Cybersecurity

Establishing cyber resiliency and implementing a cybersecurity strategy aligned with the organization’s priorities

Cybersecurity is not just about managing risk; it’s also a strategic issue that shapes product capability, organizational effectiveness, and customer relationships. However, many businesses find it challenging to conduct the kind of transformation that embeds security considerations into all business products and processes while maintaining the pace of innovation.

We bring the full power of our firm, leveraging both industry and functional expertise, to help clients define a comprehensive cyber strategy (covering risk, business, and cultural dimensions), “de-risk” their digitization efforts, and establish a secure enterprise. We leverage our partnerships with industry-leading cybersecurity technology providers, proprietary assessments, in-depth training exercises, and organizational transformation efforts to address our clients’ most pressing cybersecurity issues, whether that’s securing a major cloud transformation, protecting operational technology, establishing appropriate cyber capabilities, or managing the implications of a public crisis.

We know your business, which is why we are uniquely positioned to find the right strategy, convene leadership around a common goal, communicate a clear plan to boards and stakeholders, and set up the organization to be prepared for the challenges of tomorrow.

What we do

Assessing risk and resilience

Our holistic, risk-based approach to cybersecurity bases the transformation on the clients’ existing capabilities and provides the current risk information and reporting that executives need to prioritize threats and devise effective controls. By identifying where the business creates value and analyzing threats, our experts help design necessary cyber programs, determine the allocation of funds, and inform board discussions on cyber risk strategy.

Securing the digital transformation

We leverage our deep understanding of the technology landscape to help companies implement security strategies and establish digital resilience. We work to de-risk enterprise platforms, extract value from existing investments, secure value chains, and embed “security by design” into new products and businesses.

Establishing crisis response and preparedness

We help organizations minimize the business impact of cyberattacks by enabling a faster and more coordinated response, improving regulatory and public perception, and building the capabilities of senior executives. We work with clients to diagnose their preparedness, engage leadership in crisis response trainings, and create a crisis playbook and “nerve center” that establishes governance and responsibilities.

Building long-term cyber capabilities

We work with clients to transform the culture and embed cyber capabilities into every aspect of the business. Our team of experts helps redesign operating models, adopt agile approaches, set up attribute-driven assessments, and attract and retain the right talent.

Examples of our work

Uncovering weaknesses in a global bank’s cybersecurity approach

The McKinsey team conducted interviews with roles across the organization; reviewed policies, procedures and other technical documents; and created 60 technical validation test plans to optimize testing efficiency.

Based on the results, we were able to identify 80+ capability and strategy gaps that the bank used to create a road map for a complete cyber transformation.

Helping an oil and gas company with its cybersecurity maturity transformation

We supported a Latin American oil and gas client’s cybersecurity maturity journey across its operational technology (OT) and information technology (IT), defining the company’s value chain, establishing a process to identify the assets most in need of protection, and analyzing controls and costs.

An eight-week assessment produced a holistic transformation program focused on the greatest potential for risk reduction, which the company pursued to greatly advance its cybersecurity maturity.

Establishing cloud security for a major pharma company

We worked with a top five pharmaceutical company to secure its cloud adoption and centrally manage the associated risks.

The McKinsey team assessed the client’s cloud-security abilities, designed a multicloud architecture, and developed a cloud security operating model. By creating a cloud security framework and road map, we helped the pharmaceutical company transform its way of working and adopt an architectural vision for a multicloud future.

Responding to a tech company’s cyber crisis

When a technology services company was struck by a cyberattack, the incident left many customers without service and unearthed a number of critical security gaps across the organization. We worked with the client to develop an approach for customer outreach and coordination, designed and executed a rapid remediation program, and built a governance model for long-term cybersecurity.

The tech client was able to take a crisis that threatened to destabilize the organization and use the experience to make the company more agile and resilient.

Featured experts

Venky Anant
Partner, Bay Area
Helps leading high-tech institutions solve their most challenging strategic, digital infrastructure, and security problems

Tucker Bailey
Partner, Washington DC
As a leader in cybersecurity, digital, and advanced analytics, empowers senior leaders in governments, public-sector organizations,...

Ida Kristensen
Senior Partner, New York
Coleads the Risk & Resilience Practice; advises leading financial institutions on cybersecurity, strategies for risk management,...

Jim Boehm
Partner, Washington DC
Technology risk expert with a deep spike in enterprise cybersecurity, serving mainly financial services institutions

Jan Shelly Brown
Partner, New Jersey
Helps financial institutions modernize technology to unlock significant cost savings and speed to market while enhancing risk...

Justin Greis
Partner, Chicago
Designs, builds, and activates secure and trusted digital transformations to help organizations accelerate their mission and protect...

Rich Isenberg
Partner, Atlanta
Leads enterprise-wide cybersecurity strategy and operations, with a keen focus on risk management and digital transformation

James Kaplan
Partner, New York
Helps organizations transform their technology, infrastructure, and cybersecurity for lasting impact

Mahir Nayfeh
Partner, Abu Dhabi
Leverages extensive experience implementing advanced analytics, digital, and cybersecurity transformations to advise private and...

Marc Sorel
Partner, Boston
Advises private, public, and not-for-profit clients on technology, digital transformation, and cybersecurity topics

David Ware
Partner, Washington DC
Supports digital and analytics transformations in the defense sector, and brings cybersecurity expertise to both private and public...

Featured Video

Making Cyber Risk a Strategic Priority

Hear from McKinsey cyber experts about taking a risk-based approach to cybersecurity, and the business value behind it.

Featured Insights

Commentary

How to enhance the cybersecurity of operational technology environments

– Cyberattacks on operational technology systems have been on the rise since the start of the COVID-19 pandemic. Their huge impact on industrial operations means that organizations must find answers—quickly.
Interview

Managing a cyber risk event: ‘Be a student of a crisis’

– Julia Houston, chief strategy and marketing officer at Equifax Inc., explains how the credit bureau managed one of the biggest data breaches in history, her learnings, and how cybersecurity is rapidly changing.
Interview

Resiliency and leadership in uncertain times: An interview with Splunk’s CEO

– Splunk CEO Gary Steele explains how digitization is elevating the topic of resilience to the boardroom and shares his thoughts on successful CEO transitions.
Article

New survey reveals $2 trillion market opportunity for cybersecurity technology and service providers

– Cyberattacks are proliferating, causing trillions of dollars of damage every year. The cybersecurity industry has a chance to step up and seize the opportunity.
Interview

Building a cybersecurity culture from within: An interview with MongoDB

– MongoDB’s security champions program leadership team discusses how cybersecurity training can create a company-wide culture that prioritizes security and encourages employees to get involved.
Article

Perspectives on model risk management of cybersecurity solutions in banking

– The sooner banks start their journey and establish an effective approach to model risk management of cybersecurity solutions, the quicker they will be able to manage risk and establish controls.
Article

Localization of data privacy regulations creates competitive opportunities

– Around the world, new regulations are promoting data localization. To comply, companies must be agile in their investments, but those that get it right could increase their revenues and market share.
Article

Securing your organization by recruiting, hiring, and retaining cybersecurity talent to reduce cyberrisk

– Shed the conventional methods. Talent-to-value protection defines the most important cybersecurity roles that demonstrate the greatest reduction in risk for the enterprise.
Article

Cybersecurity legislation: Preparing for increased reporting and transparency

– To get ready for compliance with new US regulations, companies can segment their preparation into stages and take both short- and long-term actions to increase preparedness.
Article

Cybersecurity trends: Looking over the horizon

– McKinsey examines three of the latest cybersecurity trends and their implications for organizations facing new and emerging cyberrisks and threats.
Article

Ransomware prevention: How organizations can fight back

– Ransomware has rapidly become one of the top cybersecurity nightmares. Strategies for prevention, preparation, response, and recovery can help.
Article

The unsolved opportunities for cybersecurity providers

– With sophisticated cyberthreats on the rise, organizations must continue evolving by using novel strategies and technology. For cybersecurity providers, the challenges and opportunities are numerous.
Podcast

Cyber resilience: Protecting America’s digital infrastructure

– Faced with rising cyberthreats, government and the private sector will need to improve their digital hygiene while also preparing for the next wave of cyber adversaries.
Podcast

Cyber Resilience

– McKinsey's Tucker Bailey joins former congressman, Will Hurd, for a discussion about the imperative of cyber resilience in government, how the private sector can play a role and the cybersecurity skills gap in both the public and private sectors.
Article

Organizational cyber maturity: A survey of industries

– Ours is proving to be the century of cyber insecurity, yet few organizations have made sufficient progress in protecting information assets.
Article

Security as code: The best (and maybe only) path to securing cloud applications and systems

– Managing security as code enables companies to create value in the cloud securely.
Article

Building cyber resilience in national critical infrastructure

– Recent cyberattacks focus attention on the vulnerabilities of operations technology to web-based threats.
Article

Enterprise cybersecurity: Aligning third parties and supply chains

– In today’s riskier, more connected environment, organizations must collaborate closely with external partners to reduce vulnerabilities to cyberattackers.
Article

Cybersecurity in Iberia: Aligning business and the board

– Keeping cyber teams in silos puts companies at risk. Boards can best prepare for an increasingly digital future with these cross-functional strategies.
Article

Securing small and medium-size enterprises: What’s next?

– Small and medium-size enterprises are becoming an increasingly attractive segment for cybersecurity-technology and -solution providers.
Article

Strengthening the IT security posture in corporates and industrials

– Organizations must decide which information-security risks they willingly accept and where to invest to stay in balance.
Article

The Latin American energy sector: How to address cybersecurity

– Electric-power and gas companies are vulnerable to cyberattacks, but a structured approach that applies communication, organizational, and process frameworks can reduce cyber-related risks.
Article

Derisking digital and analytics transformations

– While the benefits of digitization and advanced analytics are well documented, the risk challenges often remain hidden.
Article

Cybersecurity: Emerging challenges and solutions for the boards of financial-services companies

– Mature boards are making themselves valuable partners for management in the effort to make firms more resilient.
Article

How CIOs and CTOs can accelerate digital transformations through cloud platforms

– To capture the real value from cloud, companies need to focus their investments and build a cloud-ready operating model.
Article - McKinsey Quarterly

Three actions CEOs can take to get value from cloud computing

– Leaders need to accelerate their journey to the cloud in order to digitize quickly and effectively in the wake of COVID-19.
Article

COVID-19 crisis shifts cybersecurity priorities and budgets

– Cybersecurity technology and service providers are shifting priorities to support current needs: business continuity, remote work, and planning for transition to the next normal.
Article

A dual cybersecurity mindset for the next normal

– As companies extend commitments to remote workforces, cybersecurity teams need to address new risks while helping create business value in the next normal.
Article

Safeguarding against cyberattack in an increasingly digital world

– There are actions businesses can take to safeguard their organizations from the growing risk of cyberattack.
Article

Building security into the customer experience

– Companies need to secure their digital channels against malicious attackers—without creating a negative experience for their customers.
Collection

Cybersecurity in a digital era

Even before the advent of a global pandemic, executive teams faced a challenging and dynamic environment as they sought to protect their institutions from cyberattack, without degrading their ability to innovate and extract value from technology investments.

Over the past year, we’ve sought to publish cybersecurity articles in various areas that will help senior executives consider their options and make pragmatic decisions about how to move forward in making the right tradeoffs in managing technology risks.

Article

Agile, reliable, secure, compliant IT: Fulfilling the promise of DevSecOps

– By integrating security into DevOps, companies can step up the speed and frequency of software releases without compromising controls or increasing risk.
Article

The consumer-data opportunity and the privacy imperative

– As consumers become more careful about sharing data, and regulators step up privacy requirements, leading companies are learning that data protection and privacy can create a business advantage.
Article

Cybersecurity tactics for the coronavirus pandemic

– The pandemic has made it harder for companies to maintain security and business continuity. But new tactics can help cybersecurity leaders to safeguard their organizations.
Article

Cybersecurity’s dual mission during the coronavirus crisis

– Chief information-security officers must balance two priorities to respond to the pandemic: protecting against new cyberthreats and maintaining business continuity. Four strategic principles can help.
Report

The cybersecurity posture of financial-services companies: IIF/McKinsey Cyber Resilience Survey

– Cyberrisk has become one of the top risk concerns among financial-services firms, and new research from the Institute of International Finance (IIF) and McKinsey can help provide an understanding of ways firms can enable and strengthen cyber resilience.
Interview

Protecting the business: Views from the CIO’s and CISO’s offices

– At JPMorgan Chase, CISOs and CIOs work together to align cybersecurity with business goals.
Article

Enhanced cyberrisk reporting: Opening doors to risk-based cybersecurity

– New cyberrisk management information systems provide executives with the risk transparency they need to transform organizational cyberresilience.
Article

The risk-based approach to cybersecurity

– The most sophisticated institutions are moving from a “maturity based” to a “risk based” approach for managing cyberrisk. Here is how they are doing it.
Article

Financial crime and fraud in the age of cybersecurity

– As cybersecurity threats compound the risks of financial crime and fraud, institutions are crossing functional boundaries to enable collaborative resistance.
Article

Securing software as a service

– Here is how SaaS providers can meet the security needs of their enterprise customers.
Article

Cybersecurity: Linchpin of the digital enterprise

– As companies digitize businesses and automate operations, cyberrisks proliferate; here is how the cybersecurity organization can support a secure digital agenda.
Article

Critical infrastructure companies and the global cybersecurity threat

– How the energy, mining, and materials industries can meet the unique challenges of protecting themselves in a digital world.
Collection

Perspectives on transforming cybersecurity

– Our experience working to protect some of the world’s largest and most sophisticated companies, and our proprietary research, have revealed three broad mandates that can help organizations transform their cybersecurity efforts.
Podcast

Defense of the cyberrealm: How organizations can thwart cyberattacks

– Governments and companies have much work to do to protect people, institutions, and even entire cities and countries from potentially devastating large-scale cyberattacks.
Article

Critical resilience: Adapting infrastructure to repel cyberthreats

– As the digital world becomes increasingly connected, it is no longer possible for infrastructure owners and operators to remain agnostic in the face of evolving cyberthreats. Here’s what they can do to build an integrated cyberdefense.
Article

Cyber risk measurement and the holistic cybersecurity approach

– Comprehensive dashboards can accurately identify, size, and prioritize cyberthreats for treatment. Here is how to build them.
Article

Cybersecurity and the risk function

– Are your information technology, cybersecurity, and risk professionals working together as a championship team to neutralize cyberthreats and protect business value?
Article

Insider threat: The human element of cyberrisk

– Cyber programs often miss the significant portion of risk generated by employees, and current tools are blunt instruments. A new method can yield better results.

Related Insights

Critical infrastructure protection more vital than ever, though organizations still lack an understanding of its importance

As interconnected critical infrastructure networks crisscross national borders and global supply chains, becoming increasingly complex while turning into distributed, large-scale cyber-physical systems.

4 steps to tackling ransomware

It happens all too often: a hacker breaks into a company’s cyber systems, threatening chaos. Or they get access to confidential information prior to a merger. Then follows the message: pay up — or else.

Security-as-Code Gains More Support, but Still Nascent

Google and other firms are adding security configuration to software so cloud applications and services have well-defined security settings — a key component of DevSecOps.

The Wall Street Journal: Hackers May Be Coming for Your City’s Water Supply

More digitized and connected than ever, the nation’s infrastructure is vulnerable to cyberattack.

CSO Magazine: 6 new ways threat actors will attack in 2021

Cyber criminals will leverage improved capabilities and vulnerabilities introduced during the COVID crisis to improve the efficiency of their attacks.

POWER Magazine: The Energy-Sector Threat: How to Address Cybersecurity Vulnerabilities

Electric-power and gas companies are especially vulnerable to cyberattacks, but a structured approach that applies communication, organizational and process frameworks can significantly reduce cyber-related attacks.

CSO Magazine: 7 things to look for in a security awareness training provider

Not all cybersecurity awareness training vendors are the same or are right for your organization. Here’s how to find the best match.