Professional Documents
Culture Documents
.McKnsy - 2020 - Cybersecurity in A Digital Era
.McKnsy - 2020 - Cybersecurity in A Digital Era
Cybersecurity
in a Digital Era
June 2020
Introduction
Even before the advent of a global pandemic, executive teams faced a challenging and dynamic environ-
ment as they sought to protect their institutions from cyberattack, without degrading their ability to
innovate and extract value from technology investments. CISOs and their partners in business and IT
functions have had to think through how to protect increasingly valuable digital assets, how to assess
threats related to an increasingly fraught geopolitical environment, how to meet increasingly stringent
customer and regulatory expectations and how to navigate disruptions to existing cybersecurity models
as companies adopt agile development and cloud computing.
We believe there are five areas for CIOs, CISOs, CROs and other business leaders to address in particular:
1. Get a strategy in place that will activate the organization. Even more than in the past cybersecurity
is a business issue – and cybersecurity effectiveness means action not only from the CISO organiza-
tion, but also from application development, infrastructure, product development, customer care,
finance, human resources, procurement and risk. A successful cybersecurity strategy supports the
business, highlights the actions required from across the enterprise – and perhaps most importantly
captures the imagination of the executive in how it can manage risk and also enable business innovation.
2. Create granular, analytic risk management capabilities. There will always be more vulnerabilities
to address and more protections you can consider than you will have capacity to implement. Even
companies with large and increasing cybersecurity budgets face constraints in how much change
the organization can absorb. Therefore, better cybersecurity requires the ability to make rigorous,
fact-based decisions about a company’s most critical risks – and which cybersecurity investments it
should make.
3. Build cybersecurity into business products and processes. For digital businesses – and almost
every company we know of aspires to be a digital business – cybersecurity is an important driver of
product value proposition, customer experience and supply chain configuration. Digital businesses
need, for example, design security into IoT products, build secure and convenient customer
interaction processes and create digital value chains that protect customer data.
4. Enable digital technology delivery. Digital businesses cannot let slow technology delivery get in
the way of business innovation, so they are scrambling to adopt agile development, DevOps, cloud
computing. However, most companies have built their security architectures and processes to
support waterfall development and on-premises infrastructure – creating a disconnect that can
both increase risk and decelerate innovation. Forward-leaning CISOs are moving to agile security
organizations that enable much more innovation technology organizations.
5. Help the business address impacts of a global pandemic. COVID-19 created three imperatives
for cybersecurity teams: supporting continued business operations by enabling remote working,
mitigating immediate risks – and helping their business partners transition to the next normal.
2
Over the past year, we’ve sought to publish cybersecurity articles in each of these areas that will help
senior executives consider their options and make pragmatic decisions about how to move forward in
making the right tradeoffs in managing technology risks. We hope you find this compendium of articles
interesting and helpful. We, and our colleagues in McKinsey’s cybersecurity practice, have appreciated
the opportunity to comment on what we consider to be one of the most complex and important business
issues today.
Thank you,
3
Risk Practice
Cybersecurity: Linchpin
of the digital enterprise
Get a strategy
in place that
will activate the
organization
Risk Practice
The risk-based 6
Risk Practice
Enhanced cyberrisk
approach to reporting: Opening
Cybersecurity: Linchpin of the
cybersecurity
© Chad Baker/Getty Images
doors to risk-based
July 2019
digital The
enterprise
most sophisticated institutions are moving from a “maturity
cybersecurity
based” to a “risk based” approach for managing cyberrisk. Here is
how they are doing it. New cyberrisk management information systems provide executives
with the risk transparency they need to transform organizational
by Jim Boehm, Nick Curcio, Peter Merrath, Lucy Shenton, and Tobias Stähle
cyberresilience.
by Jim Boehm, James M. Kaplan, Peter Merrath, Thomas Poppensieker, and Tobias Stähle
October 2019
privacy imperative © lvcandy/Getty Images
Build cybersecurity
they can do to build an integrated cyber defense.
into business
products and James Kaplan Christopher Toomey Adam Tyra
Risk Practice
A practical approach
Thecompanies and the
consumer-data global
opportunity Consumer-data privacy and Financialtocrime
supply-chain
and fraud risk
in the
© Getty Images
© Phil Sharp/Getty Images
cybersecurity threat
April 2020 November 2019
management
© Cimmerian/Getty Imag
How the energy, mining, and materials industries can meet the unique
age of cybersecurity
challenges of protecting themselves in a digital world.
leading retailers and consumer In supply-chain risk management, organizations often don’t
know where to start. We offer a practical approach.
by Adrian Booth, Aman Dhingra, Sven Heiligtag, Mahir Nayfeh, and Daniel Wallance
brands can strategize for both by Tucker Bailey, Edward Barriball, Arnav Dey, and Ali Sankur
March 2019
© Phil Leo/Michael Denora/Getty Images
era ofand
companies new regulation
the global financial-services companies: IIF/ chain risk management
cybersecurity threatThe car industry’s digital transformation exposes new cybersecurity
83 89
The race for cyber-security: Defense of the cyberrealm:
© Cogal/Getty Images
October 2019
Enable digital
technology delivery
The benefits of a CISO 100 Robust cybersecurity 106 Enterprise-wide security 110
background the
Understanding to auncertainties requires
Protectingmuch more Views is both
the business: a technology
The modern and
CISO: Managing
than great technology business issue
March 2020
of cybersecurity: CIO
business-unit
March 2020
Questions for
A deep understanding of cybersecurity is a competitive advantage.
from the CIO’s and CISO’s
Security is increasingly an interdisciplinary capability.
scale, building trust, and
CISOs have important skills that can position them for the CIO role.
Risk Practice
Risk Practice
Cybersecurity’s
Risk Practice
Cybersecurity tactics
dual mission during 123 for the coronavirus 132
the coronavirus crisis pandemic
Securing software as a service © jjaakk/Getty Images Agile, reliable, secure, compliant IT: © Getty Images
May 2020
September 2019 Chief information-security officers must balance two priorities to
Fulfilling the promise of DevSecOps
The pandemic has made it harder for companies to maintain
respond to the pandemic: protecting against new cyberthreats and security and business continuity. But new tactics can help
maintaining business continuity. Four strategic principles can help. cybersecurity leaders to safeguard their organizations.
by Jim Boehm, James Kaplan, and Nathan Sportsman by Jim Boehm, James Kaplan, Marc Sorel, Nathan Sportsman, and Trevor Steen
Help business
address impact of
global pandemic
139 144
Cybersecurity’s dual mission Cybersecurity tactics for the
© Gorodenkoff/Getty Images
March 2020
5
Get a strategy in place that will activate the organization
Cybersecurity: Linchpin
of the digital enterprise
Risk Practice
Cybersecurity: Linchpin
of the digital enterprise
As companies
As companiesdigitize businesses
digitize businesses andand
automate operations,
automate operations,
cyberrisks proliferate;
cyberrisks here
proliferate; is how
here thethe
is how cybersecurity
cybersecurity organization can
support acan
organization secure digitala agenda.
support secure digital agenda.
by James Kaplan, Wolf Richter, and David Ware
by James Kaplan, Wolf Richter, and David Ware
July 2019
1
An API is software that allows applications to communicate with each other, sharing information for a purpose.
Exhibit 1
Across sectors, companies are digitizing, with profound implications for cybersecurity functions.
Digitization levels
Low digitization High digitization
Media
Professional
services
Finance and
insurance
Wholesale
trade
Personal and
local services
Government
Transportation
and warehousing
Healthcare
Entertainment
and recreation
Source: Appbrain; Blue Wolf; ContactBabel; eMarketer; Gartner; IDC; LiveChat; US Bureau of Economic Analysis; US Bureau of Labor Statistics; US Census Bureau;
Global Payments Map by McKinsey; McKinsey Social Technology Survey; McKinsey analysis; McKinsey Global Institute analysis
actions, however, exist in tension with the emerging At one financial institution, development teams
digital-enterprise model—the outcome of an end- were frustrated with the long period needed
All thesedigital
to-end actions have proven absolutely
transformation—from necessary
the customer bypole in the tent”
the security team– to
the most intractable
validate and approvepart of the
to the security
interface of an
through theorganization. Without them,
back-office processes. As problem ofitems
incremental standing applications
in their on provider’s
cloud service public cloud
cybersecurity
companies seek breaches occurcloud
to use public moreservices,
frequently
they– infrastructure.
catalog for production usage. Developers at other
and often,
often withsecurity
find that more severe consequences.
is the “long The
pole in the tent”— companies have puzzled over the fact that they can
At one financial institution, development teams
the mostactions,
needed intractable part of exist
however, the problem of standing
in tension with the spin up a server in minutes but must wait weeks
were frustrated with the long period needed by the
applications
emerging on public cloud infrastructure.
digital-enterprise model – the outcome for the vulnerability scan required to promote
security team to validate and approve incremental
of an end-to-end digital transformation – from
items in their cloud service provider’s catalog for
the customer interface through the back-office
production usage. Developers at other companies
processes. As companies seek to use public cloud
have puzzled over the fact that they can spin
services, they often find that security is the “long
up a server in minutes but must wait weeks
Exhibit 2
Testing
Activities
Exhibit 4
Developers are unclear when Product owners don’t consider Prioritize security and privacy Make product owners aware
security and privacy security and privacy tasks tasks according to product risk of need to prioritize security
requirements are mandatory during sprint planning Requirements level and privacy tasks and be
accountable for their inclusion
in releases
Design
Unclear how to handle Chief information-security and Security and privacy champions Add capacity through CISPOs,
distribution of tasks within privacy officers (CISPOs) have (tech leads) assist teams in who clarify security and privacy
development team limited capacity to support Development distributing tasks requirements with champions
development teams and product owners
No unified real-time standardized monitoring of state of security Product-assessment dashboards give developers real-time
and privacy tasks Testing views of security and privacy within products
Security and privacy needs Teams unclear how often to Launch delays eliminated as Simplified predeployment
are often dealt with engage CISPOs security and privacy tasks are activities with CISPOs only for
before deployment, causing Deployment executed across life cycles releases meeting risk criteria
launch delays
Unclear accountability Lack of integration in Define and communicate roles Integrate and automate
Throughout
for security and privacy in security and privacy tool sets and responsibilities during security- and privacy-related
process
product teams introduces complexity agile ceremonies testing and tracking tools
Exhibit 5
Dynamic, cloud-based
network optimization
as suppliers and customers negotiate liability and engineering talent from vendors and giving
responsibility forinformation
responsibility for informationrisks.
risks. They
They build
build Some areself-service
developers getting rid access
of theirtodata centers
infrastructure.
security intrinsicallyinto
security intrinsically intocustomer-facing
customer-facing andand altogether
Some as they
are getting leverage
rid of cloud
their data services.
centers altogetherAll of
operational processes,reducing
operational processes, reducing the
the “deadweight
“deadweight asthis
theyisleverage
being donecloud toservices.
make technology
All of this isfast and
being
loss” associated
loss” associated with
withsecurity
securityprotections.
protections. done to make
scalable technology
enough fast and
to support an scalable
enterprise’senoughdigital
toaspirations.
support an enterprise’s digital aspirations.
In turn, putting a modern technology In
turn, putting a modern technology model in place
Enabling an agile, cloud-based model in place requires a far more flexible,
Enabling an agile, cloud-based requires a far more flexible, responsive,
responsive, and agile cybersecurity operating and agile
operating platform enhanced by
operating platform enhanced cybersecurity operating model. Key tenets of this
model. Key tenets of this model include the
DevOps
by DevOps model include the following:
following:
Many
Many companies seemtotobebetrying
companies seem trying
to to change
change
everything aboutITIToperations.
everything about operations. They
They areare replacing ——Move
replacing Move from
from ticket-based
ticket-based interfaces
interfaces to APIs for
to APIs
traditional software-development
traditional software-development processes
processes for security
security services.
services. This
This requires
requires automating
automating
with
with agile methodologies.
methodologies.TheyThey are
are repatriating
repatriating every possible
every interaction
possible and and
interaction integrating
integrating
engineering talent from vendors and giving cybersecurity into the software-development
developers self-service access to infrastructure. tool chain. That will allow development teams
How cybersecurity can best support the digital enterprise 7
Exhibit 6
Architecture
and design Implementation Code review Testing Deployment
App API-configurable APIs for configuration Automated code-review Automated and Fully configured,
application application-level controls and debugging systems modified to configurable security test production-ready
programming designed into new (eg, test instrumentation) search for application- cases added to nightly application possible via
interfaces applications added during specific threat scenarios testing regime API calls alone
(APIs) implementation phase
Process New application-level Configurable security Configurable Nightly testing results Predeployment
APIs API options added tests added to nightly automated code reviews collected and curated for security-review process
to deployment- testing regime added to precommit/ individual developers/ replaced by automated
configuration process preacceptance process teams via configurable tests and configuration
for newly written code test-management system checks
Infrastructure API for deployment Configuration options Automated code Cloud environments Security tools and
APIs and instantiation for instantiation of scanning implemented regularly tested for configuration options
processes rearchitected automated, project- for deployed web security via automated applied via API to new
to accommodate new specific development applications to maintain vulnerability assessment environments at
applications environment made quality and code integrity and identification tools deployment time
available
Security-trained developers and engineers enable automation and orchestration throughout cloud-development, -deployment,
and -operations phases
Taken together, these actions will eliminate With digitization, analytics, RPA, agile, DevOps,
roadblocks to building digital-technology and cloud, it is clear that enterprise IT is evolving
operating models and platforms. Perhaps more rapidly and in exciting and value-creating ways.
importantly, they can ensure that new digital This evolution naturally creates tension with
platforms are inherently secure, allowing their existing cybersecurity operating models. For
adoption to reduce risk for the enterprise as organizations to overcome the tension, they
a whole (see sidebar, “How a large biopharma will need to apply quantitative risk analytics
company built cybersecurity capabilities to enable for decision making, create secure business
a digital enterprise”). value chains, and enable operating platforms
that encompass the latest innovations. These
actions will require significant adaptation from
cybersecurity organizations. Many of these
organizations are still in the early stages of this
journey. As they continue, they will become more
and more capable of protecting the companies
while supporting the innovative goals of the
business and IT teams.
James Kaplan is a partner in McKinsey’s New York office, Wolf Richter is a partner in the Berlin office,
and David Ware is an associate partner in the Washington, DC, office.
The risk-based
approach to
cybersecurity
The most sophisticated institutions are moving from a “maturity
Thetomost
based” sophisticated
a “risk institutions
based” approach are moving
for managing from a Here
cyberrisk. “maturity
based”
is how to adoing
they are “risk based”
it. approach for managing cyberrisk. Here is
how they are doing it.
by Jim Boehm, Nick Curcio, Peter Merrath, Lucy Shenton, and Tobias Stähle
by Jim Boehm, Nick Curcio, Peter Merrath, Lucy Shenton, and Tobias Stähle
© lvcandy/Getty Images
October 2019
TopTop
managers
managers at most
at mostcompanies
companies recognize
recognize Exhibit 1
cyberrisk asas
cyberrisk ananessential
essentialtopic
topiconontheir
their agendas.
agendas.
Cyberthreats are growing in severity
Worldwide,
Worldwide, boards
boards and
andexecutive
executiveleaders
leaders want
to know
to know howhow well
well cyberriskisisbeing
cyberrisk beingmanaged
managed in in
and frequency.
their organizations. In more advanced regions and
their organizations. In more advanced regions Cyberthreat capacity and frequency today,
andsectors,
sectors, leaders
leaders demand,
demand, given years
given of significant
years threat actor
cybersecurity investment, that programs
of significant cybersecurity investment, that also
Capability Frequency
prove their value in risk-reducing terms. Regulators Very high
programs also prove their value in risk-reducing
are challenging the levels of enterprise resilience Nation state Opportunists
terms. Regulators are challenging the levels of
that companies claim to have attained. And nearly
enterprise resilience that companies claim to Organized crime Insider threats
everyone—business executives, regulators,
have attained. And nearly everyone – business
customers, and the general public—agree that Hacktivist groups Competitors
executives,
cyberriskregulators,
is serious and customers, and theattention
calls for constant general
public – agree
(Exhibit 1). that cyberrisk is serious and calls Competitors Hacktivist groups
for constant attention (Exhibit 1).
Insider threats Organized crime
What, exactly, organizations should do is a more
What, exactly, organizations should do is a more
difficult question. This article is advancing a “risk
difficult question. This article is advancing a “risk Opportunists Nation state
based” approach to cybersecurity, which means Very low
based” approach to cybersecurity, which means
that to decrease enterprise risk, leaders must
thatidentify
to decrease enterprise risk, leaders must
and focus on the elements of cyberrisk to Decisions about how best to reduce cyberrisk can
identify and focus on the elements
target. More specifically, the manyof cyberrisk to
components be contentious. Taking into account the overall
target. More specifically,
of cyberrisk the manyand
must be understood components
prioritized enterprise cyberrisk as potential avenues for loss
context in which the enterprise operates, leaders
of cyberrisk mustcybersecurity
for enterprise be understood andWhile
efforts. prioritized
this of confidentiality, integrity, and availability of digital
must decide which efforts to prioritize: Which
for approach
enterprise tocybersecurity
cybersecurity isefforts. While
complex, bestthis assets. By extension, the risk impact of cyberthreats
projects could most reduce enterprise risk? What
approach
practicesto for
cybersecurity is complex,
achieving it are emerging.best includes fraud, financial crime, data loss, or loss of
methodology should be used that will make clear
system availability.
practices for achieving it are emerging.
To understand the approach, a few definitions are to enterprise stakeholders (especially in IT) that
To understand the approach, a few definitions are
in order. First, our perspective is that cyberrisk those priorities
Decisions aboutwill
howhave
bestthe greatest
to reduce risk reducing
cyberrisk can
in order. First,
is “only” our perspective
another is thatrisk.
kind of operational cyberrisk
That is, impact
be contentious. Taking into account the overall in
for the enterprise? That clarity is crucial
is “only” another kind of operational risk.
cyberrisk refers to the potential for business Thatlosses organizing and executing
context in which thoseoperates,
the enterprise cyber projects
leaders in a
is, cyberrisk refers to thereputational,
of all kinds—financial, potential for business
operational, focused way.which efforts to prioritize: Which
must decide
losses of all kinds – financial, reputational,
productivity related, and regulatory related—in the projects could most reduce enterprise risk? What
At the moment, attackers benefit from organiza-
operational, productivity
digital domain. Cyberrisk related,
can alsoand regulatory
cause losses in methodology should be used that will make clear
tional indecision on cyberrisk – including the pre-
to enterprise stakeholders (especially in IT) that
the physical
related – in thedomain, such as damage
digital domain. Cyberrisk to operational
can
vailing lack of clarity
those priorities about
will have the the danger
greatest riskand failure
reducing
alsoequipment.
cause losses But it
inisthe
important
physicaltodomain,
stress that
such
cyberriskto is operational
a form of business risk. But it is toimpact
execute effective cyber controls.
for the enterprise? That clarity is crucial in
as damage equipment.
important to stress that cyberrisk is a form of organizing and
Debilitating executing
attacks those cyberinstitutions
on high-profile projects in aare
Furthermore, cyberrisks are not the same as focused way.
business risk. proliferating globally, and enterprise-wide cyber
cyberthreats, which are the particular dangers that
efforts are needed now with great urgency. It is
Furthermore, cyberrisks
create the potential are not theThreats
for cyberrisk. same as include At the moment, attackers benefit from
widely understood that there is no time to waste:
cyberthreats, which are
privilege escalation, the particular
vulnerability dangersorthat
exploitation, organizational indecision on cyberrisk—including
business leaders everywhere, at institutions of all
the prevailing lack of clarity about the danger
phishing.¹
create Cyberthreats
the potential exist in the
for cyberrisk. contextinclude
Threats of
sizes and in all industries, are earnestly searching
privilege escalation, vulnerability exploitation,
for the optimal means to improve cyber resilience.
or phishing.
1
1
Cyberthreats
Privilege escalation exist
is the exploitation of ainflaw
thein acontext
system for purpose of gaining unauthorized access to protected resources. Vulnerability
We believe we have found a way to help.
of enterprise cyberrisk
exploitation is an as potential
attack that uses avenuestofor
detected vulnerabilities exploit (surreptitiously utilize or damage) the host system.
1
Privilege escalation is the exploitation of a flaw in a system for purpose of gaining unauthorized access to protected resources.
Vulnerability exploitation is an attack that uses detected vulnerabilities to exploit (surreptitiously utilize or damage) the host system.
Exhibit 2
For many companies, the risk-based approach is the next stage in their cybersecurity journey.
Proactive cybersecurity
Foundational Advanced
precise, pragmatic implementation programs with transformation. The excess spending was deemed
clear alignment from the board to the front line. necessary to fulfill a promise to the board to reach
4 The risk-based approach to cybersecurity
Following the risk-based approach, a company a certain level of maturity that was, in the end,
will no longer “build the control everywhere”; arbitrary. Using the risk-based approach, the
rather, the focus will be on building the appropriate company scaled back controls and spending in
controls for the worst vulnerabilities, to defeat areas where desired digital capabilities were being
the most significant threats – those that target heavily controlled for no risk-reducing reason. A
the business’s most critical areas. The approach particular region of success with the risk-based
allows for both strategic and pragmatic activities approach has been Latin America, where a number
to reduce cyberrisks (Exhibit 3). of companies have used it to leapfrog a generation
of maturity-based thinking (and spending).
Companies have used the risk-based approach to
Instead of recapitulating past inefficiencies, these
effectively reduce risk and reach their target risk
companies are able to build exactly what they need
appetite at significantly less cost. For example,
to reduce risk in the most important areas, right
by simply reordering the security initiatives in its
from the start of their cybersecurity programs.
backlog according to the risk-based approach,
Cyber attackers are growing in number and
one company increased its projected risk reduction
strength, constantly developing destructive new
7.5 times above the original program at no added
stratagems. The organizations they are targeting
cost. Another company discovered that it had
must respond urgently, but also seek to reduce
massively overinvested in controlling new software-
risk smartly, in a world of limited resources.
development capabilities as part of an agile
Exhibit 3
2
This can include the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), NIST National Vulnerability
Dataset (NIST 800-53), International Organization for Standardization 27001/2 (standards for information-security-management
systems), and Federal Financial Institutions Examination Council Cybersecurity Assessment Tool (FFIEC CAT).
Exhibit 4
The risk-based approach applies controls according to the risk appetite and the likelihood
and potential impact of a risk event.
Risk events by size of impact and likelihood of occurrence
Sidebar
Jim Boehm is an associate partner in McKinsey’s Washington, DC, office; Nick Curcio is a cyber
solutions analyst in the New York office; Peter Merrath is an associate partner in the Frankfurt office,
where Tobias Stähle is a senior expert; and Lucy Shenton is a cyber solutions specialist in the Berlin
office.
The authors wish to thank Rich Isenberg for his contributions to this article.
Enhanced cyberrisk
Risk Practice
EnhancedOpening
reporting: cyberrisk
reporting:
doors Opening
to risk-based
doors to risk-based
cybersecurity
cybersecurity
New cyberrisk management information systems provide
executives with the
New cyberrisk risk transparency
management they need
information systemsto transform
provide executives
organizational cyberresilience.
with the risk transparency they need to transform organizational
cyberresilience.
by Jim Boehm, James Kaplan, Peter Merrath, Thomas Poppensieker, and Tobias Stähle
by Jim Boehm, James M. Kaplan, Peter Merrath, Thomas Poppensieker, and Tobias Stähle
© me4o/Getty Images
January 2020
1
“How boards of directors really feel about cyber security reports”, Bay Dynamics, June 2016, baydynamics.com.
2
See also Thomas Poppensieker and Rolf Riemenschnitter, “A new posture for cybersecurity in a networked world,” McKinsey on Risk,
March 2018, McKinsey.com.
Exhibit 1
The cyberrisk management information system begins with top-down risk aggregation and
proceeds to a bottom-up approach.
Risk management and reporting
Low in risk appetite In risk appetite At risk appetite Out of risk appetite
Top-down risk aggregation is a good way to The top-down risk approach is phased into a The bottom-up approach allows for more
begin, as it requires the least amount of data and bottom-up approach as the organization matures effective risk mitigation: it provides transparency
provides the most insight in the shortest time and the required data become available sufficient to achieve optimal risk-treatment
decisions for a given budget in line with
Methodologies Methodologies enterprise capabilities
• Scenario-based, qualitive and quantitative • Scenario-based, qualitive, and quantitative
assessments assessments Methodologies
• Business-impact analysis
• Operational-risk-management (ORM) • Inherent and residual risk exposure
methodologies and portfolio-theory • Risk-inheritance modeling
aggregation • ORM methodologies and portfolio-theory
aggregation
• Low-level data processing
1 2 3 5
1 Group enterprise-information risk exposure 2 Data-confidentiality breach 5 Risk exposure for each individual asset and a
3 Data-integrity loss portfolio of assets
4 Insufficient technical-disaster recovery
Reporting dimensions
Business divisions Business processes Asset classes Individual assets Legal entities Regions Buildings
and stacks and countries
Exhibit 2 presents the “path to green”: the risk- aggregated scorecard or the most granular
mitigation initiatives enabled by the mature breakdown of KRIs will be useless if executives do
bottom-up approach that bring risk indicators not rely on the output for decision making. This is
Enhanced cyberrisk reporting: Opening doors to risk-based cybersecurity 5
within the risk appetite. why a good cyberrisk MIS should be customized,
reflecting the specific needs of decision makers at
A high-performing cyberrisk MIS is much more than
levels one and two of a company’s hierarchy.
a reporting tool. It is an integrated decision-support
system, creating visibility on all relevant assets –
end-user devices, applications, infrastructure, net- Catalyzing a cybersecurity
works, and buildings. It gives decision makers access transformation
to detailed information on organizational units, The cyberrisk MIS can catalyze a comprehensive
regions, and legal entities. It embodies the principles cybersecurity transformation. This happens
of good cyberrisk governance, from definition and in the MIS implementation, which in itself is an
detection to treatment and measurement. opportunity to transform the ways companies
gather information about cyberrisk and make
Implementation of the cyberrisk MIS is as
decisions about countermeasures.
critically important as its design. Even the finest
Exhibit 2
Risk-mitigation initiatives indicated by the bottom-up aggregation approach provide the ‘path
to green.’
Share of scope
population falling
outside risk appetite,
illustrative
100%
40
32
24
16
8 0
The description of a successful cyberrisk MIS how cyberrisk information is gathered and
implementation is remarkably congruent with that how executives decide on countermeasures.
of a cybersecurity transformation. The steps are as Cybersecurity governance and organization
6 follows:
McKinsey on Risk Number 9, November 2019 should be established across the whole
company, with common standards and
— Define the scope and objectives. Leaders
best-in-class reporting for systematic risk
work up front to define objectives and
identification and prioritization.
deliverables. They begin by taking stock of
Exhibit 3
Control in place
Control not in place
Control recommended
Out of scope
Tier 1: Control A Tier 1: Control B Tier 1: Control C Tier 2: Control D Tier 3: Control E
Multifactor Account Central privileged Account deactivation Data encryption
authentication recertification access within 24 hours
Application 1:
Trading example
Application 2:
Accounting example
Application 3:
Policy portal
Effective information-security risk management is based on asset-centric indicators, including key risk indicators (KRIs),
key compliance indicators (KCIs), and key performance indicators (KPIs), revealing compliance issues as well as current and
forecasted residual risk exposure.
— Avoid
control patchwork
regime. solutions.
The company The cyberrisk
subjected only its requirements,
With the andathe
right approach, return MIS
cyberrisk on investments in
most critical, most vulnerable assetsanother
MIS must not be regarded as patch. It
(class one) cybersecurity.
cybersecurity transformation will provide board-
should be comprehensive and more accessible level
to the full arsenal of controls—from multifactor — executives with a concise
Shift to a risk-based and easilyOne
approach. digestible
of the
userthan the previous
authentication assemblage
to deleting, after of
24stand-
hours, overview of top cyberrisks. Exhibit 4 shows
most powerful benefits of a good cyberrisk an
thealone
accountsreports. A good
of anyone whocyberrisk MIS can
left the company. MIS cyberrisk dashboard, with the risk heat-map
MIS is the risk-based approach to controls
accommodate
By contrast, different
it applied only basicdegrees ofto
controls maturity
the in tab open. Other tabs provide the chief risk officer
(Exhibit 3), which replaces the undifferentiated
least critical assets
different business(Exhibit 3). For
units. As aexample,
result of this
a module and the chief information officer with the KRIs,
“all controls for all assets” approach. The
tiered
canapproach,
be includedthe company
that enableswas able to improve
managers to KPIs, controls, and progress reports for different
risk-based approach focuses on the most
compliance with relevant regulatory
upload static reports until dynamic datarequirements functions, organizational levels, and applications.
while reducing the residual risk level. Atupdates.
the same important assets
The transformation and the
will foster thebiggest,
use of a most
become available for automatic
time, it also reduced costs: both direct costs (such probable threats. Decision
common language and a fact-based makers can to
approach then
Generally, the MIS should supply decision
as for software licenses) and indirect costs (such allocate
cyberrisk investments
across accordingly.
the entire institution. Resilience
Over time,
makers with the most pertinent information
as those incurred through the use of cumbersome, is thereby
the institution improved
will accrue thewithout anof
benefits increased
greater
available at any given time.
undifferentiated controls, even those for low- cybersecurity
cyberrisk transparency,budget. In many
improved cases, a state-
cybersecurity
— Enhance
level consistency. With improved
applications). of-the-art
efficiency, cyberrisk
and greater MIS allows reductions in
cyberresilience.
transparency comes improved consistency. operating expenditure as well.
As the transformation proceeds, executives
One company used the fact base it created in
should calibrate their understanding of
implementing its cyberrisk MIS to introduce a
cyberrisk and cybersecurity. They should ask,
tiered control regime. The company subjected only
“As an institution, how much risk are we willing
its most critical, most vulnerable assets (class one)
to accept? What are our biggest threats? What
to the full arsenal of controls – from multifactor
level of protection renders a given asset safe?”
user authentication to deleting, after 24 hours,
8 EvenonaRisk
McKinsey seemingly
Number 9, trivial
Novemberrisk topic can initiate
2019
the accounts of anyone who left the company.
fruitful discussions. For example, in defining
By contrast, it applied only basic controls to the
cyberrisk-warning thresholds, executives
least critical assets (Exhibit 3). As a result of this
can arrive at a common understanding of
tiered approach, the company was able to improve
risk appetite, asset relevance, regulatory
Exhibit 4
Risk heat map: Current risk exposure according to risk register and assessment of 1st and 2nd lines of defense
Global overview
0 2 2 9
Low Medium High Very high 1. Unauthorized
External incidents
scenarios scenarios scenarios scenarios transactions: internal
Threat landscape 2. Unauthorized
Risk heat map transaction: external
3. Data leakage
Cyber incidents Very high 7 2, 5, 8 1
4. Information gathering by
Group security nation-state
dashboard 5. Loss of data integrity
High 10 4, 6, 12 3 6. 3rd-party breach
Shared financial-
7. Business-process
system projects
disruption
Regulatory updates 8. Insufficient
Severity Medium 9, 11 13 technical-disaster
Data import
recovery
System settings 9. Disruption of services/
denial-of-service attack
Low
10. Physical intrusion
11. Failure of building
environment
Very low 12. Regulatory risk
13. System settings
Likelihood
The fast track to impact place. In all likelihood, the initial version of a
Themodular
fast track next-generation cyberrisk
be fully MIS will not be fully
The designtoofimpact
the recommended cyberrisk MIS will not customized to the
The modular customized
needs to the
of a given needsbut
company, of aitgiven
will becompany,
a real but
cyberrisk MISdesign
makesofitthe recommended
possible to implement
cyberrisk MIS makes it possible to implement it will beproduct,
working a real working product, not a dummy.
not a dummy.
a viable version in parts over a period of three
a viable version in parts over a period of three The implementation journey begins with a project
to six months, depending on an organization’s
to six months, depending on an organization’s The implementation
team, experts, riskjourney begins
managers, datawith a project
owners, IT, and
needs and complexity. For many companies, the
needs and complexity. For many companies, the team, experts, risk managers, data owners,
other stakeholders jointly determining specific IT, and
most important components – the underlying other stakeholders jointlyprocesses,
determiningand specific
most important components—the underlying requirements, relevant data
data structure, the analytical backbone, and requirements, relevant processes, and data
data structure, the analytical backbone, and the availability. In the building stage, live trial sessions
the visualization interface – are already in
visualization interface—are already in place. In all availability. In the building stage, live trial sessions
likelihood, the initial version of a next-generation are held to give executives a chance to provide
are held to give executives a chance to provide systems have seen significant improvement in the
feedback on MIS utility. After needed adjustments, efficacy of cyberrisk detection and remediation.
the scope is widened and the system is deployed The platform links operational data with groupwide
to the entire organization. enterprise-risk-management information accurately
and consistently. These cyberrisk systems can
become the basis for a comprehensive cybersecurity
transformation and part of a holistic risk-based
Leading institutions that have implemented state- approach to cybersecurity, reducing risk, raising
of-the-art cyberrisk management information resilience, and controlling costs.
Jim Boehm is an associate partner in McKinsey’s New York office, where James Kaplan is a partner;
Peter Merrath is an associate partner in the Frankfurt office, where Tobias Stähle is a senior expert;
and Thomas Poppensieker is a senior partner in the Munich office.
The authors wish to thank Rolf Riemenschnitter for his contributions to this article.
Critical resilience:
Adapting
infrastructure to
repel cyber threats
As the digital world becomes increasingly connected, it is no
longer possible for infrastructure owners and operators to
remain agnostic in the face of evolving cyber threats. Here’s
what they can do to build an integrated cyber defense.
by James Kaplan, Christopher Toomey, and Adam Tyra
1
“Dave Lee, “Warning over ‘panic’ hacks on cities,” BBC, August 9, 2018, bbc.com.
2
“Ukraine power cut ‘was cyber-attack’,” BBC, January 11, 2017, bbc.com.
3
Gartner says 8.4 billion connected “things” will be use in 2017, up 31 percent from 2016, Gartner, 2017.
4
2018 vulnerability statistics report, edgescan, 2018.
5
Michael Kan, “Researcher develops ransomware attack that targets water supply,” CSO, February 14, 2017, csoonline.com.
6
Megumi Lim, “Seven years after tsunami, Japanese live uneasily with seawalls,” Reuters, March 8, 2018, reuters.com.
7
Steven Morgan, “Global ransomware damage costs predicted to hit $11.5 billion by 2019,” Cybersecurity Ventures, November 14, 2017,
cybersecurityventures.com.
8
Charlie Osborne, “NonPetya ransomware forced Maersk to reinstall 4000 servers, 45000 PCs,” ZDNet, January 26, 2018, zdnet.com.
9
Brian Krebs, “Target hackers broke in via HVAC company,” Krebs on Security, February 5, 2014, krebsonsecurity.com.
James Kaplan is a partner in the New York office. Christopher Toomey is a vice president in the Boston
office, and Adam Tyra is an expert in the Dallas office.
The consumer-data
opportunity and the
Risk Practice
The consumer-data
privacy imperative
opportunity and the
privacy imperative
As consumers become more careful about sharing data, and
regulators step up privacy requirements, leading companies
areAs consumers
learning become
that data more careful
protection about can
and privacy sharing data,
create a and regulators
step upadvantage.
business privacy requirements, leading companies are learning that data
protection and privacy can create a business advantage.
by Venky Anant, Lisa Donchak, James Kaplan, and Henning Soller
by Venky Anant, Lisa Donchak, James Kaplan, and Henning Soller
April 2020
Exhibit 1
Financial Electric power/ Technology Travel, transport, Telecom- Public Agriculture Oil and
services natural gas and logistics munications sector and gas
government
44 44
22
19
18 17 17
14 13 12 12 11 10 10 10 10
Source: McKinsey Survey of North American Consumers on Data Privacy and Protection, 2019
Websites browsed 46 23 28 3
Searches performed 44 25 27 4
critically important to consumers, many are willing to example, implemented in Europe in May 2018, gives
42 The aside
set consumer-data opportunity
their privacy and the privacy imperative
concerns. consumers more choices and protections about how
their data are used. The GDPR gives consumers
McK on Risk 9 2020
The consumer-data opportunity
Exhibit 3 of 4
Exhibit 3
Consumers trust companies that limit the use of personal data and respond quickly to hacks
and breaches.
Source: McKinsey Survey of North American Consumers on Data Privacy and Protection, 2019
Half of our consumer respondents are also a trustworthy government, or whether a company
more likely to trust companies that react quickly proactively shares cyber practices on websites or
to hacks and breaches or actively disclose in advertisements (Exhibit 3).
such incidents to the public. These practices
have become increasingly important both for Consumer empowerment and actions
companies and consumers as the impact of
Given the low overall levels of trust, it is not
breaches grows and more regulations govern the
surprising that consumers often want to restrict
timeline for data-breach disclosures.
the types of data that they share with businesses.
Other issues are of lesser importance in gaining Consumers have greater control over their personal
the consumer’s opportunity
The consumer-data trust, according to theimperative
and the privacy survey: the information as a result of the many privacy tools 5
level of regulation in a particular industry, whether now available, including web browsers with built-
a company has its headquarters in a country with in cookie blockers, ad-blocking software (used
1
The fine was imposed by the Information Commissions Office, the British data regulator, and is currently under regulatory process
review.
Exhibit 4
Consumer concerns over data collection and privacy are mounting, but few take adequate
protective precautions.
Masked identity 18
Encrypted communications 14
Venky Anant is a partner in McKinsey’s Silicon Valley office, where Lisa Donchak is a consultant;
James Kaplan is a partner in the New York office; Henning Soller is a partner in the Frankfurt office.
Consumer-data privacy
and personalization at
scale: How leading
Marketing & Sales
retailers and
Consumer-data consumer
privacy and
personalization
brands can at strategize
scale: How
leading
forretailers
both and consumer
brands can strategize for both
Customer
Customer concerns concerns
about aboutand
the security the privacy
securityofand privacy
their onlineof their
data online
can impede
personalizeddata can impede
marketing personalized
at scale. marketing
Best-practice at scale.
companies Best-practice
are building protections
companies are
into their digital properties. building protections into their digital properties.
by Julien Boudet, Jess Huang, Kathryn Rathje, and Marc Sorel
by Julien Boudet, Jess Huang, Kathryn Rathje, and Marc Sorel
© Getty Images
November 2019
48 Consumer-data privacy and personalization at scale: How leading retailers and consumer brands can strategize for both
Personalization at scale is where retailers and will limit current practices, and 51 percent said
consumer brands are competing to win. But in they don’t think consumers will limit access to their
focusing on “playing offense” to capture value, data (Exhibit 1)—this despite other recent surveys
Personalization at scale is
executives are often overlooking their “defense”: where retailers and
showing regulations
that more than will90
limit current of
percent practices,
consumersand 51
consumer brands are competing to win. But in percent said they don’t think consumers will limit
preserving, protecting, enabling, and accelerating are concerned about their online privacy, and nearly
focusing on “playing offense” to capture value, access to their data (Exhibit 1) – this despite other
the hard-won gains of their digital efforts by 50 percent have limited their online activity because
executives are often overlooking their “defense”: recent surveys showing that more than 90 percent
ensuring that personalization at scale keeps of
preserving, protecting, enabling, and accelerating privacy concerns.¹
of consumers are concerned about their online
personal data secure theand private.
hard-won gains of their digital efforts by privacy, and nearly 50 percent have limited their
ensuring that personalization at scale keeps Getting theonline
security andbecause
activity privacyof ofprivacy
personalization
concerns.1
As the enterprise risk of collecting,
personal holding,
data secure and
and private. wrong can slow time to market for new applications,
Getting the security and privacy of
using consumer data to personalize
As the enterprise riskofferings
of collecting, holding, constrain remarketing
personalization and consumer-data
wrong can slow time to market
grows, so do the business-impairing data to personalize collection, result
and using consumerconsequences for newinapplications,
significant constrain
fines, or—worse—
remarketing and
for those who fail toofferings
get it right. Despite
grows, these
so do the business-impairingcause material harm to brand
consumer-data reputation
collection, through
result in significant
challenges and opportunities,
consequences most marketing
for those negative consumer
who fail to get it right. fines, or –experience.
worse – cause Getting it harm
material right to brand
Despite these challenges
leaders remain surprisingly unconcerned with how and opportunities, reputation through negative
reduces time to market, puts security and privacy consumer experience.
most marketing
to manage data security and privacy. leaders remain surprisingly Getting it right reduces time
at the heart of the company’s value proposition, to market, puts
unconcerned with how to manage data security security and privacy at the heart of the company’s
boosts customer-satisfaction scores, and materially
and privacy. value proposition, boosts customer-satisfaction
In a recent McKinsey survey of senior marketing reduces the likelihood of regulatory fines.
scores, and materially reduces the likelihood of
leaders, 64 percentInsaid
a recent
theyMcKinsey survey
don’t think of senior marketing
regulations regulatory fines.
leaders, 64 percent said they don’t think
1
Brian Byer, “Internet users
1 worry about online privacy but feel powerless to do much about it,” Entrepreneur, June 20, 2018, entrepreneur.com;
Brian Byer, “Internet users worry about online privacy but feel powerless to do much about it,” Entrepreneur, June 20, 2018,
and Rafi Goldberg, “Lack ofentrepreneur.com;
trust in internet and
privacy and security
Rafi Goldberg, may
“Lack deter
of trust in economic and other
internet privacy onlinemay
and security activities,” National
deter economic andTelecommunications
other online activities,”
National Telecommunications
Exhibit 1
Many marketers
Many feelconfident
marketers feel confidentthat
thatneither
neitherregulations
regulations nor
nor consumer
consumer
sentimentwill
sentiment will limit
limit data
datacollection
collectionininthe
thefuture.
future.
Source: 2018 senior management personalization survey: Based on question 27: How do you expect regulations to affect personalization practices in your industry?
And question 28: How do you expect customer behavior regarding data collection to evolve over the next six years?
Consumer-data privacy and personalization at scale: How leading retailers and consumer brands can strategize for both
Consumer-data privacy and personalization at scale: How leading retailers and consumer brands can strategize for both 49
Where to start — Establishing and enforcing standards on
security and privacy for creative agencies
For most companies, getting security and privacy
right begins with remediating and transforming the — Using best practices for data protection in their
digital-marketing applications and systems that day-to day-work
Where to start
generate, transmit, consume, store, or dispose of
They also put marketing at the center of the
Forconsumer
most companies, getting — Tokenizing
effort, consumer
educating teams data
on the ensuring
value at stakeconsent
data (Exhibit 2).security
Leadingand privacy
brands make
right begins with remediating and transforming thedata through,compliance
for example:
this part of a broader baseline assessment of
digital-marketing applications and systems that — Sanitizing data before using them in outbound
security and privacy across people, processes,
generate, transmit, consume, store, or dispose of — establishing and enforcing standards on
and technology and tie it to business use cases. communications and remarketing
consumer data (Exhibit 2). Leading brands make security and privacy for creative agencies
this part of a broader baseline assessment of data — Being accountable for incidents when they occur
They also put marketing at the center of the effort,
security and privacy across people, processes, and — using best practices for data protection in
educating teams on the value at stake through, for
technology and tie it to business use cases. their day-to day-work
example:
Exhibit 2
The marketing structure should enable digital-property remediation and
The marketing structure should enable digital-property remediation and transformation.
transformation.
a) Content development for consumer-facing brand websites 1 Where and how digital assets/properties should be created and
A
b) Content delivery through e-commerce and merchandising maintained
portraying products and brands in a way that allows the enter-
prise to "do business" with its customers 2 Technical capabilities, such as data lake or discovery scan
tools, to facilitate collection, storage, management, and testing
a) Cookie management to granularly track and collect consumer- of consumer data
behavior data across properties as customers engage with them
B
b) Remarketing by using data to drive portrayal and placement 3 The global vs local policies, processes, and tools to adopt,
of products and brands with which the consumer engages follow, and validate to meet security-and-privacy obligations in
a variety of regulatory environments
a) Using consumer data from digital properties and other 4 Agile organization and operating model that clarifies roles
C
sources to drive outbound marketing (such as pay-per-click, and responsibilities across functions and rationalizes external
advertising, digital display) partners/agencies
Consumer-data privacy and personalization at scale: How leading retailers and consumer brands can strategize for both 3
50 Consumer-data privacy and personalization at scale: How leading retailers and consumer brands can strategize for both
The dialogue with marketing and other executive team defend its decisions on where
stakeholders in this context should be ongoing, and how to allocate spend on security and
to match the enterprise’s evolving needs for data privacy. Understanding how properties such as
and technical capabilities and to capture the value information systems and assets map to each other,
from use cases. to the threat landscape, and to the business value
chain also clarifies where eliminating risks can
An imperative on security and privacy can help
enhance enterprise value.
with many things
— tokenizing – fromdata
consumer eliminating tech debt security and privacy functions. Aligning on core
to breaking down silos – by opening iterative Clarify
beliefs anddata strategy,
a framework togovernance, and policies,
approach the effort
dialogue
— ensuringon consent
data needs and new operational
compliance and build
(Exhibit 3) caninhelp
the the
roles and
team requirements
quickly get the to make
requirements between the business and the them conviction
needed work and buy-in.
— sanitizing
security data before
and privacy using them
functions. in outbound
Aligning on core The details of programs for data security and
communications and remarketing
beliefs and a framework to approach the effort privacy may vary by company, industry, or the local
(Exhibit 3) can help the team quickly get the How to move
regulatory quickly
climate. Consumerat scale
and retail enterprises,
— beingconviction
needed accountable
and forbuy-in.
incidents when they Asfor
theexample,
transformation of data
often hold management
consumer is no more
data for
occur piloted
than 13and scaled,in
months, prioritizing a few consumer
order to track key actionspatterns
to
improve security and privacy will ensure outcomes
How to move quickly at scale
The dialogue with marketing and other
through seasons and holidays. Auto retailers, on
that enable rather than disable the business.
the other hand, often hold data longer, to reflect the
As the transformation
stakeholders of data
in this context management
should be ongoing,is
longer time between automotive purchases, which
piloted
to matchand
thescaled, prioritizing
enterprise’s evolvinga needs
few keyforactions
data to Build a risk register for digital properties
and technical capabilities and towill
capture the value tend to be multiyear, not annual. Other companies
improve security and privacy ensure outcomes Taking a risk-back approach can help the
fromenable
use cases. may tailor
executive their
team globalitsprivacy
defend policy
decisions to meet
on where local
and
that rather than disable the business.
regulatory requirements, such as General
how to allocate spend on security and privacy. Data
Build a risk register
An imperative for and
on security digital properties
privacy can help Protection Regulation
Understanding (GDPR)
how properties or the
such California
as information
Taking a risk-back approach can help
with many things—from eliminating tech debt the Consumer Privacy Act (CCPA).
systems and assets map to each other, to the
to breaking down silos—by opening iterative threat landscape, and to the business value chain
dialogue on data needs and new operational also clarifies where eliminating risks can enhance
requirements between the business and the enterprise value.
Exhibit 3
Company
Company alignment
alignment onon thethe core
core principles
principles for transforming
for transforming digital properties
digital properties
will enable personalization at scale.
will enable personalization at scale.
Manage digital property the way you manage your people. Knowing the identity, performance, and safety of
your applications is as important as knowing the identity, performance, and reliability of your people.
? Anchor the approach in use cases. For a successful transformation, understand which business use cases the
transformed digital properties will support, and clarify the architectural gaps you need to fill to support both
properties and use cases.
. Create and maintain a risk-based asset inventory. This will help to clarify your enterprise digital-property
landscape, as well as compliance issues and business risk, and is an essential tool for prioritizing
... transformation initiatives.
Align risk with enterprise appetite. A risk-back, minimum viable approach to building security-and-privacy
protections into the transformation of digital properties is a commercial imperative for personalization at scale.
Clarify roles, responsibilities, decision rights, and talent requirements across the organization. This is the
key to ensuring you can quickly embed the cross-functional capabilities needed to bring new properties to
market.
Implement the transformation by deploying cross-functional teams in agile sprints. This will not only
mitigate execution risk—a requirement, not an option—but also enable you to capture value at scale and
demonstrate that the process is iterative.
4 Consumer-dataprivacy
Consumer-data privacy and
and personalization
personalization at scale:
at scale: HowHow leading
leading retailers
retailers and consumer
and consumer brandsbrands can strategize
can strategize for both for both 51
But some best practices are emerging as developed, which reduced downstream rework,
enterprises focus on data privacy and security. accelerated time to market, and put data
One leading privacy policy is the tokenization protection at the center of the enterprise’s value
and sanitization of data before using them in proposition to consumers.
remarketing. Further, leading institutions will
Create and deliver role-based training on
align on the “minimum viable data and controls”
security and privacy
required to preserve a long-term view of
Given that more than 80 percent of enterprise
consumers and empathetically engage them
cybersecurity incidents begin with a human
at scale. To embed awareness of security and
clicking on malware, regular training tailored
privacy across an enterprise, some companies find
to key roles is essential to reduce the risks of
it useful to create roles for business-information
personalization. Marketing teams, for example,
security and privacy officers (BISPOs) or “security
might need to learn best practices for remarketing,
and privacy ambassadors.” Such programs can
such as parsing data to eliminate personal
not only empower employee teams to become
identifiability while preserving business value.
knowledgeable about organization practices
on security and privacy but also ensure that the There are about 15 core employee behaviors that
integrity of digital properties continues long after can be addressed and transformed through a
they are transformed and remediated. focused campaign of annual training supported
by unpredictable reminders, such as occasional
In the event of a breach of data security or
emails and text messages or antiphishing test
privacy, it is helpful to have in place incident-
campaigns. Similarly, building security and
response plans that are “living documents” formed
privacy standards into performance reviews – for
through the test-and-learn iterative process of
example, setting a threshold for the number of
simulation. These can help executive teams make
security or privacy incidents in a line of business
better decisions faster about managing their
over a period of time – can ensure that the entire
digital properties – and their relationships with
business, not just the experts on security and
regulators.
privacy, owns the problem and the solution.
Build security and privacy into enterprise
Personalize security and privacy for the
analytics and application development
consumer
Consider the example of an enterprise seeking
Leading financial institutions have already
to transform itself into a platform company
unlocked the value of increasing net promoter
using consumer and customer data to cocreate
scores (NPS) by taking the hassle out of consumer
application programming interfaces (APIs) to
validation processes. By reducing hold times,
transform how consumers engaged with the
simplifying and tailoring multifactor authentication
brand. Before the enterprise built security
to meet consumer preferences, and placing
requirements into its application development, it
data-protection controls for consumer-facing
had missed at least one major market opportunity
applications in the hands of the consumer, they
because of regulators’ security concerns,
are improving customer experience without
frequently experienced application launch delays
compromising underlying security and privacy.
because of security-related rework requirements,
and lacked capacity to verify whether around 80 Leading retailers and consumer brands can
percent of the business-support applications it adopt a product-management mind-set and
developed annually complied with its requirements delight consumers by building data-protection
on security and privacy. options into consumer-facing applications and
support functions. By partnering with cutting-
By building those requirements into its software-
edge technology innovators, they can tailor
development policies, the enterprise made the
processes to what is most convenient for the
software-developer team responsible for meeting
consumer. Good places to start are multifactor
them right from the start, in the design phase. The
authentication by text, call, or randomly generated
security-and-privacy team would only involve itself
code, or built-in strong-password-generating
“by exception,” if a development team declined
tools to simplify password recall for consumers
to meet a specified requirement. This approach
accessing a retailer’s direct-to-consumer
ensured that standards on security and privacy
application. Measuring performance over time
were met in more than 90 percent of applications
through commonly available customer-experience
52 Consumer-data privacy and personalization at scale: How leading retailers and consumer brands can strategize for both
dashboards such as NPS can ensure that attempts 4. How are you managing your data to derive
to build security and privacy into consumer-facing value-creating analytic insight from
applications are refined quickly and iteratively. personalization without causing value-
destroying financial or operational loss due to
The opportunity around personalization at scale
privacy or security incidents?
for consumer brands and retailers has never been
more critical to capture. At the same time, the 5. What is the state of your secure software-
need to create a net positive consumer experience development life cycle program?
while avoiding the downsides of reputational,
6. How are you ensuring the secure operation of
operational, legal, and financial risks is a hard
your cloud environment?
balance to strike. Several core questions can help
clarify where your enterprise stands – and what to 7. How are you ensuring that security and privacy
do about it: are every employee’s responsibility?
1. How does your personalization technology 8. What is your capability aspiration for
measure your customer’s security and privacy customer-data security and privacy, how
experience? are you measuring progress toward that
aspiration, and how are you reporting progress
2. What is your enterprise’s critical-asset or
to the board?
-system risk register for data security and
privacy? By answering these questions, companies can
help ensure that personalization at scale is only a
3. How complete is your security-and-privacy
benefit, not a bane, to any consumer and brand.
technology stack, and how do you determine
this?
Julien Boudet is a partner in McKinsey’s Southern California office, Jess Huang is a partner in the
Silicon Valley office, Kathryn Rathje is an associate partner in the San Francisco office, and Marc Sorel
is a consultant in the Washington, DC, office.
Consumer-data privacy and personalization at scale: How leading retailers and consumer brands can strategize for both 53
Build cybersecurity into business products and processes
Financial crime
and fraud in the age
Risk Practice
ofFinancial crime
cybersecurity
and fraud in the age of
cybersecurity
As cybersecurity threats compound the risks of financial
crimeAs
and fraud, institutions
cybersecurity threatsare crossing the
compound functional
risks of financial crime
boundaries to enable
and fraud, collaborative
institutions resistance.
are crossing functional boundaries to enable
collaborative resistance.
by Salim Hasham, Shoan Joshi, and Daniel Mikkelsen
© Cimmerian/Getty Images
October 2019
1
World Economic Forum Annual Meeting, Davos-Klosters, Switzerland, January 23–26, 2018; LexisNexis risk solutions 2018 True Cost of
Fraud study, LexisNexis, August 2018, risk.lexisnexis.com.
Sidebar
Exhibit 1
The new cyber profile of fraud and financial crime is well illustrated by the Carbanak attacks.
Exhibit 2
Crime pathways are converging, blurring traditional distinctions among cyber breaches,
fraud, and financial crimes.
Fraud and insider threats Cyber breaches Financial crimes
• Internal and external • Confidentiality • Money laundering
threats • Integrity • Bribery and corruption
• Retail and nonretail threats • Systems availability • Tax evasion and tax fraud
• Insider threats
• Market abuse and
misbehavior
In a world where customers infrequently contact cybercrime. Both the front line and back-office
Inbank
a world
staffwhere customers
but rather interactinfrequently
almost entirely contact banks. Risk
operations arefunctions
oriented inandthisregulators
direction ataremanycatching
bank staffdigital
through but rather
channels,interact almost
“digital trust”entirely
has fast on as Risk
banks. well.functions
AML, while andnow mainlyare
regulators addressed
catching as
through
becomedigital channels,
a significant “digital trust”
differentiator has fast
of customer ona regulatory
as well. AML,issue,
whileisnow
seen as being
mainly on theasnext
addressed
become a significant
experience. Banks that differentiator of customer
offer a seamless, secure, ahorizon forissue,
regulatory integration.
is seen Important
as being oninitial steps
the next
and speedy digital interface will see a
experience. Banks that offer a seamless, secure,positive horizon for integration. Important initial
for institutions embarking on an integration steps for
impact
and on revenue,
speedy while those
digital interface that
will seedon’t will erode
a positive institutions embarking on an integration
effort are to define precisely the nature of all effort are
value and potentially lose business. Modern
impact on revenue, while those that don’t will banking torelated
define precisely the nature of all related
riskmanagement activities and to clarify risk-
demands faster risk decisions (such as
erode value and potentially lose business. Modern real-time management
the roles and activities and to clarify
responsibilities the the
across roleslines
and
payments) so banks must strike the right balance responsibilities across the lines of defense. These
banking demands faster risk decisions (such as of defense. These steps will ensure complete,
between managing fraud and handling authorized steps will ensure complete, clearly delineated
real-time payments) so banks must strike the right clearly delineated coverage – by the businesses
transactions instantly. coverage—by the businesses and enterprise
balance between managing fraud and handling and enterprise functions (first line of defense)
functions (first line of defense) and by risk, including
authorized
The growing transactions instantly.
cost of financial crime and fraud risk and by risk,
financial crime,including
fraud, and financial crime, fraud,
cyber operations and
(second
hasgrowing
also overshot expectations, pushed cyber operations
line)—while (second
eliminating line) –ofwhile
duplication eliminating
effort.
The cost of financial crime and upward by
fraud risk
several drivers. As banks focus tightly on reducing duplication of effort.
has also overshot expectations, pushed upward by
liabilities and efficiency costs, losses in areas All risks associated with financial crime involve
several drivers. As banks focus tightly on reducing All risks associated with financial crime involve
such as customer experience, revenue, reputation, three kinds of countermeasures: identifying and
liabilities and efficiency costs, losses in areas such three kinds of countermeasures: identifying and
and even regulatory compliance are being missed authenticating the customer, monitoring and
as customer experience, revenue, reputation, and authenticating the customer, monitoring and
(Exhibit 3). detecting transaction and behavioral anomalies,
even regulatory compliance are being missed detecting transaction and behavioral anomalies,
and responding to mitigate risks and issues. Each
(Exhibit 3). ofand responding
these activities,to mitigate
whether risks
taken in and issues. Each
response
Bringing together financial crime, tooffraud,
thesecybersecurity
activities, whether taken
breaches in response
or attacks, or
Bringing
fraud, andtogether financial crime,
cyber operations to fraud,
other cybersecurity
financial crimes, arebreaches
supportedorbyattacks,
many or
fraud, and
At leading cyberthe
institutions operations
push is on to bring other data
similar financial crimes, areIndeed,
and processes. supported by many
bringing these
similar data and processes. Indeed, bringing these
data sources together with analytics materially
Attogether
leadingefforts on financial
institutions crime,
the push fraud,
is on and
to bring
data sources together with analytics materially
together efforts on financial crime, fraud, and
improves visibility while providing much deeper
cybercrime. Both the front line and back-office
insight to improve detection capability. In many
operations are oriented in this direction at many
4 Financial crime and fraud in the age of cybersecurity instances it also enables prevention efforts.
Exhibit 3
Banks often focus on only a fraction of total financial-crime, fraud, and cybersecurity costs.
Example of financial-crime, fraud, and cybersecurity costs, $ million
525
50 Reimbursements if any
Regulatory fines
150
and remediation
100 Regulatory fines
40 System unavailable
40 Failed authentication
improves visibility while providing much deeper Generally speaking, experience shows that
insight to improve detection capability. In many organizational and governance design are the
Ininstances it alsoholistic
taking a more enablesview
prevention efforts.
of the underlying main considerations
Generally speaking,for the development
experience shows of
thatthe
processes, banks can streamline business and operating model. Whatever the particular
organizational and governance design are the choice,
In taking a more holistic view of the underlying institutions will need to bring together the right
technology architecture to support a better main considerations for the development of
processes, banks can streamline business and people in agile teams, taking a more holistic
customer experience, improved risk decision the operating model. Whatever the particular
technology architecture to support a better customer approach to common processes and technologies
making, and greater cost efficiencies. The choice, institutions will need to bring together
experience, improved risk decision making, and and doubling down on analytics—potentially
organizational structure can then be reconfigured
greater cost efficiencies. The organizational structure
the right people in agile teams, taking a more
creating “fusion centers,” to develop more
ascan
needed.
then be(Exhibit 4). as needed. (Exhibit 4).
reconfigured holistic approach
sophisticated to common
solutions. processes
It is entirely feasibleand
that
technologies and doubling down on analytics –
an institution will begin with the collaborative
From collaboration to holistic unification
Frommodels
collaboration to holistic unification potentially
model creatingmove
and gradually “fusion centers,”
toward to develop
greater
Three for addressing financial crime
Three models for addressing financial crime more sophisticated solutions. It is entirely
integration, depending on design decisions. We feasible
are important for our discussion. They are
are important for our discussion. They are that seen
have an institution
many banks willidentify
begin with theintegration
partial collaborative
distinguished by the degree of integration they
distinguished by the degree of integration they as their and
model target state, with
gradually move a view that full
toward AML
greater
represent among processes and operations for
represent among processes and operations integration
integration,is depending
an aspiration.on design decisions. We
the different types of crime (Exhibit 5).
for the different types of crime (Exhibit 5). have seen many banks identify partial integration
as their target state, with a view that full AML
integration is an aspiration.
Financial crime and fraud in the age of cybersecurity 5
Exhibit 4
At their core, all functions perform the same three roles using similar data and processes.
Identification: “Who is my Monitoring: “What transactions Response: “How do I respond
customer?” are legitimate?” to a threat?”
Fraud • Identity verification, including • Transaction monitoring and • Investigations and resolutions teams
digital and nondigital presence decision making
• Device and voice analytics
Synergies across • Risk scoring of customers using • Risk scoring of transactions • Common feedback loop to
functions common and similar customer using similar analytics and develop a holistic view on modus
data, such as financials, digital common use cases based on operandi and drive top-down
footprint, nondigital records timing, destination, source, use-case development
value and frequency, device, • Pooling of resources and capabilities
and geolocation intelligence
1. Collaborative model. In this model, which for (including taxonomies) are shared, and
most banks represents the status quo, each similar interdiction processes are deployed.
1. of the domains
Collaborative – financial
model. In this crime,
model, fraud, and
which for ofDeeper
defense.integral advantages
Each unit prevail, including
maintains independence
most banks represents
cybersecurity – maintain the their
statusindependent
quo, each in consistency
this model butinworks
threatfrom a consistent
monitoring and detection
of the responsibilities,
roles, domains—financial andcrime, fraud, and
reporting. Each framework and taxonomy, following
and lower risk of gaps and overlap. Themutually
cybersecurity—maintain their independent
unit builds its own independent framework, roles, accepted
approach rules and responsibilities.
remains, Thus a with
however, consistent
responsibilities, and reporting.
cooperating on risk taxonomy and data andEach unit builds consistent architecture for prevention
the existing organizational structure (such
and little
its own independent framework, cooperating as for customer authentication) is adopted,
analytics for transaction monitoring, fraud, disrupts current operations. Consequently,
on risk taxonomy and data and analytics for risk-identification and assessment processes
and breaches. The approach is familiar to transparency is not increased, since separate
transaction monitoring, fraud, and breaches. (including taxonomies) are shared, and
regulators, but offers banks little of the reporting is maintained. No benefits of scale
The approach is familiar to regulators, but offers similar interdiction processes are deployed.
transparency needed
banks little of the to develop
transparency neededa holistic
to accrue,
Deeper and with
integral smaller operational
advantages units still in
prevail, including
view of financial-crime risk. In addition,
develop a holistic view of financial-crime risk. theIn place, the model is less attractive to
consistency in threat monitoring and detection top talent.
collaborative model oftenmodel leadsoften
to coverage
addition, the collaborative leads to 3. and lower risk
Unified of gaps
model. and fully
In this overlap. The approach
integrated
gaps or overlaps
coverage among the
gaps or overlaps separate
among groups
the separate remains, however, consistent with the existing
approach, the financial crimes, fraud, and
and failsand
groups to achieve the benefits
fails to achieve of scale
the benefits that
of scale organizational structure and little disrupts
cybersecurity operations are consolidated
that come
come withwith greater
greater functional
functional integration.The
integration. current operations. Consequently, transparency
into a single framework, with common assets
The model’s
model’s reliance
reliance on on smaller,
smaller, discreteunits
discrete is not increased, since separate reporting is
unitsalso
also means banks will be less able to attract top
and systems used to manage risk across the
maintained. No benefits of scale accrue, and
means banks will be less able to attract top
leadership talent. enterprise.
with The model
smaller operational hasstill
units a single view
in place, theof the
leadership talent.
customer
model is lessand shares
attractive toanalytics.
top talent. Through risk
2. Partially integrated model for cybersecurity
2. Partially integrated model for cybersecurity convergence, enterprise-wide transparency
and fraud. Many institutions are now working 3. Unified model. In this fully integrated approach,
and fraud. Many institutions are now working on threats is enhanced, better revealing the
toward this model, in which cybersecurity and the financial crimes, fraud, and cybersecurity
toward this model, in which cybersecurity
fraud are partially integrated as the second line and most important
operations underlying
are consolidated intorisks. The unified
a single
fraud are partially integrated as the second line model also captures benefits of scale across
of defense. Each unit maintains independence key roles and thereby enhances the bank’s
in this model but works from a consistent ability to attract and retain top talent. The
framework and taxonomy, following mutually disadvantages of this model are that it entails
6 accepted
Financial rules
crime and fraudand
in theresponsibilities.
age of cybersecurity Thus, a significant organizational change, making
consistent architecture for prevention (such bank operations less familiar to regulators. And
as for customer authentication) is adopted, even with the organizational change and risk
risk-identification and assessment processes convergence, risks remain differentiated.
Exhibit 5
The three models address financial crime with progressively greater levels of
operational integration.
Traditional: collaboration Ongoing: partial integration1 Future: complete integration
Model features • Independent reporting, roles, and • Each financial-crime unit • Consolidated unit under a single
responsibilities for each type of maintains independence but framework using common assets and
financial crime uses a consistent framework systems to manage risks:
• Independent framework built and taxonomy with agreed-upon – Single view of the customer
by each unit rules and responsibilities: – Shared analytics
– Fraud and cybersecurity join
on prevention (eg, on
customer authentication)
– Consistent processes for
risk identification and
assessment
– Similar processes
(eg, interdiction)
Pluses and Least disruptive: maintains the More unified approach with lower risk Underlying risks are converging
minuses status quo of gaps/overlaps Enhanced ability to attract and
Regulators most familiar with Consistent organizational structure retain talent
the model with status quo Standard and common framework
Less visibility into overall Limited disruption from current state on what is being done
financial-crime risk Maintains separate reporting; Benefits of scale across key roles
Potential gaps, overlap among groups does not increase transparency Largest organizational change
No scale benefits No scale benefits While converging, risks remain
Smaller units less able to attract Smaller units less able to attract differentiated
top talent top talent Regulators are less familiar with
setup
1
Mainly cybersecurity and fraud.
framework, with common assets and systems less familiar to regulators. And even with the
Theused
imperative ofacross
to manage risk integration
the enterprise. The
cybersecurity and financial crime, including AML.
organizational change and risk convergence,
Byrisks
degrees,
remainhowever, increased integration can
The model
integration
has aof fraud
single andofcybersecurity
view the customer and differentiated.
shares analytics. Through risk convergence, improve the quality of risk management, as it
operations is an imperative step now, since the
enterprise-wide transparency on threats is enhances core effectiveness and efficiency in all
crimes themselves are already deeply interrelated.
enhanced, better revealing the most important channels, markets, and lines of business.
The enhanced data and analytics capabilities that The imperative of integration
underlying
integration risks.are
enables Thenow
unified model tools
essential also for the
Strategic
The prevention:
integration of fraud andThreats, prediction,
cybersecurity
captures benefits of scale across key roles
prevention, detection, and mitigation of threats. and controls
operations is an imperative step now, since the
and thereby enhances the bank’s ability to
Most forward-thinking institutions are working crimes
The ideathemselves are already
behind strategic deeply interrelated.
prevention is to predict
attract and retain top talent. The disadvantages
towards such integration, creating in stages a The
riskenhanced datajust
rather than andreact
analytics
to it. capabilities that
To predict where
of this model are that it entails significant
more unified model across the domains, based integration
threats will appear, banks need to redesignthe
enables are now essential tools for
organizational change, making bank operations
on common processes, tools, and analytics. AML prevention,
customer detection,
and internalandoperations
mitigation and
of threats.
processes
activities can also be integrated, but at a slower based on a continuous assessment of actual cases
pace, with focus on specific overlapping areas first. of fraud, financial crime, and cyberthreats. A view
of these is developed according to the customer
The starting point for most banks has been the
journey. Controls are designed holistically, around
collaborative model, with cooperation across
processes rather than points. The approach can7
silos. Some
Financial crimebanks are
and fraud now
in the ageshifting from this
of cybersecurity
significantly improve protection of the bank and its
model to one that integrates cybersecurity and
customers (Exhibit 6).
fraud. In the next horizon, a completely integrated
model enables comprehensive treatment of
Exhibit 6
With a ‘customer journey’ view of fraud, banks can design controls with the greatest impact.
Potential fraud attacks in a customer journey, retail-banking example
Customer- Customer opens a new Customer updates Customer pays self or third Customer makes a transfer or
initiated actions account or adds another existing account, eg, adding party through wire, credit deposit into their account
account through online, a beneficiary or changing or debit card, or online
mobile, branch, or ATM address transaction
channels
Attack channel
Most banks begin the journey by closely fraud and AML, into a single global utility. The bank
integrating their cybersecurity and fraud has attained a more holistic view of customer risk
units. As they enhance information sharing and reduced operating costs by approximately
and coordination across silos, greater risk $100 million.
effectiveness and efficiency becomes possible.
To achieve the target state they seek, banks are
redefining organizational “lines and boxes” and,
even more important, the roles, responsibilities, As criminal transgressions in the financial-services
activities, and capabilities required across each sector become more sophisticated and break
line of defense. through traditional risk boundaries, banks are
Most have stopped short of fully unifying the risk watching their various risk functions become more
functions relating to financial crimes, though a costly and less effective. Leaders are therefore
few have attained a deeper integration. A leading rethinking their approaches to take advantage of
US bank set up a holistic “center of excellence” the synergies available in integration. Ultimately,
to enable end-to-end decision making across fraud, cybersecurity, and AML can be consolidated
fraud and cybersecurity. From prevention under a holistic approach based on the same data
to investigation and recovery, the bank can and processes. Most of the benefits are available
point to significant efficiency gains. A global in the near term, however, through the integration
universal bank has gone all the way, combining all of fraud and cyber operations.
operations related to financial crimes, including
Salim Hasham is a partner in McKinsey’s New York office, where Shoan Joshi is a senior expert; Daniel
Mikkelsen is a senior partner in the London office.
Critical infrastructure
companies and the
Risk Practice
global cybersecurity
Critical infrastructure
threat
companies and the global
cybersecurity threat
How the energy, mining, and materials industries can meet the
unique
Howchallenges
the energy,ofmining,
protecting themselves
and materials in a digital
industries canworld.
meet the unique
challenges
by Adrian ofDhingra,
Booth, Aman protecting themselves
Sven Heiligtag, in a and
Mahir Nayfeh, digital
Danielworld.
Wallance
by Adrian Booth, Aman Dhingra, Sven Heiligtag, Mahir Nayfeh, and Daniel Wallance
April 2019
1
Forrester consulting study commissioned and published by Fortinet, May 2018.
2
Operational-technology systems include centralized, human-interface control systems such as supervisory control and data-acquisition
systems (SCADA), industrial control systems (ICS), distributed control systems (DCS), industrial Internet of Things (IoT) devices that send
and receive feedback from machinery, and programmable logic controllers (PLC) that relay commands between SCADA and IoT field
devices.
A large state-owned oil-and-gas The company suffered a ransomware accompanying this article). The company
company was facing frequent attack, email phishing campaigns, also tailored industrial security standards
cyberattacks, even as it was undertaking and defacement of its website. As the to the oil-and-gas industry and its
a digital transformation that increased company was digitizing many systems, regional context. A security operation
the exposure of its critical systems. A including critical controllers, massive center was established to monitor
successful attack on its assets would amounts of data were exposed to and react to threats, and a data-loss-
harm the economy of an entire nation. potential manipulation that could trigger prevention program was set up to avoid
disastrous accidents. The company leaks.
Over 18 months, this multibillion-dollar
focused on three important steps.
organization was able to protect its assets Third, the company outlined its plan for
and improve its overall digital resilience First, it defined and protected its “crown a holistic cybersecurity transformation,
by transforming its cybersecurity posture. jewels”: its most important assets. It including a three-year implementation
The transformation engaged 30,000 comprehensively mapped its business program with prioritized initiatives,
employees across 450 sites in addressing assets and identified the most critical, estimated budget, and provisions
security issues every day. This experience from automated tank gauges that to integrate cybersecurity into the
offers a good example of how a critical- manage pressure and oil levels on oil rigs digitization effort. To ensure that effort
infrastructure company can meet the to employee health records and customer did not create new vulnerabilities, the
global cybersecurity threat and commit to credit-card information. The company company created the new digital systems
the cyber-resilience journey. created a library of controls to be “secure by design,” creating secure
coding guidelines and principles.
The company operates across the to protect these crown-jewel assets,
industry value chain, upstream, which are now being brought on line. The achievements were impressive. The
midstream, and downstream. It had cybersecurity organization is now fully
Second, the company focused on rapidly
suffered attacks on both its IT and built, with a focus on improving resilience
building capabilities. To address siloed
operational technology (OT) systems, daily. The company is on its way to
IT and OT operations, it created an
which, as in most companies, were siloed ensuring that it can continue to reliably
integrated cybersecurity organization
from each other. Attacks hit IT network supply the energy its nation needs,
under a chief security officer aligned
security and the supervisory control supporting a major share of the country’s
with the risk function (see Exhibit 1
and data-acquisition (SCADA) systems. GDP growth.
become a matter of national security involving In many cases, this digitization has allowed access
government bodies and intelligence agencies. to these OT devices from the wider internet, as
well. According to analysis of production OT
Collateral damage in nonspecific attacks
networks by CyberX, an industrial cybersecurity
The electricity, oil-and-gas, and mining sectors
company, 40 percent of industrial sites have at
have been rapidly digitizing their operational
least one direct connection to the public internet,
value chains. While this has brought them great
and 84 percent of industrial sites have at least one
value from analysis, process optimization, and
remotely accessible device. 3
automation, it has also broadened access to
previously isolated ICS and SCADA devices by
users of the IT network and third parties with
physical and/or remote access to the OT network.
3
CyberX report on global industrial control systems and Internet of Things risk (2018).
4
Ibid.
5
“Shell Oil Strengthening Cybersecurity,” ciab.com.
Exhibit 1
Of four approaches to IT and OT security, only one integrates them, using a CSO aligned
with the risk function.
Distribution of responsibilities, by security approach Primary responsibility Shared responsibility
Led by a CISO,1 whose location will vary, typically within IT, risk, or security department Led by a CSO2
No clear direction of OT3 so CISO advises and has CISO is accountable, but Single accountability
defaults to operations oversight, operations directs not responsible for execution for IT, OT; cyber is part of
in OT risk agenda
OT security functions CISO Ops IT CRO4 CISO Ops IT CRO CISO Ops IT CRO CSO Ops IT CRO
Policy setting
Standards creation
Security architecture
and engineering
Execution
deployment
Operations/maintenance
(within perimeter)
Operations/maintenance
(perimeter/IT interface)
Operations/maintenance
(physical security)
Adherence
— Earliest stages of maturity; — CISO advises on security — CISO determines policy and — CSO spans IT and OT; owns
OT cybersecurity ownership policy, but has little influence standards centrally security end to end
defaults to business units over operations — Operational units responsible — Collaboration between
— Decentralized policy and — Execution, operations, for execution and operations security and CRO for policy
standard setting and maintenance with setting, architecture,
operational units adherence
1
Chief information-security officer.
2
Chief security officer.
3
Operational technology.
4
Chief risk officer.
between the OT and IT networks enable — Unified identity and access management.
companies to inspect the traffic traversing that These tools allow the company to centralize
gateway. They also automate a system’s ability adding, changing, and removing user access
to execute policy changes and block newly to OT systems and devices. This is linked to the
identified threats. Best practice also calls for organization’s identity-management system,
traversing that gateway. They also automate a — Unified identity and access management.
placing critical assets and systems in separate providing robust authentication. This approach,
system’s ability to execute policy changes and These tools allow the company to centralize
zones to limit the impact from a compromise; for pervasive in IT, has been adopted as a standard
block newly identified threats. Best
example, a fail-safe system in a separate zonepractice adding,
in OT changing,inand
environments the removing usersector.
US electricity accessIt
also
from calls for placing
the SCADA. criticalfirewall
Incumbent assetsproviders
and to OT systems
reduces the risk ofand devices.
attack This is“super-user”
by limiting linked to the
systems in separate
are tailoring zonesfortoOT.
their solutions limit the impact organization’s
accounts. It allowsidentity-management
the company to trace whosystem,
from a compromise; for example, a fail-safe providing robust authentication. This approach,
system in a separate zone from the SCADA. pervasive in IT, has been adopted as a standard
Incumbent firewall providers are tailoring their in OT environments in the US electricity sector. It
solutions for OT. reduces the risk of attack by limiting “super-user”
accounts. It allows the company to trace who
Exhibit 2
7.8
7.3
Average 6.2
6.5
6.0 5.8 5.7
5.4
5.0 4.9 4.9
4.5
4.3
Source: IT Key Metrics Data 2018: Key IT Security Measures: By Industry, Gartner.com, 2018
Adrian Booth is a senior partner in McKinsey’s San Francisco office, Aman Dhingra is an associate
partner in the Singapore office, Sven Heiligtag is a senior partner in the Hamburg office, Mahir Nayfeh
is a partner in the Abu Dhabi office, and Daniel Wallance is a consultant in the New York office.
The authors wish to thank Rhea Naidoo and Rolf Riemenschnitter for their contributions to this article.
The cybersecurity
posture of financial-
services companies:
IIF/McKinsey Cyber
Resilience Survey
Cyberrisk has become one of the top risk concerns among financial-
services firms, and new research from the Institute of International
Finance (IIF) and McKinsey can help provide an understanding
of ways firms can enable and strengthen cyber resilience.
A practical approach
to supply-chain risk
Operations Practice
A practical approach
management
to supply-chain risk
management
In supply-chain risk management, organizations often don’t
know where to start. We offer a practical approach.
In supply-chain risk management, organizations often don’t
know
by Tucker Bailey,where to start.Arnav
Edward Barriball, WeDey,
offer
and a
Alipractical
Sankur approach.
March 2019
Exhibit 1
Assess value-chain nodes to identify key risks.
New-product
Plan Source Make Make Deliver
introduction
(internal) (external)
(NPI)
Exhibit 2
Layers of defenses help organizations manage unknown risks.
Significant
operational event
• Irrecoverable
asset damage
Sources
of risk • Catastrophic
personnel injury
• Significant
environmental
or local impact
Tucker Bailey and Edward Barriball are partners in McKinsey’s Washington, DC office. Arnav Dey is an engagement manager
in the Boston office, and Ali Sankur is a senior practice manager in Chicago.
Tucker Bailey and Edward Barriball are partners in McKinsey’s Washington, DC office. Arnav Dey is an
6
engagement manager in the Boston office, and Ali Sankur is a senior practice manager in Chicago.
A practical approach to supply-chain risk
© Cogal/Getty Images
October 2019
The race for cybersecurity: Protecting the connected car in the era of new regulation 83
In the past, what happened in your car The cybersecurity playing field tilts
typically stayed in your car. That is no longer in favor of attackers
the case. The influx of digital innovations,
To be sure, the economics of car cybersecurity
from infotainment connectivity to over-the-air
are inherently unfair: with the right state-of-
(OTA) software updates, is turning cars into
theart tools, attacks are relatively affordable,
information clearinghouses. While delivering
loweffort affairs. Mounting a coherent defense
significant customer value, these changes
for the complex value chain and its products,
also expose vehicles to the seamier side of the
on the other hand, requires increasingly higher
digital revolution. Hackers and other black-hat
effort and investment. So far, this reality tilts the
intruders are attempting to gain access to critical
playing field in favor of the attackers. Examples
in-vehicle electronic units and data, potentially
abound across the industry. For example, white-
compromising critical safety functions and
hat hackers took control of the infotainment
customer privacy.
system in an electricvehicle model. They exploited
a vulnerability in the in-car web browser during
Cybersecurity becomes a core product a hacking contest, causing the electric-vehicle
and value-chain issue maker to release a software update to mitigate
Cybersecurity has risen in importance as the the problem. In another white-hat hack, a Chinese
automotive industry undergoes a transformation security company found 14 vulnerabilities in
driven by new personal-mobility concepts, the vehicles of a European premium-car maker
autonomous driving, vehicle electrification, and in 2018. Another global automaker recalled
car connectivity. In fact, it has become a core approximately 1.4 million cars in 2015 in one of
consideration, given the digitization of in-car the first cases involving automotive cybersecurity
systems, the propagation of software, and the risks. The impact of the recall was significant,
creation of new, fully digital mobility services. with a potential cost for the OEM of almost $600
These services include arrays of car apps, online million, based on our calculations.
offerings, vehicle features that customers can
buy and unlock online, and charging stations for The automotive industry lacks a
e-vehicles that “talk” to on-board electronics. standard approach for dealing with
Today’s cars have up to 150 electronic control cybersecurity
units; by 2030, many observers expect them For an industry used to breaking down complex
to have roughly 300 million lines of software challenges and standardizing responses,
code. By way of comparison, today’s cars have cybersecurity remains an unstandardized anomaly.
about 100 million lines of code. To put that into Thus far, automotive suppliers have a hard time
perspective, a passenger aircraft has an estimated dealing with the varying requirements of their OEM
15 million lines of code, a modern fighter jet about customers. Consequently, they try to balance the
25 million, and a mass-market PC operating use of common security requirements that go into
system close to 40 million. This overabundance their core products against those via the software
of complex software code results from both adjustments made for individual OEMs. However,
the legacy of designing electronics systems current supplier relationships and contractual
in specific ways for the past 35 years and the arrangements often do not allow OEMs to test the
growing requirements and increasing complexity end-to-end cybersecurity of a vehicle platform
of systems in connected and autonomous cars. It or technology stack made up of parts sourced
generates ample opportunity for cyberattacks – from various suppliers. That can make it difficult
not only in the car but also along the entire value for both suppliers and OEMs to work together to
chain (Exhibit 1). achieve effective cybersecurity during automotive
software development and testing.
84 The race for cybersecurity: Protecting the connected car in the era of new regulation
Insights 2019
The race for cybersecurity: Protecting the connected car in the era of new regulation
Exhibit 1 of 3
Exhibit 1
The advancement of electrical and electronic architecture and digitalization of the car
ecosystem increases attack surface and leads to increasing cyberrisk.
Vehicle ecosystem, illustrative Emerging cyberrisks, not exhaustive
under the United Nations Economic Commission integral part of their core business functions and
for Europe (UNECE) is expected in 2020 to development efforts.
finalize its regulation on cybersecurity and
The race for cybersecurity: Protecting the connected car in the era of new regulation 85
Insights 2019 upcoming UNECE regulation only as the beginning While still relatively new, the in-car cybersecurity
The race for cybersecurity:
of a new era ofProtecting the connected
technical compliance car in the
regulation in era of new regulation
threat will remain an ongoing concern. As such,
Exhibit 2 of 3 the automotive sector addressing the increase and automakers must now consider cybersecurity an
significance of software and connectivity within integral part of their core business functions and
the industry. development efforts.
Exhibit 2
More than 24 million cars will be affected under the new World Forum for Harmonization of
Vehicle Regulations on cybersecurity and software updates.
Countries party to
1958 Agreement,1
as of Dec 2018
Top 10 countries party to 1958 Agreement by vehicle sales, 2019 estimate, million
5.2
3.8
2.6 2.6
2.1
1.9 1.8
1.5
1.1
1.0
Japan Germany United France Italy Russia South Spain Australia Thailand
Kingdom Korea
1
Agreement concerning Adoption of Harmonized Technical United Nations Regulations for Wheeled Vehicles, Equipment and Parts which can be Fitted and/or be Used
on Wheeled Vehicles and the Conditions for Reciprocal Recognition of Approvals Granted on the Basis of these United Nations Regulations (original version adopted
in Geneva on Mar 20, 1958).
Source: Automotive sales forecasts, IHS Markit, ihsmarkit.com; “ECE/TRANS/WP.29/343/Rev.27,” United Nations Economic Commission for Europe, March 11, 2019,
unece.org
What is more, the industry can no longer view have a strong record of establishing a culture of
cybersecurity as purely an IT topic. Instead, safety – but not yet in cybersecurity. Looking
automakers need to assign ownership and beyond automotive-industry borders, it becomes
responsibility for it along core value-chain clear that many digital natives have demonstrated
activities (including among their numerous how to build strong security cultures in their
4 suppliers) and embrace a security culture among
The race for cybersecurity: Protecting the connected car in the era of engineering
new regulation departments (not just in IT). At the
core teams. Likewise, suppliers in the automotive best digital companies, everyone understands the
industry need to embrace OEM concerns on importance of cybersecure coding practices, and
cybersecurity, develop capabilities to embed the organizations maintain engineering-outreach
security best practices in their components, and and -education programs that train people in
collaborate effectively with OEMs on integration cybersecurity, enticing them to look below the
and verification of end-to-end cybersecurity surface and raise the cybersecurity bar constantly.
solutions.
This requires the creation of a real, software- Including cybersecurity in design
centric cybersecurity culture, given the from the start
pervasiveness of the cybersecurity threat along Carmakers must securely design vehicle platforms
the entire value chain. Carmakers themselves and related digital mobility services from the start.
86 The race for cybersecurity: Protecting the connected car in the era of new regulation
That is because the inherent complexity of vehicle
High-tech companies, such as smartphone
platforms, with their long development cycles and
suppliers, currently deal with this issue by
complex supply chains, do not allow for late-stage
releasing software updates and security fixes
architectural changes. Furthermore, regulators
for their products after the initial sales (in many
form strict requirements for OEMs to obtain type
cases, new operating-system fixes also support
approvals for new vehicles (Exhibit 3). some oldergeneration products). However, this is
typically limited to a period of two to three years,
Automotive players must consider cybersecurity
while vehicles have an average service life of a
over the entire product life cycle and not just up
decade or even more. With the advent of OTA
to when the car is sold to a customer, because
software upgrades, automakers could maintain
Insights 2019 new technical vulnerabilities can emerge at any
the fleets on the road in a cost-effective way,
time. These issues can have a direct impact on
The race for cybersecurity: Protecting the connected car in the era of new
in contrast with regulation
the current practice of costly
Exhibit 3 of 3
customers and cars already on the road, thus
reprogramming (“reflashing”) of car electronic
effectively requiring OEMs to provide security-
control units at the dealer.
related software patches well into the car’s
ownership life cycle.
Exhibit 3
Upcoming regulations require automotive OEMs to step up cybersecurity activities along the
entire value chain.
United Nations Economic Commission for Europe cybersecurity requirements
Identify and manage cyberrisk to vehicle types (includes suppliers and service providers)
Analyze cyberthreats
and create risk-treatment plan
Securing
vehicles and Build cybersecurity into system design
ecosystems and contain known vulnerabilities in Protect integrity of hardware/software
used hardware/software components components from suppliers (eg, contractual clauses)
Providing
secure Identify target vehicles for updates and
software assess impact on certified systems and
updates compatibility with vehicle configuration
Source: “Draft recommendation on cybersecurity software updates of the task force on cybersecurity and over-the-air issues,” ISO/SAE 21434:2018 Committee, United
Nations Economic Commission for Europe, World Forum for Harmonization of Vehicle Regulations; McKinsey analysis
Johannes Deichmann is an associate partner in McKinsey’s Stuttgart office, and Benjamin Klein is a
specialist in the Berlin office, where Gundbert Scherf and Rupert Stützle are both partners.
The authors wish to thank Georg Doll, Ralf Garrecht, and Wolf Richter for their contributions to this article.
88 The race for cybersecurity: Protecting the connected car in the era of new regulation
Build cybersecurity into business products and processes
Defense of the
cyberrealm: How
organizations can
thwart cyberattacks
Governments and companies have much work to do to protect
people, institutions, and even entire cities and countries
from potentially devastating large-scale cyberattacks.
In this episode of the McKinsey Podcast, Simon London speaks with McKinsey senior partner
David Chinn and cybersecurity expert Robert Hannigan, formerly the head of GCHQ (Government
Communications Headquarters), about how to address the major gaps and vulnerabilities in the
global cybersecurity landscape.
Exhibit 1
Exhibit 2
The Internet of Things is simply connecting more processes and more devices to the internet.
to use the changes to data, or to put out false data, David Chinn: Robert, it’s interesting what you
to affect the value of a company. say because in a sense, government has three
challenges. One, it is an actor in cyberspace in
David Chinn: Fake news is a great example. They
service of national interest, usually in secret.
haven’t affected the integrity of the core data.
They’re just simply putting out noise. In the reports Second, it has to protect itself from cyberattack.
on the attacks of the integrity of the electoral And third, it has to create, at the minimum, an
system in the United States, in a system which is environment which protects the citizens and
highly distributed, where different standards and businesses of the country.
technologies are used across the United States,
My observation would be that, at least reportedly,
there was clear evidence of attempts to penetrate
the UK is very good in the first. Your old institution
electoral registers. You imagine changing the
is a world-class actor in the national interest in
electoral register so that people of a certain party
cyberspace. The second is quite hard, defending
simply didn’t appear. In the hustle and bustle of
government, because there’s so much of it.
Election Day, they probably wouldn’t get to place
their votes. That could dramatically undermine The technical skills of government, government IT,
trust in democracy. are continually in the newspapers and in the public
accounts committee as being something that we
Simon London: Robert, we’re lucky to have you
struggle to do well. Simple things, like putting a
on the podcast today. Why don’t you talk a little bit
working computer on everybody’s desk, let alone
about what is the role of government in all of this?
defending those networks.
Robert Hannigan: It’s a challenge that every
Robert Hannigan: Most governments, including
government is grappling with in different ways
the UK, have focused their attention on protecting
and has been over the last ten years. There are
government networks, sometimes interpreted
a couple of things that make cyber particularly
slightly more broadly to take in some critical bits of
difficult. One is cyberdefense undercuts the
national infrastructure that really, really matter, but
assumption that government can do defense for
to encourage the rest of the economy to get better.
everybody.
So we spent ten, 15 years, in a sense, preaching at
David has spent a lot of his time dealing with companies to get them to raise their standards.
government defense in a traditional sense. And
There was quite a critical shift, certainly in the UK,
you, as a citizen, expect government to defend you
about three or four years ago, where we decided
using the armed forces. It’s unrealistic to expect
that a security model that depended on everybody
government to do cyberdefense in the same way for
and every company doing the right thing all the
the whole economy, because of the scale of it, and
time was almost bound to fail. The whole system
because most of what you’re dealing with is outside
was not designed with security in mind, so the
government. Quite apart from the fact that the skills
people who invented the internet and then the
and resources just aren’t there in government to do
web that sits on it didn’t have security at the front
it on that scale. So that’s one problem.
of mind, and so we are retrofitting that, and have
The other problem is that cyber is crosscutting been over the last 15 years.
in every sense. It is in a new domain, so it’s a bit
Things like scanning websites for vulnerabilities,
like discovering water or air. Every department,
which is, again, being done across government,
every part of the economy, is dependent on this,
you could do nationally, and you could make that
increasingly, as we digitize more and become more
available nationally. One of the problems, I think,
dependent. You can’t really point to a single bit
is that because the internet wasn’t designed with
of government and say, “You’re responsible for
security in mind, security is seen as something you
cyber.” That was the tendency in the early days.
need to add on rather than something that’s built in.
The answer has to be to find a way of organizing
We need to reach a point where security is
government that gives sufficient speed and
designed in and is there by default, particularly
command and control to deal with the pace at
with the Internet of Things. That may require some
which digital networks work and cyberattacks
regulation and certainly will require bits of the
work but that actually drags out the whole of
economy, including insurance, to start to drag up
government to be good at cybersecurity, because
standards.
if any one bit is bad at it, the whole system suffers.
Exhibit 3
Robert Hannigan: I would say Singapore and Israel are doing it very well, in slightly different
models. Australia has chosen a model that’s similar to the UK model [Exhibit 4]. Having it all in
one place effectively. Certainly, the operational side of cyber.
Most governments are organizing and constantly tweaking the system. There are very different
models, and in Europe, perhaps in Germany especially, the cyber agencies are purely civilian.
Defense of the cyberrealm: How organizations can thwart cyberattacks 97
And then there is a secret-world element of cyber, and I think they’re also looking at how to
Simon London: It sounds like we’re in an era of “Yes, there are things that we could do at national
institutional innovation, in many ways – to some scale.”
degree, institutional improvisation to try and figure
The problem, I suppose, at the risk of sort of
out what models work in what context.
making excuses, is that the nature of cyberspace,
Robert Hannigan: Absolutely. I think the military’s however defined, makes politicians feel quite
a very good example, particularly outside the US. impotent, because it cuts across jurisdictions.
The US is ahead of anybody, I think, in developing They can pass laws in their own parliament that
cyberskills in the military at scale. really have zero effect. They can regulate their own
companies, but not necessarily others. That is a
On the broader point about civilian structures
real problem.
and civilian/military, I think the one thing that is
probably key is that many of the questions are For cybercrime, for example, most of it is based in
the same, starting with, “What does government countries which are either endemically corrupt or
actually want to achieve?” And not being unwilling to do anything about it for geopolitical
overambitious in what government can achieve, reasons. What do you do about that? I mean
and what’s the appropriate role of government, is there’s a much bigger context here of international
a good starting point. And trying to define what relations, and we are a million miles from getting
people expect from their government. Things any kind of international agreements on the
like a single source of advice, incident response, security and safety of cyberspace.
protection of certain networks. I think that is a
Simon London: David, you were the rousing voice
conversation that just about every government is
of critique just now. What should be done?
having in different ways.
David Chinn: First, a sophisticated debate around
David Chinn: But I think there’s a paradox here,
the legislative and regulatory environment. The
because if you were to interview the chairman or
use of product liability has been very effective
chief executive of any large corporation and ask
in other sectors for changing the game for the
them what’s their top three risks, cyber would be
manufacturers. A robust thinking about product
on that top three, for every single one. And for
liabilities, extension to the technology arena,
many of them, it would be number one. Yet, if we
would frankly have quite a chastening effect on
look at what governments are doing, this is the one
industry.
area of national security, of crime prevention and
prosecution of critical national infrastructure, that Simon London: In other words, selling a product
governments have, to a large extent, abdicated that has technology embedded that is deemed to
their responsibility. Great, some small steps. And be insecure could be breaking the law.
sorry, I don’t mean to be critical of what was a David Chinn: Well, not necessarily breaking the
big small step. But exalting the private sector law, but would expose you to civil action that could
to do better feels like a very different role that have severe financial consequences. Effectively, it
government takes in almost every aspect of life would create a market mechanism for valuing more
that would feature for most people in their top secure products. Second, there is room for some
three risks. I think there’s a lot more to do, but better and some more regulation. For example, if
unfortunately we may have to wait for a genuine you want to sell anything to the UK government,
event – people talk of the cyber 9/11 – to create a you have to meet a minimum standard called Cyber
big change in focus, understanding, spending, and Essentials. This is not the most sophisticated, but,
so on. as we’ve discussed, most of the attacks are not the
Simon London: Let me just put that back to you. most sophisticated attacks.
What should be done? These kind of standards are very helpful because
David Chinn: What would your list be, Robert? they’re easily adopted by people for their own
supply chains. I think a promulgation of standards,
Robert Hannigan: Your criticism is very fair. I
ideally with some degree of harmonization. And it’s
mean I think the government has moved from an
very interesting, in the US the national standards
absolutely sort of hands-off position to say, “Well,
organization, NIST (National Institute of Standards
we’ll look after our networks, but everybody else
and Technology), has created a number of models,
should get better.” And sort of slightly hectoring
which have got global acceptance. Once an
them when they’re not good enough. To saying,
authority puts it out there in a world where
David Chinn is a senior partner in McKinsey’s London office, and Robert Hannigan, the former head of
GCHQ, is a senior adviser to McKinsey. Simon London, a member of McKinsey Publishing, is based in
McKinsey’s Silicon Valley office.
Understanding the
uncertainties of
cybersecurity: Questions
for chief information-
security officers
Given the dynamic nature of the cybersecurity environment, CISOs need
to address a set of questions that will shape their strategies over time.
by Venky Anant, Tucker Bailey, Rich Cracknell, James Kaplan, and Andreas Schwarz
100 Understanding the uncertainties of cybersecurity: Questions for chief information-security officers
At a highly dynamic moment of change in the and which perceptions and actions (or failures to
way companies use technology, cybersecurity act) might heighten their concerns.
is probably the most dynamic of all corporate
2. How will different regulatory, political, and
technology domains. The field and the companies
cultural expectations about data protection
that rely on it are being transformed as an uncertain
across national boundaries shape the security
geopolitical environment emboldens potential
environment?
cyberattackers, rapid technological innovation
Perhaps paradoxically, while consumers have
creates new ways to launch and repel cyberattacks,
been relatively blithe about their data, privacy and
and cybersecurity’s emergence as a critical
security have continued to be hot-button political
business function prompts experimentation with
and regulatory issues. Jurisdictions such as Brazil,
organizational and operating models alike.
California, and the European Union have started
In such an environment, perfect foresight is to implement tough new requirements on data
impossible. Yet business, technology, and privacy. But regulations in different jurisdictions
security executives all have a responsibility to may contradict each other or create conflicts
understand the important uncertainties and to between compliance and security – particularly by
develop practical working hypotheses about how constraining the forensics a company can perform
to manage them. To help these senior managers, on its own network to identify insider threats or
we’ve compiled a list of the key questions they compromised accounts. (Regulators might perceive
ought to ask over the next 12 to 18 months. those actions as inimical to the privacy rights of
employees.) Authoritarian states may demand that
Evolving market expectations companies limit security or privacy protections
for their customers or employees as a condition of
Two of these questions focus on market
doing business in those places. That in turn may
expectations: whether consumers will start to
spark public frustration and anger elsewhere.
care about security issues and the way differing
regulatory, political, and cultural expectations Going forward, companies will certainly have to
about data protection shape security across think about tailoring their security models to the
national boundaries. requirements of different national markets. Some
may have to make tough choices about whether
1. Will consumers start to care about privacy
they can reconcile expectations about privacy and
and security?
security in all the markets where they might ideally
Anyone who has observed the procurement
like to do business.
of group health insurance, pharmacy-benefits
management, prime brokerage, or IT-outsourcing
services knows that corporate customers care Evolving risks
a lot about how their suppliers protect sensitive The next set of questions focuses on evolving
data. But with a few exceptions – such as high- risks: whether companies will be collateral
net-worth or mass-affluent purchasers of financial damage, coopted or directly targeted by nation-
services – the consumer market just doesn’t seem state actors; how companies will protect their data
to care about privacy or security. Most breaches in a world of pervasive sensors and protect their
involving personally identifiable information machine-learning capabilities; and how quickly
haven’t affected revenues or market share in any quantum computing will become a security threat.
sustained way.
3. To what extent will companies be collateral
Yet in view of the relentless attention to privacy damage, coopted or directly targeted by
and security issues in the press and the political nation-state actors?
arena, this indifference could certainly change. As the NotPetya attack showed, nation states
Companies have a responsibility to protect all increasingly use cybertools as weapons of
consumer data, but when senior executives think domestic and military tradecraft. Originally
through their risk appetites, levels of investment, directed at targets in Ukraine, NotPetya wreaked
and incident-response plans, they must consider havoc on unprotected networks around the world.
not only how sensitive consumers in general are Another harbinger of what’s to come: it has been
but also who may be the most sensitive consumers widely reported that NotPetya was derived from
Understanding the uncertainties of cybersecurity: Questions for chief information-security officers 101
a stolen exploit originally developed by the US 5. How can companies protect their machine-
National Security Agency.1 learning capabilities?
Businesses are racing to implement machine-
In an era of renewed great-power conflict, countries
learning systems to detect fraud, improve pricing,
increasingly promote their global interests by
rationalize supply chains, and optimize dozens
means other than war. During the past several
of other business decisions. For all these use
years, asymmetric approaches (such as cybertheft,
cases, decision algorithms improve over time as
cyberattacks, malign influence, and media
more data generate better insights about the
manipulation) have taken advantage of unsuspecting
connections between inputs and the objective
content providers, critical national-infrastructure
function to be optimized. This is a fundamental
operators, and intellectual-property producers.
change – analysts can no longer replicate
When global tensions rise and economic algorithms on a pad of graph paper, as they could
interventions become increasingly common in with traditional decision tools. It may therefore
great-power conflict, companies will be collateral be all but impossible to determine whether a
damage; in fact, they will probably be targeted cyberattack has subtly compromised a business
directly in state-against-state cybercampaigns. capability (by reducing the ability to detect fraud,
Similarly, nation states may increasingly use for example). Security organizations and their
for-profit companies as proxies, partners, and business partners may need to develop new
conduits for asymmetric activities. Businesses ways to ensure the validity of machine-learning
must therefore determine how much risk they face algorithms.
from either intentional state-sponsored attacks
6. How quickly will quantum computing create
on them or, as collateral damage, from attacks on
security threats?
other targets.
All security relies on encryption – and on the
4. How will companies protect data in a world of assumption that massive computing resources
pervasive sensors? would be required to decrypt data protected by
The Internet of Things (IoT) dramatically raises even a moderately capable encryption algorithm.
the stakes for cybersecurity – at least potentially, But quantum computers that could crack the RSA-
cyberattackers could manipulate devices that are 1024 encryption standard in less than 24 hours
now becoming connected to networks: for instance, may be only a decade away.2 At a stroke, many
automobiles; heating, cooling, and ventilation of the security technologies the modern world
systems; and industrial machinery. The IoT involves depends on would become ineffective: for example,
huge numbers of network-connected sensors that what would happen to investments in business
will generate massive amounts of sensitive data. processes based on blockchain if the encryption it
The security functions of companies will have to requires could be compromised quickly?
understand what kind of data the devices installed
Of course, defensive capabilities advance just as
on their networks collect, who might benefit from
offensive ones do, and quantum encryption will
compromising the data, and how to secure a whole
probably attempt to protect users against quantum
new technological environment.
decryption. Yet the National Academy of Sciences
Although that goal is challenging, it is at least estimates that it will take 20 years to make
more straightforward than protecting sensitive enterprise networks less vulnerable to quantum-
information in the consumer IoT. Companies based attacks.3 That time frame, and the risk that
prohibit their executives and managers from some attackers may have access to quantum
working with sensitive documents on any personal capabilities well before the next decade’s end,
device and from transmitting them via personal mean that companies – especially in critical
email accounts. Will companies also have to infrastructure sectors – have a responsibility
prevent employees from making or receiving to start early planning for the transition to a
company-related telephone calls at home in rooms quantum world.
with voice-activated smart devices?
1
Andy Greenberg, “The untold story of NotPetya, the most devastating cyberattack in history,” Wired, August 22, 2018, wired.com.
2
Martin Giles, “Quantum computers pose a security threat that we’re still totally unprepared for,” MIT Technology Review, December 3,
2018, technologyreview.com.
3
Emily Grumbling and Mark Horowitz, editors; Quantum Computing: Progress and Prospects, Washington, DC: National Academies
Press, 2019, nap.edu.
102 Understanding the uncertainties of cybersecurity: Questions for chief information-security officers
Evolving security protections and What might a postpassword world look like? It
platforms would probably combine biometric authentication
or authentication based on devices (such as
The next group of questions addresses evolving
phones, which use biometrics) with behavioral
security protections and platforms: how quickly
analytics that can determine, probabilistically, if
a zero-trust model could be adopted, the future
users are legitimate. The advent of the WebAuthn
of passwords, the evolution of the security-tech
standard for using devices to authenticate online
market, and the security problems of cloud
services might be a critical enabler. 5
services.
But a successful transition will require device
7. How quickly could zero trust be adopted?
manufacturers, service providers, and
Most chief information-security officers (CISOs)
commercial-software developers to adopt
have believed for years that the perimeter is less
relevant standards and incorporate them into their
important than it used to be, though they continue
offerings. In many cases, companies may want to
to make investments in perimeter-based controls.
develop the behavioral analytics to complement
Now, as companies start to accelerate their move
biometric authentication. Given the momentum,
into the public cloud, these traditional perimeters
CISOs and other executives may want to start
may become irrelevant for larger and larger parts
putting plans in place now.
of the corporate environment.
9. How will the security-technology market
In the zero-trust model, applications base no
evolve?
trust assumptions on whether a user (or another
The cybersecurity-tooling market has recently
application) is inside the network perimeter. This
been among the most fragmented in enterprise
has several advantages: organizations can set the
technology. Systems architects might have only a
right level of protection for each application and
few practical choices for app servers or database-
dramatically limit the ability of attackers to move
management systems. But their security colleagues
laterally across technology environments.
must sort through dozens of endpoint-protection
Yet companies have decades worth of legacy or antimalware products. Despite the problematic
applications that assume the existence of a complexity, attempts to create integrated security
network perimeter, and very few technology platforms have met with limited success, to date.
organizations have developers with the skills to
Enterprise security leaders planning investments
develop zero-trust applications. Less than 10
should ask the larger market participants to
percent of the CISOs McKinsey surveyed believed
explain what makes their integrated offerings
they could adopt the zero-trust model, even for
compelling. If they can’t, it isn’t clear whether
cloud applications, in the next two or three years. 4
proprietary products will continue to dominate
The key to success in zero trust is the ability to
this space or companies will seek to optimize
understand and go on tracking users, assets,
their security expenditures by adopting open-
and controls simply, but at a granular level – or,
source products. Equally important, how will the
if necessary, to reengineer or reshape them.
answers to these questions differ across market
CISOs will have to caucus with their application-
segments – say, between larger and smaller
development and infrastructure colleagues to
companies or between companies facing threats
determine how quickly their companies can
that are more sophisticated or less sophisticated?
develop the required capabilities.
10. When will large companies be able to
8. When will we finally be able to kill passwords?
consume cloud services securely?
Passwords are terrible. Users hate them, forget
The case for public-cloud infrastructure is exciting:
them, write them down on publicly displayed sticky
access to innovative services for developers,
notes, and use them across accounts – including
near-infinite capacity on demand, and (at least
consumer accounts from providers with security
potentially) lower costs. Yet for large, complicated
vulnerabilities. Eliminating passwords could both
companies – especially in heavily regulated
reduce that vulnerability and improve the user
industries – the pace of adoption has been slow.
experience dramatically.
4
Arul Elumalai, James Kaplan, Mike Newborn, and Roger Roberts, “Making a secure transition to the public cloud,” January 2018,
McKinsey.com.
5
Francis Navarro, “A world without passwords? The web’s weakest link gets long-overdue fix,” komando.com.
Understanding the uncertainties of cybersecurity: Questions for chief information-security officers 103
Some companies with thousands of applications 12. Will the cyberinsurance market protect
(and more than 100,000 servers) desperately want against material cyberrisks?
to leverage the infrastructure of the public cloud For the past decade, market observers have
but have succeeded only in running fewer than ten suggested that cyberinsurance is the next major
applications there. growth area for insurance carriers. Sceptics
have rejoined that it will always be the next
Legacy applications never designed to run
major growth area. For now, the sceptics seem
efficiently in the cloud are part of the problem, but
to be right: the cyberinsurance market has
security is a major bottleneck as well. Security
grown only incrementally and still doesn’t cover
teams are racing to perform risk assessments
most cyberrisks except customer-data-breach
of hundreds of cloud services – first to learn
mitigation and regulatory penalties. Direct costs,
if capabilities such as identity and access
reputational risks, and intellectual-property theft
management (I&AM) and monitoring work in them
do not get meaningful coverage. Since companies
and, second, to build the level of automation that
cannot effectively hedge cyberrisks, they adopt
would make it possible to configure systems
new technologies relatively slowly for fear of their
securely in the cloud. Companies thus need to
adverse cybersecurity implications.
determine just how quickly they can build cloud-
enabled security capabilities, which acceleration As for the insurance carriers, they don’t have good
opportunities they have, and what that means for actuarial data for cyberthreats, know how to model
the overall journey to the cloud. cyberrisks well, or truly understand the cyberrisks
they would insure or the returns on the relevant
11. Will smaller companies use cloud services to
investments. However, new quantitative methods
reduce their security footprint dramatically?
are emerging to assess the likelihood of long-
Some security professionals talk about the
tail cyberevents, and one or more carriers may
cybersecurity poverty line: companies that
succeed in quantifying and insuring cyberrisks. If
annually spend even $50 million or $100 million
so, companies may be able to transfer risks they
a year on IT may struggle to afford all the cyber-
have so far been accepting or mitigating at high
security tools they need and to attract the talent
cost. But that will come to pass only if carriers can
to deploy and manage them. The transition to
dramatically improve their underwriting.
cloud services has challenged larger companies
scrambling to recast their security architectures 13. How will the scope of security organizations
and operations to support a cloud-based develop?
infrastructure. Cybersecurity has become a more important issue
for boards and senior management teams alike.
But the cloud may be a security godsend for
Many companies have therefore started to expand
smaller companies. Their technology executives
the remit of what used to be the information-
(or counterparts in small, independent divisions
security organization, recasting it as the IT-risk
of larger companies) should ask themselves if
group, responsible not only for information
they could dramatically reduce their internally
security but also for technology compliance,
managed technology footprint, their surface area,
the quality of software, disaster recovery, and
and therefore their level of risk by accelerating
business continuity. The goal is to have one
the transition to business applications based on
executive and one team make integrated decisions
software as a service (SaaS) and to SaaS-based
about protecting corporate information and
desktop environments, voice communications,
systems from both accidents and attacks.
and network connectivity. This question will be
especially relevant for private-equity firms, which Other companies, thinking that no clear line
invest in many midmarket companies. separates cybersecurity from physical security in
an increasingly digital world, have integrated them.
Evolving security operating models A few companies have combined cybersecurity
with fraud control because they think that most
The final set of questions focuses on evolving
fraud has an online component and want integrated
operating models for security: whether the
analytics to oppose it. A few other companies
cyberinsurance market will protect against
combine the security and privacy teams, on the
cyberrisks, how the scope of security
theory that customers care only about the misuse
organizations will develop, and how cybersecurity
of their data and don’t distinguish between
talent pools will react to demand.
104 Understanding the uncertainties of cybersecurity: Questions for chief information-security officers
security and privacy. Meanwhile, many companies available and whether it aligns with their overall
have moved much of their security-related strategy. People with low-end cybersecurity skills,
service delivery and technology support into the for example, may become more available long
technology-infrastructure organization, so that before companies can find enough experts with
CISOs and their teams can focus on strategy and the advanced skills required to face off against
risk management. business leaders on cybersecurity issues or to
direct the automation of cybersecurity.
In short, the organizational structure for
cybersecurity hasn’t stabilized. Senior managers
must watch developments in their industries to see
which organizational structures succeed.
Policy decisions, investment choices, and security
14. How will cybersecurity talent pools evolve in
incidents now confront security, business, and
relation to demand?
technology executives with pressing (and often
CISOs disagree on many things, but they almost
exhausting) cybersecurity issues they must address
universally believe that cybersecurity talent is
in the short – and sometimes very short – term. Yet
in short supply. When people chose majors and
in view of the cybersecurity environment’s highly
courses of study in the past, almost nobody
dynamic nature, CISOs and other executives have
expected cybersecurity to be as big an issue as it
a responsibility to think through the longer-term
is today. But for several years now, demand signals
questions raised in this article.
indicating a pressing need for cybersecurity
expertise have been penetrating the talent Companies can address some of the issues
marketplace. Computer-science students are described here – for instance, quantum
beginning to take cybersecurity courses, security computing, pervasive sensors, and the
specialists trained in the military have entered cyberinsurance market – as events unfold in
civilian labor markets, and lawyers and other coming years. Other issues, such as evolving
professionals have gone back to school to retrain consumer expectations and regulatory demands,
themselves as cybersecurity experts. require more immediate attention because they
could have a dramatic impact in the next year or
Technology executives should think about
two. To withstand the coming security onslaught,
their cybersecurity operating models: what to
companies will have to change in important ways.
outsource, how aggressively to automate, and
The questions posed in this article are the natural
which skills to foster internally. As they do, they
starting point.
must know how much cybersecurity talent is
Venky Anant is a partner in Silicon Valley office of McKinsey. Tucker Bailey is a partner in McKinsey’s
Washington DC office. Rich Cracknell is a manager of solution delivery in Silicon Valley. James Kaplan is
a partner in the New York office, where Andreas Schwarz is an expert.
Understanding the uncertainties of cybersecurity: Questions for chief information-security officers 105
Enable digital technology delivery
March 2020
106 Protecting the business: Views from the CIO’s and CISO’s offices
In an increasingly digital era, protecting information Then you need to translate this into digestible
and systems from cyberattack is one of the most content for a non-technical audience, which
important and challenging responsibilities of every requires good soft skills as well.
IT organization. In some cases, business-unit chief
A CISO drives and controls an agenda, and
information officers (CIOs) and enterprise chief
building trust is critical in implementing that
information security officers (CISOs) can have
agenda, because trust is a force multiplier. As a
very different perspectives and agendas, creating
CISO, my priorities are to protect the firm, enable
friction and reducing organizational effectiveness.
the firm to drive growth, and make this growth as
At JPMorgan Chase & Co., which has one of seamless as possible from a security standpoint.
the world’s largest private-sector technology
George Sherman: I think the best CISOs are the
environments, two of the four business-unit CIOs
ones who have learned about policy and controls
have previously served as the bank’s enterprise
but at their core are very strong technologists. The
CISO.
CISO role must evolve with the threat landscape
McKinsey’s James Kaplan spoke with several and technologies. You must understand the
members of JPMorgan Chase’s Global Technology technical side of cybersecurity. But information
leadership team, led by Lori Beer, Global CIO and security and protecting against cyberthreats
member of the company’s Operating Committee, are also about people and process, not just
about effective collaboration between the security technology, so you have to understand all three
and business-unit technology functions, what dimensions in order to fully appreciate what you
makes a good CISO, and how being a CISO can be have to do to protect the firm.
valuable preparation for being a CIO.
Sometimes you have to go slow to go fast. It’s the
Rohan Amin is CIO of Consumer & Community old race-car analogy. You can go really fast in a
Banking, Anish Bhimani is CIO of Commercial race car because you’re wearing a fireproof suit,
Banking, George Sherman is CIO of Global you’re in a protective cage, you have an automatic
Technology Infrastructure, and Jason Witty is fire-extinguishing system, and you were trained.
JPMorgan Chase’s global CISO. All are managing This allows you to drive superfast.
directors. Prior to their current roles, both Amin and
But getting to that point can feel slow. CISOs who
Bhimani served as JPMorgan Chase’s global CISO..1
“get it” spend a little bit more time up front being
thoughtful about their execution.
The attributes of an effective CISO
Jason Witty: Being a successful CISO these days The changing role of the CISO
involves wearing many hats, from business to risk
Jason Witty: The role of the CISO has already
to technology to software engineer. You must be
changed. It’s about measured risk taking, not risk
aware of the threat landscape and understand
elimination. This measured risk taking must also
human behavior. You also have to know how to
evolve with the availability of new technologies.
work with regulators and gain trust from multiple
You must constantly adapt, train, and educate
stakeholders.
so that you can adjust the control environment
Doing those things gives you a firmwide view of to enable the things the business is trying to
what’s going on in the business, what’s going on accomplish.
in technology, what’s going on in risk, and what’s
Rohan Amin: If you want to help the builders, you
going on in the legal and regulatory landscape.
have to know how to build. As a CISO, if you are
This allows you to connect the dots in a way that
not close to the modernization agenda—modern
other roles simply do not provide.
architectures, cloud, data, machine learning,
You must constantly be shifting, adapting, and and so on—then it’s hard to effectively guide an
learning. I spend about two hours every morning organization in the right direction.
just digesting what’s changed since I went to bed,
be it new threats, bad actors, or vulnerabilities.
1
r the full interviews with each interviewee, see “The benefits of a CISO background to a business-unit CIO” (Rohan Amin), “Enterprise-
wide security is both a technology and business issue” (Anish Bhimani), “Robust cybersecurity requires much more than great
technology” (George Sherman), and “The modern CISO: Managing scale, building trust, and enabling the business” (Jason Witty), March
2020, McKinsey.com.
Protecting the business: Views from the CIO’s and CISO’s offices 107
George Sherman: You can go back a decade require that security and controls be embedded into
and see how much has changed. Everything all the technology we deliver.
seemed much simpler. The successful CISOs
I use my technical-security skills on a daily basis.
of the future can’t be process managers. They
With new technology and connectivity platforms,
must have a deep understanding of technology.
many of our older security paradigms are being
Imagine leading thousands of software engineers
stressed. In the past, you could get away with not
but never having actually written a line of code.
having the most robust identity or authorization
At some point, you have to ask yourself how you
constructs and authentication and authorization
can relate to that community. And how will that
metrics. This is no longer the case, as the dynamic
community relate to you? Those questions are just
nature of these modern technologies requires
as relevant to today’s and tomorrow’s CISOs.
dynamic management of the trust chain.
Anish Bhimani: I used to go to the board of
If you add to this the complexity of the multivendor
directors and the audit committee annually for
cloud environments connecting into our
about 20 minutes. We now meet with the board
companies, you must have a strong understanding
eight times a year for at least an hour each time.
of the “threatscape” and how you deal with
cybersecurity issues. Everyone within the
The value of CISO experience to CIOs organization must understand that cybersecurity
Anish Bhimani: Every CIO should spend time in a is non-negotiable. We have to get it right all the
security role, since it makes you think differently. time. The bad actors only have to get it right once.
Regardless of your role, you’re never out of security.
With new technologies, including automation, How being CISO helped in becoming
security is a layered process. It’s built into the fabric a CIO
of the organization, from process to people.
Anish Bhimani: I spent my entire career aspiring
Rohan Amin: When we think about what matters to be the CISO of a large bank, and when I got
most to our customers, running a disciplined the job, it was a significant accomplishment in
environment with stability, resiliency, controls, and my career. When I then became a CIO, it meant
data privacy are non-negotiables. Being in the shifting to more of an implementation approach,
CISO role obviously instilled a lot of that in me. and I was eager to work with the business. But
The other aspect that’s helpful in having a CISO back- despite my excitement, I was clear that job number
ground is a deep understanding of non-functional one is having a secure operating environment. If
requirements and how to make them easier to adopt. you don’t do job one, you don’t earn the right to do
For example, modernizing our applications and job two, which is to deliver value to the business.
striving for platform-centric thinking help to focus our Rohan Amin: In the CIO role, you get a deep
engineers on the most relevant business functions, appreciation for the importance of the control
which are the features and value for customers. environment and security. You learn that everyone
As a CISO, you have a global view of risk and what understands the importance of controls but wants
the issues are and how you think about enterprise control adoption to be more seamless and part of
management in the application-development the engineering process.
context. Some CISOs are policy and governance Security and controls teams face a continuing
focused only, while others have a stronger challenge to figure out how to make this stuff
technical and business background. Having a simple and easy to use. This requires the
technical background and being able to effectively engineering work to make it easy to adopt, easy to
communicate complex issues to the business have innovate on the platform, and easy for engineers
served me well. to do the right thing. People can’t be forced to
George Sherman: We are unique and fortunate in read thousands of pages of policy to figure out
that three of our CIOs are former CISOs. This makes the right thing to do. The right thing to do should
the current CISO’s life much easier, specifically as it be easy and baked into the platforms and enabled
relates to how you design, deliver, and execute the via software, so that something as simple as “you
business-process automation efforts. Thanks to our should encrypt your data” isn’t something every
security background, we tend to think about data engineering team has to figure out for itself. Make
protection and security earlier in our processes and security the easy answer, not the hard answer.
108 Protecting the business: Views from the CIO’s and CISO’s offices
The impact of the cloud Focusing on the future
Anish Bhimani: When moving to the cloud, the Jason Witty: “Deepfakes” ar e a concern, so
first priority is figuring out your technology and having the ability to prove that who you are
business priorities and then striking a balance. talking to is actually the person you think you are
Services and architecture templates need to be talking to is vital. Artificial-intelligence (AI) and
validated and automated for cloud configuration. natural-language-processing algorithms are also
Secondly, cloud security can be a business advancing rapidly, posing new reputational and
enabler, and we know that businesses need to financial threats in addition to opening new doors
grow and thus must move fast. for business growth.
Why do you have brakes on a car? It’s not to stop. Safely enabling AI and maintaining our ability to
It’s so you can go fast, secure in the knowledge keep up with the velocity of automated attacks
that you can stop whenever you want or need to. is also something being much discussed. We’ll
Security done right enables businesses to go at continue to modernize software engineering
the speed they want while being able to manage around the cloud to ensure security and resiliency
risk appropriately. and to further unlock its business value. Finally,
we’re looking into crypto-agility and decoupling
George Sherman: Technology is going to become
the encryption process from the software-
more segmented but also more hyperconnected.
development process.
You can see that in the evolution of the private,
public, and hybrid cloud and with a combination Rohan Amin: Authentication is often the first
of infrastructure-as-a-service, platform-as-a- experience a consumer has with an organization,
service, and software-as-a-service providers so we’re working on the authentication strategy of
clamoring to support new growth. But with this the future. Previously, authentication was thought
hyperconnectivity comes hypercomplexity, and about as a channel-specific thing, meaning how
with that comes fragility. Fragility leads to reliability do we authenticate you in the branch? How do
and security issues. The enemy of a good security we authenticate you when you call in? How do we
program is complexity. If we’re not careful in our authenticate you online or on mobile?
execution, CISOs could end up with a “least common
We’re working to bring these experiences together
denominator” problem where their environments are
in a secure and more integrated manner. We’re
only as secure as their weakest controls.
thinking about ways of putting the customers at the
front of the design and about the multichannel ways
Cybersecurity advice for newcomers people interact with us differently than in the past.
Rohan Amin: Spend time with the folks in the
George Sherman: Resiliency, availability, and
business who have to use the stuff you’re creating.
security are everyone’s responsibility, regardless
If your objective is to help the business—which is
of whether you’re involved with infrastructure,
what it should be—then you need to spend time in
applications, or both. Everyone must believe that
the business to understand what it takes to deliver
operational risk and information security are core
something to a customer. If you spend time only
requirements of their role, so you need to invest
in security land, you really don’t understand the
in training and move this to the forefront of your
complexities the builders go through to deliver.
team’s minds, or you will end up with yet another
Knowing what I know now, building simplicity into
remediation program.
security-control adoption is where I’d recommend
they focus. Secure by design is critical. You can build systems
that are reliable and available, but they may
Anish Bhimani: My first advice is that life never
not necessarily be secure. But when you build
moves in a straight line. You need to be able to
secure systems, you often end up with ones that
adapt to constantly changing circumstances.
are both reliable and available. The disciplines
Well-roundedness is critical, and everything you
around security tend to lend themselves to the
do should get you a step closer to your goals.
same disciplines as resiliency and availability or
Rotations are valuable in gaining experience in
operational efficiency and effectiveness.
security and infrastructure.
Protecting the business: Views from the CIO’s and CISO’s offices 109
Enable digital technology delivery
business
technology, processes, automation, and cybersecurity.
March 2020
110 The modern CISO: Managing scale, building trust, and enabling the business
Securing the information of a multibillion-dollar getting bogged down. You also have to have very
enterprise with more than a quarter of a million strong leaders under you that you can trust. I am
employees is a daily Herculean labor. Enterprise fortunate to have a fantastic team.
chief information security officers (CISOs) must
James Kaplan: How are you addressing security
manage myriad cybersecurity threats, automation,
concerns amid increasing automation and
regulatory compliance, and ever-evolving
continuous controls monitoring?
technologies. Jason Witty, global CISO, JPMorgan
Chase, discusses his role and these challenges Jason Witty: We put a lot of effort around controls
with McKinsey’s James Kaplan. as code, or policies as code, ensuring the ubiquity
of modern software engineering practices across
This interview is part of a series of interviews on
the firm. All of our applications are in the process
the evolving relationship between the CISO and
of being rearchitected to support a modern
CIO. (See “Protecting the business: Views from the
software environment, with automated, self-
CIO’s and CISO’s offices,” on McKinsey.com.)
evidencing controls built in.
James Kaplan: How do you define the role of
We have hundreds of engineers on the security
a CISO?
side dedicated to automation, such as by making
Jason Witty: A CISO drives and controls an agenda, controls seamless and integrating security tools
and building trust is critical in implementing that within the product, platform, and service pipeline.
agenda, because trust is a force multiplier. As a
It’s all about data and code now. This ensures
CISO, my priorities are to protect the firm, enable
strong integration and collaboration with the
the firm to drive growth, and make this growth as
businesses as well. Security is thought of as a
seamless as possible from a security standpoint.
part of each technology capability or product
Being a successful CISO these days involves rollout, which is a tremendous advance compared
wearing many hats, from business to risk to to a decade ago, when security was viewed as a
technology to software engineer. You must be hindrance.
aware of the threat landscape and understand
James Kaplan: In years past, security was
human behavior. You also have to know how to
fragmented. How have the organizational structure
work with regulators and gain trust from multiple
and lines of responsibility evolved?
stakeholders.
Jason Witty: DevOps has significantly changed
Doing those things gives you a firmwide view of
the way that IT in general thinks about product
what’s going on in the business, what’s going on
management, application development, and
in technology, what’s going on in risk, and what’s
production support. Site reliability engineering
going on in the legal and regulatory landscape.
(SRE) is a big focus, along with our product
This allows you to connect the dots in a way that
journey. It’s a change in traditional telemetry
other roles simply do not provide.
management from years ago, when it was very
You must constantly be shifting, adapting, and fragmented and siloed. Our software environment
learning. I spend about two hours every morning provides transparency, which enables people to
just digesting what’s changed since I went to bed, respond quickly to issues.
be it new threats, bad actors, or vulnerabilities.
We’re simultaneously integrating core functions
Then you need to translate this into digestible
with SRE, as well as modernizing the environment.
content for a nontechnical audience, which
This means more colocation and cocreation, which
requires good soft skills as well.
spur both product and security innovation. We’re
James Kaplan: How do you manage the complexity completely aligned on the customer and client
of an institution the size of JPMorgan Chase? experience.
Jason Witty: You manage scale. You build James Kaplan: How are new technologies like
trust. You have command of the details without cloud impacting the institution?
The modern CISO: Managing scale, building trust, and enabling the business 111
Jason Witty: Today’s modern software environ- James Kaplan: Are you experiencing the talent or
ment is faster from a business-capability stand- skills gap that we hear about in the cybersecurity
point. You have more incremental change and space?
faster release cycles; you can also know earlier
Jason Witty: Yes. We have myriad ways we try
when something goes wrong, which means you
to address that. We have programs specifically
can respond faster.
focused on bringing in non-computer-science
James Kaplan: There’s often an overlap between talent, who we put through coding boot camps
infrastructure and security engineering. How have and upskill. We also have a Cyber Kids school
you addressed this collaboration? program that goes into schools and provides basic
skills training on internet safety and security.
Jason Witty: The product model supersedes
We hope to help spur interest in STEM-related
departmental silos. When you have multiple teams
activities and careers. We also recruit talent from
working on the same set of issues, it completely
the military and affinity groups to attract the best
transcends organizational boundaries. If everyone
talent available. We were a founding sponsor of
involved understands the end objectives and how
the Financial Services Information Sharing and
they are measured, then they’re all pointing the
Analysis Center’s (FS-ISAC’s) scholarship program
needle in the same direction. It’s a combination of
for female university students looking to pursue a
site reliability engineering and product that makes
career in cybersecurity. Recruiting the right people
the process more seamless.
is critical, but retaining them is also important,
James Kaplan: As the product model becomes hence our emphasis on upskilling, training, and
more pervasive, how does the role of the CISO continuing education.
change over time?
James Kaplan: If you look down the road for the
Jason Witty: The role of the CISO has already next three or four years, what keeps you up at
changed. It’s about measured risk taking, not risk night?
elimination. This measured risk taking must also
Jason Witty: “Deepfakes” are a concern, so
evolve with the availability of new technologies.
having the ability to prove that who you are
You must constantly adapt, train, and educate
talking to is actually the person you think you are
so that you can adjust the control environment
talking to is vital. Artificial-intelligence (AI) and
to enable the things the business is trying to
natural-language-processing algorithms are also
accomplish.
advancing rapidly, posing new reputational and
James Kaplan: Talk about the collaboration financial threats in addition to opening new doors
around regulatory compliance. for business growth.
Jason Witty: We take compliance very seriously. Safely enabling AI and maintaining our ability to
We are constantly mapping and cross-mapping keep up with the velocity of automated attacks
international regulations to our control is also something being much discussed. We’ll
environment and legal obligations. We’re always continue to modernize software engineering
looking for better ways of automating that around the cloud to ensure security and resiliency
process. We’re adopting the Bank Policy Institute’s and to further unlock its business value. Finally,
Financial Services Sector Cybersecurity Profile we’re looking into crypto-agility and decoupling
as our framework of frameworks in 2020 and the encryption process from the software-
encouraging regulators to start auditing against development process.
the profile, which has the potential to be an
industry-wide game changer.
112 The modern CISO: Managing scale, building trust, and enabling the business
Enable digital technology delivery
The benefits of a
CISO background to
a business-unit
The CIO
benefits of a CISO
background to a
business-unit CIO
A deep understanding of cybersecurity is a competitive advantage.
A deep understanding of cybersecurity is a competitive advantage.
March 2020
Robust cybersecurity
requires much more
than great technology
Robust cybersecurity
requires much more
than great technology
Security is increasingly an interdisciplinary capability.
© Getty Images
March 2020
Enterprise-wide security
is both a technology
and business issue
Enterprise-wide security
is both a technology and
business issue
CISOs have important skills that can position them
for the CIO role.
CISOs have important skills that can position them for the CIO role.
March 2020
Securing software
as a service
Risk Practice
Securing software as
a service
HereHere
is howis SaaS
how SaaS providers
providers can meet
can meet the security needs of their
the security
needsenterprise customers.
of their enterprise customers.
by Rich Cracknell, James Kaplan, Wolf Richter, Lucy Shenton, and Celina Stewart
by Rich Cracknell, James M. Kaplan, Wolf Richter, Lucy Shenton, and Celina Stewart
© jjaakk/Getty Images
September 2019
1
KBV research cited in “Software as a service (SaaS) market to reach a market size of $185.8 billion by 2024: KBV Research,” PR
Newswire, December 19, 2018, prnewswire.com; Enterprise software market research report – global forecast 2023, Market Research
Future, May 2019, marketresearchfuture.com; “Just where are SaaS companies priced after the 2018 correction?,” Tomasz Tunguz,
December 26, 2018,tomtunguz.com.
2
2019 McKinsey Customer Perspectives on SaaS Survey of chief information-security officers (and managers responsible for cloud
security or vendor security) from more than 60 organizations. More than half of the participants were from companies in financial
services, insurance, pharma, and health services, with the rest spread across the government, industrial, and tech sectors. Each third
(approximately) of the responding companies had respective annual IT budgets of $500 million and above, $50 million to $500 million,
and less than $50 million. Most respondents were from companies based in the United States. Differences in size, geography, and sector
apart, however, the companies largely expressed similar concerns.
Exhibit 1
Surveyed enterprises most commonly used software as a service for office automation,
IT-services support, and niche business applications.
Level of SaaS¹ adoption by usage type, % of respondents (n = 61)
Enterprise Customer Governance, Other (eg,
Office IT-services Human resource relationship risk, and marketing and
automation support resources planning management compliance sales, R&D)
92 84 61 49 44 25 93
¹ Software as a service.
Source: McKinsey Customer Perspectives on SaaS survey
Priorities in attempting
related applications to secure
and applications that may providers
revealed thatto hostcompanies,
most and manage their security
especially large keys.
software as a service
contain M&A information, the biggest barriers to Thedo
ones, majority prefer
not entrust SaaSto hold their to
providers keys
hostonand
premises
SaaS adoption concern data confidentiality. manage
through their security keys.
a hardware The majority
security module,prefer
retainto
In their relationships with SaaS vendors, most hold their keys oncontrol
premises through a hardware
management of cloud-hosted keys, or
respondents use questionnaires to gauge security module, retain management control ofThese
use a combination of methods (Exhibit 3).
security
Prioritiescapabilities but criticize
in attempting tothe approach as cloud-hosted keys, or use a combination of methods
secure approaches allow companies to control access
imprecise,
softwareincomplete,
as a service and overly time consuming. (Exhibit 3). These approaches allow companies
to sensitive information. It also ensures that
Security executiveswith
In their relationships tendSaaS
to focus on four
vendors, mostkey to control access to sensitive information. It
government agencies cannot gain access to and
issues when use
respondents confronting SaaS to
questionnaires capabilities:
gauge security also ensures that government agencies cannot
unencrypt their data without contacting them first.
gain access to and unencrypt their data without
encryption
capabilities and key management,
but criticize the approachidentity and
as imprecise,
access management
incomplete, and overly (IAM), security monitoring,
time consuming. Security contacting
The survey them first. revealed that companies want
further
executives
and incidenttend to focus (Exhibit
response on four key
2). issues when
Notable is that a degree of sophistication in key management
confronting
each of these SaaS capabilities:
issues has more encryption
to do withandthe
key The
sosurvey further
that they canrevealed that companies
grant access to data forwant
a a
management, identity and access management (IAM), degree of sophistication in key management so that
interface between the customer and the SaaS certain period of time or revoke access quickly.
security monitoring, andproviders’
incident response they can grant access to data for a certain period of
provider than with the intrinsic(Exhibit
technical This preference again emphasizes that most
2). Notable is that each of these issues has more time or revoke access quickly. This preference again
protections, such as code security and endpoint respondents want to exercise full control over their
to do with the interface between the customer and emphasizes that most respondents want to exercise
protection.
the SaaS provider than with the providers’ intrinsic fullsensitive information.
control over their sensitive information.
Encryption and key such
technical protections, management
as code security and Identity and access management
endpoint protection.
Applications running in the cloud and data Identity
Identityand access management
management is the act of confirming that
Identity management is the act of confirming that
stored there are not protected by a traditional each user is the person he or she purports to be.
Encryption and keyperimeter
management each user is the person he or she purports to be.
corporatesecurity of firewalls and the Access management is the determination that a
Applications running in the cloud and data stored Access management is the determination that a user
like. As a result, security becomes essentially user does or does not have legitimate rights to
there are not protected by a traditional corporate- does or does not have legitimate rights to retrieve
reliant on encryption and management of the retrieve
data or usedata or use an application.
an application. As importantAs
as important
both
security perimeter of firewalls and the like. As a
keys that provide access to encrypted data. as both identity and access management
identity and access management are on company are on
result, security becomes essentially reliant on
Our interviews
encryption and revealed
managementthatofmost companies,
the keys that company premises, they are even more important
premises, they are even more important for cloud-
especially large ones, do not entrust SaaS
provide access to encrypted data. Our interviews for cloud-based
based applications. applications.
Exhibit 2
Enterprise customers focus on the interface between software-as-a-service providers and their
own security environments.
Capabilities that respondents would like to see from SaaS¹ vendors, % of respondents (n = 61)
56 54 54 52 49 49
33 26 26 10 5
¹ Software as a service.
Source: McKinsey Customer Perspectives on SaaS survey and interviews with more than 60 industry leaders
Security executives emphasized that two IAM including the ability to provide selected people with
capabilities are especially important to them. First, the authority to access certain data or undertake
Security executives emphasized that two IAM Security telemetry and monitoring
they want tight, easily implementable integration certain transactions within an application.
capabilities are especially important to them. First, Increasingly, CISOs acknowledge that they
between SaaS applications and widely adopted
they want tight, easily implementable integration cannot prevent every instance in which security
Security telemetry and monitoring
enterprise IAM tools. Companies deploy hundreds
between SaaSofapplications
or thousands applications, and widely
dozens adopted
of which are is compromised.
Increasingly, They therefore
CISOs acknowledge thatwant
they the
enterprise IAM tools.
SaaS applications. Companies
They deploy
cannot expect hundreds
users to necessary
cannot preventtransparency
every instance toinidentify and assess
which security is
or thousands
memorize yet of applications,
another password dozens of new
for each whichSaaS emerging security
compromised. risks quickly
They therefore want theandnecessary
thoroughly. As
are SaaSthat
offering applications.
is adopted.They
Theycannot
want to expect users
allow users companies to
transparency adopt SaaS
identify andofferings, data from SaaS
assess emerging
totomemorize yet another
sign into SaaS password
applications for each new
via enterprise-wide providers
security risksabout
quicklyusage patterns become
and thoroughly. critical to
As companies
IAM platforms, which will provide additional
SaaS offering that is adopted. They want to features
allow adopt SaaS offerings,
this analysis. data from SaaS providers
like two-factor
users to sign intoauthentication. Second,
SaaS applications they
via need
enterprise- about usage patterns become critical to this analysis.
sophisticated, role-based
Security reporting is the baseline capability
wide IAM platforms, whichaccess management,
will provide additional
CISOs demand. They want a clear view – usually
features like two-factor authentication. Second,
consolidated in a dashboard – of the users that
they need sophisticated, role-based access
have been accessing their data and what they have
4 management,
Securing softwareincluding
as a service the ability to provide
done with it. Without this kind of transparency,
selected people with the authority to access
implementing even the best security concepts
certain data or undertake certain transactions
can be a “nightmare,” as one security executive
within an application.
remarked.
Exhibit 3
Most enterprises do not fully entrust software-as-a-service providers with hosting and
managing encryption keys and so use different control methods.
Preferences for hosting and managing encryption keys, by level of estimated IT spending,¹ % of respondents (n = 44)
SaaS² hosted
but customer Hybrid (varies by vendor
On-premise, managed by customer managed SaaS hosted and managed size, maturity)
High IT spend 33 14 24 29
Companies with a high Some companies allow Some companies may trust Other companies prefer A variety of hybrid
SaaS adoption rate vendors to host keys large vendors to host and to utilize 3rd-party approaches to
and high IT spending but prefer to retain manage keys but prefer to key management, so that encryption key
prefer to manage their access management retain control rather than neither they nor the management are
keys on-premises relinquish it to an unproven vendor manages keys being used
or niche vendor
Low IT spend 29 46 25
On-premises, managed by customer SaaS hosted and managed Hybrid (varies by vendor
size, maturity)
1
All IT-spending estimates rely on information from “IT key metrics data 2019: Executive summary,” Gartner, December 17, 2018, gartner.com.
² Software as a service.
Source: McKinsey Customer Perspectives on SaaS survey and interviews with more than 60 industry leaders
Many
Securitysecurity
reporting teams seek
is the to integrate
baseline data on
capability Incident
and response platforms (SIEMs). As a
event-management
SaaS
CISOsusagedemand.with external-threat
They intelligence
want a clear view—usually Every company
health-services canexplained,
CISO be breached. Therefore,
“On-premises
and information
consolidated in a from the rest ofthe
dashboard—of their technology
users that security
security teamsare
controls must implement
getting extended tools
intoand
the
environment to determine the
have been accessing their data and what actions they must
have cloud. Only a few SaaS providers allow us to resolving
practices for managing, mitigating, and pull
take
doneto protect
with it. Withouttheirthis
company. To accomplish
kind of transparency, incidents.
logs to go intoNaturally,
our SIEM.”security
A bankingmonitoring
CISO said, plays
“I a
implementing
this, the security eventeams
the best security
need SaaSconcepts
providers can
tobe want to integrate
significant role with SOC/SIEM.
in this, as greater I want something
transparency
a “nightmare,”
offer application as one security executive
programming remarked.
interfaces (APIs), flexible
enables enough
better toincident
work withresponse.
hardened SIEM tools,
which will allow them to pull data into their security and something capable of integrating as well.” In
Many security teams(SOCs)
seek toand
integrate data on Mostwords,
other organizations
CISOs want focus
theiron SOC and
vendors SIEMit
to make
operations centers security-incident
SaaS usage with external-threat intelligence integration. The more sophisticated
easier to use APIs for integration. They also wantsecurity
and event-management platforms (SIEMs). As a
and information from the rest of their technology organizations
timely we spoke
service provision withashave
as well dramatically
accurate security
health-services CISO explained, “On-premises
environment to determine the actions they must broadened
information their
from incident-response
their requirements
SaaS providers included in
security controls are getting extended into the
take to protect their company. To accomplish this, to include joint
service-level simulations,
agreements joint forensic activity,
(SLAs).
cloud. Only a few SaaS providers allow us to
the security teams need SaaS providers to offer and intelligence sharing. One company even
pull logs to go into our SIEM.” A banking
(APIs),CISO Incident
application programming interfaces which securedresponse
the right from one provider to send
said, “I want to integrate with SOC/SIEM.
will allow them to pull data into their security- I want Every company canprovider’s
be breached. Therefore,
personnel to the SOC in the event of a
something flexible enough to work
operations centers (SOCs) and security- incident with hardened security teams must implement tools and practices
major breach.
SIEM tools, and something capable of integrating
as well.” In other words, CISOs want their vendors
to make it easier to use APIs for integration. They
Securing software as a service 5
also want timely service provision as well as accurate
security information from their SaaS providers
included in service-level agreements (SLAs).
Rich Cracknell is a manager of solution delivery in McKinsey’s Silicon Valley office; James Kaplan
is a partner in the New York office, where Celina Stewart is a cyber solutions senior analyst; and
Wolf Richter is a partner in the Berlin office, where Lucy Shenton is a cyber solutions specialist.
© Getty Images
May 2020
132 Agile, reliable, secure, compliant IT: Fulfilling the promise of DevSecOps
As digital technologies transform industry after What is DevSecOps?
industry, businesses are increasingly adopting
Pioneered by digital-native companies,
modern software-engineering practices
DevSecOps is based on the principle of integrating
pioneered by tech companies. Agile, DevOps, and
development, security, infrastructure, and
other methods enable organizations to test, refine,
operations at every stage in a product’s life cycle,
and release new products and functionality more
from planning and design to ongoing use and
rapidly and frequently than ever before. However,
support (exhibit). This enables engineers to tackle
the speed and frequency of releases can come
security and reliability issues more quickly and
into conflict with established methods of handling
effectively, making organizations more agile and
security and compliance. How can organizations
their digital products and services more secure
resolve this tension?
and reliable. Security, reliability, and compliance
We think the answer lies in DevSecOps, a method considerations are built into every agile sprint
for integrating security into agile processes and rather than being handled separately or left until
DevOps efforts across the whole product life the end of the development process.
cycle. Properly implemented, DevSecOps (literally,
Adopting a DevSecOps approach has implications
development, Ssecurity, operations) offers
for each stage of the product life cycle:
enormous advantages.
— Planning. From the inception of a new product,
Companies can increase the frequency of
teams are aware of their security and reliability
software releases from quarterly to weekly,
responsibilities and trained to handle them.
or even daily, without compromising their risk
For significant efforts, teams start by quickly
posture. They can cut mean time to remediate
modeling threats and risks and then identifying
vulnerabilities from weeks or months to hours as
and prioritizing backlog2 items needed to make
well as eliminate delays, cost overruns, product
the product secure, reliable, and compliant.
defects, and vulnerabilities. Last, but not least,
Where possible, teams take advantage of
getting security and compliance right from the
existing architectural designs that have been
outset is imperative as companies’ growing
developed in collaboration with security and
dependence on digital technologies makes them
reliability experts, thereby ensuring that best
more vulnerable to cyberattack, especially in the
practices are observed, as well as speeding up
wake of the uncertainty and confusion wrought by
planning and design.
the coronavirus pandemic.1
— Coding. To improve code quality, developers
In our experience, the companies that are most
constantly develop and update their
successful at extracting the full value from
knowledge of secure and resilient coding
DevSecOps commit to managing technology
practices. They take full advantage of
differently. They have an integrated operating
reusable coding patterns, components, and
model made up of teams of people – including
microservices to quickly build the functionality
those from security and compliance – with the full
and services needed to meet common security
range of necessary capabilities, make practical
and resiliency requirements for encryption,
use of automation, develop secure modular
authentication, availability, and observability.
services that are easy to use, and conceive of and
build digital products that are secure by design.
1
See Jim Boehm, James Kaplan, and Nathan Sportsman, “Cybersecurity’s dual mission during the coronavirus crisis,” March 2020,
McKinsey.com.
2
A backlog is a prioritized list of the features that an agile product team is planning to build and work on.
Agile, reliable, secure, compliant IT: Fulfilling the promise of DevSecOps 133
Web 2019
Agile, reliable, and compliant IT: Integrating security into DevOps
Exhibit 1 of 1
Exhibit
Securityisisintegrated
Security integrated
intointo
everyevery step
step in in the product-development
the product-development life cycle. life cycle.
Planning
Operate
and design Code
— Reviewing. Instead of having a specialist group checks. After automated code-analysis tools
— Reviewing.
scrutinizeInstead of having
a product a specialist
for security group
vulnerabilities checks.
such asAfter automated
SonarQube andcode-analysis
Fortify havetools
looked
scrutinize a product
and resiliency for security
issues vulnerabilities
once it emerges from such
for as SonarQube
known and Fortify
vulnerabilities andhave looked
issues, senior
and resiliency
months issues once itteams
of development, emerges fromcode
review fordevelopers
known vulnerabilities
conduct peerandreviews
issues, senior
to discuss
months of development,
as often teams review
as every two weeks as partcode
of regular developers conduct peer reviews to discuss
the results and ensure the software meets
asagile
oftensprints,
as every two weeks as part
using both automated of regular
and manual theappropriate
results andstandards.
ensure the software meets
agile sprints, using both automated and manual appropriate standards.
134 Agile, reliable, secure, compliant IT: Fulfilling the promise of DevSecOps
— Testing. Engineers create automated security To illustrate what these shifts look like in practice,
tests to be run alongside automated functional we’ll draw on examples from two organizations
and performance tests. This not only ensures that have recently adopted DevSecOps principles:
that testing is consistent and efficient but also a global software-and-services company and a
makes security requirements explicit, so that large financial-services provider. The software-
developers don’t waste time puzzling over and-services company was already using agile
how to satisfy ill-defined policies laid down by methods to develop digital products and manage
separate groups. Common security tests, such infrastructure, but it was striving to improve
as penetration tests that look for security holes the resiliency of its products while making its
in systems, are conducted automatically as internal processes more efficient. By contrast,
part of every sprint and release cycle. the financial-services firm still relied on traditional
waterfall methods to deliver its projects, and it
— Deployment. Code is delivered to production
saw DevSecOps as a way to improve performance,
hosting environments, not through manual
accelerate software releases, and streamline
processes itemized in checklists, but via well-
controls without increasing risk.
engineered automated processes that ensure
the right software is built and that it is deployed Organization and talent: Integrated cross-
securely and reliably. In addition, best-practice functional teams
companies have secure production hosting When organizations struggle with the tensions
environments that can be rapidly invoked between being agile and maintaining security,
through application programming interfaces reliability, and compliance, it’s often because
(APIs), eliminating wait times and reducing risk. the skills and accountabilities for developing,
operating, and securing products and validating
— Operations. Once software is in production,
compliance are split between different groups.
automated processes – including real-time
The answer is to break down these silos by setting
monitoring, host- and network-intrusion
up integrated agile teams charged with solving all
detection, and compliance validation, and
the requirements of the products in their scope,
evidence attestation – are used to increase
regardless of any functional, security, reliability,
efficiency and detect vulnerabilities. If defects
or compliance issues they may pose. These teams
or vulnerabilities are discovered, resolutions
should be staffed not with specialists but with
are identified, prioritized, and tracked to
well-rounded “full-stack” engineers who can work
make sure product reliability and security are
across disciplines and pick up new skills quickly.
constantly improved.
Every team member must be responsible for the
security and reliability of the code they create,
Adopting DevSecOps principles whether it’s for customer-facing products or
Capturing the potential of DevSecOps isn’t easy. internal shared services.
It relies on tight collaboration both within IT and
The software-and-services company mentioned
across IT, security, compliance, and risk. To get
earlier reconfigured its product-development
it right, companies need to make four shifts
teams to own their code bases from end to end
in the way they manage technology: create a
instead of relying on separate teams to address
more integrated operating model, build secure
maintenance and defects. The company also set
“consumable” services, automate development
up site reliability engineering (SRE) teams to help
and release processes, and evolve product
improve the way products were developed and
architectures.
operated. The two teams worked closely together,
shared objectives and key results (OKRs), and
took part in joint agile events to stay aligned on
Agile, reliable, secure, compliant IT: Fulfilling the promise of DevSecOps 135
how to improve the security and reliability of the so on) and continuous integration and continuous
company’s products. delivery (CICD) pipelines for getting code safely
and securely to production. Thanks to these
The financial-services firm took a slightly
efforts, it managed to cut setup times for hosting
different approach, embedding SREs in product-
environments from three months to 15 minutes, as
development teams instead of having them in a
well as automating deployments that previously
separate team. But similar to the software-and-
required eight hours of manual release work.
services company, it introduced security and
reliability OKRs for those product teams as well Similarly, the financial-services firm focused on
as common service metrics to drive alignment and creating a secure CICD pipeline, which had to be
accountability. able to handle the high level of controls needed
to satisfy regulatory requirements. Implementing
Consumable services: Developer-owned
the pipeline cut software release times by half.
operations
By introducing mechanisms such as automated
In the past, the accountability for a digital
security test cases, the firm also streamlined con-
product’s functionality, operations, reliability,
trols by 50 to 80 percent without increasing risk.
security, and compliance was split. A development
team created an application, an infrastructure Development and release: Automated pipelines
team operated it, and a maintenance team took with built-in security controls
care of reliability. With a DevSecOps approach, The traditional path to production for software
on the other hand, a single team is given as much code was lengthy and prone to error. Developers
accountability and ownership as possible for all wrote code, and then quality-assurance engineers
aspects of a product. tested it – usually manually and in settings that
bore little resemblance to the environment in
In this approach, central enablement teams build
which it would eventually be used. Shepherding
shared consumable services for development,
code through these processes involved many
infrastructure, and security. They equip these
manual steps. Most testing took the form of basic
services with guardrails and transparency so that
functional and regression tests. Some defects and
subsequent product developers can use them
vulnerabilities slipped through and were caught
safely, securely, and efficiently in their operations.
only after the software was released.
Central checks and validations are still performed
to ensure that correct procedures and best Over the past decade, the DevOps movement
practices are implemented, but the goal is to make has striven to make the path to production more
teams accountable for the products they own. efficient and more effective at catching defects
This involves providing them with the tools they as early as possible, when they are cheaper to
need to meet their responsibilities – tools that are address. Leading companies have adopted CICD
convenient to use and designed to ensure that the pipelines to automate workflows and enable best
easiest path for developers is also the most secure engineering practices to be followed in the writing,
and reliable route. reviewing, testing, and deployment of code. In
addition to this, DevSecOps companies need to go
Building these consumable services takes time,
further by integrating an extra layer of testing into
so companies need to prioritize those with the
their CICD pipelines to analyze code for potential
greatest impact and assign agile teams to build
security issues, run security test cases, and
and own them. The software-and-services
conduct light penetration tests.
company decided to prioritize two key services:
life-cycle management for its on-premise hosting
environments (including provisioning, patching, and
136 Agile, reliable, secure, compliant IT: Fulfilling the promise of DevSecOps
To improve their development and release Both the software-and-services company and
processes, the software-and-services company the financial-services firm had legacy systems
and the financial-services firm adopted similar they needed to support, and both pursued an
approaches. In designing and implementing evolutionary approach to modernizing their
automated CICD pipelines for deployments to application landscape. They used their new
both the cloud and on-premise environments, they processes to build new “greenfield” digital
took care to involve their security and compliance products and incrementally adapted older
specialists to ensure that controls would not be products to support DevSecOps best practices,
compromised in any way. They also used OKRs including the use of microservices, unit tests,
and metrics dashboards to encourage adoption of security test cases, static code analyses, and
the pipelines and increase the levels of automated resiliency patterns.
test coverage.
Product architecture: Secure by design Common pitfalls to avoid
Traditionally, applications have been built from The best path for an organization to take in
scratch, with all capabilities locked inside a single adopting DevSecOps depends on many factors,
code package and security not usually tackled ranging from its size to its familiarity with agile and
until late in the development process. Adding a DevOps methods. But regardless of their starting
new feature required extensive testing across the point, all organizations should take care, as they
whole system, making upgrades slow and complex set out on their transformation journey, to avoid a
to execute. Since applications were seldom few common pitfalls.
designed to scale in a linear fashion as additional
Pitfall 1: Focusing on tooling alone
load was put on the system, maintaining reliability
Companies should beware of assuming they can
was often a challenge.
realize the potential of DevSecOps merely by
With DevSecOps, by contrast, digital products implementing tools such as a CICD orchestration
are conceived and built from the ground up to system or a static code analysis tool. To capture
be secure by design. Security requirements and the full benefit, they need to make the four
best practices are factored into all elements of a shifts described earlier. Without that broader
product, from the code itself to the infrastructure transformation, new tooling is unlikely to be used
it runs on. Engineers take advantage of existing effectively or consistently across the organization.
components built by enablement or shared-
Pitfall 2: Failing to secure leadership buy-in
service teams, such as container templates and
If teams are to change their way of working, the
standardized monitoring APIs. They also draw
leaders of the technology organization must play
on open-source libraries released by web-scale
an active part in steering the transformation.
industry leaders – such as Netflix’s Hystrix library
In turn, development leaders must model and
for improving fault tolerance – to incorporate best-
reinforce target behaviors and equip their teams
practice resiliency patterns. Following a “systems of
to deliver on their new objectives. Finally, security
systems” approach, they integrate pre-engineered
and compliance leaders need to be fully involved
microservices via loosely coupled interfaces based
to ensure that greater agility doesn’t come at
on well-maintained APIs. All of this improves agility
the cost of higher risk. To help gain leadership
as well as security. Instead of struggling to build
buy-in, successful companies develop a baseline
their own code, waiting for reviews by security and
understanding of their agile and DevSecOps
compliance teams, and iterating until they pass
maturity and communicate the business case for
audit checks, product teams reuse code built with
improvement. Adding key stakeholders to the team
expert input and oversight.
leading the transformation is another way to make
leaders feel accountable for ensuring its success.
Agile, reliable, secure, compliant IT: Fulfilling the promise of DevSecOps 137
Pitfall 3: Focusing only on greenfield new capabilities, they need to make a major
development cultural shift by learning to take ownership for
Though DevSecOps principles are easiest to adopt their product’s security, reliability, and compliance,
in new development efforts, applying them more no matter which team they are on. At the same
broadly can deliver significant value. For instance, time, they need to acquire knowledge and skills
secure CICD pipelines can support larger, more in creating and operating resilient products to
monolithic applications, which can in turn be meet their new objectives. Culture and capability
gradually broken down into loosely coupled building can reinforce one another: when
microservices. Organizations should constantly engineers know that the teams they work with
explore where they can best deploy DevSecOps to expect them to have particular skills, they will be
increase agility, security, and reliability. more motivated to develop them.
Pitfall 4: Taking too long to deliver value In addition to avoiding these pitfalls, best-practice
In successful DevSecOps transformations, value organizations ensure they pursue a structured
is captured from an early stage. Leaders quickly approach to change management. They use
identify any changes that need to be made to dedicated change-management and capability-
product teams and decide which consumable building workstreams as part of the transformation
services they need to launch. When rolling out ,and roll teams out in waves that allow enough
changes, they prioritize products and services time for training, team alignment, and planning
that will drive the highest impact or reduce the activities, such as agile sprint 0s. 3
most risk. By identifying quick wins in the first two
or three months, they showcase the value of the
transformation and gain support from engineers
and the broader organization. Once a niche practice confined to Silicon Valley
Pitfall 5: Overlooking capability building and start-ups, DevSecOps has matured to become a
culture priority for traditional enterprises, too. Adopting
Engineers operating in traditional technology the principles outlined in this article will help
organizations are likely to find adopting companies not only acquire the agility to stay
DevSecOps a challenge. As well as developing current but also strengthen their security to
withstand exposure to cyberattacks in the future.
Santiago Comella-Dorda is a partner in McKinsey’s Boston office, James Kaplan is a partner in the
New York office, Ling Lau is a partner in the New Jersey office, and Nick McNamara is an associate
partner in the Chicago office.
The authors wish to thank Nagendra Bommadevara, Daniel Brosseau, Alharith Hussin, Steve Jansen,
Jesus Mathus Garza, Mark Mintz, Thomas Newton, Jan Shelly Brown, Marc Sorel, Kevin Telford, and
Charles Wisniewski for their contributions to this article.
3
Agile sprint 0s are short efforts before a team starts working together, used to create a common vision, align on team norms, and create
a product backlog for what they plan to build.
138 Agile, reliable, secure, compliant IT: Fulfilling the promise of DevSecOps
Help business to address impact of global pandemic
Cybersecurity’s
dual mission during
Risk Practice
Cybersecurity’s
the coronavirus
dual crisis
mission during
the coronavirus crisis
Chief information-security officers must balance two priorities to
respond to the pandemic: protecting against new cyberthreats and
Chief information-security officers must balance two priorities to
maintaining business continuity. Four strategic principles can help.
respond to the pandemic: protecting against new cyberthreats and
by Jimmaintaining business
Boehm, James Kaplan, continuity.
and Nathan Sportsman Four strategic principles can help.
March 2020
Exhibit
instance, a threatapplications.
actor targeted In one instance, a threat actorservices and
a public-sector services
issuingand issuing misinformation
misinformation to the to the
targeted a public-sector
entity by embedding malware in a pandemic- entity by embedding public. A major hospital in Europe
public. A major hospital in Europe was hit with was hit
a
malware in a pandemicrelated
related document and disguising it as an document with a cyberattack that forced
cyberattack that forced it to suspend scheduled it to suspend
and disguising it as an official communiqué scheduled operations, shut down its IT
official communiqué from another part of the operations, shut down its IT network, and move
from another part of the government. Once network, and move acute-care patients
government. Once installed, such a malicious acute-care patients to another facility. And a
installed, such a malicious application steals to another facility. And a department of a
application stealsaauser’s
user’sconfidential
confidential data
data (for example, department of agovernment
local local government had itsencrypted
had its website website
(for example, personal information,
personal information, credit-card encrypted by
credit-card information, byransomware,
ransomware,preventing
preventing officials
officials from
information, and bitcoin-wallet keys). Some
and bitcoin-wallet keys). Some malware from posting information for the public
posting information for the public andand keeping
malware applications launch ransomware attacks, keeping employees
launch ransomware
applications employeesfromfromaccessing certainfiles.
accessing certain files.
attacks, which lock a user’s system until they pay
which lock a user’s system until they pay a
As the COVID-19 outbreak progresses and alters
certain
a certain amount of money amount
to theofattacker.
money to the attacker. As the COVID-19 outbreak
the functioning ofprogresses and alters
our socioeconomic systems,
— Public-sector organizations are experiencing the functioning of our socioeconomic
cyberattackers systems,
will continue their efforts to
— Public-sector organizations
acute pressure. are experiencing cyberattackers
A large government entity will
exploit ourcontinue
fears andtheir efforts
our digital to
vulnerabilities. To
acute pressure. Ainlarge
North government
America suffered exploit our remain
entityfrom a distributed fears and our and
vigilant digital vulnerabilities.
effective, CISOs will need new
denial-of-service
in North America suffered attack aimed at disrupting
from a distributed approaches.
To remain vigilant and effective, CISOs will need
denial-of-service attack aimed at disrupting new approaches.
How to address the challenge: disaster recovery, talent succession, and vendor
Strategic practices for chief succession – then test them right away. If your
information-security officers organization doesn’t have adequate plans in
place, create them and then test them. You
While many CISOs and other executives have
must determine whether your organization’s
drawn on their experiences with past crises to
riskresponse approach is effective and efficient.
respond to the early stages of the COVID-19
Eliminating risk events is impossible, but you
outbreak, the pandemic’s vast scale and
can reduce the exacerbated risk associated
unpredictable duration are highly unusual. There
with a poor response.
is no playbook that CISOs can open for guidance.
Nevertheless, the CISOs and senior cybersecurity — Monitor. Consider mustering all available
managers we have spoken to have found it resources to help with monitoring, which
especially helpful to follow four practices: enables risk response and recovery to begin.
Areas for stepped-up monitoring can include
— Focus. Security- and technology-risk
remote monitoring of collaboration tools,
teams should focus on supporting only
monitoring networks for new and novel strains
those technology and security features,
of malware, and monitoring employees and
capabilities, and service rollouts that are
endpoints to catch data-related incidents
critical to operations. Examples of focus areas
before they result in operational risk.
that may justify a surge in capacity over the
coming weeks include maintaining security — Balance. Cybersecurity teams are likely
operations, mitigating risks of remote access to receive a flood of urgent requests for
to sensitive data and software-development cybersecurity-policy exceptions that will
environments, and implementing multifactor allow teams elsewhere in the organization
authentication to enable employees to work to get work done (for example, to approve
from home. Organizations should also reiterate the installation of new apps and allow the
to employees their safe remote-working use of USB drives). While CISOs might be
protocols and their procedures for threat inclined to deny such requests for the sake
identification and escalation. Employees on of preventing undue risk, they must also
the front line will play an especially important bear in mind the importance of maintaining
role in keeping the organization safe as normal business continuity during a fluid and
on-premises security measures become less challenging time for their colleagues. To
relevant. support continued operations, CISOs may
need to tolerate slightly higher risk in the
— Test. If your organization has security- or tech-
short term by granting waivers or temporarily
nology-risk plans of any kind – such as plans
relaxing some controls. An accommodating
for incident response, business continuity,
Jim Boehm is a partner in McKinsey’s Washington, DC, office. James Kaplan is a partner in the New
York office, and Nathan Sportsman is the founder and CEO of Praetorian.
McKinsey and Praetorian have entered into a strategic alliance to help clients solve complex cyber-
security challenges and promote innovation. As a part of this alliance, McKinsey is a minority investor
in Praetorian.
Cybersecurity tactics
for the coronavirus
Risk Practice
Cybersecurity tactics
pandemic
for the coronavirus
pandemic
The pandemic has made it harder for companies to maintain
security and business continuity. But new tactics can help
The pandemic has made it harder for companies to maintain
cybersecurity leaders to safeguard their organizations.
security and business continuity. But new tactics can help
cybersecurity
by Jim leaders
Boehm, James Kaplan, to safeguard
Marc Sorel, theirand
Nathan Sportsman, organizations.
Trevor Steen
by Jim Boehm, James Kaplan, Marc Sorel, Nathan Sportsman, and Trevor Steen
© Gorodenkoff/Getty Images
March 2020
temporarily at call centers to provide added to a VPN. Depending on the security stack,
frontline support. organizations that do not require the use of a
VPN or require it only to access a limited set
— Testing and adjusting IR and BC/DR
of resources may go largely unprotected. To
capabilities. Even with increased traffic,
expand monitoring, security teams should
validating remote communications and
update security-information- and-event-
collaboration tools allows companies to
management (SIEM) systems with new rule
support incident-response (IR), and business-
sets and discovered hashes for novel malware.
continuity (BC)/disaster-recovery (DR) plans.
They should also increase staffing in the
But companies might have to adjust their plans
security operations center (SOC) to help
to cover scenarios relevant to the current crisis.
compensate for the loss of network-based
To find weak points in your plans, conduct a
security capabilities, such as end-point
short IR or BC/DR tabletop exercise with no
protections of noncompany assets. If network-
one in the office.
based security capabilities are found to be
— Securing physical documents. In the office, degraded, teams should expand their IR and
employees often have ready access to digital BC/DR plans accordingly.
document-sharing mechanisms, as well
— Clarify incident-response protocols. When
as shredders and secure disposal bins for
cybersecurity incidents take place, SOC teams
printed materials. At home, where employees
must know how to report them. Cybersecurity
might lack the same resources, sensitive
leaders should build redundancy options into
information can end up in the trash. Set norms
response protocols so that responses don’t
for the retention and destruction of physical
stall if decision makers can’t be reached or
copies, even if that means waiting until the
normal escalation pathways are interrupted
organization resumes business as usual.
because people are working from home.
— Expand monitoring. Widening the scope
— Confirm the security of third parties.
of organization-wide monitoring activities,
Nearly every organization uses contractors
particularly for data and end points, is
and off-site vendors, and most integrate IT
important for two reasons. First, cyberattacks
systems and share data with both contract and
have proliferated. Second, basic boundary-
noncontract third parties, such as tax or law-
protection mechanisms, such as proxies, web
enforcement authorities. When organizations
gateways, or network intrusion-detection
assess which controls must be extended to
systems (IDS) or intrusion-prevention systems
employees to secure new work-from-home
(IPS), won’t secure users working from home,
protocols, they should do the same for third-
off the enterprise network, and not connected
party users and connections, who are likely to
Jim Boehm is a partner in McKinsey’s Washington, DC, office. James Kaplan is a partner in the New
York office, and Marc Sorel is a partner in the Boston office. Nathan Sportsman is the founder and CEO
of Praetorian, where Trevor Steen is a senior security engineer.
The authors wish to thank Wolf Richter and Mahir Nayfeh for their contributions to this article.
McKinsey and Praetorian have entered into a strategic alliance to help clients solve complex cyber-
security challenges and secure innovation. As a part of this alliance, McKinsey is a minority investor
in Praetorian.
150
Digital McKinsey and Global Risk Practice
June 2020
Copyright © McKinsey & Company
Designed by Visual Media Europe
www.mckinsey.com