory integration.
is seen Important
as being oninitial steps
the next
and speedy digital interface will see a
experience. Banks that offer a seamless, secure,positive horizon for integration. Important initial
for institutions embarking on an integration steps for
impact
and on revenue,
speedy while those
digital interface that
will seedon’t will erode
a positive institutions embarking on an integration
effort are to define precisely the nature of all effort are
value and potentially lose business. Modern
impact on revenue, while those that don’t will banking torelated
define precisely the nature of all related
riskmanagement activities and to clarify risk-
demands faster risk decisions (such as
erode value and potentially lose business. Modern real-time management
the roles and activities and to clarify
responsibilities the the
across roleslines
and
payments) so banks must strike the right balance responsibilities across the lines of defense. These
banking demands faster risk decisions (such as of defense. These steps will ensure complete,
between managing fraud and handling authorized steps will ensure complete, clearly delineated
real-time payments) so banks must strike the right clearly delineated coverage – by the businesses
transactions instantly. coverage—by the businesses and enterprise
balance between managing fraud and handling and enterprise functions (first line of defense)
functions (first line of defense) and by risk, including
authorized
The growing transactions instantly.
cost of financial crime and fraud risk and by risk,
financial crime,including
fraud, and financial crime, fraud,
cyber operations and
(second
hasgrowing
also overshot expectations, pushed cyber operations
line)—while (second
eliminating line) –ofwhile
duplication eliminating
effort.
The cost of financial crime and upward by
fraud risk
several drivers. As banks focus tightly on reducing duplication of effort.
has also overshot expectations, pushed upward by
liabilities and efficiency costs, losses in areas All risks associated with financial crime involve
several drivers. As banks focus tightly on reducing All risks associated with financial crime involve
such as customer experience, revenue, reputation, three kinds of countermeasures: identifying and
liabilities and efficiency costs, losses in areas such three kinds of countermeasures: identifying and
and even regulatory compliance are being missed authenticating the customer, monitoring and
as customer experience, revenue, reputation, and authenticating the customer, monitoring and
(Exhibit 3). detecting transaction and behavioral anomalies,
even regulatory compliance are being missed detecting transaction and behavioral anomalies,
and responding to mitigate risks and issues. Each
(Exhibit 3). ofand responding
these activities,to mitigate
whether risks
taken in and issues. Each
response
Bringing together financial crime, tooffraud,
thesecybersecurity
activities, whether taken
breaches in response
or attacks, or
Bringing
fraud, andtogether financial crime,
cyber operations to fraud,
other cybersecurity
financial crimes, arebreaches
supportedorbyattacks,
many or
fraud, and
At leading cyberthe
institutions operations
push is on to bring other data
similar financial crimes, areIndeed,
and processes. supported by many
bringing these
similar data and processes. Indeed, bringing these
data sources together with analytics materially
Attogether
leadingefforts on financial
institutions crime,
the push fraud,
is on and
to bring
data sources together with analytics materially
together efforts on financial crime, fraud, and
improves visibility while providing much deeper
cybercrime. Both the front line and back-office
insight to improve detection capability. In many
operations are oriented in this direction at many
4 Financial crime and fraud in the age of cybersecurity instances it also enables prevention efforts.

McK Risk 8 2019
Financial crime
Exhibit 3 of 6
Exhibit 3
Banks often focus on only a fraction of total financial-crime, fraud, and cybersecurity costs.
Example of financial-crime, fraud, and cybersecurity costs, $ million
525
50 Reimbursements if any
Regulatory fines
150
and remediation
100 Regulatory fines
40 System unavailable
40 Failed authentication
Indirect costs and 40 Transaction decline

200
foregone revenue
• Bank is in second quartile on
40 Customer-experience impact/attrition customer satisfaction for fraud cards
• Satisfied customers are twice as
40 Incorrect risk categorization likely to spend more on their cards
16.6 Breaches than are unsatisfied customers
Direct fraud losses 50 16.6 Fraud losses
16.6 Cost of FIU1
41.6 Cyber breach Bank focus areas

• Costs of all three lines of defense
Direct and indirect • Much of the cost is in the first line
125 41.6 Fraud
personal costs • Banks in this region typically
spend 20 to 40 basis points of
41.6 Financial crime
revenue on anti–money laundering
¹ Financial intelligence unit.
improves visibility while providing much deeper Generally speaking, experience shows that
insight to improve detection capability. In many organizational and governance design are the
Ininstances it alsoholistic
taking a more enablesview
prevention efforts.
of the underlying main considerations
Generally speaking,for the development
experience shows of
thatthe
processes, banks can streamline business and operating model. Whatever the particular
organizational and governance design are the choice,
In taking a more holistic view of the underlying institutions will need to bring together the right
technology architecture to support a better main considerations for the development of
processes, banks can streamline business and people in agile teams, taking a more holistic
customer experience, improved risk decision the operating model. Whatever the particular
technology architecture to support a better customer approach to common processes and technologies
making, and greater cost efficiencies. The choice, institutions will need to bring together
experience, improved risk decision making, and and doubling down on analytics—potentially
organizational structure can then be reconfigured
greater cost efficiencies. The organizational structure
the right people in agile teams, taking a more
creating “fusion centers,” to develop more
ascan
needed.
then be(Exhibit 4). as needed. (Exhibit 4).
reconfigured holistic approach
sophisticated to common
solutions. processes
It is entirely feasibleand
that
technologies and doubling down on analytics –
an institution will begin with the collaborative
From collaboration to holistic unification
Frommodels
collaboration to holistic unification potentially
model creatingmove
and gradually “fusion centers,”
toward to develop
greater
Three for addressing financial crime
Three models for addressing financial crime more sophisticated solutions. It is entirely
integration, depending on design decisions. We feasible
are important for our discussion. They are
are important for our discussion. They are that seen
have an institution
many banks willidentify
begin with theintegration
partial collaborative
distinguished by the degree of integration they
distinguished by the degree of integration they as their and
model target state, with
gradually move a view that full
toward AML
greater
represent among processes and operations for
represent among processes and operations integration
integration,is depending
an aspiration.on design decisions. We
the different types of crime (Exhibit 5).
for the different types of crime (Exhibit 5). have seen many banks identify partial integration
as their target state, with a view that full AML
integration is an aspiration.

McK Risk 8 2019
Financial crime
Exhibit 4 of 6
Exhibit 4
At their core, all functions perform the same three roles using similar data and processes.
Identification: “Who is my Monitoring: “What transactions Response: “How do I respond
customer?” are legitimate?” to a threat?”
Financial crime • Client risk rating • Transaction monitoring • Suspicious-activity monitoring

• Client due diligence; • Name screening • Financial intelligence unit
enhanced due diligence • Payments screening • List management
• Do not bank
Fraud • Identity verification, including • Transaction monitoring and • Investigations and resolutions teams
digital and nondigital presence decision making
• Device and voice analytics
Cybersecurity • Credentials management • Security-operations center (SOC) • SOC

and network-operations center, • Forensics
which enable monitoring • Resolution teams
Synergies across • Risk scoring of customers using • Risk scoring of transactions • Common feedback loop to
functions common and similar customer using similar analytics and develop a holistic view on modus
data, such as financials, digital common use cases based on operandi and drive top-down
footprint, nondigital records timing, destination, source, use-case development
value and frequency, device, • Pooling of resources and capabilities
and geolocation intelligence
1. Collaborative model. In this model, which for (including taxonomies) are shared, and
most banks represents the status quo, each similar interdiction processes are deployed.
1. of the domains
Collaborative – financial
model. In this crime,
model, fraud, and
which for ofDeeper
defense.integral advantages
Each unit prevail, including
maintains independence
most banks represents
cybersecurity – maintain the their
statusindependent
quo, each in consistency
this model butinworks
threatfrom a consistent
monitoring and detection
of the responsibilities,
roles, domains—financial andcrime, fraud, and
reporting. Each framework and taxonomy, following
and lower risk of gaps and overlap. Themutually
cybersecurity—maintain their independent
unit builds its own independent framework, roles, accepted
approach rules and responsibilities.
remains, Thus a with
however, consistent
responsibilities, and reporting.
cooperating on risk taxonomy and data andEach unit builds consistent architecture for prevention
the existing organizational structure (such
and little
its own independent framework, cooperating as for customer authentication) is adopted,
analytics for transaction monitoring, fraud, disrupts current operations. Consequently,
on risk taxonomy and data and analytics for risk-identification and assessment processes
and breaches. The approach is familiar to transparency is not increased, since separate
transaction monitoring, fraud, and breaches. (including taxonomies) are shared, and
regulators, but offers banks little of the reporting is maintained. No benefits of scale
The approach is familiar to regulators, but offers similar interdiction processes are deployed.
transparency needed
banks little of the to develop
transparency neededa holistic
to accrue,
Deeper and with
integral smaller operational
advantages units still in
prevail, including
view of financial-crime risk. In addition,
develop a holistic view of financial-crime risk. theIn place, the model is less attractive to
consistency in threat monitoring and detection top talent.
collaborative model oftenmodel leadsoften
to coverage
addition, the collaborative leads to 3. and lower risk
Unified of gaps
model. and fully
In this overlap. The approach
integrated
gaps or overlaps
coverage among the
gaps or overlaps separate
among groups
the separate remains, however, consistent with the existing
approach, the financial crimes, fraud, and
and failsand
groups to achieve the benefits
fails to achieve of scale
the benefits that
of scale organizational structure and little disrupts
cybersecurity operations are consolidated
that come
come withwith greater
greater functional
functional integration.The
integration. current operations. Consequently, transparency
into a single framework, with common assets
The model’s
model’s reliance
reliance on on smaller,
smaller, discreteunits
discrete is not increased, since separate reporting is
unitsalso
also means banks will be less able to attract top
and systems used to manage risk across the
maintained. No benefits of scale accrue, and
means banks will be less able to attract top
leadership talent. enterprise.
with The model
smaller operational hasstill
units a single view
in place, theof the
leadership talent.
customer
model is lessand shares
attractive toanalytics.
top talent. Through risk
2. Partially integrated model for cybersecurity
2. Partially integrated model for cybersecurity convergence, enterprise-wide transparency
and fraud. Many institutions are now working 3. Unified model. In this fully integrated approach,
and fraud. Many institutions are now working on threats is enhanced, better revealing the
toward this model, in which cybersecurity and the financial crimes, fraud, and cybersecurity
toward this model, in which cybersecurity
fraud are partially integrated as the second line and most important
operations underlying
are consolidated intorisks. The unified
a single
fraud are partially integrated as the second line model also captures benefits of scale across
of defense. Each unit maintains independence key roles and thereby enhances the bank’s
in this model but works from a consistent ability to attract and retain top talent. The
framework and taxonomy, following mutually disadvantages of this model are that it entails
6 accepted
Financial rules
crime and fraudand
in theresponsibilities.
age of cybersecurity Thus, a significant organizational change, making
consistent architecture for prevention (such bank operations less familiar to regulators. And
as for customer authentication) is adopted, even with the organizational change and risk
risk-identification and assessment processes convergence, risks remain differentiated.

McK Risk 8 2019
Financial crime
Exhibit 5 of 6
Exhibit 5
The three models address financial crime with progressively greater levels of
operational integration.
Traditional: collaboration Ongoing: partial integration1 Future: complete integration
Model features • Independent reporting, roles, and • Each financial-crime unit • Consolidated unit under a single
responsibilities for each type of maintains independence but framework using common assets and
financial crime uses a consistent framework systems to manage risks:
• Independent framework built and taxonomy with agreed-upon – Single view of the customer
by each unit rules and responsibilities: – Shared analytics
– Fraud and cybersecurity join
on prevention (eg, on
customer authentication)
– Consistent processes for
risk identification and
assessment
– Similar processes
(eg, interdiction)
Pluses and Least disruptive: maintains the More unified approach with lower risk Underlying risks are converging
minuses status quo of gaps/overlaps Enhanced ability to attract and
Regulators most familiar with Consistent organizational structure retain talent
the model with status quo Standard and common framework
Less visibility into overall Limited disruption from current state on what is being done
financial-crime risk Maintains separate reporting; Benefits of scale across key roles
Potential gaps, overlap among groups does not increase transparency Largest organizational change
No scale benefits No scale benefits While converging, risks remain
Smaller units less able to attract Smaller units less able to attract differentiated
top talent top talent Regulators are less familiar with
setup
Banks have begun by closely integrating cybersecurity and fraud while

stopping short of a fully integrated unit
1
Mainly cybersecurity and fraud.
framework, with common assets and systems less familiar to regulators. And even with the
Theused
imperative ofacross
to manage risk integration
the enterprise. The
cybersecurity and financial crime, including AML.
organizational change and risk convergence,
Byrisks
degrees,
remainhowever, increased integration can
The model
integration
has aof fraud
single andofcybersecurity
view the customer and differentiated.
shares analytics. Through risk convergence, improve the quality of risk management, as it
operations is an imperative step now, since the
enterprise-wide transparency on threats is enhances core effectiveness and efficiency in all
crimes themselves are already deeply interrelated.
enhanced, better revealing the most important channels, markets, and lines of business.
The enhanced data and analytics capabilities that The imperative of integration
underlying
integration risks.are
enables Thenow
unified model tools
essential also for the
Strategic
The prevention:
integration of fraud andThreats, prediction,
cybersecurity
captures benefits of scale across key roles
prevention, detection, and mitigation of threats. and controls
operations is an imperative step now, since the
and thereby enhances the bank’s ability to
Most forward-thinking institutions are working crimes
The ideathemselves are already
behind strategic deeply interrelated.
prevention is to predict
attract and retain top talent. The disadvantages
towards such integration, creating in stages a The
riskenhanced datajust
rather than andreact
analytics
to it. capabilities that
To predict where
of this model are that it entails significant
more unified model across the domains, based integration
threats will appear, banks need to redesignthe
enables are now essential tools for
organizational change, making bank operations
on common processes, tools, and analytics. AML prevention,
customer detection,
and internalandoperations
mitigation and
of threats.
processes
activities can also be integrated, but at a slower based on a continuous assessment of actual cases
pace, with focus on specific overlapping areas first. of fraud, financial crime, and cyberthreats. A view
of these is developed according to the customer
The starting point for most banks has been the
journey. Controls are designed holistically, around
collaborative model, with cooperation across
processes rather than points. The approach can7
silos. Some
Financial crimebanks are
and fraud now
in the ageshifting from this
of cybersecurity
significantly improve protection of the bank and its
model to one that integrates cybersecurity and
customers (Exhibit 6).
fraud. In the next horizon, a completely integrated
model enables comprehensive treatment of

McK Risk 8 2019 one that integrates cybersecurity and fraud. In of fraud, financial crime, and cyberthreats. A view
Financial crime the next horizon, a completely integrated model of these is developed according to the customer
Exhibit 6 of 6 enables comprehensive treatment of cybersecurity journey. Controls are designed holistically, around
and financial crime, including AML. By degrees, processes rather than points. The approach can
however, increased integration can improve significantly improve protection of the bank and its
the quality of risk management, as it enhances customers (Exhibit 6).
Exhibit 6
With a ‘customer journey’ view of fraud, banks can design controls with the greatest impact.
Potential fraud attacks in a customer journey, retail-banking example
Open an account Change account Make a payment Make a deposit
Customer- Customer opens a new Customer updates Customer pays self or third Customer makes a transfer or
initiated actions account or adds another existing account, eg, adding party through wire, credit deposit into their account
account through online, a beneficiary or changing or debit card, or online
mobile, branch, or ATM address transaction
channels
Attack channel
ATM • Identity theft • Malware • Card skimming or trapping • Money laundering

• Synthetic ID • Fake PIN pad or terror financing
• Employee-generated • Cash trapping • Malware (balance
account • Shoulder surfing multiplier)
• Malware • Duplicate card
• Malware
• Transaction reversal
Cards and • Account takeover • Card-not-present fraud

e-commerce • Address change • Card skimming
• Secondary card • Malware
• Malware • Cyberattack
E-banking • Addition of false • Cyberattack

and wire beneficiary • Malware
• Account takeover • Employee-driven
• Malware transaction
Branch • Account takeover • n/a

To arrive at a realistic view of these transgressions, Efficiencies of scale and processes
institutions need to think like the criminals. Crime The integrated fraud and cyber-risk functions
takes advantage of a system’s weak points. can improve threat prediction and detection while
Current cybercrime and fraud defenses are eliminating duplication of effort and resources.
focused on point controls or silos but are not Roles and responsibilities can be clarified so that
based on an understanding of how criminals no gaps are left between functions or within the
actually behave. For example, if banks improve second line of defense as a whole. Consistent
defenses around technology, crime will migrate methodologies and processes (including risk
elsewhere – to call centers, branches, or taxonomy and risk identification) can be directed
customers. By adopting this mind-set, banks towards building understanding and ownership
will be able to trace the migratory flow of crime, of risks. Integrating operational processes
looking at particular transgressions or types of and continuously updating risk scores allow
crime from inception to execution and exfiltration, institutions to dynamically update their view on the
mapping all the possibilities. By designing controls riskiness of clients and transactions .
around this principle, banks are forced to bring
Data, automation, and analytics
together disciplines (such as authentication
Through integration, the anti-fraud potential of
and voice-stress analysis), which improves both
the bank’s data, automation, and analytics can
efficacy and effectiveness.
be more fully realized. By integrating the data
of separate functions, both from internal and

external sources, banks can enhance customer has affirmed that banks are held in high regard by
identification and verification. Artificial intelligence their customers for performing well on fraud.
and machine learning can also better enable
Unified risk management for fraud, financial
predictive analytics when supported by aggregate
crime, and cyberthreats thus fosters digital trust,
sources of information. Insights can be produced
a concept that is taking shape as a customer
rapidly – to establish, for example, correlations
differentiator for banks. Security is clearly at the
between credential attacks, the probability
heart of this concept and is its most important
of account takeovers, and criminal money
ingredient. However, such factors as convenience,
movements. By overlaying such insights onto their
transparency, and control are also important
rules-based solutions, banks can reduce the rates
components of digital trust. The weight customers
of false positives in detection algorithms. This
assign to these attributes varies by segment,
lowers costs and helps investigators stay focused
but very often such advantages as hassle-free
on actual incidents.
authentication or the quick resolution of disputes
The aggregation of customer information that are indispensable builders of digital trust.
comes from the closer collaboration of the
A holistic view
groups addressing financial crime, fraud, and
The objective of the transformed operating model
cybersecurity will generally heighten the power of
is a holistic view of the evolving landscape of
the institution’s analytic and detection capabilities.
financial crime. This is the necessary standpoint
For example, real-time risk scoring and
of efficient and effective fraud-risk management,
transaction monitoring to detect transaction fraud
emphasizing the importance of independent
can accordingly be deployed to greater effect. This
oversight and challenge through duties clearly
is one of several improvements that will enhance
delineated in the three lines of defense. Ultimately,
regulatory preparedness by preventing potential
institutions will have to integrate business,
regulatory breaches.
operations, security, and risk teams for efficient
The customer experience and digital trust intelligence sharing and collaborative responses
The integrated approach to fraud risk can also to threats.
result in an optimized customer experience.
Obviously, meaningful improvements in customer How to proceed?
satisfaction help shape customer behavior and
When banks design their journeys toward a unified
enhance business outcomes. In the context of
operating model for financial crime, fraud, and
the risk operating model, objectives here include
cybersecurity, they must probe questions about
the segmentation of fraud and security controls
processes and activities, people and organization,
according to customer experience and needs as
data and technology, and governance (see sidebar
well as the use of automation and digitization to
“The target fraud-risk operating model: Key
enhance the customer journey. Survey after survey
questions for banks”).

Sidebar
The target fraud-risk operating model: Key questions for banks

In designing their target risk operating • What skills and how many people matrix, risk-identification rules,
model for financial crimes, fraud, and are needed to support the taxonomy)? How should they
cybersecurity, leading banks are probing activities? converge?
the following questions.
• What shared activities should be • What systems and applications do
— Processes and activities housed together (for example, in each of the divisions use? Can they
centers of excellence)? be streamlined?
• What are the key processes or
activities to be conducted for • What is the optimal reporting — Governance
customer identification and structure for each type of financial
• What are the governance bodies
authentication, monitoring and crime – directly to the chief risk
for each risk type? How do they
detection of anomalies, and officer? To the chief operations
overlap? For example, does the
responding to risks or issues? officer? To IT?
same committee oversee fraud and
• How frequently should specific — Data, tools, and technologies cybersecurity? Does committee
activities be conducted (such as membership overlap?
• What data should be shared
reporting)?
across cybersecurity, fraud, and • What are the specific, separate
• What activities can be consolidated other financial-crime divisions? responsibilities of the first and
into a “center of excellence”? Can the data sit in the same data second lines of defense?
warehouses to ensure consistency
— People and organization • What measurements are used to
and streamlining of data activities?
set the risk appetite by risk type?
• Who are the relevant stakeholders
• What tools and frameworks should How are they communicated to the
in each line of defense?
converge (for example, riskseverity rest of the organization?
Most banks begin the journey by closely fraud and AML, into a single global utility. The bank
integrating their cybersecurity and fraud has attained a more holistic view of customer risk
units. As they enhance information sharing and reduced operating costs by approximately
and coordination across silos, greater risk $100 million.
effectiveness and efficiency becomes possible.
To achieve the target state they seek, banks are
redefining organizational “lines and boxes” and,
even more important, the roles, responsibilities, As criminal transgressions in the financial-services
activities, and capabilities required across each sector become more sophisticated and break
line of defense. through traditional risk boundaries, banks are
Most have stopped short of fully unifying the risk watching their various risk functions become more
functions relating to financial crimes, though a costly and less effective. Leaders are therefore
few have attained a deeper integration. A leading rethinking their approaches to take advantage of
US bank set up a holistic “center of excellence” the synergies available in integration. Ultimately,
to enable end-to-end decision making across fraud, cybersecurity, and AML can be consolidated
fraud and cybersecurity. From prevention under a holistic approach based on the same data
to investigation and recovery, the bank can and processes. Most of the benefits are available
point to significant efficiency gains. A global in the near term, however, through the integration
universal bank has gone all the way, combining all of fraud and cyber operations.
operations related to financial crimes, including
Salim Hasham is a partner in McKinsey’s New York office, where Shoan Joshi is a senior expert; Daniel
Mikkelsen is a senior partner in the London office.

Critical infrastructure
companies and the
Risk Practice
global cybersecurity
Critical infrastructure
threat
companies and the global
cybersecurity threat
How the energy, mining, and materials industries can meet the
unique
Howchallenges
the energy,ofmining,
protecting themselves
and materials in a digital
industries canworld.
meet the unique
challenges
by Adrian ofDhingra,
Booth, Aman protecting themselves
Sven Heiligtag, in a and
Mahir Nayfeh, digital
Danielworld.
Wallance
by Adrian Booth, Aman Dhingra, Sven Heiligtag, Mahir Nayfeh, and Daniel Wallance
© Milko Marchett/Getty Images
April 2019
64 Critical infrastructure companies and the global cybersecurity threat

Whether they generate or distribute power, Heavy industrials can become collateral
or extract or refine oil, gas, or minerals, damage in broader attacks even when they are
heavy industrial companies comprise critical not the target, given IT security gaps and OT
infrastructure for the global economy. As a result, networks connected to IT networks through new
they are attractive targets for cyber crimes. technologies. Obviously, these threats have become
Already by 2018, nearly 60 percent of relevant a major concern for top managers, boards, and
surveyed organizations had experienced a breach national government bodies.
in their industrial control (ICS) or supervisory
Attacks on national infrastructure
control and data-acquisition (SCADA) systems.1
Among the most significant attacks on critical
Heavy industrials face unique cybersecurity national infrastructure of the past few years are
challenges, given their distributed, decentralized these:
governance structures and large operational
— In 2014, a Western European steel mill suffered
technology (OT) environment – an environment
serious damage in its operational environment
that does not lend itself readily to traditional
from a phishing attack used first to penetrate
cybersecurity controls.2 Furthermore, many heavy
its IT network and then its OT network where
industrials have invested in becoming “cyber
attackers gained control of plant equipment.
mature,” as have other at-risk industries, such as
financial services and healthcare. The investment — The 2015 to 2016 attacks on an Eastern
gap has left most heavy industrials insufficiently European power-distribution grid cut power
prepared for the mounting threats. to 230,000 people. In this case, attackers
compromised a third-party-vendor’s network,
As awareness of the threat environment grows,
which was connected to an energy company’s
however, many top executives at these companies
OT network, allowing the attackers to make
are now sharpening their focus on cybersecurity.
changes to the control system.
They are asking important questions like: What
does it take to transform our cybersecurity — In 2017, attackers gained access to a Middle
capabilities? What investments will address the Eastern petrochemical plant’s ICS and
most risk? How much should we be spending? attempted to sabotage operations and trigger
Leading companies are now rethinking their an explosion.
cybersecurity organizations and governance Recent discoveries in the networks of electrical-
models. Some are taking advantage of new distribution companies based in the European
security tools for OT offered by innovative start- Union and the United States indicate that threat-
ups. Most are adopting a risk-based approach actors established vantage points within OT
to security – identifying their critical assets and networks from which to launch attacks at a future
seeking appropriate controls based on risk levels date. An example of this is the Dragonfly syndicate,
(see sidebar, “A cybersecurity transformation in oil which has been blamed for the breach of EU and
and gas”). US electrical companies to gather intelligence
and build cyber capabilities to compromise OT
Evolution of the threat landscape systems.
Several factors underlie the growing threat Groups like Dragonfly are increasingly procuring
landscape for the heavy industrial sector. One is private-sector offensive tools, enabling them to
the rise in geopolitical tensions, which has led to deliver highly sophisticated cyberattacks. Given
attacks targeting critical national infrastructure. the sensitivity of the targets, this has quickly
1
Forrester consulting study commissioned and published by Fortinet, May 2018.
2
Operational-technology systems include centralized, human-interface control systems such as supervisory control and data-acquisition
systems (SCADA), industrial control systems (ICS), distributed control systems (DCS), industrial Internet of Things (IoT) devices that send
and receive feedback from machinery, and programmable logic controllers (PLC) that relay commands between SCADA and IoT field
devices.
Critical infrastructure companies and the global cybersecurity threat 65

Sidebar
A cybersecurity transformation in oil and gas
A large state-owned oil-and-gas The company suffered a ransomware accompanying this article). The company
company was facing frequent attack, email phishing campaigns, also tailored industrial security standards
cyberattacks, even as it was undertaking and defacement of its website. As the to the oil-and-gas industry and its
a digital transformation that increased company was digitizing many systems, regional context. A security operation
the exposure of its critical systems. A including critical controllers, massive center was established to monitor
successful attack on its assets would amounts of data were exposed to and react to threats, and a data-loss-
harm the economy of an entire nation. potential manipulation that could trigger prevention program was set up to avoid
disastrous accidents. The company leaks.
Over 18 months, this multibillion-dollar
focused on three important steps.
organization was able to protect its assets Third, the company outlined its plan for
and improve its overall digital resilience First, it defined and protected its “crown a holistic cybersecurity transformation,
by transforming its cybersecurity posture. jewels”: its most important assets. It including a three-year implementation
The transformation engaged 30,000 comprehensively mapped its business program with prioritized initiatives,
employees across 450 sites in addressing assets and identified the most critical, estimated budget, and provisions
security issues every day. This experience from automated tank gauges that to integrate cybersecurity into the
offers a good example of how a critical- manage pressure and oil levels on oil rigs digitization effort. To ensure that effort
infrastructure company can meet the to employee health records and customer did not create new vulnerabilities, the
global cybersecurity threat and commit to credit-card information. The company company created the new digital systems
the cyber-resilience journey. created a library of controls to be “secure by design,” creating secure
coding guidelines and principles.
The company operates across the to protect these crown-jewel assets,
industry value chain, upstream, which are now being brought on line. The achievements were impressive. The
midstream, and downstream. It had cybersecurity organization is now fully
Second, the company focused on rapidly
suffered attacks on both its IT and built, with a focus on improving resilience
building capabilities. To address siloed
operational technology (OT) systems, daily. The company is on its way to
IT and OT operations, it created an
which, as in most companies, were siloed ensuring that it can continue to reliably
integrated cybersecurity organization
from each other. Attacks hit IT network supply the energy its nation needs,
under a chief security officer aligned
security and the supervisory control supporting a major share of the country’s
with the risk function (see Exhibit 1
and data-acquisition (SCADA) systems. GDP growth.
become a matter of national security involving In many cases, this digitization has allowed access
government bodies and intelligence agencies. to these OT devices from the wider internet, as
well. According to analysis of production OT
Collateral damage in nonspecific attacks
networks by CyberX, an industrial cybersecurity
The electricity, oil-and-gas, and mining sectors
company, 40 percent of industrial sites have at
have been rapidly digitizing their operational
least one direct connection to the public internet,
value chains. While this has brought them great
and 84 percent of industrial sites have at least one
value from analysis, process optimization, and
remotely accessible device. 3
automation, it has also broadened access to
previously isolated ICS and SCADA devices by
users of the IT network and third parties with
physical and/or remote access to the OT network.
3
CyberX report on global industrial control systems and Internet of Things risk (2018).

In response to the danger, ICS manufacturers can technology. One challenge stems from the digital
analyze USB-born threats to detect and neutralize transformations that many energy and mining
those that could seriously disrupt operations. companies are undertaking. Others relate to their
distributed footprint, their large OT environment,
Ransomware poses an additional threat. One well
and exposure to third-party risk.
known example was WannaCry, which disrupted
80 percent of gas stations of a major Chinese oil The overlooked costs of security in
company by exploiting a vulnerability in a dated digital transformations
and unsupported version of Windows. NotPetya Most heavy industrials are undergoing major
was far more devastating. This malware wiped digital transformations or have recently completed
IT devices around the world, affecting about them. When building the business case for these
25 percent of all oil-and-gas companies. transformations, leaders often overlook the cost of
managing the associated security risks. Security
More recently, botnets with the ability to detect
is not often a central part of the transformation,
and infect SCADA systems have been discovered,
and security architects are brought in only after a
and those targeting Internet of Things (IoT)
new digital product or system has been developed.
devices have become pervasive. The past year
This security-as-afterthought approach increases
has also seen the massive growth of crypto-
the cost of digitization, with delays due to last-
mining malware targeting ICS computers, severely
minute security reviews, new security tools, or
affecting productivity by increasing load on
increases in the load on existing security tools.
industrial systems.
For example, instead of building next-generation
These types of sweeping, nontargeted attacks security stacks in the cloud, most enterprises are
disproportionately affect industries, including still using security tools hosted on premise for
heavy industrial companies with less cyber their cloud infrastructure, limiting the cloud’s cost
maturity and many devices to protect. Moreover, advantages.
heavy industrials have the dual challenge of
Additionally, security capabilities that are bolted
protecting against new digital threats while
on top of technology products and systems are
maintaining a largely legacy OT environment.
inherently less effective than those built in by
Most companies still operate with their founding
design. Bolt-on security can also harm product
cybersecurity initiatives like patch management
usability, causing friction between developers
and asset compliance. More than half of OT
and user-experience designers on one side, and
environments tested in one study had versions
security architects on the other. This sometimes
of Windows for which Microsoft is no longer
results in users circumventing security controls,
providing security patches. Fully 69 percent had
where possible.
passwords traversing OT networks in plain text. 4
Protecting the ‘crown jewels’
Unique security challenges facing The expansive geographical footprint typical
heavy industrials for these heavy industrials can harm their
cybersecurity efforts in several ways. It limits their
Electricity, mining, and oil-and-gas companies
ability to identify and protect their key assets –
have revealed four unique security challenges that
their “crown jewels.” They may have difficulty
are less prevalent in industries of greater cyber
managing vulnerabilities across end devices. And
maturity, such as financial services and
4
Ibid.

while they tend to have a good handle on IT Challenges of protecting operational
assetsmanaged centrally, they have little or no technology
visibility over assets managed by business units Most of today’s OT networks consist of legacy
or third parties. Examples of crown-jewel assets equipment originally designed to be perimeter
include IT, OT, and management assets: protected (“air gapped”) from unsecure networks.
Over time, however, much of it has become
— Information technology: network diagrams,
connected to IT networks. Most security efforts to
system logs, and network access directory
protect OT involve network-based controls such as
— Operational technology: programmable logic firewalls that allow data to leave the OT network for
controllers, SCADA protocols, and system- analysis, but do not allow data or signals to enter it.
configuration information Although important, these perimeter controls are
— Management assets: internal strategy ineffective against attacks originating from within
documents, executive and board the OT network, such as malware on removable
communications, customer and employee devices. Additionally, malware has been discovered
personal information that exploits vulnerabilities in VPNs (virtual private
networks) and network-device software.
Governance structures typically leave central
security leaders without responsibility for security Many traditional security tools cannot be applied
in the business units or operations. Many heavy to the OT environment. In some cases, these tools
industrials we surveyed could not identify a party can harm the sensitive devices that control plant
responsible for OT security. The chief information- equipment. Even merely scanning these devices for
security officer (CISO) may set policy and develop vulnerabilities has led to major process disruptions.
security standards but often has no responsibility Applying security patches (updates) to address
for implementing OT security in the operations, known vulnerabilities in high-availability systems
or for auditing adherence to it. At the same time, presents yet another operational risk, as few sites
many operational units have no clear security have representative backup systems on which
counterpart responsible for deploying, operating, to test the patches. Because of these risks of
and maintaining OT security controls at the plant disruption, operational-unit leaders are hesitant to
level. Therefore, they often neglect OT security. allow changes in their OT environment. This requires
security teams to implement workarounds that are
Many traditional security tools

cannot be applied to the operational
technology environment.

far less effective in managing risk. Adding even results are rarely pursued. OEM vendors that do
more risk and complexity are newer technologies have security features in their products report that
such as industrial IoT devices, cloud services, operational buyers rarely want them. In some cases,
mobile industrial devices, and wireless networking. even if security features are included by default, or
at no additional cost, the buyer does not use them.
Beyond technology is the human factor, as many
industries face a shortage in cybersecurity skills.
The problem is worse for heavy industrials, which Emerging solutions
need to staff both IT and OT security teams, and Considering the complexity of these challenges,
to attract talent to remote operational locations. In companies in heavy industrial sectors have been
a 2017 report on the global information-security slow to invest in cybersecurity programs that span
workforce, the cybersecurity professional both IT and OT, especially when compared with
organization (ISC)2 predicted that the gap between manufacturing and pharmaceutical companies. The
qualified IT professionals and unfilled positions will only exception is the US electricity production and
grow to 1.8 million by 2022. OT security expertise distribution grid, acting in response to emerging
is even more specialized and difficult to acquire, regulation in this sector. The good news is that
making it particularly expensive to staff. solutions for heavy industrials are becoming more
sophisticated. Several incumbent OEM providers,
Exposure to third-party risk
and a growing number of start-ups, have developed
Compared with IT, the OT environment is highly
new approaches and technologies focused on
customized, as it supports a process specific to
protecting the OT environment.
a given operation. The proprietary nature of OT
equipment means that companies rely on the OEM Leaders that deploy these solutions must first
to maintain it and make changes. This equipment is carefully consider the unique challenges and
often a “black box” to its owner, who has no visibility process requirements they face. They can then
into security features or levels of vulnerability. combine the solutions with appropriate operational
Furthermore, companies are increasingly changes. Below we describe the challenges
outsourcing maintenance and operation of OT, or they will have to address along the way and the
adopting build-operate-transfer contracts. These investments that will be needed, both internally
types of relationships require third parties to gain and through OEMs and start-ups, to achieve cyber
physical access to OT networks. Where remote maturity.
maintenance is required, the owner needs to
Integrate cybersecurity earlier, across OT and IT
establish connections to the OEM networks. These
As companies undergo digital transformation,
remote connections are mostly unsupervised by
leaders are integrating cybersecurity earlier, in both
the owner organizations, introducing a blind spot.
the OT and IT environments. If heavy industrials are
Several heavy industrials have reported that third
to manage risk and avoid security-driven delays
parties frequently connect laptops and removable
during their digital transformations, they will need
storage devices directly into the OT network without
to embed security earlier in the process, with
any prior cybersecurity checks, despite the obvious
investments in developer training and oversight.
dangers of infection.
At the same time, these companies should
Vendor assessments and contracts for OEMs expect increased convergence between their OT
often fail to include a cybersecurity review. This and IT systems. Therefore, their investments in
failure prevents companies from enforcing security cybersecurity transformation programs should span
standards without renegotiating contracts. Where both, while they more deeply integrate their security
they do conduct precontract security assessments, functions into both the OT and IT ecosystems.

One way to accomplish this is to create an But in the fourth approach, the CSO role spans
integrated security operations center that covers both IT and OT. The CSO reports directly to the
both OT and IT, housing detailed escalation COO, thus protecting security from IT cost cutting,
protocols and incident response plans for and preventing security from being sidestepped
OT-related attack scenarios. An example comes by IT programs.
from Shell, which is working with some of its
In this optimal approach, the CSO sets policy,
IT networking providers and some OT OEMs
creates standards, and works with process
to develop a unified security-management
engineers to create security architectures that
solution for plant-control systems across 50
incorporate operational specifics. In an ideal
plants. 5 Solutions like these enable centralized
scenario, deployment and operation of OT
asset management, security monitoring, and
security resides in plant-level functions, staffed
compliance, dynamically and in real time.
with OT experts who are cross-skilled in security.
Improving governance and accountability for However, this separation between policy setting
security across IT and OT and deployment can lead to misunderstandings,
The decentralized nature of heavy industries perhaps allowing some risks to fall through the
makes it particularly vital that they integrate cracks. Companies can mitigate this by creating
security into all technology-related decisions local security-review task forces, including
across IT and OT, and deep into different functions tenured business-unit security officers who
and business units. This integration will become represent the security organization regionally or
even more important as they become digital locally. Metrics and reporting structures can be
enterprises. Accomplishing this will require new managed by a company-wide cyber governance
governance models. committee that reports into the board.
For instance, mature heavy industrials have Emerging technical solutions
established architecture-review committees To overcome difficulties in OT security, consider
to vet new technologies introduced into the IT emerging technical solutions. Several providers
or OT environments, and changes to existing focused on protecting the OT environment
technologies. Emerging as a second line of defense are bringing new capabilities to tackle issues.
are teams that do information risk management Although several proofs of concept have resulted
(IRM), including strategy, compliance, and reporting. in successful, large-scale deployments, the
Additionally, some companies have enlisted their technology is still evolving quickly. As companies
internal audit function as a truly independent third compete to differentiate their solutions, winners
line of defense. have yet to emerge. Here, however, are some
solutions to consider:
But few have reached such a level of maturity.
A look at four typical approaches to IT and OT — Firewalls to limit attackers’ ability to move
security reveals that only one approach integrates across the network after one section is
security under a chief security officer (CSO) compromised. Enhancements in controls at
aligned with the risk function (Exhibit 1). In the first the gateway between the OT and IT networks
three, accountabilities are insufficiently defined. enable companies to inspect the traffic
5
“Shell Oil Strengthening Cybersecurity,” ciab.com.

Article Title
Exhibit X of X
Exhibit 1
Of four approaches to IT and OT security, only one integrates them, using a CSO aligned
with the risk function.
Distribution of responsibilities, by security approach Primary responsibility Shared responsibility
Led by a CISO,1 whose location will vary, typically within IT, risk, or security department Led by a CSO2
No clear direction of OT3 so CISO advises and has CISO is accountable, but Single accountability
defaults to operations oversight, operations directs not responsible for execution for IT, OT; cyber is part of
in OT risk agenda
OT security functions CISO Ops IT CRO4 CISO Ops IT CRO CISO Ops IT CRO CSO Ops IT CRO
Policy setting
Standards creation
Security architecture
and engineering
Execution
deployment
Operations/maintenance
(within perimeter)
(perimeter/IT interface)
(physical security)
Adherence
— Earliest stages of maturity; — CISO advises on security — CISO determines policy and — CSO spans IT and OT; owns
OT cybersecurity ownership policy, but has little influence standards centrally security end to end
defaults to business units over operations — Operational units responsible — Collaboration between
— Decentralized policy and — Execution, operations, for execution and operations security and CRO for policy
standard setting and maintenance with setting, architecture,
operational units adherence
1
Chief information-security officer.
2
Chief security officer.
3
Operational technology.
4
Chief risk officer.
between the OT and IT networks enable — Unified identity and access management.
companies to inspect the traffic traversing that These tools allow the company to centralize
gateway. They also automate a system’s ability adding, changing, and removing user access
to execute policy changes and block newly to OT systems and devices. This is linked to the
identified threats. Best practice also calls for organization’s identity-management system,
traversing that gateway. They also automate a — Unified identity and access management.
placing critical assets and systems in separate providing robust authentication. This approach,
system’s ability to execute policy changes and These tools allow the company to centralize
zones to limit the impact from a compromise; for pervasive in IT, has been adopted as a standard
block newly identified threats. Best
example, a fail-safe system in a separate zonepractice adding,
in OT changing,inand
environments the removing usersector.
US electricity accessIt
also
from calls for placing
the SCADA. criticalfirewall
Incumbent assetsproviders
and to OT systems
reduces the risk ofand devices.
attack This is“super-user”
by limiting linked to the
systems in separate
are tailoring zonesfortoOT.
their solutions limit the impact organization’s
accounts. It allowsidentity-management
the company to trace whosystem,
from a compromise; for example, a fail-safe providing robust authentication. This approach,
system in a separate zone from the SCADA. pervasive in IT, has been adopted as a standard
Incumbent firewall providers are tailoring their in OT environments in the US electricity sector. It
solutions for OT. reduces the risk of attack by limiting “super-user”
accounts. It allows the company to trace who

has access to critical assets, and it helps identify such as information sharing and analysis centers
sources of attack. It also has safety applications; (ISACs) have become important in reducing
a Chinese power plant, for instance, uses it to these costs. For instance, the health ISAC, which
allow security administrators to remotely close includes pharmaceutical and medical-device
facility doors for improved safety management. manufacturers with large OT contingents, has
implemented a tool that automates evidence
— Asset inventory and device authorization.
collection and sector-specific risk assessments, to
These tools help keep companies aware of all
measure third-party vendors for security and data
devices connected to their OT network. They can
risk. This ISAC has also created a standardized
identify vulnerabilities in specific devices based
vendor repository for evidence collected by others.
on the device type, manufacturer, and version.
They are also used for controlling authorizations
of devices and communications. In addition to Enablers to drive progress
security applications, these tools can optimize Given the investment required to achieve digital
efficiency and identify faults in connected devices. resilience, and the increasing calls from business
executives to get there, we have identified some
— OT network monitoring and anomaly
important enabling factors that will help drive
detection. A plethora of passive OT network
progress. These include increased cybersecurity
monitoring tools have emerged that monitor
regulation (by industry groups or government),
traffic in a noninvasive way. These tools use
higher and smarter investments in digital
machine-learning algorithms to identify and alert
resilience programs, and greater industry-level
known threats and anomalies.
collaboration.
— Decoys to deceive attackers. These relatively
Evolving cybersecurity regulations
new IT tools, tailored for OT environments,
Among heavy industries, cybersecurity regulation
create asset and user-credential decoys and
is now quite limited. One potential model is
fictitious OT devices, including SCADAs, to
emerging in the United States. An electrical-
throw off attackers.
industry agency, the North American Electric
While all these tools are useful, the organizational Reliability Corporation (NERC), is empowered
issues mentioned above have thus far inhibited in federal law to set standards known as Critical
their adoption. For one thing, security buyers have Infrastructure Protection (CIP). These standards
little or no influence over the OT environment. regulate technical and procedural controls.
Incumbent OT OEMs, who own the relationship NERC issued 12 penalties in 2017, totaling over
with the operational decision makers, have made $1.7 million, and stepped up its work in 2018,
some plays directly, and through partnerships in issuing millions of dollars in penalties that year.
some verticals. However, low cyber awareness One serious violation resulted in a penalty of
among the decision makers has thus far limited the $2.7 million against an electric utility for data
number of such deals. exposure by a vendor. Existing and emerging EU
Third-party risk management and UK regulations for critical infrastructure are
Cost and timing sometimes interfere with a a first step to creating consistency at an industry-
company’s responsibility to assess vendor security wide level. However, most heavy industrial
compliance, both before the contract and on a companies are struggling to develop their own
regular basis. Sector-specific collaboration groups standards for IT and OT security, patching them

together from numerous industry standards. As Cybersecurity spending benchmarks are not the
attacks on critical infrastructure continue, more only factor to consider when deciding on what
regulation in this sector is likely to follow, either investment is required for a particular company. At
the early stages of a cybersecurity transformation,
from industry, government, or both. This will bring
program costs may spike before the company
a much-needed mandate for CISOs and CSOs to
can reach a steady state. Spending mix is another
take action, and create a clearer path to setting
important factor to consider. Companies at lower
consistent standards across industries.
maturity levels tend to spend most of their cyber
Higher and smarter investment in budget on compliance-driven, reactive activities.
cybersecurity programs This mix changes substantially as companies
The average electrical-energy company spends mature, spending far more on forward-looking,
just 4.9 percent of its IT budget on security, with proactive activities such as threat intelligence,
from industry,
mining cominggovernment, or both.
in at 5.4 percent. This
This will bring
is compared program
hunting,costs may spike before
and deception. the company
Companies that conduct
a much-needed
with mandate
an all-industries for CISOs
average of 6.2and CSOsand
percent to can reach a steady state. Spending mix is another
a comprehensive assessment of their current
take action, and create a clearer path to setting
financial services at 7.8 percent (Exhibit 2). important factor to consider. Companies at lower
cyber maturity and sources of vulnerability can
consistent standards across industries. maturity levels tend to spend most of their cyber
drive smarter long-term spending.
budget on compliance-driven, reactive activities.
Higher and smarter investment in This mix changes substantially as companies
cybersecurity programs mature, spending far more on forward-looking,
The average electrical-energy company spends proactive activities such as threat intelligence,
just 4.9 percent of its IT budget on security, with hunting, and deception. Companies that conduct
mining coming in at 5.4 percent. This is compared a comprehensive assessment of their current
with an all-industries average of 6.2 percent and cyber maturity and sources of vulnerability can
financial services at 7.8 percent (Exhibit 2). drive smarter long-term spending.
Cybersecurity spending benchmarks are not the Greater industry-wide collaboration

only factor to consider when deciding on what Knowledge-sharing initiatives have started to
Article Title investment is required for a particular company. At emerge across heavy industrial sectors, but much
Exhibit X of X the early stages of a cybersecurity transformation, more can be done. Some good examples come
Exhibit 2
Heavy industrial companies lag behind most sectors in IT security spending.

IT security spending as a % of all IT spending, 2017
7.8
7.3
Average 6.2
6.5
6.0 5.8 5.7
5.4
5.0 4.9 4.9
4.5
4.3
Banking Education Professional Construction, Transportation Retail and

and financial services materials, wholesale
services Government Insurance Healthcare and natural Government Energy Industrial
(national and providers resources (state and manufacturing
international) local)
Source: IT Key Metrics Data 2018: Key IT Security Measures: By Industry, Gartner.com, 2018

Greater industry-wide collaboration Finally, it is worth noting that neither spending nor
Knowledge-sharing initiatives have started to regulatory compliance are reliable indicators of
emerge across heavy industrial sectors, but much digital resilience. Using the frameworks and tools we
more can be done. Some good examples come from have identified in this article, companies can build
ISACs and other regional and sector-specific that resilience by consistently applying a risk-based
approach – identifying their critical assets and
groups, which have supported rapid maturity building applying controls appropriately based on risk levels.
through information sharing, resource pooling (such This can then help them create cyber transformation
as shared vendor assessments), and capability programs that buy down risk to tolerable levels and
building (such as cross-sector crisis simulations). prioritize the activities that address the most risk per
Although a few ISACs exist for heavy industrials, dollar spent.
companies have much more to do to establish
the high levels of collaboration and value seen in
other sectors. Being part of a digitized, connected
economy, organizations can be successful only if they As senior leaders set the stage for cyber
apply the power of cooperation within and across transformation, they must ensure collaboration and
sectors. Other industries such as financial services, buy-in from both security and risk professionals and
insurance, and healthcare have built robust networks the businesses. With such cooperation, companies
of security professionals, using roundtables and will be truly able to transform cybersecurity, helping
other collaborations to address common threats and keep them out of harm’s way in a digital world.
build a more secure industry for all.
Adrian Booth is a senior partner in McKinsey’s San Francisco office, Aman Dhingra is an associate
partner in the Singapore office, Sven Heiligtag is a senior partner in the Hamburg office, Mahir Nayfeh
is a partner in the Abu Dhabi office, and Daniel Wallance is a consultant in the New York office.
The authors wish to thank Rhea Naidoo and Rolf Riemenschnitter for their contributions to this article.

The cybersecurity
posture of financial-
services companies:
IIF/McKinsey Cyber
Resilience Survey
Cyberrisk has become one of the top risk concerns among financial-
services firms, and new research from the Institute of International
Finance (IIF) and McKinsey can help provide an understanding
of ways firms can enable and strengthen cyber resilience.
The cybersecurity posture of financial-services companies: IIF/McKinsey Cyber Resilience Survey 75

A recent joint survey on cyber resilience by cyber resilience, sector-level cyber resilience,
the Institute of International Finance (IIF) and costs and full-time-equivalent employees, and
McKinsey found significant concerns regarding next-generation trends (exhibit). A key theme
third-party security, and our survey determined is around building up cybersecurity controls
that 33 percent of financial-services firms do not around supply chains, including third- or fourth-
have proper vendor remote-access management party risks, in areas such as vendor remote-
with multifactor-authentication controls. access management, activity monitoring, and
concentration risk.
The survey was designed to provide an
understanding of current and planned practices Key challenges reported by firms include
that financial firms are undertaking to enable and regulations, cloud adoption, digitization, and the
strengthen firm- and sector-level cyber resilience. talent gap. Firms said they are active in platforms
Twenty-seven globally active firms participated to share threat intelligence and participate
in the survey, and more than 50 companies frequently in sectorwide cyber exercises.
participated in group discussions in meetings we Automation is seeing extensive adoption, and this
convened with chief risk officers in the Americas, could soon be followed by elements of cognitive
Asia, Europe, and the Middle East. computing. The report also includes a number
of recommendations and industry practices,
The report IIF/McKinsey Cyber Resilience Survey:
collected through the survey, that companies can
Cybersecurity posture of the financial-services
draw on to enhance their cybersecurity posture.
industry focuses on four different areas: firm-level
76 The cybersecurity posture of financial-services companies: IIF/McKinsey Cyber Resilience Survey

to supply-chain risk
Operations Practice
management
to supply-chain risk
management
In supply-chain risk management, organizations often don’t
know where to start. We offer a practical approach.
In supply-chain risk management, organizations often don’t
know
by Tucker Bailey,where to start.Arnav
Edward Barriball, WeDey,
offer
and a
Alipractical
Sankur approach.
by Tucker Bailey, Edward Barriball, Arnav Dey, and Ali Sankur
© Phil Leo/Michael Denora/Getty Images
March 2019
A practical approach to supply-chain risk management 77

In the last decade, a number of organizations and monitoring risks in a way that truly minimizes
have been rocked by unforeseen supply-chain business disruption.
vulnerabilities and disruptions, leading to recalls
We believe public- and private-sector
costing hundreds of millions of dollars in industries
organizations have struggled to progress
ranging from pharmaceuticals and consumer
significantly on this topic for several reasons:
goods to electronics and automotive. And multiple
government organizations and private businesses 1. Supply-base transparency is hard (or
have struggled with cybersecurity breaches, impossible) to achieve. In modern multi-
losing critical intellectual property due to failures tier supply chains, hundreds or thousands of
in the supplier ecosystem. suppliers may contribute to a single product.
Even identifying the full set of suppliers from
At the heart of these crises is a common theme
the raw-material sources to a final assembled
– the lack of robust processes to identify and
system can require a significant time
successfully manage growing supply-chain risks
investment.
as the world becomes more interconnected.
New threats, such as cyber-ransom attacks, are 2. The scope and scale of risks is intimidating.
emerging alongside more traditional and longer- The probability and severity of many risks is
acknowledged supplier risks, such as supplier difficult to ascertain (How likely are certain
bankruptcy. weather patterns? How often will a supplier’s
employee be careless in cybersecurity
The challenge of supply-chain risk management
practices?), and therefore difficult to address,
has been exacerbated by globalization, where
quantify, and mitigate.
even sensitive products like defense systems
use raw materials, circuit boards, and related 3. Proprietary data restrictions impede
components that may have originated in countries progress. In complex products, Tier 1 or 2
where the system manufacturer did not even know suppliers may consider their supply chains
it had a supply chain. This increased complexity to be proprietary, limiting visibility at the
has brought with it more potential failure points purchaser or integrating-manufacturer level.
and higher levels of risk. Rather than admiring the problem and these
Yet progress in addressing these risks has difficulties, we suggest organizations begin to
been slow. In our 2010 survey of 639 executives tackle issues in a structured way, cataloging
covering a range of regions and industries, and addressing known risks while improving
71 percent said their companies were more at risk the organization’s resilience for the inevitable
from supply-chain disruption than previously, and unknown risk that becomes a problem in the
72 percent expected those risks to continue to rise future.
(from “The challenges ahead for supply chains:
McKinsey Global Survey Results,” Nov 2010,
A structured approach to supply-
McKinsey.com). In 2018, the United States chain risk management
government stood up multiple agencies and We recommend that organizations start by
task forces to better address supply-chain risk thinking of their risks in terms of known and
(including the Critical Infrastructure Security unknown risks.
and Cybersecurity Agency in the Department of Known risks can be identified and are possible to
Homeland Security and the Protecting Critical measure and manage over time. For instance, a
Technology Task Force at the Department of supplier bankruptcy leading to a disruption in supply
Defense), and the private sector continues to seek would be a known risk. Its likelihood can be estimated
a uniform and proven methodology for assessing based on the supplier’s financial history, and its
78 A practical approach to supply-chain risk management

The challenge of supply-chain
risk management has been
exacerbated by globalization.
impact on your organization can be quantified combined with a risk-aware culture can give an
through consideration of the products and organization this advantage.
markets the supplier would disrupt. Newer risks
Managing known risks
such as cybersecurity vulnerabilities in the supply
Organizations can use a combination of structured
chain are also now quantifiable through systems
problem solving and digital tools to effectively
that use outside-in analysis of a company’s IT
manage their known-risk portfolio through four steps:
systems to quantify cybersecurity risks.
Step 1: Identify and document risks
Organizations should invest time with a cross-
A typical approach for risk identification is to
functional team to catalog a full scope of risks
map out and assess the value chains of all major
they face, building a risk-management framework
products. Each node of the supply chain –
that determines which metrics are appropriate for
suppliers, plants, warehouses, and transport
measuring risks, “what good looks like” for each
routes – is then assessed in detail (Exhibit 1).
metric, and how to rigorously track and monitor
Risks are entered on a risk register and tracked
these metrics. This team can also identify gray
rigorously on an ongoing basis. In this step, parts
areas where risks are hard to understand or define
of the supply chain where no data exist and further
(e.g., tiers of the supply chain where no visibility
investigation is required should also be recorded.
exists). This analysis can dimensionalize the scale
and scope of unknown risks. Step 2: Build a supply-chain risk-management
framework
Unknown risks are those that are impossible or very
Every risk in the register should be scored based
difficult to foresee. Consider the sudden eruption
on three dimensions to build an integrated
of a long dormant volcano that disrupts a supplier
risk-management framework: impact on the
you didn’t know was in your supply chain, or the
organization if the risk materializes, the likelihood
exploitation of a cybersecurity vulnerability buried
of the risk materializing, and the organization’s
deep the firmware of a critical electronic component.
preparedness to deal with that specific risk.
Predicting scenarios like these is likely impossible for
Tolerance thresholds are applied on the risk scores
even the most risk-conscious managers.
reflecting the organization’s risk appetite.
For unknown risks, reducing their probability
It is critical to design and use a consistent scoring
and increasing the speed of response when they
methodology to assess all risks. This allows for
do occur is critical to sustaining competitive
prioritizing and aggregating threats to identify the
advantage. Building strong layers of defense
highest-risk products and value-chain nodes with
the greatest failure potential.

A practical approach to supply-chain risk management
Exhibit 1 of 2
Exhibit 1
Assess value-chain nodes to identify key risks.
• Failure to meet regulatory

standards on quality
• Changes in macroeconomic
environment— recession, • Supply shortfall—capacity
inflation constraints reduce output
• Lack of data and transparecy— • Supply stoppage—

changes in customers’ buying production ceases because • Illegal interference from
behavior of bankruptcy third party—e.g., pilferage
New-product
Plan Source Make Make Deliver
introduction
(internal) (external)
(NPI)
• Production process is not • Failure to meet regulatory • Failure to meet regulatory

robust—lower yields or longer standards on quality standards on quality
time to stability than expected
• Factory shutdown or slowdown • Failure to meet regulatory
• Cost and time exceed forecast— because of equipment or standards on environment,
e.g., for scale-up of production execution failure health, and safety
from R&D
• Process disruption—e.g., • Process disruption—e.g.,
• Failure to meet regulatory lower-than-expected yield lower-than-expected yield
standards on quality
Step 3: Monitor risk cycle times. These 25 indicators were carefully

Once a risk-management framework is weighted to develop a quality risk-exposure score,
established, persistent monitoring is one of the and then tracked on a regular cadence.
critical success factors in identifying risks that may
Step 3: Monitor risk Successful
and monitoring
deviation cycle systems
times. These are customized
25 indicators
damage an organization. The recent emergence
Once a risk-management framework is established, to an
were organization’s
carefully weightedneeds, incorporating
to develop impact,
a quality risk-
of digital tools has made this possible for even exposure score,
persistent monitoring is one of the critical success likelihood, andand then tracked perspectives.
preparedness on a regular Hence,
the most
factors in complex
identifyingsupply chains,
risks that may by identifying
damage an cadence.
while one organization may track deviations on
and tracking the leading indicators
organization. The recent emergence of digital of risk. For
manufacturing lines to predict quality issues,
example, a large
tools has made organization
this possible for operating in a
even the most Successful monitoring systems are customized
another may follow real-time Caribbean weather
regulated industry
complex supply identified
chains, 25 leading
by identifying indicators
and tracking to an organization’s needs, incorporating impact,
reports to monitor hurricane risk at its plants in
of
thequality
leadingissues at itsofplants
indicators and
risk. For contract
example, a large likelihood, and preparedness perspectives. Hence,
Puerto Rico. Regardless, it is critical to have an
organization operating
manufacturers, ranging in afrom
regulated industry
structural drivers while one organization may track deviations on
early warning system to track top risks to maximize
identified 25
including leading indicators
geographical location of quality issuesof
and number at manufacturing lines to predict quality issues,
its plants and contract manufacturers, ranging from
the chances of mitigating, or at the very least
years in operation to operational performance another may follow real-time Caribbean weather
structuralsuch
drivers limiting, the impact from their
risk atoccurrence.
metrics, as including
“right firstgeographical location
time” and deviation reports to monitor hurricane its plants in
and number of years in operation to operational Puerto Rico. Regardless, it is critical to have an early
performance metrics, such as “right first time” warning system to track top risks to maximize the
4 A practical approach to supply-chain risk

Step 4: Institute governance and regular review Building strong defenses
The final critical step is to set up a robust Strong defenses, from request-for-proposal (RFP)
governance mechanism to periodically review language to worker training, all contribute to an
supply chain risks and define mitigating actions, organization identifying and stopping unknown
improving the resilience and agility of the supply risks before they affect operations. Exhibit 2
chain. outlines typical layers of defense organizations
employ to defend against unknown risks.
An effective supply-chain risk-management
governance mechanism is a cross-functional risk Building a risk-aware culture
board with participants representing every node of A risk-aware culture helps an organization both
the value chain. It typically includes line managers establish and maintain strong defensive layers
who double-hat as risk owners for their function, against unknown risks, as well as respond more
giving them ownership of risk identification quickly when an unknown risk surfaces and
and mitigation. In most cases, the risk board threatens operations.
receives additional support from a central risk-
— Acknowledgement. Management and
management function, staffed with experts to
employees need to feel empowered to pass
provide additional guidance on identifying and
on bad news and lessons from mistakes. This
mitigating risks.
openness fosters an environment where it is
An effective board will meet periodically to review okay to voice and deal with issues. Culturally,
the top risks in the supply chain and define the it is critical that the organization not get
mitigation actions. The participants will then discouraged or point fingers when a risk event
own the execution of mitigation actions for their occurs, and instead works harmoniously
respective functional nodes. For example, if the towards a rapid resolution.
board decides to qualify and onboard a new
— Transparency. Leaders must clearly define
supplier for a critical component, the procurement
and communicate an organization’s risk
representative on the board will own the action
tolerance. Risk mitigation often has an
and ensure its execution.
associated incremental cost, and so it is
Additionally, in many organizations the risk board important to align on which risks need to be
will also make recommendations to improve the mitigated and which can be borne by the
agility and resilience of the supply chain, ranging organization. An organization’s culture should
from reconfiguring the supply network, finding also allow for warning signs of both internal
new ways of reducing lead times, or working with and external risks to be openly shared.
suppliers to help optimize their own operations.
— Responsiveness. Employees need to be
Increasing supply-chain agility can be a highly
empowered to perceive and react rapidly
effective mitigation strategy for organizations to
to external change. This can be enabled by
improve their preparedness for a wide range
creating an ownership environment, where
of risks.
members feel responsible for outcome of
Managing unknown risks actions and decisions.
Unknown risks are, by their nature, difficult or
— Respect. Employees’ risk appetites should be
impossible to predict, quantify, or incorporate into
aligned with an organization, so that individuals
the risk-management framework discussed above
or groups do not take risks or actions that
for known risks. In our experience, mitigating
benefit themselves but harm the broader
unknown risks is best achieved through creating
organization.
strong defenses combined with building a risk-
aware culture.

A practical approach to supply-chain risk management
Exhibit 2 of 2
Exhibit 2
Layers of defenses help organizations manage unknown risks.
Significant
operational event
• Irrecoverable
asset damage
Sources
of risk • Catastrophic
personnel injury
• Significant
environmental
or local impact
Design quality, Equipment health, Oversight, Decision-making Worker, operator Event,

Risk configuration performance assurance processes fundamentals emergency
manage- control methods preparedness
ment • Preserving • Overseeing • Developing • Emergent-issue • Frontline skills • Operator,
barriers margins maintenance oversight responses and behaviors organizational
strategies structure readiness
• Protecting the • Operational • Clearly defined
design basis • Monitoring, • Strengthening focus for standards of • Infrastructure,
intervening independence resolution performance materials
• Strictly and quality
controlling • Running and • Risk-informed • Response,
configuration maintaining mitigation
capital assets equipment
Risk processes, standards, competency, organization, and culture
The road ahead risk management is not merely about setting up

The
Globalroad
supply ahead
chains are irreversible, as are the management
processes is not merely
and governance aboutbut
models, setting up
also entails
supply-chain processes
shifts and
in culture andgovernance
mind-sets. Bymodels, but also
employing these
Global supplyrisks thatare
chains globalization hasas
irreversible, brought
are the
with it. Our experience suggests that it has
is critical entails shifts
approaches, in culture and
organizations mind-sets.
increase By
their chances
supply-chain risks that globalization brought
for organizations to build robust programs for ofemploying
minimizing supply-chain disruptions
these approaches, and crises,
organizations
with it. Our experience suggests that it is critical
managing both known and unknown supply- while capturing
increase theirthe full value
chances ofof their supply-chain
minimizing supply-chain
for organizations to build robust programs for
chain risks. Leaders should also recognize that strategies.
disruptions and crises, while capturing the full
managing both known and unknown supplychain
value of their supply-chain strategies.
risks. Leaders should also recognize that risk
Tucker Bailey and Edward Barriball are partners in McKinsey’s Washington, DC office. Arnav Dey is an engagement manager
in the Boston office, and Ali Sankur is a senior practice manager in Chicago.
Designed by Global Editorial Services

Copyright © 2019 McKinsey & Company. All rights reserved.
Tucker Bailey and Edward Barriball are partners in McKinsey’s Washington, DC office. Arnav Dey is an
6
engagement manager in the Boston office, and Ali Sankur is a senior practice manager in Chicago.
A practical approach to supply-chain risk

The race for cyber-

security: Protecting the
McKinsey Center for Future Mobility
The race for

connected car in the era
cybersecurity: Protecting
ofthe
new regulation
connected car in the
era of new regulation
The car industry’s digital transformation exposes new cyber-
security threats. Learn what OEMs can do to protect their cars
and customers from hackers.
The car industry’s digital transformation exposes new cybersecurity
threats. Learn what OEMs can do to protect their cars and customers
from hackers.
© Cogal/Getty Images
October 2019
The race for cybersecurity: Protecting the connected car in the era of new regulation 83
In the past, what happened in your car The cybersecurity playing field tilts
typically stayed in your car. That is no longer in favor of attackers
the case. The influx of digital innovations,
To be sure, the economics of car cybersecurity
from infotainment connectivity to over-the-air
are inherently unfair: with the right state-of-
(OTA) software updates, is turning cars into
theart tools, attacks are relatively affordable,
information clearinghouses. While delivering
loweffort affairs. Mounting a coherent defense
significant customer value, these changes
for the complex value chain and its products,
also expose vehicles to the seamier side of the
on the other hand, requires increasingly higher
digital revolution. Hackers and other black-hat
effort and investment. So far, this reality tilts the
intruders are attempting to gain access to critical
playing field in favor of the attackers. Examples
in-vehicle electronic units and data, potentially
abound across the industry. For example, white-
compromising critical safety functions and
hat hackers took control of the infotainment
customer privacy.
system in an electricvehicle model. They exploited
a vulnerability in the in-car web browser during
Cybersecurity becomes a core product a hacking contest, causing the electric-vehicle
and value-chain issue maker to release a software update to mitigate
Cybersecurity has risen in importance as the the problem. In another white-hat hack, a Chinese
automotive industry undergoes a transformation security company found 14 vulnerabilities in
driven by new personal-mobility concepts, the vehicles of a European premium-car maker
autonomous driving, vehicle electrification, and in 2018. Another global automaker recalled
car connectivity. In fact, it has become a core approximately 1.4 million cars in 2015 in one of
consideration, given the digitization of in-car the first cases involving automotive cybersecurity
systems, the propagation of software, and the risks. The impact of the recall was significant,
creation of new, fully digital mobility services. with a potential cost for the OEM of almost $600
These services include arrays of car apps, online million, based on our calculations.
offerings, vehicle features that customers can
buy and unlock online, and charging stations for The automotive industry lacks a
e-vehicles that “talk” to on-board electronics. standard approach for dealing with
Today’s cars have up to 150 electronic control cybersecurity
units; by 2030, many observers expect them For an industry used to breaking down complex
to have roughly 300 million lines of software challenges and standardizing responses,
code. By way of comparison, today’s cars have cybersecurity remains an unstandardized anomaly.
about 100 million lines of code. To put that into Thus far, automotive suppliers have a hard time
perspective, a passenger aircraft has an estimated dealing with the varying requirements of their OEM
15 million lines of code, a modern fighter jet about customers. Consequently, they try to balance the
25 million, and a mass-market PC operating use of common security requirements that go into
system close to 40 million. This overabundance their core products against those via the software
of complex software code results from both adjustments made for individual OEMs. However,
the legacy of designing electronics systems current supplier relationships and contractual
in specific ways for the past 35 years and the arrangements often do not allow OEMs to test the
growing requirements and increasing complexity end-to-end cybersecurity of a vehicle platform
of systems in connected and autonomous cars. It or technology stack made up of parts sourced
generates ample opportunity for cyberattacks – from various suppliers. That can make it difficult
not only in the car but also along the entire value for both suppliers and OEMs to work together to
chain (Exhibit 1). achieve effective cybersecurity during automotive
software development and testing.
84 The race for cybersecurity: Protecting the connected car in the era of new regulation
Insights 2019
The race for cybersecurity: Protecting the connected car in the era of new regulation
Exhibit 1 of 3
Exhibit 1
The advancement of electrical and electronic architecture and digitalization of the car
ecosystem increases attack surface and leads to increasing cyberrisk.
Vehicle ecosystem, illustrative Emerging cyberrisks, not exhaustive
Vehicle 1 Sensor spoofing: Access autonomous-drive functions, engine, and

brakes through vulnerability in sensors
Handset
5 2 Take over: Take over of safety-critical control units such as engine
control or brakes
1 Sense 3 Infotainment
3 Espionage: Listen to voices in cars by misusing
Compute 4 voice-recognition module
2 Act Connect 4 Physical access: Secure direct access to on-board diagnostics for
manipulation of vehicle data, engine characteristics, and tuning chips
5 Entertainment content: Access infotainment system via Bluetooth,

7 6
USB, or Wi-Fi
6 Telematics: Remotely unlock cargo doors through vulnerability in

external connectivity modules
OEM back end Third-party back end 7 Denial of service: Stop cars that rely on back-end servers to
provide data
8 Over-the-air update Content provider
Remote vehicle function High-definition-map 8 Over the air: Access vehicle software though online updates
provider
Remote diagnostic 7 9 Unauthorized access: Access back-end vehicle services and user data
Traffic data
9 User management
Regulatory data access 10 Data theft: Access car owner’s private information via unsecure
third party
OEM front end Third-party front end
Car configurator Music player

Drive log Weather monitor
Service Map editor
Mobile app 10 Mobile app
Source: McKinsey analysis
Regulatory change in product came into effect, requiring autonomous vehicles

Regulatory
cybersecurity change in product
is imminent tosoftware updates.industry
meet appropriate This willstandards
make cybersecurity
for
cybersecurity is imminent
The difficulty is about to change. Regulators are
a clear requirement
cybersecurity. for future
While these vehicle
regulations sales;
have an the
associated
immediate regulationswill
impact on a limited affect
fleet, new
the vehicle-type
World
preparing
The minimum
difficulty standards
is about for vehicle
to change. software
Regulators are
approvals in more than 60 countries (Exhibit 2).
preparing minimum standards for vehicle software Forum for Harmonization of Vehicle Regulations
and cybersecurity that will affect the entire value
chain. Cybersecuritythat
concerns now the
reach into value Industry
under experts
the United see the
Nations upcoming
Economic UNECE for
Commission
and cybersecurity will affect entire
every modern car in theconcerns
form of demands made regulation
Europe onlyisasexpected
(UNECE) the beginning
in 2020oftoafinalize
new eraitsof
chain. Cybersecurity now reach into
by regulators and type-approval authorities. For regulation
technicalon cybersecurity
compliance and software
regulation in theupdates.
automotive
every modern car in the form of demands made
example, in April 2018, California’s final regulations This will make
sector cybersecurity
addressing a clear and
the increase requirement
significance of
by regulators and type-approval authorities. For for future vehicle sales; the associated regulations
on autonomous-vehicle testing and deployment software and connectivity within the industry.
example, in April 2018, California’s final regulations
on autonomous-vehicle testing and deployment
came into effect, requiring autonomous vehicles Shifting gears to make cybersecurity
to meet appropriate industry standards for a core consideration
cyber-security. While these regulations have an While still relatively new, the in-car cybersecurity
immediate impact on a limited fleet, the World threat will remain an ongoing concern. As such,
Forum
The racefor Harmonization
for cybersecurity: of Vehicle
Protecting Regulations
the connected car in the era of new regulation
automakers must now consider cybersecurity an 3
under the United Nations Economic Commission integral part of their core business functions and
for Europe (UNECE) is expected in 2020 to development efforts.
finalize its regulation on cybersecurity and
Insights 2019 upcoming UNECE regulation only as the beginning While still relatively new, the in-car cybersecurity
The race for cybersecurity:
of a new era ofProtecting the connected
technical compliance car in the
regulation in era of new regulation
threat will remain an ongoing concern. As such,
Exhibit 2 of 3 the automotive sector addressing the increase and automakers must now consider cybersecurity an
significance of software and connectivity within integral part of their core business functions and
the industry. development efforts.
Exhibit 2
More than 24 million cars will be affected under the new World Forum for Harmonization of
Vehicle Regulations on cybersecurity and software updates.
Countries party to
1958 Agreement,1
as of Dec 2018
Top 10 countries party to 1958 Agreement by vehicle sales, 2019 estimate, million
5.2
3.8
2.6 2.6
2.1
1.9 1.8
1.5
1.1
1.0
Japan Germany United France Italy Russia South Spain Australia Thailand
Kingdom Korea
1
Agreement concerning Adoption of Harmonized Technical United Nations Regulations for Wheeled Vehicles, Equipment and Parts which can be Fitted and/or be Used
on Wheeled Vehicles and the Conditions for Reciprocal Recognition of Approvals Granted on the Basis of these United Nations Regulations (original version adopted
in Geneva on Mar 20, 1958).
Source: Automotive sales forecasts, IHS Markit, ihsmarkit.com; “ECE/TRANS/WP.29/343/Rev.27,” United Nations Economic Commission for Europe, March 11, 2019,
unece.org
What is more, the industry can no longer view have a strong record of establishing a culture of
cybersecurity as purely an IT topic. Instead, safety – but not yet in cybersecurity. Looking
automakers need to assign ownership and beyond automotive-industry borders, it becomes
responsibility for it along core value-chain clear that many digital natives have demonstrated
activities (including among their numerous how to build strong security cultures in their
4 suppliers) and embrace a security culture among
The race for cybersecurity: Protecting the connected car in the era of engineering
new regulation departments (not just in IT). At the
core teams. Likewise, suppliers in the automotive best digital companies, everyone understands the
industry need to embrace OEM concerns on importance of cybersecure coding practices, and
cybersecurity, develop capabilities to embed the organizations maintain engineering-outreach
security best practices in their components, and and -education programs that train people in
collaborate effectively with OEMs on integration cybersecurity, enticing them to look below the
and verification of end-to-end cybersecurity surface and raise the cybersecurity bar constantly.
solutions.
This requires the creation of a real, software- Including cybersecurity in design
centric cybersecurity culture, given the from the start
pervasiveness of the cybersecurity threat along Carmakers must securely design vehicle platforms
the entire value chain. Carmakers themselves and related digital mobility services from the start.
That is because the inherent complexity of vehicle
High-tech companies, such as smartphone
platforms, with their long development cycles and
suppliers, currently deal with this issue by
complex supply chains, do not allow for late-stage
releasing software updates and security fixes
architectural changes. Furthermore, regulators
for their products after the initial sales (in many
form strict requirements for OEMs to obtain type
cases, new operating-system fixes also support
approvals for new vehicles (Exhibit 3). some oldergeneration products). However, this is
typically limited to a period of two to three years,
Automotive players must consider cybersecurity
while vehicles have an average service life of a
over the entire product life cycle and not just up
decade or even more. With the advent of OTA
to when the car is sold to a customer, because
software upgrades, automakers could maintain
Insights 2019 new technical vulnerabilities can emerge at any
the fleets on the road in a cost-effective way,
time. These issues can have a direct impact on
The race for cybersecurity: Protecting the connected car in the era of new
in contrast with regulation
the current practice of costly
Exhibit 3 of 3
customers and cars already on the road, thus
reprogramming (“reflashing”) of car electronic
effectively requiring OEMs to provide security-
control units at the dealer.
related software patches well into the car’s
ownership life cycle.
Exhibit 3
Upcoming regulations require automotive OEMs to step up cybersecurity activities along the
entire value chain.
United Nations Economic Commission for Europe cybersecurity requirements
Cybersecurity- Security by design Car cybersecurity Software-update-

management system across value chain monitoring and response management system
Automotive-company value chain
Development Production Postproduction
Identify and manage cyberrisk to vehicle types (includes suppliers and service providers)
Managing Ensure security testing of systems Monitor and respond to

cybersecurity throughout development and production cyberattacks on vehicle types
React to new and evolving cyberthreats and vulnerabilities
Ensure security by design, detail designing and testing

information, and collect evidence across full supply chain
Analyze cyberthreats
and create risk-treatment plan
Securing
vehicles and Build cybersecurity into system design
ecosystems and contain known vulnerabilities in Protect integrity of hardware/software
used hardware/software components components from suppliers (eg, contractual clauses)
Test security of hardware/software Protect access to production environment

components (eg, vulnerability scans, (eg, software servers, flashing process)
pen testing, code analysis) and units received from suppliers
Ensure full traceability of software versions and vehicle configurations

along vehicle life cycle (initial and updated software/configuration)
Providing
secure Identify target vehicles for updates and
software assess impact on certified systems and
updates compatibility with vehicle configuration
Provide software updates without

impact on safety and security
Source: “Draft recommendation on cybersecurity software updates of the task force on cybersecurity and over-the-air issues,” ISO/SAE 21434:2018 Committee, United
Nations Economic Commission for Europe, World Forum for Harmonization of Vehicle Regulations; McKinsey analysis
2. Create a true digital-security-by-design do not follow rigorous software-engineering

culture in engineering, quality assurance, and processes as seen in software-native industries.
other core value-chain functions and promote This security-by-design culture should focus
The automotive industry must therefore develop 3. Ramp up expertise and capabilities to monitor
common cybersecurity standards to keep the cybersecurity of cars on the road. The
development and maintenance costs under focus should include fixing issues in a timely
control. On this issue, OEMs and suppliers must manner without costly product recalls and
speak one language to ensure manageable, end- media scrutiny. That likely means fully managing
to-end secure solutions. the digital life cycle of cars and having full
transparency over a vehicle’s configuration (for
Focusing on four core cybersecurity example, using digital twins) and, ultimately,
themes setting up a security-operations center for
cars that receives data from the vehicles and
We believe automakers should attack the new
the broader digital ecosystem – in line with
cybersecurity and software-update challenges
dataprivacy laws (for instance, back-end
both along the value chain and across the digital
systems). The security-operations center
life cycle of their cars. To do this, they should focus
would use correlation and artificial intelligence
on four core themes:
to detect adverse events and to launch clear
1. Establish a clear baseline to execute against. incidentresponse activities, eventually leading
The essence of a good baseline involves to the provision of software updates to cars.
understanding requirements from relevant
4. Adapt software-engineering practices that
legislation in the OEM markets and leveraging
embrace function-based development, solid
existing international standards around
version control, and integration testing. This
cybersecurity and software engineering. Doing
approach effectively allows an OEM to assess
so will enable OEMs to deliver cybersecurity
the potential impact of individual software
practices as demanded by regulatory authorities
updates to its vehicles and their relevant
and international standards and to develop and
safetyand type-approval systems. Establishing
maintain secure software. A management system
such systems – version control for vehicle
for cybersecurity (CSMS) can help ensuring a
software, configuration management, and
relentless application of cyber practices across
softwareupdate management – thus helps
cars and the digital-mobility ecosystem.
to ensure operational safety when updating
2. Create a true digital-security-by-design software in vehicles. The approach can also
culture in engineering, quality assurance, and help when considering changes to a vehicle’s
other core value-chain functions and promote configuration and assessing the impact on a car.
car-software architectures with security
built-in. This might require OEMs to overhaul
their software engineering and software
quality-assurance practices that oftentimes
Sensing an opportunity, hackers have begun to
do not follow rigorous software-engineering
focus more energy on compromising connected
processes as seen in software-native
cars, posing a new challenge for automakers
industries. This security-by-design culture
and suppliers alike. While consumers will largely
should focus on secure development practices,
take cybersecurity for granted until the first
enhanced software-testing processes, and
consequential breach, regulators will increase
new supplier-audit processes that include
pressure on automakers and suppliers to ensure
cyber issues. Other helpful elements include
greater protection against attacks. The overall
state-of-th-eart supplier contracts that allow
security of modern mobility services will depend
the testing of a component’s cybersecurity,
on how well the industry addresses cyberrisks
and cyber-awareness training for involved
in and around connected cars, as well as on the
technical personnel and customer-facing staff.
strategic actions key players take today to prepare
for future attacks.
Johannes Deichmann is an associate partner in McKinsey’s Stuttgart office, and Benjamin Klein is a
specialist in the Berlin office, where Gundbert Scherf and Rupert Stützle are both partners.
The authors wish to thank Georg Doll, Ralf Garrecht, and Wolf Richter for their contributions to this article.
Defense of the
cyberrealm: How
organizations can
thwart cyberattacks
Governments and companies have much work to do to protect
people, institutions, and even entire cities and countries
from potentially devastating large-scale cyberattacks.
In this episode of the McKinsey Podcast, Simon London speaks with McKinsey senior partner
David Chinn and cybersecurity expert Robert Hannigan, formerly the head of GCHQ (Government
Communications Headquarters), about how to address the major gaps and vulnerabilities in the
global cybersecurity landscape.
Defense of the cyberrealm: How organizations can thwart cyberattacks 89

Podcast transcript Now we’ve got some more regulation forcing
people to be more transparent about the breaches
Simon London: Hello, and welcome to this edition
and the length of time that attackers were inside
of the McKinsey Podcast, with me, Simon London.
networks before being discovered. And it’s not
2018 was a year of good news and bad news in
always clear to those attacked what they’ve lost.
cybersecurity. The year passed without a major
I’m broadly pessimistic.
international incident, certainly nothing on the
scale of the WannaCry ransomware attack, in Simon London: When you think about where the
2017. And yet every few weeks brought news of next tier-one attack might come, what are some of
another big data breach at another big company. the vulnerabilities that in business and government
So where do we stand going into 2019? Are we people are thinking about, talking about?
winning, in any sense? When and where will
Robert Hannigan: I think most of the focus now
the next so-called tier-one attack occur? And,
is on supply-chain and upstream risk, because
importantly, what is the role of government in
even the best-defended companies now realize
helping to ensure national cybersecurity. To find
that their vulnerability is either those who are
out more, I sat down in London with David Chinn,
connected to their vendors, their suppliers, even
a McKinsey senior partner who works with public-
their customers. And, increasingly, government is
and private-sector organizations on these issues,
worrying about the IT infrastructure, so the global
and also with Robert Hannigan, who is the former
supply chain, both hardware and software, and its
head of GCHQ, the UK government’s electronic-
integrity.
surveillance agency. Robert also led the creation
of the UK National Cyber Security Centre, or And some of the state attacks we’ve seen in
NCSC. Today he’s a McKinsey senior adviser. the last couple of years have been against the
Robert and David, welcome to the podcast. backbone of the internet, if you like. Routers,
switches, places that give you massive options to
David Chinn: Thank you, Simon. Glad to be here.
do different things with internet traffic [Exhibit 1].
Robert Hannigan: Thanks. It’s going deeper and more sophisticated.
Simon London: I think for a layperson, the general David Chinn: I think there’s different versions
question around cybersecurity is, probably, are we of what tier one might feel like. I think that the
winning? increasing ability of both criminals and states
to attack critical infrastructure [is one of them].
Robert Hannigan: No, I think we are making
Taking out power to a city might have relatively
progress, but I think it would be very rash to say
limited impact in terms of the actual damage done,
we’re winning. If you look at the two big trends,
but could have a huge impact on the way people
the rise in volume of attacks and the rise in
feel.
sophistication, they are both alarming. On volume,
particularly of crime, there were something like 317 Robert Hannigan: There’s a difference between
million new pieces of malicious code, or malware, a genuinely catastrophic damaging attack and a
[in 2016]. That’s nearly a million a day, so that’s politically sensitive attack that spreads fear and
pretty alarming. terror or a lack of trust in data. It’s fairly easy to
imagine things that will lead to public panic.
On the sophistication, we’ve seen, particularly,
states behaving in an aggressive way and using You’ve seen big public controversies over airlines
very sophisticated state capabilities and that and banks being unable to function, often not
bleeding into sophisticated criminal groups. It’s through cyberattacks. But if you were to multiply
a rise in the sheer tradecraft of attacks. So no, I that and see it as a malicious attack, you could see
don’t think we’re winning, but I think we’re doing genuine public disquiet, a lot of political pressure
the right things to win in the future. to do something about it.
David Chinn: I would agree with Robert. We Simon London: Yes, it’s interesting, because
may not have seen a single attack that brought when you talk about critical infrastructure of the
down multiple institutions in the same way that modern economy, you often think about things,
WannaCry did, but look at the list of institutions like, as you say, the internet backbone.
reporting very sizable breaches of increasingly
It’s those kind of things. Or maybe financial
sensitive data.
services, the financial system. But just talk a little
90 Defense of the cyberrealm: How organizations can thwart cyberattacks

bit more about the supply chain, for example. those is that although they almost certainly
That’s one that I think in the broad conversation weren’t targeting big manufacturing enterprises
and the broad business public is less discussed. in Europe, they effectively disabled quite a lot of
household-name companies. They simply couldn’t
David Chinn: If you think about, at the simplest
do business, couldn’t manufacture for, in one case,
level, how a pint of milk gets onto the supermarket
several weeks. It was a wake-up call to sectors of
shelf, there are many stages in that, from the
the economy who thought they weren’t a target for
farm – by the way, the cows are milked by a
cyberattacks because they didn’t have great IP or
machine, which is probably connected to a
data that was worth stealing.
network – through to the transport network. The
cold chain. The monitoring of the cold chain. The Internet of Things is simply connecting more
processes and more devices to the internet. And it
You don’t need to disrupt anything except the
is quite striking that the level of security built into
record that says the milk was kept cold for it no
those is usually very low because they’re designed
longer to be a product that can be given to the
and built and procured on cost [Exhibit 2]. There
public. The integrity of that data is the essential
will probably be a role for regulation to improve the
glue that sticks it all together.
standards there.
Robert Hannigan: If you think of the big
But it does mean companies are, both through
ransomware attacks of WannaCry and NotPetya
digitization and through the Internet of Things,
a couple of years ago, one of the lessons from
Exhibit 1
It’s those kind ofDefense

things. Or maybe financial services, the financial system. But just talk a little bit
of the cyberrealm: How organizations can thwart cyberattacks 91
more about the supply chain, for example. That’s one that I think in the broad conversation and
increasing their attack surface, making it harder It’s not straightforward to apply, and I think there’s
for them to understand the perimeters of their own a lot of talk about it. The application in particular
networks, harder to see where their vulnerabilities sectors for particular uses is still to be developed,
are. That is a real problem for the next five, ten years. to be honest. But it certainly ought to be a net
gain for security, and particularly for data integrity,
Simon London: And is this one of the reasons
because one of the big future worries is it’s one
that people are very interested, for example, in
thing to destroy data or steal it or ransom it. To
blockchain? The application of blockchain in the
change it and undermine trust in data, particularly
supply chain.
in financial services, could be catastrophic.
Robert Hannigan: Yes, I think blockchain holds
Simon London: Or, indeed, milk, which is what
a massive potential because of the holy grail,
gave me the thought. It’s a very, very simple
really, of having a ledger that is distributed and
example, but it underlines how much of the
unchangeable and visible to everybody. That has
economy runs on trust in that data.
great benefits in cybersecurity. It’s got a bad name
because it’s used for Bitcoin, and Bitcoin has a Robert Hannigan: We’re just seeing criminals
bad name, but I think blockchain technology is moving in this direction and looking at ways of
fantastic. looking at the corruption of data to, for example,
affect stock prices. There’s a huge potential there
Exhibit 2
The Internet of Things is simply connecting more processes and more devices to the internet.
to use the changes to data, or to put out false data, David Chinn: Robert, it’s interesting what you
to affect the value of a company. say because in a sense, government has three
challenges. One, it is an actor in cyberspace in
David Chinn: Fake news is a great example. They
service of national interest, usually in secret.
haven’t affected the integrity of the core data.
They’re just simply putting out noise. In the reports Second, it has to protect itself from cyberattack.
on the attacks of the integrity of the electoral And third, it has to create, at the minimum, an
system in the United States, in a system which is environment which protects the citizens and
highly distributed, where different standards and businesses of the country.
technologies are used across the United States,
My observation would be that, at least reportedly,
there was clear evidence of attempts to penetrate
the UK is very good in the first. Your old institution
electoral registers. You imagine changing the
is a world-class actor in the national interest in
electoral register so that people of a certain party
cyberspace. The second is quite hard, defending
simply didn’t appear. In the hustle and bustle of
government, because there’s so much of it.
Election Day, they probably wouldn’t get to place
their votes. That could dramatically undermine The technical skills of government, government IT,
trust in democracy. are continually in the newspapers and in the public
accounts committee as being something that we
Simon London: Robert, we’re lucky to have you
struggle to do well. Simple things, like putting a
on the podcast today. Why don’t you talk a little bit
working computer on everybody’s desk, let alone
about what is the role of government in all of this?
defending those networks.
Robert Hannigan: It’s a challenge that every
Robert Hannigan: Most governments, including
government is grappling with in different ways
the UK, have focused their attention on protecting
and has been over the last ten years. There are
government networks, sometimes interpreted
a couple of things that make cyber particularly
slightly more broadly to take in some critical bits of
difficult. One is cyberdefense undercuts the
national infrastructure that really, really matter, but
assumption that government can do defense for
to encourage the rest of the economy to get better.
everybody.
So we spent ten, 15 years, in a sense, preaching at
David has spent a lot of his time dealing with companies to get them to raise their standards.
government defense in a traditional sense. And
There was quite a critical shift, certainly in the UK,
you, as a citizen, expect government to defend you
about three or four years ago, where we decided
using the armed forces. It’s unrealistic to expect
that a security model that depended on everybody
government to do cyberdefense in the same way for
and every company doing the right thing all the
the whole economy, because of the scale of it, and
time was almost bound to fail. The whole system
because most of what you’re dealing with is outside
was not designed with security in mind, so the
government. Quite apart from the fact that the skills
people who invented the internet and then the
and resources just aren’t there in government to do
web that sits on it didn’t have security at the front
it on that scale. So that’s one problem.
of mind, and so we are retrofitting that, and have
The other problem is that cyber is crosscutting been over the last 15 years.
in every sense. It is in a new domain, so it’s a bit
Things like scanning websites for vulnerabilities,
like discovering water or air. Every department,
which is, again, being done across government,
every part of the economy, is dependent on this,
you could do nationally, and you could make that
increasingly, as we digitize more and become more
available nationally. One of the problems, I think,
dependent. You can’t really point to a single bit
is that because the internet wasn’t designed with
of government and say, “You’re responsible for
security in mind, security is seen as something you
cyber.” That was the tendency in the early days.
need to add on rather than something that’s built in.
The answer has to be to find a way of organizing
We need to reach a point where security is
government that gives sufficient speed and
designed in and is there by default, particularly
command and control to deal with the pace at
with the Internet of Things. That may require some
which digital networks work and cyberattacks
regulation and certainly will require bits of the
work but that actually drags out the whole of
economy, including insurance, to start to drag up
government to be good at cybersecurity, because
standards.
if any one bit is bad at it, the whole system suffers.

David Chinn: Do you think government’s been Robert Hannigan: I think government, certainly
remiss on regulation? My observation would be that in this country, has been reluctant to regulate, for
GDPR [Exhibit 3], which is not a cyberregulation, all sorts of reasons. In cyber, there’s a particular
but that puts significant penalties on institutions for reason why regulation can be difficult, because it
allowing private information to be misused, which can end up being very prescriptive and very tick
includes being stolen, is having quite a big impact box, and it doesn’t take account of the speed at
already in terms of reporting and transparency, which technology is changing and the particular
which is then going to inevitably lead to more networks that a company may have. We preferred
investment and more focus by organizations on an advisory, “Here are objectives you should
protecting that data. Do you think government meet” – a risk-based approach, I suppose.
missed the boat a little bit on regulation?
Exhibit 3

Simon London: Best practices and these kind of things.
Simon London: Best practices and these kind of Robert Hannigan: That’s true, but I wouldn’t
things. underestimate the creativity and innovation of
criminal groups. They are genuinely creative. They
Robert Hannigan: Yes. Then there is a good
are talking to each other about, “How could we do
case for saying we need a tougher approach
this in a better way? How could we defraud this
on regulation. I think the EU is moving in that
particular bank? What technique is going to work
direction. I think GDPR has been a net benefit,
best? What’s the best way of delivering it?”
because essentially there are two sides to most
cyberattacks. There’s “Did you do the right things They are doing what so many traditional
to prevent it, and then how did you handle it companies are trying to do, which is pull in
afterward?” skills from around the internet. Not necessarily
colocated. They’ve clocked something about how
So GDPR has been particularly strong on the
to harness young innovative skills and do creative
second bit. First of all, it’s removed the debate in
things. We have quite a bit to learn from them, I
companies about whether they reveal the attack
think. I agree that governments have been very
and how long, because they have to. That’s good.
good in quite a small and narrow way, but the
It’s raised awareness in boardrooms and so, to
criminal world is also pretty innovative.
some degree, panic in boardrooms.
David Chinn: I think this is similar, certainly in
But I think the best regulation probably is in the
the UK, to the crisis in STEM education. If people
states. It’s interesting to see that California is
don’t study STEM subjects, we’re just not going to
introducing some hardware-IT supply-chain
have the inflow into the economy, whether it be for
regulation, which will have a big impact, I think,
government or private industry.
given that so much of it is designed there, even
if it’s mostly made in China. There is a place for I’ve been particularly impressed by the way that
regulation, and we probably should have done more Israel has effectively said that this is a national
of it. The difficulty is lack of skills, again. I think most defensive-capability issue, but it’s a national
governments don’t have sufficient skills. industrial-growth issue. The country decided
they wanted to have one of the world’s leading
Simon London: Ah, well, that was going to be my
cyberindustry platforms and that to do that they
next question. Yes. To your point, David, I mean
had to make a massive investment in skills.
government IT doesn’t have a massively positive
reputation in the world at large. Sometimes They started with after-school activities in the
unfairly. But yes, do governments have the most deprived areas, because they recognized
technical skills in cyber to protect their own that if you start young enough in a country where
networks? almost every home has a computer, even those
with very low means, who think that having a
David Chinn: The interesting thing about cyber
computer is important, that you can build those
is that the source of innovation in attacks is
skills, in a sense, in parallel to formal education.
mostly coming from inside governments. Many
governments have very highly skilled people who Many people who are extremely talented in the
when their knowledge leaks into the public domain cyberdomain actually don’t do particularly well at
gets adopted quickly by criminals. We have the school. It’s an outlet for those people, and I think
equivalent of government weapons proliferation it’s been very, very successful. It’s created a great
into cyberspace. pipeline of talent into government and private
industry.
If you follow the cyberindustry, where there’s a
huge number of start-ups, effectively, each year’s Simon London: I think about another interesting
retiring crop of government hackers is bringing question for government is how you manage this
new innovation from inside the secret domains tension between the need for transparency and
of government in an appropriately, hopefully bringing the whole economy with you, and yet
appropriately, modified way to the benefit of at the same time there is an element of secrecy,
those who are under attack, often from other acting in the national interest and so on. How do
governments. One can’t say that there are no skills you manage that tension in practice?
in government. The best skills are probably in
government.

Robert Hannigan: I think the key insight of the last Simon London: Can we just internationalize the
ten years has been that you can’t do cybersecurity conversation a little bit? If you look across the
in secret. You can’t do it behind a wall in the international context, what are other governments
intelligence agencies. For the obvious reason that who are doing this well and innovatively, and who
the attacks are out there in open source in the we can all learn from?
economy, on the internet. It’s all visible. Well, most
Robert Hannigan: I would say Singapore and Israel
of it visible.
are doing it very well, in slightly different models.
It makes no sense to try to do it in the way that Australia has chosen a model that’s similar to the
you’ve tackled traditional security threats, which UK model [Exhibit 4]. Having it all in one place
may be very, very secret and coming from very effectively. Certainly, the operational side of cyber.
sophisticated governments. There is a side of
Most governments are organizing and constantly
that that is true for cyber, but most of it is not.
tweaking the system. There are very different
Most of what people experience in cyber, whether
models, and in Europe, perhaps in Germany
companies or individuals, is crime. Some of it’s
especially, the cyber agencies are purely civilian.
state-backed crime, but still crime. And it simply
doesn’t work to be referring constantly to a secret And then there is a secret-world element of cyber,
world that can’t really communicate. and I think they’re also looking at how to bring
those two together in a way that works for them,
The obvious development here has been to
given the different constitutional setup.
create a national cybersecurity center that was
outside the secret world, but under the aegis The military in many countries has a primacy in
and under the control of GCHQ, which is where cyber, and certainly in Germany they’ve been
the skills sat. And to have a blend of both. In the given a strong lead in cyberdefense. That brings
headquarters you’ve got access to secret systems both opportunities, because the military always
for some people, but the key point is that you have a lot of resources and they’re very good at
have openness to industry, and you have industry organizing stuff. But also challenges, because
people sitting alongside government experts. they’re not used to dealing with defending banks
and the economy, and it’s a culture shock for them.
It goes back to our discussion of regulation.
They don’t necessarily feel that’s part of their
What you need in cyber, you can’t simply have
remit. There are difficulties in the military.
cyberregulators who do it for everybody,
because so much is domain-specific. You need to The US, everybody looks to, but I think it’s so large,
understand the energy sector to regulate or advise with its multiplicity of agencies, that it’s struggling.
on how to do cybersecurity of energy, or for any It has fantastic capabilities, obviously. The private
other sector. It’s different. Therefore, the idea is to sector is probably better organized, particularly in
have experts from those particular sectors sitting financial services, than anywhere in the world. But
literally alongside a deep cyberexpert. you often get the criticism or complaint from the
private sector that the links to government are not
Simon London: To your point, David, it sounds like
quite right yet.
a lot of companies are struggling with this same
cultural pull between the secrecy but the need to That I think reflects partly the fact that it’s still
share information really to be effective, or to be evolving; the Department of Homeland Security,
more effective and to collaborate with your peers that was given this leadership under the Bush
and share information. administration, is still developing. It’s not
straightforward, particularly on that scale. I don’t
David Chinn: Yes, and I think we’ll see the infor-
think anybody has a perfect answer.
mation commissioner shaping the environment
around transparency quite actively in the very near David Chinn: I think the military is a very
future. interesting subset of government because I don’t
think there was even one model in the military.
Simon London: This is your point around
Some countries are creating cybercommands.
regulation?
Others are building cyber in all of their commands.
David Chinn: Yes. I think that will really change
Others are concentrating in their intelligence
people’s understanding of how much they can
services, and then combining those in different
legitimately keep secret.
ways. And that’s also changing over time.

Exhibit 4
Robert Hannigan: I would say Singapore and Israel are doing it very well, in slightly different
models. Australia has chosen a model that’s similar to the UK model [Exhibit 4]. Having it all in
one place effectively. Certainly, the operational side of cyber.
Most governments are organizing and constantly tweaking the system. There are very different
models, and in Europe, perhaps in Germany especially, the cyber agencies are purely civilian.
And then there is a secret-world element of cyber, and I think they’re also looking at how to
Simon London: It sounds like we’re in an era of “Yes, there are things that we could do at national
institutional innovation, in many ways – to some scale.”
degree, institutional improvisation to try and figure
The problem, I suppose, at the risk of sort of
out what models work in what context.
making excuses, is that the nature of cyberspace,
Robert Hannigan: Absolutely. I think the military’s however defined, makes politicians feel quite
a very good example, particularly outside the US. impotent, because it cuts across jurisdictions.
The US is ahead of anybody, I think, in developing They can pass laws in their own parliament that
cyberskills in the military at scale. really have zero effect. They can regulate their own
companies, but not necessarily others. That is a
On the broader point about civilian structures
real problem.
and civilian/military, I think the one thing that is
probably key is that many of the questions are For cybercrime, for example, most of it is based in
the same, starting with, “What does government countries which are either endemically corrupt or
actually want to achieve?” And not being unwilling to do anything about it for geopolitical
overambitious in what government can achieve, reasons. What do you do about that? I mean
and what’s the appropriate role of government, is there’s a much bigger context here of international
a good starting point. And trying to define what relations, and we are a million miles from getting
people expect from their government. Things any kind of international agreements on the
like a single source of advice, incident response, security and safety of cyberspace.
protection of certain networks. I think that is a
Simon London: David, you were the rousing voice
conversation that just about every government is
of critique just now. What should be done?
having in different ways.
David Chinn: First, a sophisticated debate around
David Chinn: But I think there’s a paradox here,
the legislative and regulatory environment. The
because if you were to interview the chairman or
use of product liability has been very effective
chief executive of any large corporation and ask
in other sectors for changing the game for the
them what’s their top three risks, cyber would be
manufacturers. A robust thinking about product
on that top three, for every single one. And for
liabilities, extension to the technology arena,
many of them, it would be number one. Yet, if we
would frankly have quite a chastening effect on
look at what governments are doing, this is the one
industry.
area of national security, of crime prevention and
prosecution of critical national infrastructure, that Simon London: In other words, selling a product
governments have, to a large extent, abdicated that has technology embedded that is deemed to
their responsibility. Great, some small steps. And be insecure could be breaking the law.
sorry, I don’t mean to be critical of what was a David Chinn: Well, not necessarily breaking the
big small step. But exalting the private sector law, but would expose you to civil action that could
to do better feels like a very different role that have severe financial consequences. Effectively, it
government takes in almost every aspect of life would create a market mechanism for valuing more
that would feature for most people in their top secure products. Second, there is room for some
three risks. I think there’s a lot more to do, but better and some more regulation. For example, if
unfortunately we may have to wait for a genuine you want to sell anything to the UK government,
event – people talk of the cyber 9/11 – to create a you have to meet a minimum standard called Cyber
big change in focus, understanding, spending, and Essentials. This is not the most sophisticated, but,
so on. as we’ve discussed, most of the attacks are not the
Simon London: Let me just put that back to you. most sophisticated attacks.
What should be done? These kind of standards are very helpful because
David Chinn: What would your list be, Robert? they’re easily adopted by people for their own
supply chains. I think a promulgation of standards,
Robert Hannigan: Your criticism is very fair. I
ideally with some degree of harmonization. And it’s
mean I think the government has moved from an
very interesting, in the US the national standards
absolutely sort of hands-off position to say, “Well,
organization, NIST (National Institute of Standards
we’ll look after our networks, but everybody else
and Technology), has created a number of models,
should get better.” And sort of slightly hectoring
which have got global acceptance. Once an
them when they’re not good enough. To saying,
authority puts it out there in a world where

there’s a lot of uncertainty, there’s a lot of demand Robert Hannigan: Yes, either trust or an attack
for good standards. that leads to loss of life. It might not be massive
loss of life, but it would put huge pressure, as
The traditional tools of government around
terrorism does, on politicians to react.
legislation, regulation, standards setting, and
so on could be used quite a lot more, without Simon London: So what’s that Churchill phrase,
throttling innovation. Industry always says, “You’re this is not the beginning of the end. This is the end
going to throttle innovation.” What they mean is it’s of the beginning?
going to cost them more. But the cost to society of
Robert Hannigan: Well, I don’t think it’s even
insecurity is high and is going to get higher.
really the end of the beginning. I think we’re still
Simon London: One of my takeaways from this at very early stages of this technology. For most
conversation, tell me if this is right or wrong, is people, it’s 15, 20 years old. Even if you look back
that there will be one or more significant tier-one, to the ARPANET (Advanced Research Projects
we might call them attacks, on critical national Agency Network.), it’s, what, 40, 50 years old?
infrastructure. We’re recording this in London, but That’s not long, and it’s developing incredibly fast.
it may not be based in the UK. But that will come.
We are about to add a massive amount of new
We know where it will come. And that will probably
processing power, and therefore new data to the
shift the debate into a higher gear. That probably
system, mostly through the Internet of Things. We
will shift the international debate about what is to
have a whole new issue emerging with quantum
be done and, in some ways, get this taken more
computing, and people have not quite woken up,
seriously, perhaps at government policy and
including the regulators, to the fact that current
regulatory level. Is that a correct takeaway?
encryption will cease to be useful once quantum
Robert Hannigan: I think for most people, arrives.
most of what they would experience, and most
We need now to be building in quantum-safe
companies, is still crime. So that’s the volume, but
encryption standards, which are available through
everybody understandably gets excited about the
NIST and through others. But if we don’t do that,
catastrophic attack and that there is a range of
everything, every company’s records, every bit
possibilities for and the insurance industry worries
of financial data, every transaction is going to be
a lot about systemic failure. So systemic failure of
readable from the moment that quantum computing
cloud providers, for example. Systemic failure of
really arrives at scale. It’s a wonderful innovation,
some major financial institutions, two or three of
and it has obviously lots of possibilities on the other
which would bring down the system or could bring
side of the equation, but it is one that we need to
down the system. So those are the kind of real
start thinking about in regulatory terms now.
tier one. But there may be some political tier-one
problems and attacks that will have the kind of Simon London: All right. Well, I think that’s all
effect that David was talking about earlier, of panic we have time for. Robert and David, thank you so
and political pressure. much, and thanks, as always, to you, our listeners,
for tuning in. To learn more about our work on
Simon London: Trust.
cybersecurity, technology, and related matters,
please go to McKinsey.com.
David Chinn is a senior partner in McKinsey’s London office, and Robert Hannigan, the former head of
GCHQ, is a senior adviser to McKinsey. Simon London, a member of McKinsey Publishing, is based in
McKinsey’s Silicon Valley office.

Enable digital technology delivery
Understanding the
uncertainties of
cybersecurity: Questions
for chief information-
security officers
Given the dynamic nature of the cybersecurity environment, CISOs need
to address a set of questions that will shape their strategies over time.
by Venky Anant, Tucker Bailey, Rich Cracknell, James Kaplan, and Andreas Schwarz
100 Understanding the uncertainties of cybersecurity: Questions for chief information-security officers
At a highly dynamic moment of change in the and which perceptions and actions (or failures to
way companies use technology, cybersecurity act) might heighten their concerns.
is probably the most dynamic of all corporate
2. How will different regulatory, political, and
technology domains. The field and the companies
cultural expectations about data protection
that rely on it are being transformed as an uncertain
across national boundaries shape the security
geopolitical environment emboldens potential
environment?
cyberattackers, rapid technological innovation
Perhaps paradoxically, while consumers have
creates new ways to launch and repel cyberattacks,
been relatively blithe about their data, privacy and
and cybersecurity’s emergence as a critical
security have continued to be hot-button political
business function prompts experimentation with
and regulatory issues. Jurisdictions such as Brazil,
organizational and operating models alike.
California, and the European Union have started
In such an environment, perfect foresight is to implement tough new requirements on data
impossible. Yet business, technology, and privacy. But regulations in different jurisdictions
security executives all have a responsibility to may contradict each other or create conflicts
understand the important uncertainties and to between compliance and security – particularly by
develop practical working hypotheses about how constraining the forensics a company can perform
to manage them. To help these senior managers, on its own network to identify insider threats or
we’ve compiled a list of the key questions they compromised accounts. (Regulators might perceive
ought to ask over the next 12 to 18 months. those actions as inimical to the privacy rights of
employees.) Authoritarian states may demand that
Evolving market expectations companies limit security or privacy protections
for their customers or employees as a condition of
Two of these questions focus on market
doing business in those places. That in turn may
expectations: whether consumers will start to
spark public frustration and anger elsewhere.
care about security issues and the way differing
regulatory, political, and cultural expectations Going forward, companies will certainly have to
about data protection shape security across think about tailoring their security models to the
national boundaries. requirements of different national markets. Some
may have to make tough choices about whether
1. Will consumers start to care about privacy
they can reconcile expectations about privacy and
and security?
security in all the markets where they might ideally
Anyone who has observed the procurement
like to do business.
of group health insurance, pharmacy-benefits
management, prime brokerage, or IT-outsourcing
services knows that corporate customers care Evolving risks
a lot about how their suppliers protect sensitive The next set of questions focuses on evolving
data. But with a few exceptions – such as high- risks: whether companies will be collateral
net-worth or mass-affluent purchasers of financial damage, coopted or directly targeted by nation-
services – the consumer market just doesn’t seem state actors; how companies will protect their data
to care about privacy or security. Most breaches in a world of pervasive sensors and protect their
involving personally identifiable information machine-learning capabilities; and how quickly
haven’t affected revenues or market share in any quantum computing will become a security threat.
sustained way.
3. To what extent will companies be collateral
Yet in view of the relentless attention to privacy damage, coopted or directly targeted by
and security issues in the press and the political nation-state actors?
arena, this indifference could certainly change. As the NotPetya attack showed, nation states
Companies have a responsibility to protect all increasingly use cybertools as weapons of
consumer data, but when senior executives think domestic and military tradecraft. Originally
through their risk appetites, levels of investment, directed at targets in Ukraine, NotPetya wreaked
and incident-response plans, they must consider havoc on unprotected networks around the world.
not only how sensitive consumers in general are Another harbinger of what’s to come: it has been
but also who may be the most sensitive consumers widely reported that NotPetya was derived from
Understanding the uncertainties of cybersecurity: Questions for chief information-security officers 101
a stolen exploit originally developed by the US 5. How can companies protect their machine-
National Security Agency.1 learning capabilities?
Businesses are racing to implement machine-
In an era of renewed great-power conflict, countries
learning systems to detect fraud, improve pricing,
increasingly promote their global interests by
rationalize supply chains, and optimize dozens
means other than war. During the past several
of other business decisions. For all these use
years, asymmetric approaches (such as cybertheft,
cases, decision algorithms improve over time as
cyberattacks, malign influence, and media
more data generate better insights about the
manipulation) have taken advantage of unsuspecting
connections between inputs and the objective
content providers, critical national-infrastructure
function to be optimized. This is a fundamental
operators, and intellectual-property producers.
change – analysts can no longer replicate
When global tensions rise and economic algorithms on a pad of graph paper, as they could
interventions become increasingly common in with traditional decision tools. It may therefore
great-power conflict, companies will be collateral be all but impossible to determine whether a
damage; in fact, they will probably be targeted cyberattack has subtly compromised a business
directly in state-against-state cybercampaigns. capability (by reducing the ability to detect fraud,
Similarly, nation states may increasingly use for example). Security organizations and their
for-profit companies as proxies, partners, and business partners may need to develop new
conduits for asymmetric activities. Businesses ways to ensure the validity of machine-learning
must therefore determine how much risk they face algorithms.
from either intentional state-sponsored attacks
6. How quickly will quantum computing create
on them or, as collateral damage, from attacks on
security threats?
other targets.
All security relies on encryption – and on the
4. How will companies protect data in a world of assumption that massive computing resources
pervasive sensors? would be required to decrypt data protected by
The Internet of Things (IoT) dramatically raises even a moderately capable encryption algorithm.
the stakes for cybersecurity – at least potentially, But quantum computers that could crack the RSA-
cyberattackers could manipulate devices that are 1024 encryption standard in less than 24 hours
now becoming connected to networks: for instance, may be only a decade away.2 At a stroke, many
automobiles; heating, cooling, and ventilation of the security technologies the modern world
systems; and industrial machinery. The IoT involves depends on would become ineffective: for example,
huge numbers of network-connected sensors that what would happen to investments in business
will generate massive amounts of sensitive data. processes based on blockchain if the encryption it
The security functions of companies will have to requires could be compromised quickly?
understand what kind of data the devices installed
Of course, defensive capabilities advance just as
on their networks collect, who might benefit from
offensive ones do, and quantum encryption will
compromising the data, and how to secure a whole
probably attempt to protect users against quantum
new technological environment.
decryption. Yet the National Academy of Sciences
Although that goal is challenging, it is at least estimates that it will take 20 years to make
more straightforward than protecting sensitive enterprise networks less vulnerable to quantum-
information in the consumer IoT. Companies based attacks.3 That time frame, and the risk that
prohibit their executives and managers from some attackers may have access to quantum
working with sensitive documents on any personal capabilities well before the next decade’s end,
device and from transmitting them via personal mean that companies – especially in critical
email accounts. Will companies also have to infrastructure sectors – have a responsibility
prevent employees from making or receiving to start early planning for the transition to a
company-related telephone calls at home in rooms quantum world.
with voice-activated smart devices?
1
Andy Greenberg, “The untold story of NotPetya, the most devastating cyberattack in history,” Wired, August 22, 2018, wired.com.
2
Martin Giles, “Quantum computers pose a security threat that we’re still totally unprepared for,” MIT Technology Review, December 3,
2018, technologyreview.com.
3
Emily Grumbling and Mark Horowitz, editors; Quantum Computing: Progress and Prospects, Washington, DC: National Academies
Press, 2019, nap.edu.
Evolving security protections and What might a postpassword world look like? It
platforms would probably combine biometric authentication
or authentication based on devices (such as
The next group of questions addresses evolving
phones, which use biometrics) with behavioral
security protections and platforms: how quickly
analytics that can determine, probabilistically, if
a zero-trust model could be adopted, the future
users are legitimate. The advent of the WebAuthn
of passwords, the evolution of the security-tech
standard for using devices to authenticate online
market, and the security problems of cloud
services might be a critical enabler. 5
services.
But a successful transition will require device
7. How quickly could zero trust be adopted?
manufacturers, service providers, and
Most chief information-security officers (CISOs)
commercial-software developers to adopt
have believed for years that the perimeter is less
relevant standards and incorporate them into their
important than it used to be, though they continue
offerings. In many cases, companies may want to
to make investments in perimeter-based controls.
develop the behavioral analytics to complement
Now, as companies start to accelerate their move
biometric authentication. Given the momentum,
into the public cloud, these traditional perimeters
CISOs and other executives may want to start
may become irrelevant for larger and larger parts
putting plans in place now.
of the corporate environment.
9. How will the security-technology market
In the zero-trust model, applications base no
evolve?
trust assumptions on whether a user (or another
The cybersecurity-tooling market has recently
application) is inside the network perimeter. This
been among the most fragmented in enterprise
has several advantages: organizations can set the
technology. Systems architects might have only a
right level of protection for each application and
few practical choices for app servers or database-
dramatically limit the ability of attackers to move
management systems. But their security colleagues
laterally across technology environments.
must sort through dozens of endpoint-protection
Yet companies have decades worth of legacy or antimalware products. Despite the problematic
applications that assume the existence of a complexity, attempts to create integrated security
network perimeter, and very few technology platforms have met with limited success, to date.
organizations have developers with the skills to
Enterprise security leaders planning investments
develop zero-trust applications. Less than 10
should ask the larger market participants to
percent of the CISOs McKinsey surveyed believed
explain what makes their integrated offerings
they could adopt the zero-trust model, even for
compelling. If they can’t, it isn’t clear whether
cloud applications, in the next two or three years. 4
proprietary products will continue to dominate
The key to success in zero trust is the ability to
this space or companies will seek to optimize
understand and go on tracking users, assets,
their security expenditures by adopting open-
and controls simply, but at a granular level – or,
source products. Equally important, how will the
if necessary, to reengineer or reshape them.
answers to these questions differ across market
CISOs will have to caucus with their application-
segments – say, between larger and smaller
development and infrastructure colleagues to
companies or between companies facing threats
determine how quickly their companies can
that are more sophisticated or less sophisticated?
develop the required capabilities.
10. When will large companies be able to
8. When will we finally be able to kill passwords?
consume cloud services securely?
Passwords are terrible. Users hate them, forget
The case for public-cloud infrastructure is exciting:
them, write them down on publicly displayed sticky
access to innovative services for developers,
notes, and use them across accounts – including
near-infinite capacity on demand, and (at least
consumer accounts from providers with security
potentially) lower costs. Yet for large, complicated
vulnerabilities. Eliminating passwords could both
companies – especially in heavily regulated
reduce that vulnerability and improve the user
industries – the pace of adoption has been slow.
experience dramatically.
4
Arul Elumalai, James Kaplan, Mike Newborn, and Roger Roberts, “Making a secure transition to the public cloud,” January 2018,
McKinsey.com.
5
Francis Navarro, “A world without passwords? The web’s weakest link gets long-overdue fix,” komando.com.
Some companies with thousands of applications 12. Will the cyberinsurance market protect
(and more than 100,000 servers) desperately want against material cyberrisks?
to leverage the infrastructure of the public cloud For the past decade, market observers have
but have succeeded only in running fewer than ten suggested that cyberinsurance is the next major
applications there. growth area for insurance carriers. Sceptics
have rejoined that it will always be the next
Legacy applications never designed to run
major growth area. For now, the sceptics seem
efficiently in the cloud are part of the problem, but
to be right: the cyberinsurance market has
security is a major bottleneck as well. Security
grown only incrementally and still doesn’t cover
teams are racing to perform risk assessments
most cyberrisks except customer-data-breach
of hundreds of cloud services – first to learn
mitigation and regulatory penalties. Direct costs,
if capabilities such as identity and access
reputational risks, and intellectual-property theft
management (I&AM) and monitoring work in them
do not get meaningful coverage. Since companies
and, second, to build the level of automation that
cannot effectively hedge cyberrisks, they adopt
would make it possible to configure systems
new technologies relatively slowly for fear of their
securely in the cloud. Companies thus need to
adverse cybersecurity implications.
determine just how quickly they can build cloud-
enabled security capabilities, which acceleration As for the insurance carriers, they don’t have good
opportunities they have, and what that means for actuarial data for cyberthreats, know how to model
the overall journey to the cloud. cyberrisks well, or truly understand the cyberrisks
they would insure or the returns on the relevant
11. Will smaller companies use cloud services to
investments. However, new quantitative methods
reduce their security footprint dramatically?
are emerging to assess the likelihood of long-
Some security professionals talk about the
tail cyberevents, and one or more carriers may
cybersecurity poverty line: companies that
succeed in quantifying and insuring cyberrisks. If
annually spend even $50 million or $100 million
so, companies may be able to transfer risks they
a year on IT may struggle to afford all the cyber-
have so far been accepting or mitigating at high
security tools they need and to attract the talent
cost. But that will come to pass only if carriers can
to deploy and manage them. The transition to
dramatically improve their underwriting.
cloud services has challenged larger companies
scrambling to recast their security architectures 13. How will the scope of security organizations
and operations to support a cloud-based develop?
infrastructure. Cybersecurity has become a more important issue
for boards and senior management teams alike.
But the cloud may be a security godsend for
Many companies have therefore started to expand
smaller companies. Their technology executives
the remit of what used to be the information-
(or counterparts in small, independent divisions
security organization, recasting it as the IT-risk
of larger companies) should ask themselves if
group, responsible not only for information
they could dramatically reduce their internally
security but also for technology compliance,
managed technology footprint, their surface area,
the quality of software, disaster recovery, and
and therefore their level of risk by accelerating
business continuity. The goal is to have one
the transition to business applications based on
executive and one team make integrated decisions
software as a service (SaaS) and to SaaS-based
about protecting corporate information and
desktop environments, voice communications,
systems from both accidents and attacks.
and network connectivity. This question will be
especially relevant for private-equity firms, which Other companies, thinking that no clear line
invest in many midmarket companies. separates cybersecurity from physical security in
an increasingly digital world, have integrated them.
Evolving security operating models A few companies have combined cybersecurity
with fraud control because they think that most
The final set of questions focuses on evolving
fraud has an online component and want integrated
operating models for security: whether the
analytics to oppose it. A few other companies
cyberinsurance market will protect against
combine the security and privacy teams, on the
cyberrisks, how the scope of security
theory that customers care only about the misuse
organizations will develop, and how cybersecurity
of their data and don’t distinguish between
talent pools will react to demand.
security and privacy. Meanwhile, many companies available and whether it aligns with their overall
have moved much of their security-related strategy. People with low-end cybersecurity skills,
service delivery and technology support into the for example, may become more available long
technology-infrastructure organization, so that before companies can find enough experts with
CISOs and their teams can focus on strategy and the advanced skills required to face off against
risk management. business leaders on cybersecurity issues or to
direct the automation of cybersecurity.
In short, the organizational structure for
cybersecurity hasn’t stabilized. Senior managers
must watch developments in their industries to see
which organizational structures succeed.
Policy decisions, investment choices, and security
14. How will cybersecurity talent pools evolve in
incidents now confront security, business, and
relation to demand?
technology executives with pressing (and often
CISOs disagree on many things, but they almost
exhausting) cybersecurity issues they must address
universally believe that cybersecurity talent is
in the short – and sometimes very short – term. Yet
in short supply. When people chose majors and
in view of the cybersecurity environment’s highly
courses of study in the past, almost nobody
dynamic nature, CISOs and other executives have
expected cybersecurity to be as big an issue as it
a responsibility to think through the longer-term
is today. But for several years now, demand signals
questions raised in this article.
indicating a pressing need for cybersecurity
expertise have been penetrating the talent Companies can address some of the issues
marketplace. Computer-science students are described here – for instance, quantum
beginning to take cybersecurity courses, security computing, pervasive sensors, and the
specialists trained in the military have entered cyberinsurance market – as events unfold in
civilian labor markets, and lawyers and other coming years. Other issues, such as evolving
professionals have gone back to school to retrain consumer expectations and regulatory demands,
themselves as cybersecurity experts. require more immediate attention because they
could have a dramatic impact in the next year or
Technology executives should think about
two. To withstand the coming security onslaught,
their cybersecurity operating models: what to
companies will have to change in important ways.
outsource, how aggressively to automate, and
The questions posed in this article are the natural
which skills to foster internally. As they do, they
starting point.
must know how much cybersecurity talent is
Venky Anant is a partner in Silicon Valley office of McKinsey. Tucker Bailey is a partner in McKinsey’s
Washington DC office. Rich Cracknell is a manager of solution delivery in Silicon Valley. James Kaplan is
a partner in the New York office, where Andreas Schwarz is an expert.
Protecting the business:

Views from the CIO’s
and CISO’s offices
Protecting the business:
Views from the CIO’s
and CISO’s offices
At JPMorgan Chase, CISOs and CIOs work together
to align cybersecurity with business goals.
At JPMorgan Chase, CISOs and CIOs work together to align cybersecurity
by James Kaplan
with business goals.
March 2020
106 Protecting the business: Views from the CIO’s and CISO’s offices
In an increasingly digital era, protecting information Then you need to translate this into digestible
and systems from cyberattack is one of the most content for a non-technical audience, which
important and challenging responsibilities of every requires good soft skills as well.
IT organization. In some cases, business-unit chief
A CISO drives and controls an agenda, and
information officers (CIOs) and enterprise chief
building trust is critical in implementing that
information security officers (CISOs) can have
agenda, because trust is a force multiplier. As a
very different perspectives and agendas, creating
CISO, my priorities are to protect the firm, enable
friction and reducing organizational effectiveness.
the firm to drive growth, and make this growth as
At JPMorgan Chase & Co., which has one of seamless as possible from a security standpoint.
the world’s largest private-sector technology
George Sherman: I think the best CISOs are the
environments, two of the four business-unit CIOs
ones who have learned about policy and controls
have previously served as the bank’s enterprise
but at their core are very strong technologists. The
CISO.
CISO role must evolve with the threat landscape
McKinsey’s James Kaplan spoke with several and technologies. You must understand the
members of JPMorgan Chase’s Global Technology technical side of cybersecurity. But information
leadership team, led by Lori Beer, Global CIO and security and protecting against cyberthreats
member of the company’s Operating Committee, are also about people and process, not just
about effective collaboration between the security technology, so you have to understand all three
and business-unit technology functions, what dimensions in order to fully appreciate what you
makes a good CISO, and how being a CISO can be have to do to protect the firm.
valuable preparation for being a CIO.
Sometimes you have to go slow to go fast. It’s the
Rohan Amin is CIO of Consumer & Community old race-car analogy. You can go really fast in a
Banking, Anish Bhimani is CIO of Commercial race car because you’re wearing a fireproof suit,
Banking, George Sherman is CIO of Global you’re in a protective cage, you have an automatic
Technology Infrastructure, and Jason Witty is fire-extinguishing system, and you were trained.
JPMorgan Chase’s global CISO. All are managing This allows you to drive superfast.
directors. Prior to their current roles, both Amin and
But getting to that point can feel slow. CISOs who
Bhimani served as JPMorgan Chase’s global CISO..1
“get it” spend a little bit more time up front being
thoughtful about their execution.
The attributes of an effective CISO
Jason Witty: Being a successful CISO these days The changing role of the CISO
involves wearing many hats, from business to risk
Jason Witty: The role of the CISO has already
to technology to software engineer. You must be
changed. It’s about measured risk taking, not risk
aware of the threat landscape and understand
elimination. This measured risk taking must also
human behavior. You also have to know how to
evolve with the availability of new technologies.
work with regulators and gain trust from multiple
You must constantly adapt, train, and educate
stakeholders.
so that you can adjust the control environment
Doing those things gives you a firmwide view of to enable the things the business is trying to
what’s going on in the business, what’s going on accomplish.
in technology, what’s going on in risk, and what’s
Rohan Amin: If you want to help the builders, you
going on in the legal and regulatory landscape.
have to know how to build. As a CISO, if you are
This allows you to connect the dots in a way that
not close to the modernization agenda—modern
other roles simply do not provide.
architectures, cloud, data, machine learning,
You must constantly be shifting, adapting, and and so on—then it’s hard to effectively guide an
learning. I spend about two hours every morning organization in the right direction.
just digesting what’s changed since I went to bed,
be it new threats, bad actors, or vulnerabilities.
1
r the full interviews with each interviewee, see “The benefits of a CISO background to a business-unit CIO” (Rohan Amin), “Enterprise-
wide security is both a technology and business issue” (Anish Bhimani), “Robust cybersecurity requires much more than great
technology” (George Sherman), and “The modern CISO: Managing scale, building trust, and enabling the business” (Jason Witty), March
2020, McKinsey.com.
Protecting the business: Views from the CIO’s and CISO’s offices 107
George Sherman: You can go back a decade require that security and controls be embedded into
and see how much has changed. Everything all the technology we deliver.
seemed much simpler. The successful CISOs
I use my technical-security skills on a daily basis.
of the future can’t be process managers. They
With new technology and connectivity platforms,
must have a deep understanding of technology.
many of our older security paradigms are being
Imagine leading thousands of software engineers
stressed. In the past, you could get away with not
but never having actually written a line of code.
having the most robust identity or authorization
At some point, you have to ask yourself how you
constructs and authentication and authorization
can relate to that community. And how will that
metrics. This is no longer the case, as the dynamic
community relate to you? Those questions are just
nature of these modern technologies requires
as relevant to today’s and tomorrow’s CISOs.
dynamic management of the trust chain.
Anish Bhimani: I used to go to the board of
If you add to this the complexity of the multivendor
directors and the audit committee annually for
cloud environments connecting into our
about 20 minutes. We now meet with the board
companies, you must have a strong understanding
eight times a year for at least an hour each time.
of the “threatscape” and how you deal with
cybersecurity issues. Everyone within the
The value of CISO experience to CIOs organization must understand that cybersecurity
Anish Bhimani: Every CIO should spend time in a is non-negotiable. We have to get it right all the
security role, since it makes you think differently. time. The bad actors only have to get it right once.
Regardless of your role, you’re never out of security.
With new technologies, including automation, How being CISO helped in becoming
security is a layered process. It’s built into the fabric a CIO
of the organization, from process to people.
Anish Bhimani: I spent my entire career aspiring
Rohan Amin: When we think about what matters to be the CISO of a large bank, and when I got
most to our customers, running a disciplined the job, it was a significant accomplishment in
environment with stability, resiliency, controls, and my career. When I then became a CIO, it meant
data privacy are non-negotiables. Being in the shifting to more of an implementation approach,
CISO role obviously instilled a lot of that in me. and I was eager to work with the business. But
The other aspect that’s helpful in having a CISO back- despite my excitement, I was clear that job number
ground is a deep understanding of non-functional one is having a secure operating environment. If
requirements and how to make them easier to adopt. you don’t do job one, you don’t earn the right to do
For example, modernizing our applications and job two, which is to deliver value to the business.
striving for platform-centric thinking help to focus our Rohan Amin: In the CIO role, you get a deep
engineers on the most relevant business functions, appreciation for the importance of the control
which are the features and value for customers. environment and security. You learn that everyone
As a CISO, you have a global view of risk and what understands the importance of controls but wants
the issues are and how you think about enterprise control adoption to be more seamless and part of
management in the application-development the engineering process.
context. Some CISOs are policy and governance Security and controls teams face a continuing
focused only, while others have a stronger challenge to figure out how to make this stuff
technical and business background. Having a simple and easy to use. This requires the
technical background and being able to effectively engineering work to make it easy to adopt, easy to
communicate complex issues to the business have innovate on the platform, and easy for engineers
served me well. to do the right thing. People can’t be forced to
George Sherman: We are unique and fortunate in read thousands of pages of policy to figure out
that three of our CIOs are former CISOs. This makes the right thing to do. The right thing to do should
the current CISO’s life much easier, specifically as it be easy and baked into the platforms and enabled
relates to how you design, deliver, and execute the via software, so that something as simple as “you
business-process automation efforts. Thanks to our should encrypt your data” isn’t something every
security background, we tend to think about data engineering team has to figure out for itself. Make
protection and security earlier in our processes and security the easy answer, not the hard answer.
108 Protecting the business: Views from the CIO’s and CISO’s offices
The impact of the cloud Focusing on the future
Anish Bhimani: When moving to the cloud, the Jason Witty: “Deepfakes” ar e a concern, so
first priority is figuring out your technology and having the ability to prove that who you are
business priorities and then striking a balance. talking to is actually the person you think you are
Services and architecture templates need to be talking to is vital. Artificial-intelligence (AI) and
validated and automated for cloud configuration. natural-language-processing algorithms are also
Secondly, cloud security can be a business advancing rapidly, posing new reputational and
enabler, and we know that businesses need to financial threats in addition to opening new doors
grow and thus must move fast. for business growth.
Why do you have brakes on a car? It’s not to stop. Safely enabling AI and maintaining our ability to
It’s so you can go fast, secure in the knowledge keep up with the velocity of automated attacks
that you can stop whenever you want or need to. is also something being much discussed. We’ll
Security done right enables businesses to go at continue to modernize software engineering
the speed they want while being able to manage around the cloud to ensure security and resiliency
risk appropriately. and to further unlock its business value. Finally,
we’re looking into crypto-agility and decoupling
George Sherman: Technology is going to become
the encryption process from the software-
more segmented but also more hyperconnected.
development process.
You can see that in the evolution of the private,
public, and hybrid cloud and with a combination Rohan Amin: Authentication is often the first
of infrastructure-as-a-service, platform-as-a- experience a consumer has with an organization,
service, and software-as-a-service providers so we’re working on the authentication strategy of
clamoring to support new growth. But with this the future. Previously, authentication was thought
hyperconnectivity comes hypercomplexity, and about as a channel-specific thing, meaning how
with that comes fragility. Fragility leads to reliability do we authenticate you in the branch? How do
and security issues. The enemy of a good security we authenticate you when you call in? How do we
program is complexity. If we’re not careful in our authenticate you online or on mobile?
execution, CISOs could end up with a “least common
We’re working to bring these experiences together
denominator” problem where their environments are
in a secure and more integrated manner. We’re
only as secure as their weakest controls.
thinking about ways of putting the customers at the
front of the design and about the multichannel ways
Cybersecurity advice for newcomers people interact with us differently than in the past.
Rohan Amin: Spend time with the folks in the
George Sherman: Resiliency, availability, and
business who have to use the stuff you’re creating.
security are everyone’s responsibility, regardless
If your objective is to help the business—which is
of whether you’re involved with infrastructure,
what it should be—then you need to spend time in
applications, or both. Everyone must believe that
the business to understand what it takes to deliver
operational risk and information security are core
something to a customer. If you spend time only
requirements of their role, so you need to invest
in security land, you really don’t understand the
in training and move this to the forefront of your
complexities the builders go through to deliver.
team’s minds, or you will end up with yet another
Knowing what I know now, building simplicity into
remediation program.
security-control adoption is where I’d recommend
they focus. Secure by design is critical. You can build systems
that are reliable and available, but they may
Anish Bhimani: My first advice is that life never
not necessarily be secure. But when you build
moves in a straight line. You need to be able to
secure systems, you often end up with ones that
adapt to constantly changing circumstances.
are both reliable and available. The disciplines
Well-roundedness is critical, and everything you
around security tend to lend themselves to the
do should get you a step closer to your goals.
same disciplines as resiliency and availability or
Rotations are valuable in gaining experience in
operational efficiency and effectiveness.
security and infrastructure.
James Kaplan is a partner in McKinsey’s New York office.
Protecting the business: Views from the CIO’s and CISO’s offices 109
The modern CISO:

Managing scale, building
trust,
The and CISO:
modern enabling the
businessscale, building
Managing
trust,
The modernand enabling
CISO is uniquely the
positioned to bridge gaps across
business
technology, processes, automation, and cybersecurity.
The modern CISO is uniquely positioned to bridge gaps across technology,

processes, automation, and cybersecurity.
March 2020
110 The modern CISO: Managing scale, building trust, and enabling the business
Securing the information of a multibillion-dollar getting bogged down. You also have to have very
enterprise with more than a quarter of a million strong leaders under you that you can trust. I am
employees is a daily Herculean labor. Enterprise fortunate to have a fantastic team.
chief information security officers (CISOs) must
James Kaplan: How are you addressing security
manage myriad cybersecurity threats, automation,
concerns amid increasing automation and
regulatory compliance, and ever-evolving
continuous controls monitoring?
technologies. Jason Witty, global CISO, JPMorgan
Chase, discusses his role and these challenges Jason Witty: We put a lot of effort around controls
with McKinsey’s James Kaplan. as code, or policies as code, ensuring the ubiquity
of modern software engineering practices across
This interview is part of a series of interviews on
the firm. All of our applications are in the process
the evolving relationship between the CISO and
of being rearchitected to support a modern
CIO. (See “Protecting the business: Views from the
software environment, with automated, self-
CIO’s and CISO’s offices,” on McKinsey.com.)
evidencing controls built in.
James Kaplan: How do you define the role of
We have hundreds of engineers on the security
a CISO?
side dedicated to automation, such as by making
Jason Witty: A CISO drives and controls an agenda, controls seamless and integrating security tools
and building trust is critical in implementing that within the product, platform, and service pipeline.
agenda, because trust is a force multiplier. As a
It’s all about data and code now. This ensures
CISO, my priorities are to protect the firm, enable
strong integration and collaboration with the
the firm to drive growth, and make this growth as
businesses as well. Security is thought of as a
seamless as possible from a security standpoint.
part of each technology capability or product
Being a successful CISO these days involves rollout, which is a tremendous advance compared
wearing many hats, from business to risk to to a decade ago, when security was viewed as a
technology to software engineer. You must be hindrance.
aware of the threat landscape and understand
James Kaplan: In years past, security was
human behavior. You also have to know how to
fragmented. How have the organizational structure
work with regulators and gain trust from multiple
and lines of responsibility evolved?
stakeholders.
Jason Witty: DevOps has significantly changed
Doing those things gives you a firmwide view of
the way that IT in general thinks about product
what’s going on in the business, what’s going on
management, application development, and
in technology, what’s going on in risk, and what’s
production support. Site reliability engineering
going on in the legal and regulatory landscape.
(SRE) is a big focus, along with our product
This allows you to connect the dots in a way that
journey. It’s a change in traditional telemetry
other roles simply do not provide.
management from years ago, when it was very
You must constantly be shifting, adapting, and fragmented and siloed. Our software environment
learning. I spend about two hours every morning provides transparency, which enables people to
just digesting what’s changed since I went to bed, respond quickly to issues.
be it new threats, bad actors, or vulnerabilities.
We’re simultaneously integrating core functions
Then you need to translate this into digestible
with SRE, as well as modernizing the environment.
content for a nontechnical audience, which
This means more colocation and cocreation, which
requires good soft skills as well.
spur both product and security innovation. We’re
James Kaplan: How do you manage the complexity completely aligned on the customer and client
of an institution the size of JPMorgan Chase? experience.
Jason Witty: You manage scale. You build James Kaplan: How are new technologies like
trust. You have command of the details without cloud impacting the institution?
The modern CISO: Managing scale, building trust, and enabling the business 111
Jason Witty: Today’s modern software environ- James Kaplan: Are you experiencing the talent or
ment is faster from a business-capability stand- skills gap that we hear about in the cybersecurity
point. You have more incremental change and space?
faster release cycles; you can also know earlier
Jason Witty: Yes. We have myriad ways we try
when something goes wrong, which means you
to address that. We have programs specifically
can respond faster.
focused on bringing in non-computer-science
James Kaplan: There’s often an overlap between talent, who we put through coding boot camps
infrastructure and security engineering. How have and upskill. We also have a Cyber Kids school
you addressed this collaboration? program that goes into schools and provides basic
skills training on internet safety and security.
Jason Witty: The product model supersedes
We hope to help spur interest in STEM-related
departmental silos. When you have multiple teams
activities and careers. We also recruit talent from
working on the same set of issues, it completely
the military and affinity groups to attract the best
transcends organizational boundaries. If everyone
talent available. We were a founding sponsor of
involved understands the end objectives and how
the Financial Services Information Sharing and
they are measured, then they’re all pointing the
Analysis Center’s (FS-ISAC’s) scholarship program
needle in the same direction. It’s a combination of
for female university students looking to pursue a
site reliability engineering and product that makes
career in cybersecurity. Recruiting the right people
the process more seamless.
is critical, but retaining them is also important,
James Kaplan: As the product model becomes hence our emphasis on upskilling, training, and
more pervasive, how does the role of the CISO continuing education.
change over time?
James Kaplan: If you look down the road for the
Jason Witty: The role of the CISO has already next three or four years, what keeps you up at
changed. It’s about measured risk taking, not risk night?
elimination. This measured risk taking must also
Jason Witty: “Deepfakes” are a concern, so
evolve with the availability of new technologies.
having the ability to prove that who you are
You must constantly adapt, train, and educate
talking to is actually the person you think you are
so that you can adjust the control environment
talking to is vital. Artificial-intelligence (AI) and
to enable the things the business is trying to
natural-language-processing algorithms are also
accomplish.
advancing rapidly, posing new reputational and
James Kaplan: Talk about the collaboration financial threats in addition to opening new doors
around regulatory compliance. for business growth.
Jason Witty: We take compliance very seriously. Safely enabling AI and maintaining our ability to
We are constantly mapping and cross-mapping keep up with the velocity of automated attacks
international regulations to our control is also something being much discussed. We’ll
environment and legal obligations. We’re always continue to modernize software engineering
looking for better ways of automating that around the cloud to ensure security and resiliency
process. We’re adopting the Bank Policy Institute’s and to further unlock its business value. Finally,
Financial Services Sector Cybersecurity Profile we’re looking into crypto-agility and decoupling
as our framework of frameworks in 2020 and the encryption process from the software-
encouraging regulators to start auditing against development process.
the profile, which has the potential to be an
industry-wide game changer.
112 The modern CISO: Managing scale, building trust, and enabling the business
The benefits of a
CISO background to
a business-unit
The CIO
benefits of a CISO
background to a
business-unit CIO
March 2020
The benefits of a CISO background to a business-unit CIO 113

Although chief information security officers Rohan Amin: I’m still getting up to speed! It is a
(CISOs) focus on technology and chief information behemoth of a business, with more than 52 million
officers (CIOs) concentrate on the business, their digitally active consumers. I have never been the
missions are inextricably linked. A CIO with a foot CIO of a consumer bank. That I am, I think, is a
in each world enjoys a unique perspective that testament to how the organization thinks about
can only enhance effectiveness and better serve talent development and mobility. Second, I wanted
the enterprise. Rohan Amin, CIO, Consumer & to do something where I was forced to learn a lot
Community Banking, JPMorgan Chase, explains of new things and was intellectually stimulated and
to McKinsey’s James Kaplan how his CISO fully engaged. I got all of that.
background prepared him for the CIO role.
James Kaplan: Having been a CISO provides an
This interview is part of a series of interviews on interesting background for a CIO role. Was there
the evolving relationship between the CISO and anything about your CISO experience that made
CIO. (See “Protecting the business: Views from the you a more effective business-unit CIO?
Rohan Amin: When we think about what matters
James Kaplan: What was it like making the most to our customers, running a disciplined
transition from CISO to business-unit CIO? What environment with stability, resiliency, controls, and
was unexpected once you moved into the CIO role? data privacy are non-negotiables. Being in the
CISO role obviously instilled a lot of that in me.
Rohan Amin: I had the technical background, but
the main learning curve was getting much closer to The other aspect that’s helpful in having a CISO
the technology that supports the business – and, background is a deep understanding of non-
of course, the business processes – itself. I’m functional requirements and how to make them
thankful I get to work with an incredible team, and easier to adopt. For example, modernizing our
they have been very supportive of me in my new applications and striving for platform-centric
role. In a CISO role, you can be a step removed, so thinking help to focus our engineers on the most
it’s been a great learning experience for me. relevant business functions, which are the features
and value for customers.
James Kaplan: Where has the learning curve been
the fastest? Where has it been the steepest? As a CISO, you have a global view of risk and what
the issues are and how you think about enterprise
Rohan Amin: I began my career as a software
management in the application-development
engineer and have led large development teams,
context. Some CISOs are policy and governance
so that was a more comfortable part of the
focused only, while others have a stronger
transition. The greater learning curve has been
technical and business background. Having a
around the business itself and the business
technical background and being able to effectively
strategy. In my previous CISO role, the primary
communicate complex issues to the business have
set of relationships I had were mostly with the
served me well.
technology risk-and-controls community. While
I did have a presence at the business table, most James Kaplan: What advice do you have for CISOs
day-to-day interaction was with our technology who may aspire to someday become CIOs?
teams. In my current CIO role, I am balancing
Rohan Amin: In the CISO role, you get a deep
across two senior teams, so my interaction with
appreciation for the importance of the control
different stakeholder communities has increased
environment and security. You learn that everyone
dramatically.
understands the importance of controls but wants
James Kaplan: How long did it take you to get control adoption to be more seamless and part of
up to speed on the consumer banking side of the the engineering process.
business?
114 The benefits of a CISO background to a business-unit CIO

Security-and-controls teams face a continuous complexities the builders go through to deliver.
challenge to figure out how to make this stuff Knowing what I know now, building simplicity into
simple and easy to use. This requires the security-control adoption is where I’d recommend
engineering work to make it easy to adopt, easy to they focus.
innovate on the platform, and easy for engineers
James Kaplan: What do you know now that you
to do the right thing. People can’t be forced to
wish you had known a year or two ago?
read thousands of pages of policy to figure out
the right thing to do. The right thing to do should Rohan Amin: I have a much greater appreciation
be easy and baked into the platforms and enabled for our engineering and development teams and
via software, so that something as simple as “you the challenges they face in trying to do the right
should encrypt your data” isn’t something every thing. There are so many things hitting them
engineering team has to figure out for itself. Make at once – modernization, cloud, data security,
security the easy answer, not the hard answer. controls, resiliency, regulatory, and, of course,
business functionality. I would have had a far
James Kaplan: Do you think the skill sets of CISOs
greater sense of urgency about what a difficult
and CIOs will converge over time?
environment we create for builders if we’re not
Rohan Amin: To some degree, yes. If you want putting them first and thinking about them as
to help the builders, you have to know how customers. That’s a different mindset, one I would
to build. As a CISO, if you are not close to the have acted on faster if I’d had the insights into their
modernization agenda – modern architectures, challenges that I do now.
cloud, data, machine learning, and so on – then
James Kaplan: How do you advance the skill sets
it’s hard to effectively guide an organization in the
of development teams?
right direction. That said, the risk-and-controls
discipline is also rapidly evolving, with increasing Rohan Amin: Your development teams’ training
focus on data governance, privacy, and operational should be balanced with what you ask those
resiliency in a world powered by the cloud and development teams to focus on. You can’t train for
machine learning. everything, and the evolving complexity demands
that we make this easier for engineers. For
James Kaplan: What advice would you have for a
example, typically you run your software through a
business-unit CIO who’s never been a CISO about
scanning tool designed to highlight vulnerabilities,
establishing an effective relationship with a CISO?
and typically, the security tool reports thousands
Rohan Amin: Take the time to understand in of things you need to fix. But when you go through
detail what those teams are seeing. Because data sets and reports, there’s simply too much
when you’re on the outside of that, it’s sometimes to handle. A good security team will say, “Here
difficult to appreciate the full extent of the problem are the discrete actions you need to focus on
they’re trying to solve. It’s unlike other aspects and take,” as opposed to, “Here are 5,000 things
of the technology organization. Understand the that you need to figure out the importance of
challenges those teams face as they try to keep addressing.”
the bank and the firm safe. That’s an eye-opener in
James Kaplan: How do you address security
terms of thinking through how you build software
training for developers?
and the values that you instill in the organization.
Rohan Amin: Increasingly, we’re baking those
James Kaplan: Is there any advice you would give
requirements into the software-development life
to folks newly entering the security domain?
cycle itself, so you don’t deploy software that has
Rohan Amin: Spend time with the folks in the issues. That, to me, is the ultimate way to solve this
business who have to use the stuff you’re creating. problem. You need the training, but you also have
If your objective is to help the business – which is the tool chain and the telemetry. Enforce what you
what it should be – then you need to spend time in want through a controls-and-security perspective.
the business to understand what it takes to deliver With cloud applications, these platforms are
something to a customer. If you spend time only automatically enforcing the control environment.
in security land, you really don’t understand the
The benefits of a CISO background to a business-unit CIO 115

So if you’re not compliant, your workload won’t get about as a channel-specific thing, meaning how
deployed or run in production. That’s a big change do we authenticate you in the branch? How do
in mindset. And to be clear, I’m referring to cloud we authenticate you when you call in? How do we
generically – private or public. authenticate you online or on mobile?
James Kaplan: Authentication is an incredibly We’re working to bring these experiences together
important part of the consumer-banking experience. in a secure and more integrated manner. We’re
What are your thoughts about managing that? thinking about ways of putting the customers at the
front of the design and about the multichannel ways
Rohan Amin: Authentication is often the first
people interact with us differently than in the past.
experience a consumer has with an organization,
so we’re working on the authentication strategy of
the future. Previously, authentication was thought
116 The benefits of a CISO background to a business-unit CIO

Robust cybersecurity
requires much more
than great technology
Robust cybersecurity
requires much more
than great technology
© Getty Images
March 2020
Robust cybersecurity requires much more than great technology 117

It’s easy to view the 21st-century “threatscape” race car because you’re wearing a fireproof suit,
through a purely technological lens. But today’s you’re in a protective cage, you have an automatic
chief information security officers (CISOs) fire-extinguishing system, and you were trained.
and chief information officers (CIOs) need to This allows you to drive superfast. But getting to
understand and appreciate the people and that point can feel slow. CISOs who “get it” spend a
process elements as well. George Sherman, CIO little bit more time up front being thoughtful about
of Global Technology Infrastructure, JPMorgan their execution.
Chase, discusses his multiprong outlook on
James Kaplan: Does that need to understand
information security with McKinsey’s James
the technology environment holistically at every
Kaplan.
layer in the stack provide a good background for a
This interview is part of a series of interviews on future business-unit CIO?
George Sherman: We are unique and fortunate
in that three of our CIOs are former CISOs. This
makes the CISO’s life much easier, specifically as
James Kaplan: How does your security back- it relates to how you design, deliver, and execute
ground shape your approach to your current role? the business-process automation efforts. Thanks
to our security background, we tend to think
George Sherman: I use my technical-security
about data protection and security earlier in our
skills on a daily basis. With new technology
processes and require that security and controls
and connectivity platforms, many of our older
be embedded into all the technology we deliver.
security paradigms are being stressed. In the
past, you could get away with not having the most James Kaplan: Given all that’s changing,
robust identity or authorization constructs and particularly around cloud and digitization, how
authentication and authorization metrics. This different will the skill set of a CISO be in a decade?
is no longer the case, as the dynamic nature of
George Sherman: You can go back a decade
these modern technologies requires dynamic
and see how much has changed. Everything
management of the trust chain.
seemed much simpler. The successful CISOs
If you add to this the complexity of the multivendor of the future can’t be process managers. They
cloud environments connecting into our must have a deep understanding of technology.
companies, you must have a strong understanding Imagine leading thousands of software engineers
of the “threatscape” and how you deal with but never having actually written a line of code.
cybersecurity issues. Everyone within the At some point, you have to ask yourself how you
organization must understand that cybersecurity can relate to that community. And how will that
is non-negotiable. We have to get it right all the community relate to you? Those questions are just
time. The bad actors only have to get it right once. as relevant to today’s and tomorrow’s CISOs.
James Kaplan: What makes for a good CISO? Also, the technology is going to become more
segmented but also more hyperconnected.
George Sherman: I think the best CISOs are the
You can see that in the evolution of the private,
ones who have learned about policy and controls
public, and hybrid cloud, and with a combination
but at their core are very strong technologists. The
of infrastructure-as-a-service, platform-as-a-
CISO role must evolve with the threat landscape
service, and software-as-a-service providers
and technologies. You must understand the
clamoring to support new growth. But with this
technical side of cybersecurity. But information
hyperconnectivity comes hypercomplexity,
security and protecting against cyberthreats
and with that comes fragility. Fragility leads to
are also about people and process, not just
reliability and security issues. The enemy of a
technology, so you have to understand all three
good security program is complexity. If we’re not
dimensions in order to fully appreciate what you
careful in our execution, CISOs could end up with a
have to do to protect the firm.
“least common denominator” problem where their
Sometimes you have to go slow to go fast. It’s the environments are only as secure as their weakest
old race-car analogy. You can go really fast in a controls.
118 Robust cybersecurity requires much more than great technology

James Kaplan: CISO and infrastructure George Sherman: Resiliency, availability, and
responsibilities often overlap – for example, in security are everyone’s responsibility, regardless
patch management. How do you deal with this? of whether you’re involved with infrastructure,
applications, or both. Everyone must believe that
George Sherman: Having clear lanes of
operational risk and information security are core
responsibility is important. If you view patching
requirements of their role, so you need to invest
and life-cycle management as a tax or a duty,
in training and move this to the forefront of your
then you really don’t understand the need to
team’s minds, or you will end up with yet another
keep software current and manage it in a near-
remediation program.
real-time way. This mindset translates into your
organization’s view of these functions as a burden. Secure by design is critical. You can build systems
A CIO has the responsibility to design and direct that are reliable and available, but they may
their organization to understand that this isn’t not necessarily be secure. But when you build
a burden but instead a core part of their team’s secure systems, you often end up with ones that
job. Protecting the firm, keeping it patched and are both reliable and available. The disciplines
updated, is everyone’s responsibility. around security tend to lend themselves to the
same disciplines as resiliency and availability or
James Kaplan: Where does security fit into
operational efficiency and effectiveness.
people’s roles in IT?
Robust cybersecurity requires much more than great technology 119

Enterprise-wide security
is both a technology
and business issue
Enterprise-wide security
is both a technology and
business issue
CISOs have important skills that can position them
for the CIO role.
CISOs have important skills that can position them for the CIO role.
March 2020
120 Enterprise-wide security is both a technology and business issue

A chief information security officer (CISO) focuses new digital platforms. And as regulatory scrutiny
on creating a secure operating environment, intensified around technology, we paid more
while a chief information officer (CIO) strives to attention to technology control than to security.
deliver value to the business. But if you don’t Since then, our level of focus on cybersecurity in
get the former right, it becomes impossible to the entire organization has been fantastic.
do the latter. Anish Bhimani, CIO, Commercial
James Kaplan: Are there things you know now
Banking, JPMorgan Chase, has filled both roles.
that you wish you had known then in your CISO role
He discusses how they interact – and how they are
that could have made you more effective?
evolving – with McKinsey’s James Kaplan.
Anish Bhimani: What I realize now is that a
This interview is part of a series of interviews on
lot of the things we try to do centrally have a
tremendous impact on people. I can now set
and drive the tone for the organization so that
we get in front of security issues, remediate,
James Kaplan: Tell us about your cybersecurity and move on to the next challenge. I also did not
journey. fully appreciate the transition from developing
policy to implementing policy. Finally, we probably
Anish Bhimani: I joined JPMorgan Chase in 2003,
should have pushed business leaders harder much
nominally as the CISO. I say “nominally,” because
earlier by stressing that security was not just a
when I got here, we were heavily outsourcing our
technology issue, but a business issue as well.
cybertechnology. My role was largely a policy-
vetting job, and I had 12 people working for me. James Kaplan: Technology has changed. In years
past, it was a 15-minute conversation in passing.
Everything changed dramatically when we
By the early 2000s, you’d have a daylong strategy
merged with Bank One. The role became much
session. How is the topic being addressed at the
more technology oriented and transformed into
highest levels of the organization?
execution as well as policy. We were initially
responsible for issues such as threat response, Anish Bhimani: I used to go to the board of
vulnerability management, security infrastructure, directors and the audit committee annually for
and so on. At that point, we didn’t have a CISO, so about 20 minutes. We now meet with the board
the challenge was getting the right level of buy-in eight times a year for at least an hour each time.
from the CIOs, and we were pushing hard to get
James Kaplan: Discuss your transition from CISO
people to pay attention to cybersecurity matters.
to CIO.
In 2009, the role was made into a proper CIO-
Anish Bhimani: I spent my entire career aspiring
level role, as it is today. It was at that point
to be the CISO of a large bank, and when I got
that cybersecurity had more visibility. Cyber
the job, it was a significant accomplishment in
became visible across the entire organization,
my career. When I then became a CIO, it meant
with leadership driving the tone. It felt like a
shifting to more of an implementation approach,
remediation exercise. We began to see an increase
and I was eager to work with the business. But
in denial-of-service attacks and malware, and
despite my excitement, I was clear that job number
leadership said, “This is more than a technology
one is having a secure and resilient operating
problem; it’s a business problem. Let’s fix it.”
environment. If you don’t do job one, you don’t
James Kaplan: What happened when internal earn the right to do job two, which is to deliver
stakeholders realized that cybersecurity was a value to the business.
business-critical issue?
James Kaplan: What do you miss about your
Anish Bhimani: We began putting the right CISO role?
resources behind it. Businesses were trying to
Anish Bhimani: You always miss the cat-and-
find a balance between security and the growth of
mouse challenge, the game theory, as well as the
Enterprise-wide security is both a technology and business issue 121

problem solving and intellectual curiosity. There Understand your business’s priorities. One of
is also a very active peer and industry community the things I am most proud of is the professional
for best-practice sharing, since everyone is facing development of my direct reports. During my time
many of the same challenges. It’s amazing how the as CISO, 21 of the people I managed went on to
CISO role has evolved. serve as CISOs elsewhere. So you must develop
the people, not just their roles.
James Kaplan: How do you see the CIO role
evolving? James Kaplan: It sounds like one of the biggest
priorities is security remediation.
Anish Bhimani: The ongoing debate is where
security should report. Some say security can’t Anish Bhimani: It’s less remediation and more
report to IT, because it’s a conflict of interest. about how you proactively build controls. For
Others say there’s no way you can get the job example, several years ago, when we found a
done reporting outside of IT. I think that, in years serious issue with some systems, we would run
to come, security will become more embedded a remediation program that took days or weeks.
within the IT fabric of any organization as standard Now, a similar incident is opened and fixed before
operating practice. people go home.
There is also the client impact. As we become James Kaplan: Talk about the movement to cloud
better at securing systems, the point of applications.
vulnerability moves from the system to the person.
Anish Bhimani: When moving to the cloud, the
Security becomes every employee’s responsibility.
first priority is figuring out your technology and
Cyber organizations are now building frameworks,
business priorities and then striking a balance.
working across infrastructure with developers on
Services and architecture templates need to be
systems such as cloud. So the architecture of how
validated and automated for cloud configuration.
the CIO goes about implementing infrastructure
Second, cloud security can be a business enabler,
and security policies will evolve with the role itself.
and we know that businesses need to grow and
A security organization will always attempt to be
thus must move fast.
agile, but it’s very challenging when you’re moving
at the speed of light. Why do you have brakes on a car? It’s not just
to stop. It’s so you can go fast, secure in the
James Kaplan: Do you see the CISO and CIO roles
knowledge that you can stop whenever you want
integrating?
or need to. Security done right enables businesses
Anish Bhimani: Every CIO should spend time to go at the speed they want while being able to
in a security role, since it makes you think manage risk appropriately.
differently. Regardless of your role, you’re never
James Kaplan: What type of advice would you
out of security. With new technologies, including
offer someone who is just beginning their career
automation, security is a layered process. It’s built
in cyber?
into the fabric of the organization, from process
to people. Anish Bhimani: My first advice is that life never
moves in a straight line. You need to be able to
James Kaplan: What advice can you offer on
adapt to constantly changing circumstances.
breaking down silos and managing talent?
Well-roundedness is critical, and everything you
Anish Bhimani: Understand how to navigate do should get you a step closer to your goals.
the organization. Manage conflicts. Keep your Rotations are valuable in gaining experience in
objectives in mind while managing these conflicts. security and infrastructure.
122 Enterprise-wide security is both a technology and business issue

Securing software
as a service
Risk Practice
Securing software as
a service
HereHere
is howis SaaS
how SaaS providers
providers can meet
can meet the security needs of their
the security
needsenterprise customers.
of their enterprise customers.
by Rich Cracknell, James Kaplan, Wolf Richter, Lucy Shenton, and Celina Stewart
by Rich Cracknell, James M. Kaplan, Wolf Richter, Lucy Shenton, and Celina Stewart
© jjaakk/Getty Images
September 2019
Securing software as a service 123

Companies are rapidly adopting software as a The security challenges of software as
service (SaaS) in place of purchasing commercial a service for adopting companies
off-the-shelf software (COTS). Companies
Our survey polled chief information-security
using SaaS rely on SaaS vendors to host their
officers (CISOs) and other cybersecurity
applications in the cloud instead of running them in
professionals from more than 60 companies of
their own data centers. Industry analysts estimate
varying size in a range of industries. We wanted
that the SaaS market will grow by more than
to understand how companies experienced SaaS
20 percent annually, reaching nearly $200 billion
offerings and how they responded to security
by 2024, a level that would represent nearly one-
challenges. Almost universally, respondents
third of the overall enterprise-software market.
confirmed what we had suspected: they have
With enterprise values for SaaS businesses
increased their focus on security for SaaS
reaching approximately seven times forward
offerings, emphasizing capabilities at the
revenue, software companies are racing to convert
intersection of the vendor’s and their own security
from on-premises to SaaS-based delivery models.1
environments. They expressed a fair amount
Most companies, therefore, will eventually of frustration with shortcomings in vendors’
confront the cybersecurity risks inherent in the cybersecurity capabilities, which often caused
SaaS approach. These are different risks from delays in contracting and implementation. In their
those posed by on-premises COTS. In building view, SaaS vendors need to take a much more
COTS, the vendor takes responsibility for removing customer-centric approach to security, making
security vulnerabilities from the application code. it easier to understand their products’ security
The customer, however, installs the software, capabilities, easier to integrate them with the rest
configures it, and takes responsibility for running of the enterprise-security environment, and easier
it in a secure infrastructure. For SaaS offerings, to configure them in a secure and compliant way.
the vendor takes on many of the security
All the companies we spoke with had already
responsibilities previously assumed by the
begun to make the transition to SaaS offerings.
customer.
About half had used products from 20 or fewer
Companies do not always feel comfortable with SaaS vendors, about a quarter from more
the indirect relationship to cybersecurity risk than 80. Almost all companies surveyed were
that SaaS presents, mediated as it is through deploying SaaS offerings in at least one major
vendorbased protections. More important, area, especially office automation, IT-service
SaaS vendors have not always ensured that management, and niche business applications
their products meet their customers’ security (Exhibit 1).
requirements. That is the story that emerged from
Many security executives said that their
our survey of cyber professionals from companies
organizations were not ready to use SaaS in
seeking to adopt SaaS solutions.2 Their responses
some critical domains, however, because of
also provide insights into how enterprises
the potential risks. These include enterprise-
should think about security in an SaaS world and
resource-planning applications, where downtime
important clues for SaaS vendors on how to earn
can prevent the entire business from functioning.
the confidence of their enterprise customers.
Similar concerns were raised for engineering- or
manufacturer-related applications. For health-
related applications and applications that may
contain M&A information, the biggest barriers to
SaaS adoption concern data confidentiality.
1
KBV research cited in “Software as a service (SaaS) market to reach a market size of $185.8 billion by 2024: KBV Research,” PR
Newswire, December 19, 2018, prnewswire.com; Enterprise software market research report – global forecast 2023, Market Research
Future, May 2019, marketresearchfuture.com; “Just where are SaaS companies priced after the 2018 correction?,” Tomasz Tunguz,
December 26, 2018,tomtunguz.com.
2
2019 McKinsey Customer Perspectives on SaaS Survey of chief information-security officers (and managers responsible for cloud
security or vendor security) from more than 60 organizations. More than half of the participants were from companies in financial
services, insurance, pharma, and health services, with the rest spread across the government, industrial, and tech sectors. Each third
(approximately) of the responding companies had respective annual IT budgets of $500 million and above, $50 million to $500 million,
and less than $50 million. Most respondents were from companies based in the United States. Differences in size, geography, and sector
apart, however, the companies largely expressed similar concerns.
124 Securing software as a service

McKinsey on Risk 8
Securing the path to software
Exhibit 1 of 3
Exhibit 1
Surveyed enterprises most commonly used software as a service for office automation,
IT-services support, and niche business applications.
Level of SaaS¹ adoption by usage type, % of respondents (n = 61)
Enterprise Customer Governance, Other (eg,
Office IT-services Human resource relationship risk, and marketing and
automation support resources planning management compliance sales, R&D)
92 84 61 49 44 25 93
¹ Software as a service.
Source: McKinsey Customer Perspectives on SaaS survey
Priorities in attempting
related applications to secure
and applications that may providers
revealed thatto hostcompanies,
most and manage their security
especially large keys.
software as a service
contain M&A information, the biggest barriers to Thedo
ones, majority prefer
not entrust SaaSto hold their to
providers keys
hostonand
premises
SaaS adoption concern data confidentiality. manage
through their security keys.
a hardware The majority
security module,prefer
retainto
In their relationships with SaaS vendors, most hold their keys oncontrol
premises through a hardware
management of cloud-hosted keys, or
respondents use questionnaires to gauge security module, retain management control ofThese
use a combination of methods (Exhibit 3).
security
Prioritiescapabilities but criticize
in attempting tothe approach as cloud-hosted keys, or use a combination of methods
secure approaches allow companies to control access
imprecise,
softwareincomplete,
as a service and overly time consuming. (Exhibit 3). These approaches allow companies
to sensitive information. It also ensures that
Security executiveswith
In their relationships tendSaaS
to focus on four
vendors, mostkey to control access to sensitive information. It
government agencies cannot gain access to and
issues when use
respondents confronting SaaS to
questionnaires capabilities:
gauge security also ensures that government agencies cannot
unencrypt their data without contacting them first.
gain access to and unencrypt their data without
encryption
capabilities and key management,
but criticize the approachidentity and
as imprecise,
access management
incomplete, and overly (IAM), security monitoring,
time consuming. Security contacting
The survey them first. revealed that companies want
further
executives
and incidenttend to focus (Exhibit
response on four key
2). issues when
Notable is that a degree of sophistication in key management
confronting
each of these SaaS capabilities:
issues has more encryption
to do withandthe
key The
sosurvey further
that they canrevealed that companies
grant access to data forwant
a a
management, identity and access management (IAM), degree of sophistication in key management so that
interface between the customer and the SaaS certain period of time or revoke access quickly.
security monitoring, andproviders’
incident response they can grant access to data for a certain period of
provider than with the intrinsic(Exhibit
technical This preference again emphasizes that most
2). Notable is that each of these issues has more time or revoke access quickly. This preference again
protections, such as code security and endpoint respondents want to exercise full control over their
to do with the interface between the customer and emphasizes that most respondents want to exercise
protection.
the SaaS provider than with the providers’ intrinsic fullsensitive information.
control over their sensitive information.
Encryption and key such
technical protections, management
as code security and Identity and access management
endpoint protection.
Applications running in the cloud and data Identity
Identityand access management
management is the act of confirming that
Identity management is the act of confirming that
stored there are not protected by a traditional each user is the person he or she purports to be.
Encryption and keyperimeter
management each user is the person he or she purports to be.
corporatesecurity of firewalls and the Access management is the determination that a
Applications running in the cloud and data stored Access management is the determination that a user
like. As a result, security becomes essentially user does or does not have legitimate rights to
there are not protected by a traditional corporate- does or does not have legitimate rights to retrieve
reliant on encryption and management of the retrieve
data or usedata or use an application.
an application. As importantAs
as important
both
security perimeter of firewalls and the like. As a
keys that provide access to encrypted data. as both identity and access management
identity and access management are on company are on
result, security becomes essentially reliant on
Our interviews
encryption and revealed
managementthatofmost companies,
the keys that company premises, they are even more important
premises, they are even more important for cloud-
especially large ones, do not entrust SaaS
provide access to encrypted data. Our interviews for cloud-based
based applications. applications.

McKinsey on Risk 8
Exhibit 2 of 3
Exhibit 2
Enterprise customers focus on the interface between software-as-a-service providers and their
own security environments.
Capabilities that respondents would like to see from SaaS¹ vendors, % of respondents (n = 61)
Encryption and Advanced identity Granular security telemetry Incident response

encryption key and access management and integration with tools requirements are
management options, (IAM) capabilities, including used in the security operations starting to extend
including self-managing, integration with federated center and security incident beyond simple notifica-
SaaS vendor-to-host IAM and role-based IAM and event management tions, to include shared
managed, and hybrids (SOC/SEIM) platform information and joint
simulations
Encryption and Integration with Role-based IAM Monitoring Integration Incident-response

key management federated IAM (employee side) and logging with SOC/SIEM capabilities
56 54 54 52 49 49
Data Business Application-level Country-based User-behavior

residency resilience encryption at rest employees analytics, insider threat
33 26 26 10 5
¹ Software as a service.
Source: McKinsey Customer Perspectives on SaaS survey and interviews with more than 60 industry leaders
Security executives emphasized that two IAM including the ability to provide selected people with
capabilities are especially important to them. First, the authority to access certain data or undertake
Security executives emphasized that two IAM Security telemetry and monitoring
they want tight, easily implementable integration certain transactions within an application.
capabilities are especially important to them. First, Increasingly, CISOs acknowledge that they
between SaaS applications and widely adopted
they want tight, easily implementable integration cannot prevent every instance in which security
Security telemetry and monitoring
enterprise IAM tools. Companies deploy hundreds
between SaaSofapplications
or thousands applications, and widely
dozens adopted
of which are is compromised.
Increasingly, They therefore
CISOs acknowledge thatwant
they the
enterprise IAM tools.
SaaS applications. Companies
They deploy
cannot expect hundreds
users to necessary
cannot preventtransparency
every instance toinidentify and assess
which security is
or thousands
memorize yet of applications,
another password dozens of new
for each whichSaaS emerging security
compromised. risks quickly
They therefore want theandnecessary
thoroughly. As
are SaaSthat
offering applications.
is adopted.They
Theycannot
want to expect users
allow users companies to
transparency adopt SaaS
identify andofferings, data from SaaS
assess emerging
totomemorize yet another
sign into SaaS password
applications for each new
via enterprise-wide providers
security risksabout
quicklyusage patterns become
and thoroughly. critical to
As companies
IAM platforms, which will provide additional
SaaS offering that is adopted. They want to features
allow adopt SaaS offerings,
this analysis. data from SaaS providers
like two-factor
users to sign intoauthentication. Second,
SaaS applications they
via need
enterprise- about usage patterns become critical to this analysis.
sophisticated, role-based
Security reporting is the baseline capability
wide IAM platforms, whichaccess management,
will provide additional
CISOs demand. They want a clear view – usually
features like two-factor authentication. Second,
consolidated in a dashboard – of the users that
they need sophisticated, role-based access
have been accessing their data and what they have
4 management,
Securing softwareincluding
as a service the ability to provide
done with it. Without this kind of transparency,
selected people with the authority to access
implementing even the best security concepts
certain data or undertake certain transactions
can be a “nightmare,” as one security executive
within an application.
remarked.

McKinsey on Risk 8
Exhibit 3 of 3
Exhibit 3
Most enterprises do not fully entrust software-as-a-service providers with hosting and
managing encryption keys and so use different control methods.
Preferences for hosting and managing encryption keys, by level of estimated IT spending,¹ % of respondents (n = 44)
SaaS² hosted
but customer Hybrid (varies by vendor
On-premise, managed by customer managed SaaS hosted and managed size, maturity)
High IT spend 33 14 24 29
Companies with a high Some companies allow Some companies may trust Other companies prefer A variety of hybrid
SaaS adoption rate vendors to host keys large vendors to host and to utilize 3rd-party approaches to
and high IT spending but prefer to retain manage keys but prefer to key management, so that encryption key
prefer to manage their access management retain control rather than neither they nor the management are
keys on-premises relinquish it to an unproven vendor manages keys being used
or niche vendor
Low IT spend 29 46 25
On-premises, managed by customer SaaS hosted and managed Hybrid (varies by vendor
size, maturity)
1
All IT-spending estimates rely on information from “IT key metrics data 2019: Executive summary,” Gartner, December 17, 2018, gartner.com.
² Software as a service.
Source: McKinsey Customer Perspectives on SaaS survey and interviews with more than 60 industry leaders
Many
Securitysecurity
reporting teams seek
is the to integrate
baseline data on
capability Incident
and response platforms (SIEMs). As a
event-management
SaaS
CISOsusagedemand.with external-threat
They intelligence
want a clear view—usually Every company
health-services canexplained,
CISO be breached. Therefore,
“On-premises
and information
consolidated in a from the rest ofthe
dashboard—of their technology
users that security
security teamsare
controls must implement
getting extended tools
intoand
the
environment to determine the
have been accessing their data and what actions they must
have cloud. Only a few SaaS providers allow us to resolving
practices for managing, mitigating, and pull
take
doneto protect
with it. Withouttheirthis
company. To accomplish
kind of transparency, incidents.
logs to go intoNaturally,
our SIEM.”security
A bankingmonitoring
CISO said, plays
“I a
implementing
this, the security eventeams
the best security
need SaaSconcepts
providers can
tobe want to integrate
significant role with SOC/SIEM.
in this, as greater I want something
transparency
a “nightmare,”
offer application as one security executive
programming remarked.
interfaces (APIs), flexible
enables enough
better toincident
work withresponse.
hardened SIEM tools,
which will allow them to pull data into their security and something capable of integrating as well.” In
Many security teams(SOCs)
seek toand
integrate data on Mostwords,
other organizations
CISOs want focus
theiron SOC and
vendors SIEMit
to make
operations centers security-incident
SaaS usage with external-threat intelligence integration. The more sophisticated
easier to use APIs for integration. They also wantsecurity
and event-management platforms (SIEMs). As a
and information from the rest of their technology organizations
timely we spoke
service provision withashave
as well dramatically
accurate security
health-services CISO explained, “On-premises
environment to determine the actions they must broadened
information their
from incident-response
their requirements
SaaS providers included in
security controls are getting extended into the
take to protect their company. To accomplish this, to include joint
service-level simulations,
agreements joint forensic activity,
(SLAs).
cloud. Only a few SaaS providers allow us to
the security teams need SaaS providers to offer and intelligence sharing. One company even
pull logs to go into our SIEM.” A banking
(APIs),CISO Incident
application programming interfaces which securedresponse
the right from one provider to send
said, “I want to integrate with SOC/SIEM.
will allow them to pull data into their security- I want Every company canprovider’s
be breached. Therefore,
personnel to the SOC in the event of a
something flexible enough to work
operations centers (SOCs) and security- incident with hardened security teams must implement tools and practices
major breach.
SIEM tools, and something capable of integrating
as well.” In other words, CISOs want their vendors
to make it easier to use APIs for integration. They
also want timely service provision as well as accurate
security information from their SaaS providers
included in service-level agreements (SLAs).

Broader security concerns and adequate clarity on the data-privacy protections
pain points in their offerings. One medical-products CISO
pointed out that SaaS providers struggled to fulfill
CISOs also stated broader concerns with SaaS
data-residency requirements – identifying the
vendors’ security capabilities. These include a lack
countries where the data are stored. Companies
of readiness of many SaaS offerings for integration
need to know the residency to meet local data
with the company’s larger security environment, as
regulations.
well as insufficient transparency on whether SaaS
products meet local data-privacy requirements. A CISOs often cannot tell whether SaaS products
further concern surrounds the experience of SaaS properly meet new data-privacy mandates,
sales forces, which CISOs say can be ill informed including the European Union’s General Data
and sometimes even outwardly deceptive about Protection Regulation (GDPR), Brazil’s General
security-related issues. Data Protection Law, and the California Consumer
Privacy Act. Companies need to know this
Integration is challenging
information to configure critical features, like
Nearly two-thirds of companies express frustration
encryption, data purging, and data logging, as they
with the process of integrating SaaS products with
ensure compliance.
the rest of their security environments. The trouble
spots cited are as follows: Respondents say that the claims SaaS providers
make about product compliance are often
— Lack of preexisting connectors to commonly
overstated, so they don’t necessarily trust them. A
used IAM and SIEM platforms
technology company’s CISO said, “For things like
— Insufficient functionality of APIs for obtaining GDPR, everyone is trying to figure it out; if anyone
the information required, especially log claims that they are mature in their process around
visibility at the platform level GDPR, I would question this. I would prefer a sense
— Poor API documentation, confusing API-usage of openness [and] honesty around what SaaS
semantics, and a shortage of relevant code providers are doing and why they believe they are
samples compliant.”
— Differently designed APIs for products from Uninformative sales interactions

the same vendor Security executives assert that their interactions
with SaaS-provider teams on security issues are
— Lack of trained vendor personnel to assist in difficult and frustrating. They say that sales reps
using APIs. make security claims that don’t appear to be
CISOs complained of APIs that are not delivered, backed up by fact, and that vendors don’t have
integration that is not achieved, even when the security experts they can talk to. Such experts,
road map is followed, missing documentation, a who would know the technical specifications of the
lack of active support, and no vendor response offerings, are needed to help companies decide
when a problem develops. A biotech CISO how to configure SaaS offerings in a secure way.
emphasized “the lack of security monitoring: [SaaS More than 70 percent of respondents said that
vendors] forget about the confidentiality and uninformed or misleading claims about security
integrity aspects of the monitoring.” capabilities were a cause of dissatisfaction.
Reportedly, some sales representatives
Limited focus on data privacy
even misrepresent certifications or customer
As major data breaches proliferate and regulatory
references. One manufacturing company’s CISO
attention mounts, data privacy is becoming an
said, “I am sick of receiving glossy marketing
issue in the decision-making process for SaaS
materials, which are essentially snake oil when it
contracting and implementation. Security teams,
comes to security features . . . many, many vendors
meanwhile, find vendors scrambling to provide
will claim their security features are better than

[what] a very simple assessment will reveal.” integration. After the company had devoted
Another pointed out examples where simply significant resources to use the required APIs,
checking a reference proved that the referenced it gave up and reverted to the existing version
company had not used security features in the way of the application in order to ensure required
the sales team had described. performance. In another example, new charges for
security-related features were significant enough
Implications on software as a service to sour the business case for adoption of a SaaS
purchasing and contracting offering, causing the company to continue using
the on-premises version.
SaaS vendors’ shortcomings in security
capabilities are shaping the ways enterprise
customers contract for and use SaaS products. Actions software-as-a-service
Negotiations about security terms and conditions providers can take to meet the
(T&C) can add weeks or months to contracting security requirements of their
processes. Survey respondents said the most enterprise customers
challenging issues debated included financial For all the value that SaaS promises, security
liability for breach events, required cyber- concerns limit enterprise customers seeking to
insurance policies, and preferred location for legal make the transition from on-premises solutions to
proceedings. SaaSbased ones. Fortunately, providers can take
Security issues often disqualify providers from the following steps to remove barriers to SaaS
consideration. For those that are considered, adoption.
security remains a major concern; a few of our 1. Build agile security capabilities
respondents told us that they had reverted to a Every company surveyed expected its SaaS
provider’s on-premises solution because they providers to have a robust solution in place,
could not become comfortable with the security including a secure development life cycle and
provisions of the SaaS offering. When deploying a secure stack for hosting its application in
SaaS offerings, security executives cited the cost production. However, changes in software-
and complexity of the compensating controls they delivery models have disrupted existing security
had to put in place to manage the accompanying practices and architectures. As established
risk. Many decide to invest in specialized third- software vendors adopt agile development
party tools to manage encryption keys, ensure methods to improve time to market, earlier
compliance with corporate policies, analyze practices supporting a waterfall development
vulnerabilities, enhance encryption, or track data process – sometimes put in place over decades –
usage for SaaS offerings. CISOs also say that are becoming increasingly irrelevant. Since
they must expend scarce talent and resources in software companies provide their applications via
configuring and managing security offerings to their cloud but also host them on infrastructure
meet their standards. provided by hyperscale cloud companies, years
In a few reported cases, large companies called off and decades of experience designing secure
planned migrations from an on-premises platform on-premise infrastructure stacks also become
to an SaaS offering for security reasons. In one less relevant. Finally, the security organization can
case, the vendor failed to meet commitments no longer “inspect for security,” since this delays
to make the APIs mature for IAM and SIEM the process.
Security issues often disqualify

providers from consideration.

SaaS providers must take a number of steps to Level 3. Create a specialized team to respond
build agile security capabilities. They must design to sales-force inquiries, supported by a robust
and build security into their agile development knowledge base to help answer more complicated
processes. This includes automating security questions. Given the importance of API-based
into the development tool chain, placing security integration, this group should act as a developer-
champions on scrum teams, and training support function in many respects. It should also
every developer on secure coding. They must invest in developing code samples and other
furthermore build an infrastructure-operating artifacts that will make it easier for the customer’s
model with a clear understanding of security security teams to implement the vendor’s
ownership, determining what their cloud- products.
infrastructure provider for security will do and
Level 4. Provide a clear escalation path to security
what they must do themselves. A secure system
engineers who can answer the most complicated
configuration in the cloud will be especially critical
questions about IAM, telemetry, key management,
here. Finally, underpinning all this, SaaS providers
and other issues.
must build an agile security organization, one that
enables the business by providing automated Level 5. Prepare for customer T&C requests.
security services, rather than slowing it down with Customers will ask about the assumption of
inspections and rework. liability, preferred legal venues, and other
issues. Vendors need to develop protocols for
2. Adopt a multilevel model for addressing
the circumstances under which they will accept
security-related customer inquiries
requests, such as which requests will be accepted
When asked about the characteristics of bestin-
and from whom. Just as enterprise customers
class SaaS vendors on security, 70 percent of
seek to assign prices to security risk, vendors
cyber professionals cited transparency on security
may want to assign costs to special T&C requests.
capabilities. They said that in selling, vendors
Even if they cannot pass that cost along to the
can distinguish themselves by giving informed,
customer, this type of accounting tool can provide
straightforward responses regarding security
an indication of whether a deal is worth making.
capabilities and aftersales onboarding. They also
said that vendors should provide transparency 3. Aggressively facilitate integrations
regarding updates and expected implications for The day of the stand-alone, monolithic application
customer systems. Software vendors can meet ended years ago, for security features as well as
these expectations with a multilevel model for for the enterprise-technology environment. SaaS
addressing security-related customer inquiries. vendors should thus make it easier to integrate
their offerings with the rest of their customers’
Level 1. Partner with third-party security assess-
security environments. This requires several
ment vendors to make data about security capa-
actions.
bilities easily available at a low cost. Some third-
party platforms capture more than 1,200 data Build a comprehensive set of connectors to
points about each vendor’s security capabilities. relevant security tools. Major SaaS providers
SaaS providers have no reason to refrain from need to have pre-wired integration capabilities
sharing this information with potential customers. for every major enterprise IAM platform, cloud
IAM platform, privileged-access-management
Level 2. Train the sales force in the basic security
platform (PAM), and SIEM platform. So equipped,
features of the offerings and ensure that they
providers will enable customers to implement their
respond to security inquiries accurately and
products more quickly, less expensively, and with
intelligently. In addition, vendors need to provide
greater confidence that they are not introducing
incentives to sales people that encourage them to
new security vulnerabilities.
ask for expert help rather than provide incorrect or
incomplete information.

Invest in building better APIs. Too often, SaaS
vendors pay little attention to security APIs.
Instead, they should create a consistent security-
API model across the products they offer. They Over time, SaaS will largely replace traditional
should work with customers’ security teams on-premises COTS applications, with enterprises
to provide the granular capabilities required in benefiting from faster innovation, reduced
the areas of encryption, key management, and complexity, lower operating costs, and massively
telemetry. They should deploy simple, easy- reduced management spending on obsolete
to-understand API semantics backed up by technologies. However, SaaS disrupts the
documentation. traditional relationship between vendors and
customers on security. With the vendor taking on
Enhance security-related customer-success
much more security responsibility than before, the
teams. Nearly two-thirds of security executives
security team is put right in the middle of SaaS-
said that leading vendors were distinguished by
adoption decisions. Moreover, companies cannot
the superior technical expertise of their support
accept SaaS products as security “black boxes.”
organizations. This means that vendors should
As we have emphasized, they must be able to
enhance the security skills of the teams that help
determine how to integrate them into the rest of
customers implement their products. In addition
their security environments.
to improving customer outcomes, enhanced
customer support could lead to more sales. Our survey indicates that many SaaS vendors
have yet to understand this new reality. They do
4. Help customers address data privacy
not communicate well with customers on security;
With expanding market and regulatory demands
their products are hard to integrate with the rest
for data privacy, CISOs believe that SaaS vendors
of the customers’ security environments; and
have not demonstrated sufficient leadership in
they have not taken the lead in helping customers
this area. They need these vendors to research
comply with data-privacy expectations. Security
thoroughly the regulatory expectations in
issues are causing companies to eliminate
the markets they participate in and identify
certain vendors from consideration, extending
the specific actions required to comply. They
procurement processes by weeks and months,
need vendors to invest in the encryption, key-
and adding significant cost and complexity to
management, logging, data-tracking, and data-
SaaS deployments. By actively addressing these
purging capabilities necessary for compliance.
issues, providers will speed the ongoing migration
They should also guide CISOs on how to implement
from traditional on-premises applications to SaaS.
their products to minimize regulatory risk.
Rich Cracknell is a manager of solution delivery in McKinsey’s Silicon Valley office; James Kaplan
is a partner in the New York office, where Celina Stewart is a cyber solutions senior analyst; and
Wolf Richter is a partner in the Berlin office, where Lucy Shenton is a cyber solutions specialist.

Agile, reliable, secure,

compliant IT: Fulfilling
the promise
Agile, reliable,ofsecure,
DevSecOps
compliant IT: Fulfilling
the promise of DevSecOps
By integrating security into DevOps, companies can
step
By up the speed
integrating andinto
security frequency
DevOps, ofcompanies
software releases
can step up the
without compromising controls or increasing
speed and frequency of software releases without compromisingrisk.
controls
by Santiagoor increasingJames
Comella-Dorda, risk.Kaplan, Ling Lau, and Nick McNamara
by Santiago Comella-Dorda, James Kaplan, Ling Lau, and Nick McNamara
© Getty Images
May 2020
132 Agile, reliable, secure, compliant IT: Fulfilling the promise of DevSecOps
As digital technologies transform industry after What is DevSecOps?
industry, businesses are increasingly adopting
Pioneered by digital-native companies,
modern software-engineering practices
DevSecOps is based on the principle of integrating
pioneered by tech companies. Agile, DevOps, and
development, security, infrastructure, and
other methods enable organizations to test, refine,
operations at every stage in a product’s life cycle,
and release new products and functionality more
from planning and design to ongoing use and
rapidly and frequently than ever before. However,
support (exhibit). This enables engineers to tackle
the speed and frequency of releases can come
security and reliability issues more quickly and
into conflict with established methods of handling
effectively, making organizations more agile and
security and compliance. How can organizations
their digital products and services more secure
resolve this tension?
and reliable. Security, reliability, and compliance
We think the answer lies in DevSecOps, a method considerations are built into every agile sprint
for integrating security into agile processes and rather than being handled separately or left until
DevOps efforts across the whole product life the end of the development process.
cycle. Properly implemented, DevSecOps (literally,
Adopting a DevSecOps approach has implications
development, Ssecurity, operations) offers
for each stage of the product life cycle:
enormous advantages.
— Planning. From the inception of a new product,
Companies can increase the frequency of
teams are aware of their security and reliability
software releases from quarterly to weekly,
responsibilities and trained to handle them.
or even daily, without compromising their risk
For significant efforts, teams start by quickly
posture. They can cut mean time to remediate
modeling threats and risks and then identifying
vulnerabilities from weeks or months to hours as
and prioritizing backlog2 items needed to make
well as eliminate delays, cost overruns, product
the product secure, reliable, and compliant.
defects, and vulnerabilities. Last, but not least,
Where possible, teams take advantage of
getting security and compliance right from the
existing architectural designs that have been
outset is imperative as companies’ growing
developed in collaboration with security and
dependence on digital technologies makes them
reliability experts, thereby ensuring that best
more vulnerable to cyberattack, especially in the
practices are observed, as well as speeding up
wake of the uncertainty and confusion wrought by
planning and design.
the coronavirus pandemic.1
— Coding. To improve code quality, developers
In our experience, the companies that are most
constantly develop and update their
successful at extracting the full value from
knowledge of secure and resilient coding
DevSecOps commit to managing technology
practices. They take full advantage of
differently. They have an integrated operating
reusable coding patterns, components, and
model made up of teams of people – including
microservices to quickly build the functionality
those from security and compliance – with the full
and services needed to meet common security
range of necessary capabilities, make practical
and resiliency requirements for encryption,
use of automation, develop secure modular
authentication, availability, and observability.
services that are easy to use, and conceive of and
build digital products that are secure by design.
1
See Jim Boehm, James Kaplan, and Nathan Sportsman, “Cybersecurity’s dual mission during the coronavirus crisis,” March 2020,
McKinsey.com.
2
A backlog is a prioritized list of the features that an agile product team is planning to build and work on.
Agile, reliable, secure, compliant IT: Fulfilling the promise of DevSecOps 133
Web 2019
Agile, reliable, and compliant IT: Integrating security into DevOps
Exhibit 1 of 1
Exhibit
Securityisisintegrated
Security integrated
intointo
everyevery step
step in in the product-development
the product-development life cycle. life cycle.
Best practices in DevSecOps
Agile teams are aware of their security responsibilities

from the outset; security champions are embedded in teams Real-time monitoring of app run time ensures
Teams quickly model threats for all significant efforts potential security issues are identified
Backlog items are created, prioritized, and tracked to Host and network-based intrusion detection is
meet security and reliability requirements implemented
Secure architecture designs are preapproved for Compliance validation and evidence gathering are
implementation automated
Planning
Operate
and design Code
Engineering teams work to Developers upgrade their skills in

Product-
progressively improve the Deploy secure and resilient coding practices
development
path to production Reusable coding patterns,
life cycle
Secure hosting environments components, and microservices
“as code” ensure efficiency and Review are deployed to improve security
repeatability and agility
Strong encryption and
authentication are built in Test
Security is reviewed as part of every
sprint and code release
Automated code analysis tools
Security test cases are developed and (SAST1) are used to validate security
automated by agile team members Senior developers with secure coding
Automated penetration testing expertise conduct peer reviews
(including DAST and IAST²) is performed
as part of the development process
¹ Static application security testing.

² Dynamic application security testing and interactive application security testing.
— Reviewing. Instead of having a specialist group checks. After automated code-analysis tools
— Reviewing.
scrutinizeInstead of having
a product a specialist
for security group
vulnerabilities checks.
such asAfter automated
SonarQube andcode-analysis
Fortify havetools
looked
scrutinize a product
and resiliency for security
issues vulnerabilities
once it emerges from such
for as SonarQube
known and Fortify
vulnerabilities andhave looked
issues, senior
and resiliency
months issues once itteams
of development, emerges fromcode
review fordevelopers
known vulnerabilities
conduct peerandreviews
issues, senior
to discuss
months of development,
as often teams review
as every two weeks as partcode
of regular developers conduct peer reviews to discuss
the results and ensure the software meets
asagile
oftensprints,
as every two weeks as part
using both automated of regular
and manual theappropriate
results andstandards.
ensure the software meets
agile sprints, using both automated and manual appropriate standards.
— Testing. Engineers create automated security To illustrate what these shifts look like in practice,
tests to be run alongside automated functional we’ll draw on examples from two organizations
and performance tests. This not only ensures that have recently adopted DevSecOps principles:
that testing is consistent and efficient but also a global software-and-services company and a
makes security requirements explicit, so that large financial-services provider. The software-
developers don’t waste time puzzling over and-services company was already using agile
how to satisfy ill-defined policies laid down by methods to develop digital products and manage
separate groups. Common security tests, such infrastructure, but it was striving to improve
as penetration tests that look for security holes the resiliency of its products while making its
in systems, are conducted automatically as internal processes more efficient. By contrast,
part of every sprint and release cycle. the financial-services firm still relied on traditional
waterfall methods to deliver its projects, and it
— Deployment. Code is delivered to production
saw DevSecOps as a way to improve performance,
hosting environments, not through manual
accelerate software releases, and streamline
processes itemized in checklists, but via well-
controls without increasing risk.
engineered automated processes that ensure
the right software is built and that it is deployed Organization and talent: Integrated cross-
securely and reliably. In addition, best-practice functional teams
companies have secure production hosting When organizations struggle with the tensions
environments that can be rapidly invoked between being agile and maintaining security,
through application programming interfaces reliability, and compliance, it’s often because
(APIs), eliminating wait times and reducing risk. the skills and accountabilities for developing,
operating, and securing products and validating
— Operations. Once software is in production,
compliance are split between different groups.
automated processes – including real-time
The answer is to break down these silos by setting
monitoring, host- and network-intrusion
up integrated agile teams charged with solving all
detection, and compliance validation, and
the requirements of the products in their scope,
evidence attestation – are used to increase
regardless of any functional, security, reliability,
efficiency and detect vulnerabilities. If defects
or compliance issues they may pose. These teams
or vulnerabilities are discovered, resolutions
should be staffed not with specialists but with
are identified, prioritized, and tracked to
well-rounded “full-stack” engineers who can work
make sure product reliability and security are
across disciplines and pick up new skills quickly.
constantly improved.
Every team member must be responsible for the
security and reliability of the code they create,
Adopting DevSecOps principles whether it’s for customer-facing products or
Capturing the potential of DevSecOps isn’t easy. internal shared services.
It relies on tight collaboration both within IT and
The software-and-services company mentioned
across IT, security, compliance, and risk. To get
earlier reconfigured its product-development
it right, companies need to make four shifts
teams to own their code bases from end to end
in the way they manage technology: create a
instead of relying on separate teams to address
more integrated operating model, build secure
maintenance and defects. The company also set
“consumable” services, automate development
up site reliability engineering (SRE) teams to help
and release processes, and evolve product
improve the way products were developed and
architectures.
operated. The two teams worked closely together,
shared objectives and key results (OKRs), and
took part in joint agile events to stay aligned on
how to improve the security and reliability of the so on) and continuous integration and continuous
company’s products. delivery (CICD) pipelines for getting code safely
and securely to production. Thanks to these
The financial-services firm took a slightly
efforts, it managed to cut setup times for hosting
different approach, embedding SREs in product-
environments from three months to 15 minutes, as
development teams instead of having them in a
well as automating deployments that previously
separate team. But similar to the software-and-
required eight hours of manual release work.
services company, it introduced security and
reliability OKRs for those product teams as well Similarly, the financial-services firm focused on
as common service metrics to drive alignment and creating a secure CICD pipeline, which had to be
accountability. able to handle the high level of controls needed
to satisfy regulatory requirements. Implementing
Consumable services: Developer-owned
the pipeline cut software release times by half.
operations
By introducing mechanisms such as automated
In the past, the accountability for a digital
security test cases, the firm also streamlined con-
product’s functionality, operations, reliability,
trols by 50 to 80 percent without increasing risk.
security, and compliance was split. A development
team created an application, an infrastructure Development and release: Automated pipelines
team operated it, and a maintenance team took with built-in security controls
care of reliability. With a DevSecOps approach, The traditional path to production for software
on the other hand, a single team is given as much code was lengthy and prone to error. Developers
accountability and ownership as possible for all wrote code, and then quality-assurance engineers
aspects of a product. tested it – usually manually and in settings that
bore little resemblance to the environment in
In this approach, central enablement teams build
which it would eventually be used. Shepherding
shared consumable services for development,
code through these processes involved many
infrastructure, and security. They equip these
manual steps. Most testing took the form of basic
services with guardrails and transparency so that
functional and regression tests. Some defects and
subsequent product developers can use them
vulnerabilities slipped through and were caught
safely, securely, and efficiently in their operations.
only after the software was released.
Central checks and validations are still performed
to ensure that correct procedures and best Over the past decade, the DevOps movement
practices are implemented, but the goal is to make has striven to make the path to production more
teams accountable for the products they own. efficient and more effective at catching defects
This involves providing them with the tools they as early as possible, when they are cheaper to
need to meet their responsibilities – tools that are address. Leading companies have adopted CICD
convenient to use and designed to ensure that the pipelines to automate workflows and enable best
easiest path for developers is also the most secure engineering practices to be followed in the writing,
and reliable route. reviewing, testing, and deployment of code. In
addition to this, DevSecOps companies need to go
Building these consumable services takes time,
further by integrating an extra layer of testing into
so companies need to prioritize those with the
their CICD pipelines to analyze code for potential
greatest impact and assign agile teams to build
security issues, run security test cases, and
and own them. The software-and-services
conduct light penetration tests.
company decided to prioritize two key services:
life-cycle management for its on-premise hosting
environments (including provisioning, patching, and
To improve their development and release Both the software-and-services company and
processes, the software-and-services company the financial-services firm had legacy systems
and the financial-services firm adopted similar they needed to support, and both pursued an
approaches. In designing and implementing evolutionary approach to modernizing their
automated CICD pipelines for deployments to application landscape. They used their new
both the cloud and on-premise environments, they processes to build new “greenfield” digital
took care to involve their security and compliance products and incrementally adapted older
specialists to ensure that controls would not be products to support DevSecOps best practices,
compromised in any way. They also used OKRs including the use of microservices, unit tests,
and metrics dashboards to encourage adoption of security test cases, static code analyses, and
the pipelines and increase the levels of automated resiliency patterns.
test coverage.
Product architecture: Secure by design Common pitfalls to avoid
Traditionally, applications have been built from The best path for an organization to take in
scratch, with all capabilities locked inside a single adopting DevSecOps depends on many factors,
code package and security not usually tackled ranging from its size to its familiarity with agile and
until late in the development process. Adding a DevOps methods. But regardless of their starting
new feature required extensive testing across the point, all organizations should take care, as they
whole system, making upgrades slow and complex set out on their transformation journey, to avoid a
to execute. Since applications were seldom few common pitfalls.
designed to scale in a linear fashion as additional
Pitfall 1: Focusing on tooling alone
load was put on the system, maintaining reliability
Companies should beware of assuming they can
was often a challenge.
realize the potential of DevSecOps merely by
With DevSecOps, by contrast, digital products implementing tools such as a CICD orchestration
are conceived and built from the ground up to system or a static code analysis tool. To capture
be secure by design. Security requirements and the full benefit, they need to make the four
best practices are factored into all elements of a shifts described earlier. Without that broader
product, from the code itself to the infrastructure transformation, new tooling is unlikely to be used
it runs on. Engineers take advantage of existing effectively or consistently across the organization.
components built by enablement or shared-
Pitfall 2: Failing to secure leadership buy-in
service teams, such as container templates and
If teams are to change their way of working, the
standardized monitoring APIs. They also draw
leaders of the technology organization must play
on open-source libraries released by web-scale
an active part in steering the transformation.
industry leaders – such as Netflix’s Hystrix library
In turn, development leaders must model and
for improving fault tolerance – to incorporate best-
reinforce target behaviors and equip their teams
practice resiliency patterns. Following a “systems of
to deliver on their new objectives. Finally, security
systems” approach, they integrate pre-engineered
and compliance leaders need to be fully involved
microservices via loosely coupled interfaces based
to ensure that greater agility doesn’t come at
on well-maintained APIs. All of this improves agility
the cost of higher risk. To help gain leadership
as well as security. Instead of struggling to build
buy-in, successful companies develop a baseline
their own code, waiting for reviews by security and
understanding of their agile and DevSecOps
compliance teams, and iterating until they pass
maturity and communicate the business case for
audit checks, product teams reuse code built with
improvement. Adding key stakeholders to the team
expert input and oversight.
leading the transformation is another way to make
leaders feel accountable for ensuring its success.
Pitfall 3: Focusing only on greenfield new capabilities, they need to make a major
development cultural shift by learning to take ownership for
Though DevSecOps principles are easiest to adopt their product’s security, reliability, and compliance,
in new development efforts, applying them more no matter which team they are on. At the same
broadly can deliver significant value. For instance, time, they need to acquire knowledge and skills
secure CICD pipelines can support larger, more in creating and operating resilient products to
monolithic applications, which can in turn be meet their new objectives. Culture and capability
gradually broken down into loosely coupled building can reinforce one another: when
microservices. Organizations should constantly engineers know that the teams they work with
explore where they can best deploy DevSecOps to expect them to have particular skills, they will be
increase agility, security, and reliability. more motivated to develop them.
Pitfall 4: Taking too long to deliver value In addition to avoiding these pitfalls, best-practice
In successful DevSecOps transformations, value organizations ensure they pursue a structured
is captured from an early stage. Leaders quickly approach to change management. They use
identify any changes that need to be made to dedicated change-management and capability-
product teams and decide which consumable building workstreams as part of the transformation
services they need to launch. When rolling out ,and roll teams out in waves that allow enough
changes, they prioritize products and services time for training, team alignment, and planning
that will drive the highest impact or reduce the activities, such as agile sprint 0s. 3
most risk. By identifying quick wins in the first two
or three months, they showcase the value of the
transformation and gain support from engineers
and the broader organization. Once a niche practice confined to Silicon Valley
Pitfall 5: Overlooking capability building and start-ups, DevSecOps has matured to become a
culture priority for traditional enterprises, too. Adopting
Engineers operating in traditional technology the principles outlined in this article will help
organizations are likely to find adopting companies not only acquire the agility to stay
DevSecOps a challenge. As well as developing current but also strengthen their security to
withstand exposure to cyberattacks in the future.
Santiago Comella-Dorda is a partner in McKinsey’s Boston office, James Kaplan is a partner in the
New York office, Ling Lau is a partner in the New Jersey office, and Nick McNamara is an associate
partner in the Chicago office.
The authors wish to thank Nagendra Bommadevara, Daniel Brosseau, Alharith Hussin, Steve Jansen,
Jesus Mathus Garza, Mark Mintz, Thomas Newton, Jan Shelly Brown, Marc Sorel, Kevin Telford, and
Charles Wisniewski for their contributions to this article.
3
Agile sprint 0s are short efforts before a team starts working together, used to create a common vision, align on team norms, and create
a product backlog for what they plan to build.
Help business to address impact of global pandemic
Cybersecurity’s
dual mission during
Risk Practice
Cybersecurity’s
the coronavirus
dual crisis
mission during
the coronavirus crisis
Chief information-security officers must balance two priorities to
respond to the pandemic: protecting against new cyberthreats and
Chief information-security officers must balance two priorities to
maintaining business continuity. Four strategic principles can help.
respond to the pandemic: protecting against new cyberthreats and
by Jimmaintaining business
Boehm, James Kaplan, continuity.
and Nathan Sportsman Four strategic principles can help.
by Jim Boehm, James Kaplan, and Nathan Sportsman
© Fabian Schmidt/EyeEm/Getty Images
March 2020
Cybersecurity’s dual mission during the coronavirus crisis 139

The extraordinary efforts of many organizations — Working from home has opened multiple
to protect workers and serve customers during vectors for cyberattacks. A broad shift
the COVID-19 pandemic have also increased their toward work-from-home arrangements
exposure to cyberthreats. Large-scale adoption has amplified long-standing cybersecurity
of work-from-home technologies, heightened challenges: unsecured data transmissions
activity on customer-facing networks, and greater by people who aren’t using VPN software,
use of online services all present fresh openings, weak enforcement of risk-mitigating
which cyberattackers have been quick to exploit. behaviors (the “human firewall”), and physical
and psychological stressors that compel
The overarching challenge for chief information-
employees to bypass controls for the sake of
security officers (CISOs) and cybersecurity teams
getting things done. The more that homebound
will be protecting their institutions while enabling
employees struggle to access data and
operations to go on without interruption. For
systems, the more they will attempt to use
example, cybersecurity teams at companies that
risky work-arounds (exhibit). Cybersecurity
provide web-based services to consumers must
teams will need to secure work-from-home
adjust their security programs to match scaled-up
systems and test and scale VPNs and
operations while securing a massive shift to work-
incident-response tools. In addition, they may
from-home tools. At the same time, CISOs must
wish to revisit access-management policies
make it possible for security-team members to
so that employees can connect to critical
look after themselves and their families during a
infrastructure via personal devices or open,
health crisis.
internet-facing channels.
Addressing these diverse and sometimes
— Social-engineering ploys are on the rise. In
competing needs at once won’t be easy. But
social-engineering gambits, attackers attempt
recent conversations with cybersecurity leaders
to gain information, money, or access to
suggest that some governing principles are
protected systems by tricking legitimate users.
helping them meet the challenge. This article
Companies have seen more malware-laced
recommends four such principles: focusing
email-phishing campaigns that borrow the
on critical operating needs, testing plans
identities of health, aid, and other benevolent
for managing security and technology risks,
organizations. Scammers posing as corporate
monitoring for new cyberthreats, and balancing
help-desk teams ask workers for their security
protection with business continuity.
credentials using text phishing (“smishing”)
and voice phishing (“vishing”). Email fraudsters
How the response to COVID-19 has have tried to get executives to move money to
increased cyberrisk fund vendors, operations, and virus-related-
As organizations and people have curtailed response activities.
travel and in-person gatherings, they have
— Cyberattackers are using websites with
shifted a great deal of activity into the digital
weak security to deliver malware. With the
realm. Workers and students are staying home,
creation of new domains and websites to
using videoconferencing services, collaboration
spread information and resources to combat
platforms, and other digital tools to do business
the coronavirus, attackers are exploiting
and schoolwork. In their free time, they are going
the weak security controls on many of
online to shop, read, chat, play, and stream.
these sites to spread malware via drive-by
All these behaviors put immense stress on
downloads. A common approach hides readily
cybersecurity controls and operations. Several
available malware (such as AZORult) inside
major vulnerabilities stand out:
coronavirus heat maps or early-warning
140 Cybersecurity’s dual mission during the coronavirus crisis

Cybersecurity’s dual mission during the coronavirus crisis
Exhibit 1 of 1
Exhibit
Shifting to work-from-home arrangements can open multiple vectors

for cyberattacks.
Changes in app-access rights Use of personal devices Lack of social control

and tools
l Under existing policies, access to apps differs l Some employees may have lClick-through
based on criticality and cyberrisk appetite (eg, been enabled to work from rates for phishing
data infiltration, data-protection loss), from less their own personal devices, emails and
critical apps accessible from almost anywhere (eg, but because these devices success rates of
public network) to apps accessible through are not centrally controlled fake call-center
extranet, apps accessible only through VPN, and, (for patching, network- agents can
ultimately, critical apps accessible only on site (eg, access control, and increase if
trading, treasury) endpoint data-protection employees no
systems), they can introduce longer maintain a
l Remote working can require organizations to cybersecurity vulnerabilities “human protection
widen access rights by enabling off-site access shield” by asking
to some of the most critical apps, which can l To get work done, many coworkers about
increase cyberrisk employees use consumer- suspicious emails
grade tools, accounts, and or calls
l Some users might not have strong multifactor devices and share data over
authentication, because their access rights nonsecure and
are usually limited; change in access rights, noncontrolled channels
combined with weak authentication, constitutes
a further threat
instance, a threatapplications.
actor targeted In one instance, a threat actorservices and
a public-sector services
issuingand issuing misinformation
misinformation to the to the
targeted a public-sector
entity by embedding malware in a pandemic- entity by embedding public. A major hospital in Europe
public. A major hospital in Europe was hit with was hit
a
malware in a pandemicrelated
related document and disguising it as an document with a cyberattack that forced
cyberattack that forced it to suspend scheduled it to suspend
and disguising it as an official communiqué scheduled operations, shut down its IT
official communiqué from another part of the operations, shut down its IT network, and move
from another part of the government. Once network, and move acute-care patients
government. Once installed, such a malicious acute-care patients to another facility. And a
installed, such a malicious application steals to another facility. And a department of a
application stealsaauser’s
user’sconfidential
confidential data
data (for example, department of agovernment
local local government had itsencrypted
had its website website
(for example, personal information,
personal information, credit-card encrypted by
credit-card information, byransomware,
ransomware,preventing
preventing officials
officials from
information, and bitcoin-wallet keys). Some
and bitcoin-wallet keys). Some malware from posting information for the public
posting information for the public andand keeping
malware applications launch ransomware attacks, keeping employees
launch ransomware
applications employeesfromfromaccessing certainfiles.
accessing certain files.
attacks, which lock a user’s system until they pay
which lock a user’s system until they pay a
As the COVID-19 outbreak progresses and alters
certain
a certain amount of money amount
to theofattacker.
money to the attacker. As the COVID-19 outbreak
the functioning ofprogresses and alters
our socioeconomic systems,
— Public-sector organizations are experiencing the functioning of our socioeconomic
cyberattackers systems,
will continue their efforts to
— Public-sector organizations
acute pressure. are experiencing cyberattackers
A large government entity will
exploit ourcontinue
fears andtheir efforts
our digital to
vulnerabilities. To
acute pressure. Ainlarge
North government
America suffered exploit our remain
entityfrom a distributed fears and our and
vigilant digital vulnerabilities.
effective, CISOs will need new
denial-of-service
in North America suffered attack aimed at disrupting
from a distributed approaches.
To remain vigilant and effective, CISOs will need
denial-of-service attack aimed at disrupting new approaches.

Employees on the front line will play an
especially important role in keeping the
organization safe as normal on-premise
security measures become less relevant.
How to address the challenge: disaster recovery, talent succession, and vendor
Strategic practices for chief succession – then test them right away. If your
information-security officers organization doesn’t have adequate plans in
place, create them and then test them. You
While many CISOs and other executives have
must determine whether your organization’s
drawn on their experiences with past crises to
riskresponse approach is effective and efficient.
respond to the early stages of the COVID-19
Eliminating risk events is impossible, but you
outbreak, the pandemic’s vast scale and
can reduce the exacerbated risk associated
unpredictable duration are highly unusual. There
with a poor response.
is no playbook that CISOs can open for guidance.
Nevertheless, the CISOs and senior cybersecurity — Monitor. Consider mustering all available
managers we have spoken to have found it resources to help with monitoring, which
especially helpful to follow four practices: enables risk response and recovery to begin.
Areas for stepped-up monitoring can include
— Focus. Security- and technology-risk
remote monitoring of collaboration tools,
teams should focus on supporting only
monitoring networks for new and novel strains
those technology and security features,
of malware, and monitoring employees and
capabilities, and service rollouts that are
endpoints to catch data-related incidents
critical to operations. Examples of focus areas
before they result in operational risk.
that may justify a surge in capacity over the
coming weeks include maintaining security — Balance. Cybersecurity teams are likely
operations, mitigating risks of remote access to receive a flood of urgent requests for
to sensitive data and software-development cybersecurity-policy exceptions that will
environments, and implementing multifactor allow teams elsewhere in the organization
authentication to enable employees to work to get work done (for example, to approve
from home. Organizations should also reiterate the installation of new apps and allow the
to employees their safe remote-working use of USB drives). While CISOs might be
protocols and their procedures for threat inclined to deny such requests for the sake
identification and escalation. Employees on of preventing undue risk, they must also
the front line will play an especially important bear in mind the importance of maintaining
role in keeping the organization safe as normal business continuity during a fluid and
on-premises security measures become less challenging time for their colleagues. To
relevant. support continued operations, CISOs may
need to tolerate slightly higher risk in the
— Test. If your organization has security- or tech-
short term by granting waivers or temporarily
nology-risk plans of any kind – such as plans
relaxing some controls. An accommodating
for incident response, business continuity,
142 Cybersecurity’s dual mission during the coronavirus crisis

approach will encourage colleagues to make The COVID-19 crisis is a human challenge
intelligent risk trade-offs. That said, CISOs above all else. Everyone is juggling
shouldn’t allow these exceptions to weaken professional responsibilities with important
an organization’s risk posture permanently. personal ones. The coming weeks and
If CISOs grant waivers or relax controls, they months are likely to bring more uncertainty.
should establish formal evaluation and review By adhering to the practices we described –
processes and implement time limits to force focus, test, monitor, and balance – CISOs
periodic reevaluation or limit the exceptions to can fulfill their responsibilities to uphold their
particular user groups. institutions’ security and maintain business
continuity while also meeting their obligations
to their teams.
Jim Boehm is a partner in McKinsey’s Washington, DC, office. James Kaplan is a partner in the New
York office, and Nathan Sportsman is the founder and CEO of Praetorian.
McKinsey and Praetorian have entered into a strategic alliance to help clients solve complex cyber-
security challenges and promote innovation. As a part of this alliance, McKinsey is a minority investor
in Praetorian.

Help business to address impact of global pandemic
for the coronavirus
Risk Practice
pandemic
for the coronavirus
pandemic
security and business continuity. But new tactics can help
cybersecurity leaders to safeguard their organizations.
security and business continuity. But new tactics can help
cybersecurity
by Jim leaders
Boehm, James Kaplan, to safeguard
Marc Sorel, theirand
Nathan Sportsman, organizations.
Trevor Steen
by Jim Boehm, James Kaplan, Marc Sorel, Nathan Sportsman, and Trevor Steen
© Gorodenkoff/Getty Images
March 2020
144 Cybersecurity tactics for the coronavirus pandemic

The COVID-19 pandemic has presented chief — Scale up multifactor authentication.
information security officers (CISOs) and their Employees working remotely should be
teams with two immediate priorities. One is required to use multifactor authentication
securing work-from-home arrangements on an (MFA) to access networks and critical
unprecedented scale now that organizations have applications. Scaling up MFA can be
told employees to stop traveling and gathering, challenging: the protection it will add calls for a
and government officials in many places have surge in short-term capacity. Several practices
advised or ordered their people to stay home make the rollout of MFA more manageable.
as much as possible. The other is maintaining One is to prioritize users who have elevated
the confidentiality, integrity, and availability of privileges (such as domain and sys admins,
consumer-facing network traffic as volumes and application developers) and work with
spike – partly as a result of the additional time critical systems (for instance, money transfers).
people are spending at home. Targeting those users in pilot rollouts of
modest scale will allow cybersecurity
Recent discussions with cybersecurity leaders
teams to learn from the experience and use
suggest that certain actions are especially helpful
that knowledge to shape more extensive
to fulfill these two priorities. In this article, we set out
implementation plans. Cybersecurity teams
the technology modifications, employeeengagement
can also benefit from using MFA technologies,
approaches, and process changes that cybersecurity
such as the application gateways offered
leaders have found effective.
by several cloud providers, that are already
integrated with existing processes.
Securing work-from-home
arrangements at scale — Install compensating controls for facility-
based applications migrated to remote
The rapid, widespread adoption of work-fromhome
access. Some applications, such as bank-
tools has put considerable strain on security
teller interfaces and cell-center wikis, are
teams, which must safeguard these tools without
available only to users working on-site at
making it hard or impossible for employees to
their organizations’ facilities. To make such
work. Conversations with CISOs in Asia, Europe,
facility-based applications available to remote
and North America about how they are securing
workers, companies must protect those apps
these new work-at-home arrangements highlight
with special controls. For example, companies
the changes these executives are making in three
might require employees to activate VPNs and
areas: technology, people, and processes.
use MFA to reach what would otherwise be
Technology: Make sure required controls are in facility-based assets while permitting them to
place use MFA alone when accessing other parts of
As companies roll out the technologies that enable the corporate environment.
employees to work from home and maintain
— Account for shadow IT. At many companies,
business continuity, cybersecurity teams can take
employees use so-called shadow IT systems,
these actions to mitigate cybersecurity risks:
which they set up and administer without
— Accelerate patching for critical systems. formal approval or support from the IT
Shortening patch cycles for systems, such department. Extended work-from-home
as virtual private networks (VPNs), end- operations will expose such systems because
point protection, and cloud interfaces, that business processes that depend on shadow IT
are essential for remote working will help in the office will break down once employees
companies eliminate vulnerabilities soon after find themselves unable to access those
their discovery. Patches that protect remote resources. IT and security teams should be
infrastructure deserve particular attention. prepared to transition, support, and protect
Cybersecurity tactics for the coronavirus pandemic 145

business-critical shadow assets. They should consumer web services) they believe they need
also keep an eye out for new shadow-IT to do their jobs is counterproductive. Instead,
systems that employees use or create to security teams must explain the benefits, such
ease working from home, to compensate for as security and productivity, of using approved
in-office capabilities they can’t access, or to messaging, file-transfer, and document-
get around obstacles. management tools to do their jobs. To further
encourage safe behavior, security teams can
— Quicken device virtualization. Cloud-based
promote the use of approved devices – for
virtualized desktop solutions can make it
example, by providing stipends to purchase
easier for staff to work from home because
approved hardware and software.
many of them can be implemented more
quickly than on-premises solutions. Bear in — Increase awareness of social engineering.
mind that the new solutions will need strong COVID-19-themed phishing, vishing (voice
authentication protocols – for example, a phishing), and smishing (text phishing)
complex password, combined with a second campaigns have surged. Security teams must
authentication factor. prepare employees to avoid being tricked.
These teams should not only notify users that
People: Help employees understand the risks
attackers will exploit their fear, stress, and
Even with stronger technology controls,
uncertainty, but also consider shifting to crisis-
employees working from home must still exercise
specific testing themes for phishing, vishing,
good judgment to maintain information security.
and smishing campaigns.
The added stress many people feel can make
them more prone to social-engineering attacks. — Identify and monitor high-risk user groups.
Some employees may notice that their behavior Some users, such as those working with
isn’t monitored as it is in the office, and therefore personally identifiable information or other
choose to engage in practices that open them to confidential data, pose more risk than others.
other threats, such as visiting malicious websites High-risk users should be identified and
that office networks block. Building a “human monitored for behavior (such as unusual
firewall” will help ensure that employees who work bandwidth patterns or bulk downloads of
from home do their part to keep the enterprise enterprise data) that can indicate security
secure. breaches.
— Communicate creatively. A high volume Processes: Promote resilience
of crisis-related communications can easily Few business processes are designed to support
drown out warnings of cybersecurity risks. extensive work from home, so most lack the right
Security teams will need to use a mix of embedded controls. For example, an employee
approaches to get their messages across. who has never done high-risk remote work and
These might include setting up two-way hasn’t set up a VPN might find it impossible to
communication channels that let users post do so because of the in-person VPN-initiation
and review questions, report incidents in requirements. In such cases, complementary
real time, and share best practices; posting security-control processes can mitigate risks.
announcements to pop-up or universal-lock Such security processes include these:
screens; and encouraging the innovative use of
— Supporting secure remote-working tools.
existing communication tools that compensate
Security and IT help desks should add
for the loss of informal interactions in hallways,
capacity while exceptionally large numbers of
break rooms, and other office settings.
employees are installing and setting up basic
— Focus on what to do rather than what not to security tools, such as VPNs and MFA. It might
do. Telling employees not to use tools (such as be practical to deploy security-team members

Even with stronger technology controls,
employees working from home must still
exercise good judgment to maintain
information security.
temporarily at call centers to provide added to a VPN. Depending on the security stack,
frontline support. organizations that do not require the use of a
VPN or require it only to access a limited set
— Testing and adjusting IR and BC/DR
of resources may go largely unprotected. To
capabilities. Even with increased traffic,
expand monitoring, security teams should
validating remote communications and
update security-information- and-event-
collaboration tools allows companies to
management (SIEM) systems with new rule
support incident-response (IR), and business-
sets and discovered hashes for novel malware.
continuity (BC)/disaster-recovery (DR) plans.
They should also increase staffing in the
But companies might have to adjust their plans
security operations center (SOC) to help
to cover scenarios relevant to the current crisis.
compensate for the loss of network-based
To find weak points in your plans, conduct a
security capabilities, such as end-point
short IR or BC/DR tabletop exercise with no
protections of noncompany assets. If network-
one in the office.
based security capabilities are found to be
— Securing physical documents. In the office, degraded, teams should expand their IR and
employees often have ready access to digital BC/DR plans accordingly.
document-sharing mechanisms, as well
— Clarify incident-response protocols. When
as shredders and secure disposal bins for
cybersecurity incidents take place, SOC teams
printed materials. At home, where employees
must know how to report them. Cybersecurity
might lack the same resources, sensitive
leaders should build redundancy options into
information can end up in the trash. Set norms
response protocols so that responses don’t
for the retention and destruction of physical
stall if decision makers can’t be reached or
copies, even if that means waiting until the
normal escalation pathways are interrupted
organization resumes business as usual.
because people are working from home.
— Expand monitoring. Widening the scope
— Confirm the security of third parties.
of organization-wide monitoring activities,
Nearly every organization uses contractors
particularly for data and end points, is
and off-site vendors, and most integrate IT
important for two reasons. First, cyberattacks
systems and share data with both contract and
have proliferated. Second, basic boundary-
noncontract third parties, such as tax or law-
protection mechanisms, such as proxies, web
enforcement authorities. When organizations
gateways, or network intrusion-detection
assess which controls must be extended to
systems (IDS) or intrusion-prevention systems
employees to secure new work-from-home
(IPS), won’t secure users working from home,
protocols, they should do the same for third-
off the enterprise network, and not connected
party users and connections, who are likely to

be managing similar shifts in their operations enterprise activities. For example, to find out
and security protocols. For example, ask if attackers are becoming more interested in
providers whether they have conducted any an organization’s web-facing technologies,
remote IR or BC/DR tabletop drills and, if they organizations can conduct increased passive
have, ask them to share the results. Should domain-name scans to test for new malicious
any third parties fail to demonstrate adequate signatures tailored to the enterprise domain or
security controls and procedures, consider for the number of adversarial scans targeting
limiting or even suspending their connectivity the enterprise network, among other threats.
until they remediate their weaknesses.
— Improve capacity management.
— Sustain good procurement practices. Overextended web-facing technologies
Fast-track procurement intended to close are harder to monitor and more susceptible
key security gaps related to work-from- to attacks. Security teams can monitor the
home arrangements should follow standard performance of applications to identify
duediligence processes. The need for certain suspected malware or low-value security
security and IT tools may seem urgent, but agents or even recommend the removal
poor vendor selection or hasty deployment of features (such as noncritical functions
could do more harm than good. or graphics on customer portals) that hog
network capacity.
Supporting high levels of consumer- Processes: Integrate and standardize security
facing network traffic activities
Levels of online activity that challenge the Customers, employees, and vendors all play some
confidentiality, integrity, and availability (CIA) part in maintaining the confidentiality, integrity,
of network traffic are accelerating. Whether and availability of web-facing networks. Several
your organization provides connectivity, serves steps can help organizations to ensure that the
consumers, or supports transactions, securing activities of these stakeholders are consistent and
the CIA of network activity should be a top priority well integrated:
for any executive team that wants to protect
— Integrate fraud-prevention capabilities
consumers from cyberbreaches during this period
with the SOC. Organizations that support
of heightened vulnerability. Much as organizations
the execution of financial transactions should
are stepping up internal protections for enterprise
consider integrating their existing fraud
networks, security teams in organizations that
analytics with SOC workflows to accelerate
manage consumer-facing networks and the
the inspection and remediation of fraudulent
associated technologies will need to scale up their
transactions.
technological capabilities and amend processes
quickly. — Account for increased costs. Many SOC
tools and managed-security-service providers
Technology: Ensure sufficient capacity
base charges for monitoring on usage – for
Companies that make it possible for employees
example, the volume of log records analyzed.
to work from home must enable higher online
As usage increases with expanded network
networktraffic and transaction volumes by putting
traffic, organizations with usage-based fee
in place technical building blocks such as a web-
arrangements will need to account for any
application firewall, secure-sockets-layer (SSL)
corresponding increase in costs.
certification, network monitoring, anti-distributed
denial of service, and fraud analytics. As web- — Help consumers solve CIA problems
facing traffic grows, organizations should take themselves. For media providers, enabling
additional actions to minimize cyberrisks: customers to access content without
interruption is essential, but increased usage
— Enhance web-facing threat-intelligence
levels can jeopardize availability. Companies
monitoring. To anticipate threats and take
may wish to offer guides to show users how to
preventive measures, security teams must
mitigate access problems, particularly during
understand how heightened consumer traffic
periods of peak use.
changes the threat environment for web-facing

Securing remote-working arrangements and describe in this article, while not comprehensive,
sustaining the CIA of customer-facing networks have helped many organizations to overcome the
are essential to ensure the continuity of operations security difficulties they face and maintain their
during this disruptive time. The actions we standing with customers and other stakeholders.
Jim Boehm is a partner in McKinsey’s Washington, DC, office. James Kaplan is a partner in the New
York office, and Marc Sorel is a partner in the Boston office. Nathan Sportsman is the founder and CEO
of Praetorian, where Trevor Steen is a senior security engineer.
The authors wish to thank Wolf Richter and Mahir Nayfeh for their contributions to this article.
McKinsey and Praetorian have entered into a strategic alliance to help clients solve complex cyber-
security challenges and secure innovation. As a part of this alliance, McKinsey is a minority investor
in Praetorian.

Contacts
Asia Middle East

Aman Dhingra, Associate Partner Ayman Al Issa, Senior Expert
Aman_Dhingra@mckinsey.com Ayman_Alissa@mckinsey.com
Juan Hincapie, Expert Associate Partner Mahir Nayfeh, Partner

Juan_Hincapie@mckinsey.com Mahir_Nayfeh@mckinsey.com
Patrick Nagel, Expert Associate Partner North America

Patrick_Nagel@mckinsey.com
Bharath Aiyer, Expert Associate Partner
Europe Bharath_Aiyer@mckinsey.com
Vito Di Leo, Expert Associate Partner Venky Anant, Partner

Vito_Di_Leo@mckinsey.com Venky_Anant@mckinsey.com
Peter Merrath, Senior Solution Leader Tucker Bailey, Partner

and Associate Partner Tucker_Bailey@mckinsey.com
Peter_Merrath@mckinsey.com
Jim Boehm, Partner
Thomas Poppensieker, Senior Partner Jim_Boehm@mckinsey.com
Thomas_Poppensieker@mckinsey.com
Kevin Buehler, Senior Partner
Wolf Richter, Partner Kevin_Buehler@mckinsey.com
Wolf_Richter@mckinsey.com
Rich Isenberg, Partner
Gundbert Scherf, Partner Rich_Isenberg@mckinsey.com
Gundbert_Scherf@mckinsey.com
Piotr Kaminski, Senior Partner
Latin America Piotr_Kaminski@mckinsey.com
Julen Baztarrica, Partner James Kaplan, Partner

Julen_Baztarrica@mckinsey.com James_Kaplan@mcKinsey.com
Cristian Berner, Partner Merlina Manocaran, Partner

Christian_Berner@mckinsey.com Merlina_Manocaran@mckinsey.com
Elias Goraieb, Partner Marc Sorel, Partner

Elias_Goraieb@mckinsey.com Marc_Sorel@mckinsey.com
Beltran Simo, Partner David Ware, Partner

Beltran_Simo@mckinsey.com David_Ware@mckinsey.com
150
Digital McKinsey and Global Risk Practice
June 2020
Copyright © McKinsey & Company
Designed by Visual Media Europe
www.mckinsey.com

.McKnsy - 2020 - Cybersecurity in A Digital Era

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

.McKnsy - 2020 - Cybersecurity in A Digital Era

Uploaded by

Copyright:

Available Formats

Digital McKinsey and Global Risk Practice

Kevin Buehler Venky Anant Tucker Bailey

James Kaplan Mahir Nayfeh Wolf Richter

Table of contents As companies digitize businesses and automate operations,

by James Kaplan, Wolf Richter, and David Ware

Create granular, ana-

Marketing & Sales

Consumer-data privacy and

The consumer-data15 personalization at scale: How 25 Financial crime 34

The risk-based approach Enhanced cyberrisk reporting: cybersecurity

brands can strategize for both Critical resilience: Adapting infra-

infrastructure to repel cyber threats

As the digital world becomes increasingly connected, it Hasham,

processes Partner, New York

29 Global Infrastructure Initiative

Critical infrastructure 40 48 54 Operations Practice

and the privacy imperative personalization at scale: How

McKinsey Center for Future Mobility

The race for

McKinsey Cyber Resilience Survey

Protecting the connected car in How organizations can thwart

chief information-security officers offices enabling the business

Securing software as Agile, reliable, secure,

by Santiago Comella-Dorda, James Kaplan, Ling Lau, and Nick McNamara

© Fabian Schmidt/EyeEm/Getty Images March 2020

during the coronavirus crisis coronavirus pandemic

© Chad Baker/Getty Images

6 Cybersecurity: Linchpin of the digital enterprise

Cybersecurity: Linchpin of the digital enterprise 7

Asset Usage Labor

Overall Digital- Business Market Digital spend Digital Digitization

How cybersecurity can best support the digital enterprise 3

8 Cybersecurity: Linchpin of the digital enterprise

Current cybersecurity operating models do not operate at ‘cloud speed.’

3 Cloud environments must be

Separate security Security review

Architecture and design Implementation Code review Testing Deployment

4 How cybersecurity can best support the digital enterprise

Cybersecurity: Linchpin of the digital enterprise 9

How cybersecurity can best support the digital enterprise 5

10 Cybersecurity: Linchpin of the digital enterprise

How to embed security into a product-development process.

6 How cybersecurity can best support the digital enterprise

An end-to-end view of information across the pharma supply chain is needed to

Suppliers Bulk Finishing and Smart-warehouse Customers

Advanced business capability Resulting cyberrisks

Suppliers Finishing and packaging Overarching technologies

12 Cybersecurity: Linchpin of the digital enterprise

Automation, orchestration technology, and application programming interfaces can eliminate

8 How cybersecurity can best support the digital enterprise

How a large biopharma company built cybersecurity capabilities to enable

14 Cybersecurity: Linchpin of the digital enterprise

The risk-based approach

The risk-based approach to cybersecurity 15

loss of confidentiality, integrity, and availability

2 The risk-based approach to cybersecurity

16 The risk-based approach to cybersecurity

The risk-based approach to cybersecurity 17

Risk-based Achieve holistic resilience

Example activities Example activities Example activities Example activities

18 The risk-based approach to cybersecurity

A risk-based approach builds customized controls for a company’s critical vulnerabilities to

Cyberrisk management and governance Cyberrisk management and governance