In the first 6 months of 2017, there have been an unprecedented number of cyberattacks, from the hacking of presidential elections to leaks of government spy tools to breaches of major corporations. McKinsey is growing its Cyber Solutions team, which now has 30-plus cyber risk experts, led by Solutions Vice President Dayne Myers. In the 1990s, Dayne started his career at McKinsey and then left to run a number of early-stage technology companies, including a cyber software firm he cofounded and led from 2002 to 2007. He rejoined McKinsey last year. In a recent interview, he explains how we are helping clients in this critical area.
What role is the firm taking in the area of cyber risk?
Before the past 5 years or so, cyber security was viewed mostly as a technology issue overseen by the IT department. That has changed due to a series of high-profile cyberattacks that hit well-known companies. The attacks compromised customer data and resulted in substantial financial loss, damage to reputation, and in some cases, the CEO losing his or her job. Some businesses that were in the process of being acquired, when hit by a cyberattack, found that their valuations were significantly cut. These events started waking up boards and CEOs to the fact that cyber security is now a strategic issue and even an existential risk. McKinsey’s 20+ years of experience in business technology combined with our strength in serving senior leaders of organizations have made us a natural partner on cyber security as the threat grows.
What sorts of challenges are we helping clients with today?
Beyond concerns about high-profile attacks, CEOs are thinking about metrics and capabilities. They’re wondering, “Are we as a company doing the right things? Are we spending our money in the right ways?” At the same time, the chief information security officer (CISO) may need support in how to communicate highly technical information effectively to his or her board. Several years ago, I met with the chairman of a Fortune 500 company whose board had just spent hours on cyber security in a board meeting, yet he felt he and his fellow directors still didn’t fully understand where they stood. Cyber Solutions does exactly what he wished for: we help executives and their boards determine if their companies are doing the right things as well as getting a good return on the money they spend on cyber security—and we help them figure out the cybermarket.
Other examples of our work: If a client is considering acquiring a cybercompany, we assist with due diligence. We help our investor clients, such as venture-capital firms, figure out if their existing portfolio companies are effectively protected against cyberattacks. We also work with product manufacturers to ensure that their product-development processes are secure from hacking. We serve a variety of organizations across industries to help them secure their customer, citizen, and patient data, without putting “sand in the gears” with respect to their overall user experience.
McKinsey has a portfolio of Cyber Solutions. Tell us more about how these work.
There are four solutions, based on our research and analytics, and they are designed to work as a program. Clients typically start with a Digital Resilience Assessment to get a picture as to where they stand compared with best practices and with similar companies. We look at such things as how they manage their defenses and organize their security operations. From there, we help them to determine a set of initiatives to improve their cyber resilience.
The next step is Cyber Risk Insights, a cloud-based tool and related process that helps clients identify the data and systems that are most critical to their business and evaluate areas of vulnerability and risk. For example, is a business effectively securing its customer data, product specifications, or other kinds of intellectual property?
The Executive Cyber Simulation offering uses gaming techniques to simulate cyberattack scenarios for company leadership. It’s not a test of whether the company can repel a certain attack but rather determines the readiness of the executives to make critical decisions in a short time frame during a serious breach. For example, we might simulate the shutdown of critical facilities by a hacker who demands a ransom, or we might simulate the loss of patient data for a healthcare provider.
We customize the situation to the client’s business so that it’s a realistic scenario. By testing the readiness of management teams in a no-risk environment, we can highlight preparedness gaps and help a company strengthen its ability to respond before a breach takes place. We advise clients to conduct such a test regularly to build decision-making “muscle memory,” so that they’re not learning on the fly when a crisis strikes. We can also help them develop detailed incident-response plans.
Our fourth solution, Cyber Market Map, serves a different purpose. Through it, we track the entire cyber security market, including hardware, software, and services firms. We can rapidly help our clients identify, understand, and respond to growth and acquisition opportunities and consumer trends.
What is the one piece of advice you’d give to a CEO?
Think about this as a risk just like any other—economic, financial, or personnel—and manage it accordingly. Cyber risk is not going to be solved by just technology, and it’s never going away. There are tremendous advantages to being digital and on the cloud, but with great potential comes some risk. CEOs shouldn’t be scared of cyber risk. Instead, they should identify it, understand it, invest in it, and prioritize ways to handle it. Be as resilient as you can.