What did you expect, a hoodie and a Guy Fawkes mask?
Photo credit: Stephen Yang
In law, there’s a saying about persuasion. “If the law is on your side, pound the law. If the facts are on your side, pound the facts. And when neither is on your side, pound the table."
In day-to-day IT and information security, reasonable minds can disagree. When that happens at McKinsey and we’re at our best, instead of pounding the table to reach consensus, we turn to values. That’s what makes this place special.
I grew from a philosophy undergraduate into a lawyer. Now, I have an information security role on an internal IT team. Weird, right? For me, it makes sense, and it all comes back to values. Even in my more technical work on IT architecture—be it tuning an infrastructural tool, managing an external audit, or evaluating a security vulnerability—I frame information security as a prerequisite to our values, instead of just a box that needs to be checked.
You can’t build enduring relationships based on trust if you’re mishandling sensitive data. You can’t preserve client confidences if you’re falling for phishing emails. You can’t manage client and firm resources effectively if you don’t have the personal or collective cyber hygiene it takes to avoid getting savaged by hackers.
Yet, there’s a balance. We can’t improve our clients’ performance significantly if our teams are hamstrung by security technologies and policies. The keys to that balance are design, judgment, and diplomacy, and McKinsey supports that never-ending journey.
Lockscreen on Noah’s phone.
Strengthening email security
In law school I was lucky to take a class with Bryan Stevenson, the founder of the Equal Justice Initiative, who teaches that narrative is everything. The stories we tell ourselves and each other shape our instincts, biases, and decisions. To change those narratives, leaders need to be willing to do what’s uncomfortable. That means staying hopeful while working on the ground in emotionally difficult situations and establishing an influential identity around your values.
I know it’s strange to apply criminal justice strategy to information security. But for me, it steers my sense of purpose. We have to remain hopeful—even as we “assume breach” (act like you will be hacked), plan how to recover from disasters, and scrutinize evidence of talented attackers. We have to get close to frustrated or confused colleagues and understand their business needs with empathy. When we do that, we can understand the narrative, and think about how to change it where necessary.
For example, early in my time here I managed our internal program for mitigating the risk of social engineering, which is hacking via deception. The goals included equipping colleagues to recognize and report phishing attempts. The program matters because across organizations globally, 94 percent of malware is delivered by email, and phishing attacks account for 80 percent of publicly reported cyber incidents. I was responsible for things like shaping user training, analyzing metrics, and sending firm-wide phishing tests.
The challenge at hand was to add a button to the email toolbar on about 30,000 laptops in order to make reporting suspicious emails easy for everyone, and capture more forensic information for our analysts. Doing so meant shifting our narrative toward collective defense. We were moving away from a mindset of, "If you're unsure about an email, report it." The new narrative was, "Even if you're sure it's phishing, report it, so we can protect others’ inboxes too."
We worked with UX designers, risk awareness leaders, and product adoption experts on user-facing touchpoints and announcements. We worked with product managers, IT and operations engineers, vendors, and pilot users who offered essential feedback. I was humbled by how much better the solution became as a result of the cross-team collaboration. Everyone helped embed this in our workflow as a tool for collective defense.
In the end, we launched the product with almost no installation errors. And in concert with other risk awareness efforts, the firm multiplied our phishing report rates by an impressive factor—especially for those who had previously struggled with our phishing tests. I attribute that to the narrative we reframed. People want to protect each other and our clients, instead of just themselves.
Noah (center) speaks at McKinsey Values Day 2019 in Boston with co-panelists Tom French, Teplyn Fournier, and Senthil Muthiah.
Photo credit: Sam Liang
Inclusive, nonhierarchical work
Let me tell you two more stories about a values-driven approach to IT and security.
I once witnessed a senior leader here make a serious slip-up in terms of personal cyber hygiene. I wanted to call this person out, but I was scared of the possible repercussions. I was also new, and maybe a touch righteous.
I decided to speak up, sheepishly but in a reply-all email. I cited one of our values: the obligation to dissent. I’m an elder millennial, so, embarrassingly, I actually wrote #obligationtodissent. I hit send. Held my breath. Slept poorly. Kicked myself for not backchanneling, and for being as intense as I am.
The next day, that leader wrote back, again in reply-all, “Feedback is a gift, so thank you. Also, you’re right, so I don’t know why you’re even apologizing. I’m sorry. Won’t happen again.” And it didn’t.
Talk about grace! I was as floored as I was relieved. To this day I am loyal to and admire that person.
Second story. There was an important hiccup in our firm’s IT, and it became a blocker for many people. A huge group joined to fix it quickly, but the problem reappeared and had to be fixed again.
At a lesser firm, tech leaders might have responded punitively, as if that somehow conveyed strength. But here, the message from the technology leadership team surprised me.
They said, look at how impressively so many teams came together to fix this. Let’s debrief it frankly and transparently with a focus on learning, not blaming. Let’s keep up this momentum to find and fix other tech debt too. And don’t say we failed. Think of it as learning from an experiment. Keep experimenting. That’s how we’ll continuously evolve.
I think that’s what it means to be nonhierarchical and inclusive. Your culture has to leave space for emotional vulnerability in order to unlock change. Isn’t that the kind of place you’d want to work?
Advice for recruits
First, the nuts and bolts. Before you apply, it’s okay to ask for a referral if you know someone at McKinsey. Our referral system is transparent, getting referred by an acquaintance is fine, and talking with a friend or former colleague who’s at the firm is a great way to learn what it’s like. Also, read what’s on our careers site about the interview process. That will help you practice your problem-solving skills and know what to expect. Our videos there feature real McKinsey people sharing their experiences and advice. During interviews, take notes and ask questions. If you get turned down, don’t be afraid to apply to a different position (typically we have many open, so search around). If you accept an offer and join, expect to spend the first six months acclimating—talking to people all over the firm, learning, and starting to create your path.
Then while you’re here—or anywhere, really—remember Vogue editor in chief Anna Wintour’s advice: “make choices that speak to what is happening in a wider context.” Success comes from focusing on what really matters.
The first step in McKinsey’s problem-solving approach addresses that: define the problem. In our technology and digital group’s credo, we take it even further: fall in love with the problem, not the solution. Contextual understanding leads to adaptability, which leads to relevance and results.
This holds true in cybersecurity. In our work, we often encounter radically specific or technical fixes, or intractably broad questions. It’s our job to take a beat, locate within the bigger picture, and, often as a team, carefully iterate to define the problem. That helps maximize our positive impact. When you do that, you’re not just clicking buttons. You’re a strategist anticipating risks and innovating.
Initially, I came to McKinsey for predictable reasons, like opportunities for impact and growth. I stayed for different reasons.
Some of those are simple. I love being on a team that follows an agile operating model. I love that we focus on outcomes, not effort for the sake of effort, so our velocity and time management are on point. And I can’t imagine working anywhere else while transitioning into fatherhood.
But, the critical reason I’ve stayed is deeper. To bring it back to Bryan Stevenson on identity, he says, “If you’re a teacher your words can be meaningful, but if you’re a compassionate teacher, they can be especially meaningful. If you're a doctor you can do some good things. But if you're a caring doctor you can do some other things."
McKinsey is a place where I can strive to live up to that. If you’re a technologist anywhere, you can do some good things. But if you’re a values-driven technologist, you can be a force multiplier—especially in a values-driven culture.
Noah with one of his twin children.
Noah is an information security architect in Boston. He earned his bachelor’s in philosophy and legal studies from Williams College and his J.D. from New York University School of Law. Noah is a Certified Cloud Security Professional (CCSP), Certified Information Systems Security Professional (CISSP), and Certified Information Privacy Professional (CIPP/US).
For more information on McKinsey's tech career paths, visit mckinsey.com/TechCareers.