This article was a collaborative effort by Kevin Eiden, James Kaplan, Bartlomiej Kazimierski, Charlie Lewis, and Kevin Telford, representing views from McKinsey’s Risk & Resilience Practice.
The S-curves of cybersecurity: Toward digital resilience
Companies are moving to a risk-based cybersecurity stance. The approach recognizes that not all assets are created equal, nor can they be equally protected in today’s all-encompassing digital environment. Some assets are extraordinary—of critical importance to a company and its business. The digital business model is, in fact, entirely dependent on trust. If a company’s customer interface is not secure, the risk can become existential. Safeguarding such assets is the heart of an effective strategy to protect against cyberthreats.
The seven action areas of digital resilience
Companies can only move to this advanced position if they already have in place the underlying capabilities needed to ensure digital stability and customer trust. Furthermore, as they develop and improve these capabilities, their guiding objective becomes the demonstrable and quantifiable reduction of enterprise risk. These capabilities can be grouped into seven action areas.
The McKinsey survey on cybersecurity maturity levels
In 2021, McKinsey assessed the cybersecurity-maturity level of more than 100 companies and institutions in a number of industry sectors. Results revealed that while some in the banking and healthcare industries have achieved fair progress, most organizations in all industries have much yet to do to protect their information assets against threats and attacks. The dangers are swiftly growing in number and severity.
Companies can measure their progress toward cybersecurity maturity by evaluating capabilities, technology, and risk-management processes. Companies initially plug gaps by building and strengthening security and resilience fundamentals (level 1). They then establish an operating model and organization to professionalize the cybersecurity function, which yields a maturity-based approach to cyberrisk (level 2).
Reducing enterprise risk is the aim of the more advanced, risk-based approach (level 3): companies manage and measure security and privacy controls within an enterprise-risk framework, set risk-appetite thresholds, and include all stakeholders in the cybersecurity operating model.
Beyond this is level 4, the realm of proactive cybersecurity, in which holistic resilience and digital trust are attained through the transformation of processes and adoption of next-generation technologies. At level 4, security is embedded in products, services, and processes (“security by design”); customers, partners, third parties, and regulators are fully incorporated into the management of enterprise resilience.
Cybersecurity levels by industry sector
The banking, consumer-facing, and healthcare sectors are the most advanced in cybersecurity maturity. Here are the factors behind their maturity:
- The regulatory environment. Industry- and geography-focused regulations in the United States and Europe drive more advanced cybersecurity through regulatory scrutiny and the potential for fines.
- Consumer expectations. In consumer-facing industries, progress toward more advanced cybersecurity is accelerating because of high-profile data breaches and rising awareness of the threat to personally identifiable information. Increasingly, customers are demanding better privacy controls as well.
- Competitive pressures. Consumers may switch to competitors if they lack trust and confidence in the security of their data.
The variation from sector to sector is significant, but the variation within each sector is even more pronounced.
Relation between maturity in cybersecurity and profitability
Organizations' cybersecurity attainments track their profitability. Although cyber maturity and profitability are not directly correlated in every organization profiled, an overall relationship between higher cyber maturity and better margins is evident. The survey establishes an association, not a causal direction: more profitable organizations may simply have more to spend on security.
Cybersecurity maturity and organizational size and ownership structure
Differences by industry sector aside, the organizations attaining the highest cybersecurity levels are more often larger and publicly held.
The distinctive capabilities of cybersecurity leaders
The highest-scoring organizations performed at or above average in the cybersecurity activities measured in the survey. A few leaders were distinctive in a select group of these activities, which are key indicators of cybersecurity maturity: maintaining an up-to-date inventory of assets, reporting on cybersecurity to the board, and enforcing the separation of duties for those with privileged access. The first two activities clearly promote a heightened awareness of the current state of cybersecurity, making it easier for managers to identify gaps and measure the progress of improvements. The third activity is evidence of operational discipline in containing cyberrisk: no single administrator can both make a sensitive change and approve it, which limits the damage a compromised or malicious privileged account can do.
The survey probed companies for cybersecurity maturity for all the activities in each action area.
Most organizations perform these activities well
Most survey respondents perform some of the essential activities well, notably:
- communicating cybersecurity requirements to suppliers and third parties;
- ensuring that business-critical data remains usable;
- managing the security of remote access;
- communicating cybersecurity policies and standards throughout the organization; and
- continuously improving cybersecurity standards and policies.
Most organizations find these activities challenging
Most organizations find certain activities challenging, especially mapping organizational and data flows, frequently conducting cybersecurity response simulations, and reviewing and rewarding secure code.
Leaders outperform on these activities
Leading organizations are defined by their outstanding performance in several key activities, including:
- maintaining a low "click rate" in employee phishing programs;
- revisiting and updating cybersecurity priorities at least annually;
- using a central identity and access management solution for provisioning and deprovisioning across a majority of applications;
- regularly scanning the IT environment for vulnerabilities; and
- sourcing intelligence on both general and organization-specific threats.
As they embrace a risk-based cybersecurity approach, leading organizations can become proactive. The survey also revealed that these organizations outperform in a number of other activities that follow from treating cyberrisk as a business risk:
- senior management makes cyberrisk and cyber culture part of business decision making;
- tested cybersecurity scenarios are used in business-continuity planning and disaster recovery;
- cybersecurity is approached holistically, so that the supply chain as well as the organizational perimeter is covered;
- sensitive data is encrypted at rest; and
- threat intelligence is deeply understood and actively used.
Finally, the survey found that both leading organizations and aspiring leaders performed well on ten other technical and nontechnical activities, showing the overall trend toward risk-based security. These activities include applying strong technical controls to mobile devices, including business leaders in cyberrisk decision making, segmenting and more tightly securing networks to better protect sensitive information, and putting in place the information and policies that enable mature cybersecurity.
The survey provides a measure of hard evidence to support the experiential knowledge of the most advanced cybersecurity professionals. The attackers have the edge right now, and while organizations have made some progress, most have a good deal to do to become resilient against existing cyberthreats and proactive on the rapidly changing threat landscape. Organizations have no time to lose in advancing toward holistic cyberresilience.