Even before the advent of a global pandemic, executive teams faced a challenging and dynamic environment as they sought to protect their institutions from cyberattack, without degrading their ability to innovate and extract value from technology investments. CISOs and their partners in business and IT
functions have had to think through how to protect increasingly valuable digital assets, how to assess
threats related to an increasingly fraught geopolitical environment, how to meet increasingly stringent
customer and regulatory expectations and how to navigate disruptions to existing cybersecurity models
as companies adopt agile development and cloud computing.
We believe there are five areas for CIOs, CISOs, CROs and other business leaders to address in particular:
- Get a strategy in place that will activate the organization. Even more than in the past, cybersecurity
is a business issue – and cybersecurity effectiveness means action not only from the CISO organization, but also from application development, infrastructure, product development, customer care,
finance, human resources, procurement and risk. A successful cybersecurity strategy supports the
business, highlights the actions required from across the enterprise – and perhaps most importantly
captures the imagination of the executive in how it can manage risk and also enable business innovation.
- Create granular, analytic risk management capabilities. There will always be more vulnerabilities
to address and more protections you can consider than you will have capacity to implement. Even
companies with large and increasing cybersecurity budgets face constraints in how much change
the organization can absorb. Therefore, better cybersecurity requires the ability to make rigorous,
fact-based decisions about a company’s most critical risks – and which cybersecurity investments it
- Build cybersecurity into business products and processes. For digital businesses – and almost
every company we know of aspires to be a digital business – cybersecurity is an important driver of
product value proposition, customer experience and supply chain configuration. Digital businesses
need, for example, to design security into IoT products, build secure and convenient customer
interaction processes and create digital value chains that protect customer data.
- Enable digital technology delivery. Digital businesses cannot let slow technology delivery get in
the way of business innovation, so they are scrambling to adopt agile development, DevOps and cloud
computing. However, most companies have built their security architectures and processes to
support waterfall development and on-premises infrastructure – creating a disconnect that can
both increase risk and decelerate innovation. Forward-leaning CISOs are moving to agile security
organizations that enable much more innovative technology organizations.
- Help the business address impacts of a global pandemic. COVID-19 created three imperatives
for cybersecurity teams: supporting continued business operations by enabling remote working,
mitigating immediate risks – and helping their business partners transition to the next normal.
Over the past year, we’ve sought to publish cybersecurity articles in each of these areas that will help
senior executives consider their options and make pragmatic decisions about how to move forward in
making the right tradeoffs in managing technology risks. We hope you find this compendium of articles
interesting and helpful. We, and our colleagues in McKinsey’s cybersecurity practice, have appreciated
the opportunity to comment on what we consider to be one of the most complex and important business