We help clients achieve digital resilience by integrating security into business decision making and the IT environment.

A major cybersecurity event can affect billions of dollars in assets. Preventing that takes foresight, resilience, and a responsiveness that comes from folding risk considerations into business decision making and embedding security protections in the IT environment.

We call that digital resilience. This is how we help companies achieve it.

Despite the speed, variability, and growing commercial implications of breaches and other cyberattacks, most institutions still manage digital security in a way that feels distinctly old-fashioned—by delegating responsibility to IT or security, by using protections designed to meet yesterday’s attacks, and by applying burdensome restrictions that impede innovation.

McKinsey’s approach integrates cyberresilience into management and governance processes and extends that integration deep into the technology environment to provide differentiated protection for an institution’s most important assets.

Risk economics

Our goal is to help businesses direct the most rigorous defense mechanisms toward the most important information assets. We help clients determine what to protect and how much to spend doing it through a combination of evidence-based assessments, a software-enabled methodology that allows companies to prioritize their business risks and assets, and a business-aligned strategy and tactical plan that synchronizes the company’s risk posture and cybersecurity capabilities with its business objectives and constraints.

Program acceleration

We help companies achieve the right outcomes faster by designing cybersecurity initiatives, from identity access management and data-loss prevention to network segmentation, through the lens of the business and its priorities.

Swift, efficient, and highly refined processes can stop an incident from starting or escalating. Our incident-simulation tools and threat libraries allow us to run detailed scenarios to surface the issues, capabilities, and plans required to help companies respond to a significant breach in real time. And by designing those processes using lean practices, businesses reduce errors and lag time and gain the benefit of standardizing and scaling the most effective practices—so risks are detected and mitigated fast.


The protection of customer data is paramount. When companies are designing customer experiences, we can help ensure the appropriate authentication and data-privacy elements are built into those processes. In addition, our transaction-support teams can work with businesses to assess the potential value associated with cybersecurity-related mergers, joint ventures, and acquisitions.

Featured experts

James Kaplan

Partner, New York