Skip to main content
Cybersecurity
Digital networks and assets are more valuable and prolific than ever—and threats to digital ecosystems are multiplying. Senior leaders, boards, and investors increasingly see cybersecurity as a strategic business issue with enormous financial, reputational, and regulatory implications.
We believe cybersecurity should be an enabler of, rather than a barrier to, capturing and extending value in the digital economy. Our experienced, highly skilled experts help organizations measure their digital resilience, identify and prioritize critical assets for protection and investment, build leadership capabilities to neutralize threats, and make cybersecurity build-or-buy decisions.

What we do

Digital-security transformation

We help transform security programs to enable and derisk digital-business strategies.

Crisis preparedness and response

We help build capabilities to prepare for and respond to cybersecurity incidents and breaches across business functions, geographies, and vendor ecosystems.

Navigation of cybersecurity markets

We help those who create, scale, and trade on cybersecurity capabilities create value in competitive markets.

Examples of our work

Transforming effectiveness of cyber controls

A leading North America financial service organization wanted to understand how its technical security architecture and capabilities compared against best-practice controls used among cross-industry security leaders. We conducted an analytic assessment of control effectiveness across the bank’s full technology landscape to identify 90-plus areas that warranted deeper analysis. We then worked with a deeply technical external partner to create and execute hands-on validation tests for each area that was considered a potential risk to the bank. The results uncovered vulnerabilities and many previously unreported insights about the effectiveness of cyber controls throughout the institution’s technology landscape.

Embedding cybersecurity in agile capabilities

Following a cyber breach, we helped a Latin American bank’s digital transformation get back on track by rapidly training each of its agile squads in hands-on secure software development and delivery. We worked with a technical training partner to quickly provide quality assurance to existing code and halt the introduction of new vulnerabilities into the bank’s technology. With the bank’s digital transformation team, we helped restore confidence in the agile process and embedded new secure ways of working in the bank’s software development and deployment operating model.

Transforming security operating model

To address shortcomings identified in both the security of external products and the effectiveness of its internal security function, we helped a European enterprise software company modernize its strategy and transform its security operating model across all business units. We worked with leaders across the organization to analyze current cyber working models, design a new service catalog and delivery processes, and define a multiyear transformation plan. Alongside the organization’s digital transformation team, our experts helped design and implement several high-impact initiatives like security product rationalization and automation of security processes.

Building cyber security for future resilience

After a series of successful cyberattacks against key operational technology assets, we helped a Southeast Asian oil and gas company assess its cybersecurity gaps, build internal capabilities, roll out appropriate safeguards, and establish a corporate cybersecurity program spanning both the information technology and operational technology environments. We worked alongside its experts to design and build advanced cybersecurity solutions, establish a cybersecurity team of 20-plus full-time-equivalent employees, and shift the organization’s culture to one of cybersecurity safety across risk, technology, and operations.

Transforming cybersecurity program

As a part of a digital transformation, we helped the new chief information security officer and digital leaders of a Latin American oil and gas company develop a holistic cybersecurity program. Using our Digital Resilience Assessment, we created a baseline and benchmarked cybersecurity maturity, and then we conducted a rapid Cyber Risk Insights assessment to identify critical assets, understand information and operations controls, and measure residual digital risk exposure across the value chain. To assist with implementation, we partnered with leadership to design key initiatives and to build capabilities within the team.

Creating business case to enter cybersecurity market

Faced with competitive threats across its product portfolio, a global cybersecurity product and service organization wanted to develop a business case for a new end-to-end platform in a lucrative and fast-growing segment of the cybersecurity market. Working in short sprints, we codeveloped a novel and strategic approach across functions to build a next-generation solution. As the product transitions from ideation to development, we remain a sounding board and market advisor, bringing our outside-in perspective to threats, competitors, enhancements, and go-to-market opportunities.

Preparing for major cyber events

In the wake of a suspected cyber event, a North American healthcare organization realized it needed to formalize management-level escalation processes to better prepare executives for major events. We helped it develop a set of criteria for classifying incidents as well as a set of policies for escalation and notification. Then, we worked with a cross-functional team to construct a realistic simulation of a major cyber event. After running the simulation, the organization developed a cyber-communication strategy, identified several initiatives for crisis preparedness, and put protocols in place to better handle future cyber events.

Featured capabilities

  • Digital Resilience Assessment. We measure and benchmark company and business-unit cybersecurity maturity against industry peers using a seven-part digital-resilience framework that maps to industries’ security standards (for example, National Institute of Standards and Technology and Cybersecurity Capability Maturity Model standards). Based on this analysis, we help organizations create road maps of initiatives to mature cybersecurity capabilities.
  • Cyber Risk Insights. We map critical business processes and identify the most important embedded information assets to determine potential sources of business impact. Then we rightsize the cybersecurity-control environment to mitigate business risk. This helps leaders visualize cybersecurity risk across their enterprises and focus on protecting what matters most.
  • Cyber Risk Dashboard. Our dashboard helps cyber leaders manage and communicate cyber risks across the organization by visualizing an enterprise cyber risk model in terms of the enterprise’s risk management framework. It features real-time reporting of key risk indicators, key performance indicators, and other sources of insight that are tailored to help executive leadership make decisions.
  • Cyber Market Map. Our cybersecurity market maps identify powerful trends in the cybersecurity market. With these insights into consumer perspectives on cyber products and service-market dynamics, leaders can spot opportunities to create and optimize value.
  • Illumin8. Our tool delivers credible, actionable insights about potential and current compromises using automated, artificial-intelligence-driven network-flow analysis. With reports delivered in plain language, it provides C-suite stakeholders with immediate understanding and recommendations for findings, implications, and potential remediation steps.

Featured Video

Making Cyber Risk a Strategic Priority

Hear from McKinsey cyber experts about taking a risk-based approach to cybersecurity, and the business value behind it.

Featured Insights

Article

Building security into the customer experience

– Companies need to secure their digital channels against malicious attackers—without creating a negative experience for their customers.
Collection

Cybersecurity in a digital era

Even before the advent of a global pandemic, executive teams faced a challenging and dynamic environment as they sought to protect their institutions from cyberattack, without degrading their ability to innovate and extract value from technology investments.

Over the past year, we’ve sought to publish cybersecurity articles in various areas that will help senior executives consider their options and make pragmatic decisions about how to move forward in making the right tradeoffs in managing technology risks.

Article

Cybersecurity tactics for the coronavirus pandemic

– The pandemic has made it harder for companies to maintain security and business continuity. But new tactics can help cybersecurity... leaders to safeguard their organizations.
Article

Cybersecurity’s dual mission during the coronavirus crisis

– Chief information-security officers must balance two priorities to respond to the pandemic: protecting against new cyberthreats... and maintaining business continuity. Four strategic principles can help.
Report

The cybersecurity posture of financial-services companies: IIF/McKinsey Cyber Resilience Survey

– Cyberrisk has become one of the top risk concerns among financial-services firms, and new research from the Institute of International... Finance (IIF) and McKinsey can help provide an understanding of ways firms can enable and strengthen cyber resilience.
Interview

Protecting the business: Views from the CIO’s and CISO’s offices

– At JPMorgan Chase, CISOs and CIOs work together to align cybersecurity with business goals.
Article

Enhanced cyberrisk reporting: Opening doors to risk-based cybersecurity

– New cyberrisk management information systems provide executives with the risk transparency they need to transform organizational... cyberresilience.
Article

The risk-based approach to cybersecurity

– The most sophisticated institutions are moving from a “maturity based” to a “risk based” approach for managing cyberrisk. Here... is how they are doing it.
Article

Financial crime and fraud in the age of cybersecurity

– As cybersecurity threats compound the risks of financial crime and fraud, institutions are crossing functional boundaries to... enable collaborative resistance.
Article

Securing software as a service

– Here is how SaaS providers can meet the security needs of their enterprise customers.
Article

Cybersecurity: Linchpin of the digital enterprise

– As companies digitize businesses and automate operations, cyberrisks proliferate; here is how the cybersecurity organization can... support a secure digital agenda.
Article

Critical infrastructure companies and the global cybersecurity threat

– How the energy, mining, and materials industries can meet the unique challenges of protecting themselves in a digital world.
Collection

Perspectives on transforming cybersecurity

– Our experience working to protect some of the world’s largest and most sophisticated companies, and our proprietary research,... have revealed three broad mandates that can help organizations transform their cybersecurity efforts.
Podcast

Defense of the cyberrealm: How organizations can thwart cyberattacks

– Governments and companies have much work to do to protect people, institutions, and even entire cities and countries from potentially... devastating large-scale cyberattacks.
Article

Critical resilience: Adapting infrastructure to repel cyberthreats

– As the digital world becomes increasingly connected, it is no longer possible for infrastructure owners and operators to remain... agnostic in the face of evolving cyberthreats. Here’s what they can do to build an integrated cyberdefense.
Article

Cyber risk measurement and the holistic cybersecurity approach

– Comprehensive dashboards can accurately identify, size, and prioritize cyberthreats for treatment. Here is how to build them.
Article

Cybersecurity and the risk function

– Are your information technology, cybersecurity, and risk professionals working together as a championship team to neutralize cyberthreats... and protect business value?
Article

Insider threat: The human element of cyberrisk

– Cyber programs often miss the significant portion of risk generated by employees, and current tools are blunt instruments. A new... method can yield better results.
Interactive - McKinsey Quarterly

Five Fifty: Unprotected

– Your air conditioning system. Your factory widgets. Even the fish tank thermometer. Every IoT sensor is a potential target for... hackers.