Digital networks and assets are more valuable and prolific than ever—and threats to digital ecosystems are multiplying. Senior leaders, boards, and investors increasingly see cybersecurity as a strategic business issue with enormous financial, reputational, and regulatory implications.
We believe cybersecurity should be an enabler of, rather than a barrier to, capturing and extending value in the digital economy. Our experienced, highly skilled experts help organizations measure their digital resilience, identify and prioritize critical assets for protection and investment, build leadership capabilities to neutralize threats, and make cybersecurity build-or-buy decisions.

What we do

Digital-security transformation

We help transform security programs to enable and derisk digital-business strategies.

Crisis preparedness and response

We help build capabilities to prepare for and respond to cybersecurity incidents and breaches across business functions, geographies, and vendor ecosystems.

Navigation of cybersecurity markets

We help those who create, scale, and trade on cybersecurity capabilities create value in competitive markets.

Examples of our work

Transforming effectiveness of cyber controls

A leading North American financial-services organization wanted to understand how its technical security architecture and capabilities compared against best-practice controls used among cross-industry security leaders. We conducted an analytic assessment of control effectiveness across the bank’s full technology landscape to identify 90-plus areas that warranted deeper analysis. We then worked with a deeply technical external partner to create and execute hands-on validation tests for each area that was considered a potential risk to the bank. The results uncovered vulnerabilities and many previously unreported insights about the effectiveness of cyber controls throughout the institution’s technology landscape.

Embedding cybersecurity in agile capabilities

Following a cyber breach, we helped a Latin American bank’s digital transformation get back on track by rapidly training each of its agile squads in hands-on secure software development and delivery. We worked with a technical training partner to quickly provide quality assurance to existing code and halt the introduction of new vulnerabilities into the bank’s technology. With the bank’s digital transformation team, we helped restore confidence in the agile process and embedded new secure ways of working in the bank’s software development and deployment operating model.

Transforming security operating model

To address shortcomings identified in both the security of external products and the effectiveness of its internal security function, we helped a European enterprise software company modernize its strategy and transform its security operating model across all business units. We worked with leaders across the organization to analyze current cyber working models, design a new service catalog and delivery processes, and define a multiyear transformation plan. Alongside the organization’s digital transformation team, our experts helped design and implement several high-impact initiatives like security product rationalization and automation of security processes.

Building cybersecurity for future resilience

After a series of successful cyberattacks against key operational technology assets, we helped a Southeast Asian oil and gas company assess its cybersecurity gaps, build internal capabilities, roll out appropriate safeguards, and establish a corporate cybersecurity program spanning both the information technology and operational technology environments. We worked alongside its experts to design and build advanced cybersecurity solutions, establish a cybersecurity team of 20-plus full-time-equivalent employees, and shift the organization’s culture to one of cybersecurity safety across risk, technology, and operations.

Transforming cybersecurity program

As a part of a digital transformation, we helped the new chief information security officer and digital leaders of a Latin American oil and gas company develop a holistic cybersecurity program. Using our Digital Resilience Assessment, we created a baseline and benchmarked cybersecurity maturity, and then we conducted a rapid Cyber Risk Insights assessment to identify critical assets, understand information and operations controls, and measure residual digital risk exposure across the value chain. To assist with implementation, we partnered with leadership to design key initiatives and to build capabilities within the team.

Creating business case to enter cybersecurity market

Faced with competitive threats across its product portfolio, a global cybersecurity product and service organization wanted to develop a business case for a new end-to-end platform in a lucrative and fast-growing segment of the cybersecurity market. Working in short sprints, we codeveloped a novel and strategic approach across functions to build a next-generation solution. As the product transitions from ideation to development, we remain a sounding board and market advisor, bringing our outside-in perspective to threats, competitors, enhancements, and go-to-market opportunities.

Preparing for major cyber events

In the wake of a suspected cyber event, a North American healthcare organization realized it needed to formalize management-level escalation processes to better prepare executives for major events. We helped it develop a set of criteria for classifying incidents as well as a set of policies for escalation and notification. Then, we worked with a cross-functional team to construct a realistic simulation of a major cyber event. After running the simulation, the organization developed a cyber-communication strategy, identified several initiatives for crisis preparedness, and put protocols in place to better handle future cyber events.

Featured capabilities

  • Digital Resilience Assessment. We measure and benchmark company and business-unit cybersecurity maturity against industry peers using a seven-part digital-resilience framework that maps to industries’ security standards (for example, National Institute of Standards and Technology and Cybersecurity Capability Maturity Model standards). Based on this analysis, we help organizations create road maps of initiatives to mature cybersecurity capabilities.
  • Cyber Risk Insights. We map critical business processes and identify the most important embedded information assets to determine potential sources of business impact. Then we rightsize the cybersecurity-control environment to mitigate business risk. This helps leaders visualize cybersecurity risk across their enterprises and focus on protecting what matters most.
  • Cyber Risk Dashboard. Our dashboard helps cyber leaders manage and communicate cyber risks across the organization by visualizing an enterprise cyber risk model in terms of the enterprise’s risk management framework. It features real-time reporting of key risk indicators, key performance indicators, and other sources of insight that are tailored to help executive leadership make decisions.
  • Cyber Market Map. Our cybersecurity market maps identify powerful trends in the cybersecurity market. With these insights into consumer perspectives on cyber products and service-market dynamics, leaders can spot opportunities to create and optimize value.
  • Illumin8. Our tool delivers credible, actionable insights about potential and current compromises using automated, artificial-intelligence-driven network-flow analysis. With reports delivered in plain language, it provides C-suite stakeholders with immediate understanding and recommendations for findings, implications, and potential remediation steps.

Featured Video

Making Cyber Risk a Strategic Priority

Hear from McKinsey cyber experts about taking a risk-based approach to cybersecurity, and the business value behind it.

Featured Insights


Enterprise cybersecurity: Aligning third parties and supply chains

– In today’s riskier, more connected environment, organizations must collaborate closely with external partners to reduce vulnerabilities to cyberattackers.

Derisking digital and analytics transformations

– While the benefits of digitization and advanced analytics are well documented, the risk challenges often remain hidden.

Cyber resilience: Protecting America’s digital infrastructure

– Faced with rising cyberthreats, government and the private sector will need to improve their digital hygiene while also preparing for the next wave of cyber adversaries.

Cyber Resilience

– McKinsey's Tucker Bailey joins former congressman Will Hurd for a discussion about the imperative of cyber resilience in government, how the private sector can play a role, and the cybersecurity skills gap in both the public and private sectors.

Organizational cyber maturity: A survey of industries

– Ours is proving to be the century of cyber insecurity, yet few organizations have made sufficient progress in protecting information assets.

Securing small and medium-size enterprises: What’s next?

– Small and medium-size enterprises are becoming an increasingly attractive segment for cybersecurity-technology and -solution providers.

Strengthening the IT security posture in corporates and industrials

– Organizations must decide which information-security risks they willingly accept and where to invest to stay in balance.

The Latin American energy sector: How to address cybersecurity

– Electric-power and gas companies are vulnerable to cyberattacks, but a structured approach that applies communication, organizational, and process frameworks can reduce cyber-related risks.

Cybersecurity: Emerging challenges and solutions for the boards of financial-services companies

– Mature boards are making themselves valuable partners for management in the effort to make firms more resilient.

How CIOs and CTOs can accelerate digital transformations through cloud platforms

– To capture the real value from cloud, companies need to focus their investments and build a cloud-ready operating model.
Article - McKinsey Quarterly

Three actions CEOs can take to get value from cloud computing

– Leaders need to accelerate their journey to the cloud in order to digitize quickly and effectively in the wake of COVID-19.

COVID-19 crisis shifts cybersecurity priorities and budgets

– Cybersecurity technology and service providers are shifting priorities to support current needs: business continuity, remote work, and planning for transition to the next normal.

A dual cybersecurity mindset for the next normal

– As companies extend commitments to remote workforces, cybersecurity teams need to address new risks while helping create business value in the next normal.

Safeguarding against cyberattack in an increasingly digital world

– There are actions businesses can take to safeguard their organizations from the growing risk of cyberattack.

Building security into the customer experience

– Companies need to secure their digital channels against malicious attackers—without creating a negative experience for their customers.

Cybersecurity in a digital era

Even before the advent of a global pandemic, executive teams faced a challenging and dynamic environment as they sought to protect their institutions from cyberattack, without degrading their ability to innovate and extract value from technology investments.

Over the past year, we’ve sought to publish cybersecurity articles in various areas that will help senior executives consider their options and make pragmatic decisions about how to move forward in making the right tradeoffs in managing technology risks.


Agile, reliable, secure, compliant IT: Fulfilling the promise of DevSecOps

– By integrating security into DevOps, companies can step up the speed and frequency of software releases without compromising controls or increasing risk.

The consumer-data opportunity and the privacy imperative

– As consumers become more careful about sharing data, and regulators step up privacy requirements, leading companies are learning that data protection and privacy can create a business advantage.

Cybersecurity tactics for the coronavirus pandemic

– The pandemic has made it harder for companies to maintain security and business continuity. But new tactics can help cybersecurity leaders to safeguard their organizations.

Cybersecurity’s dual mission during the coronavirus crisis

– Chief information-security officers must balance two priorities to respond to the pandemic: protecting against new cyberthreats and maintaining business continuity. Four strategic principles can help.

The cybersecurity posture of financial-services companies: IIF/McKinsey Cyber Resilience Survey

– Cyberrisk has become one of the top risk concerns among financial-services firms, and new research from the Institute of International Finance (IIF) and McKinsey can help provide an understanding of ways firms can enable and strengthen cyber resilience.

Protecting the business: Views from the CIO’s and CISO’s offices

– At JPMorgan Chase, CISOs and CIOs work together to align cybersecurity with business goals.

Enhanced cyberrisk reporting: Opening doors to risk-based cybersecurity

– New cyberrisk management information systems provide executives with the risk transparency they need to transform organizational cyberresilience.

The risk-based approach to cybersecurity

– The most sophisticated institutions are moving from a “maturity based” to a “risk based” approach for managing cyberrisk. Here is how they are doing it.

Financial crime and fraud in the age of cybersecurity

– As cybersecurity threats compound the risks of financial crime and fraud, institutions are crossing functional boundaries to enable collaborative resistance.

Securing software as a service

– Here is how SaaS providers can meet the security needs of their enterprise customers.

Cybersecurity: Linchpin of the digital enterprise

– As companies digitize businesses and automate operations, cyberrisks proliferate; here is how the cybersecurity organization can support a secure digital agenda.

Critical infrastructure companies and the global cybersecurity threat

– How the energy, mining, and materials industries can meet the unique challenges of protecting themselves in a digital world.

Perspectives on transforming cybersecurity

– Our experience working to protect some of the world’s largest and most sophisticated companies, and our proprietary research, have revealed three broad mandates that can help organizations transform their cybersecurity efforts.

Defense of the cyberrealm: How organizations can thwart cyberattacks

– Governments and companies have much work to do to protect people, institutions, and even entire cities and countries from potentially devastating large-scale cyberattacks.

Critical resilience: Adapting infrastructure to repel cyberthreats

– As the digital world becomes increasingly connected, it is no longer possible for infrastructure owners and operators to remain agnostic in the face of evolving cyberthreats. Here’s what they can do to build an integrated cyberdefense.

Cyber risk measurement and the holistic cybersecurity approach

– Comprehensive dashboards can accurately identify, size, and prioritize cyberthreats for treatment. Here is how to build them.

Cybersecurity and the risk function

– Are your information technology, cybersecurity, and risk professionals working together as a championship team to neutralize cyberthreats and protect business value?

Insider threat: The human element of cyberrisk

– Cyber programs often miss the significant portion of risk generated by employees, and current tools are blunt instruments. A new method can yield better results.
Interactive - McKinsey Quarterly

Five Fifty: Unprotected

– Your air conditioning system. Your factory widgets. Even the fish tank thermometer. Every IoT sensor is a potential target for hackers.

Related Insights

The Wall Street Journal: Hackers May Be Coming for Your City’s Water Supply

More digitized and connected than ever, the nation’s infrastructure is vulnerable to cyberattack.

CSO Magazine: 6 new ways threat actors will attack in 2021

Cyber criminals will leverage improved capabilities and vulnerabilities introduced during the COVID crisis to improve the efficiency of their attacks.

POWER Magazine: The Energy-Sector Threat: How to Address Cybersecurity Vulnerabilities

Electric-power and gas companies are especially vulnerable to cyberattacks, but a structured approach that applies communication, organizational and process frameworks can significantly reduce cyber-related attacks.

CSO Magazine: 7 things to look for in a security awareness training provider

Not all cybersecurity awareness training vendors are the same or are right for your organization. Here’s how to find the best match.