At the core of your cybersecurity strategy: Knowing your capabilities

This is the second of two excerpts from The Cyber Risk Handbook, published this month by Wiley with a contribution by McKinsey partners.

by James Kaplan and Jim Boehm

Organizations can measure cybersecurity performance only in the context of a cybersecurity strategy that tightly connects with an organization’s overall business strategy. Otherwise, they will stumble into one or more pitfalls. At its core an effective cybersecurity strategy has four components: a business risk assessment, an enabling set of capabilities, a target state to get to, and a portfolio of initiatives. Here we discuss in more detail cybersecurity capabilities.

Once an organization understands its risks, it can start to determine what types of capabilities it needs to build to protect itself. Naturally, there are many frameworks organizations can select from. We like organizations to think about how far they can progress by putting in place the seven hallmarks of digital resilience that we developed in conjunction with the World Economic Forum:

  • Prioritize information assets based on business risks. Most organizations lack insight into what information assets need protecting and which are the highest priority. Cybersecurity teams must work with business leaders to understand business risks across the entire value chain and then prioritize the underlying information assets accordingly.
  • Differentiate protection based on the importance of assets. Few organizations have any systematic way of aligning the level of protection they give to information assets with the importance of those assets to the business. Putting in place differentiated controls such as encryption or multifactor authentication ensures that organizations are directing the most appropriate resources to protecting the information assets that matter most.
  • Integrate cybersecurity into enterprise-wide risk management and governance processes. Cybersecurity is an enterprise risk and must be managed as such. The possibilities of a cyber attack must be integrated with other risk analyses and presented in relevant management and board discussions. Moreover, the implications of digital resilience should be integrated into the broad set of governance functions such as human resources, vendor management, and compliance.
  • Enlist frontline personnel to protect the information assets they use. Users are often the biggest vulnerability an organization has—they click on links they should not, choose insecure passwords, and email sensitive files to broad distribution lists. Organizations need to segment users based on the assets they need to access, and help each segment understand the business risks associated with their everyday actions.
  • Integrate cybersecurity into the technology environment. Almost every part of the broader technology environment affects an organization’s ability to protect itself, from application development practices to policies for replacing outdated hardware. Organizations must lose a crude bolt-on security mentality and instead train their entire staff to incorporate it into technology projects from day one.
  • Deploy active defenses to uncover attacks proactively. There is a massive amount of information available about potential attacks, both from external intelligence sources and from an organization’s own technology environment. Companies will need to develop the capabilities to aggregate and analyze the most relevant information, and tune their defense systems accordingly.
  • Test continuously to improve incident response across business functions. An inadequate response to a breach, not only by the technology team but also from marketing, public affairs, or customer service functions, can be as damaging as the breach itself. Organizations should run cross-functional cyber-war games to improve their ability to respond effectively in real time.

It is easy to want the highest level of capability, but there are real constraints to consider. Achieving the hallmarks of digital resilience requires real organizational change across many business functions, so organizations have to ask what level of appetite exists for change. It also requires a level of skill and sophistication in the cybersecurity team that many organizations do not have and would have a hard time obtaining.

On the other hand, organizations also have to balance challenges like these against imperatives for change: How important is sensitive information to the future of the business? How sophisticated are attackers? What is the level of regulatory scrutiny? How important are cybersecurity capabilities and protections to customers?

The Cyber Risk Handbook: Creating and Measuring Effective Cybersecurity Capabilities

James Kaplan is a partner in McKinsey’s New York office. Jim Boehm is a solution manager for Cyber Solutions in our Washington, D.C., office.

Excerpted with permission of the publisher, Wiley, from The Cyber Risk Handbook: Creating and Measuring Effective Cybersecurity Capabilities by Domenic Antonucci. Copyright (c) 2017 by John Wiley & Sons, Inc. All rights reserved. To order, visit