The risk-based approach to cybersecurity

McKinsey 08 Oct 2019 12:00

Downloadable Resources

Open interactive popup
  1. Article (PDF-271KB)

Top managers at most companies recognize cyberrisk as an essential topic on their agendas. Worldwide, boards and executive leaders want to know how well cyberrisk is being managed in their organizations. In more advanced regions and sectors, leaders demand, given years of significant cybersecurity investment, that programs also prove their value in risk-reducing terms. Regulators are challenging the levels of enterprise resilience that companies claim to have attained. And nearly everyone—business executives, regulators, customers, and the general public—agree that cyberrisk is serious and calls for constant attention (Exhibit 1).

We strive to provide individuals with disabilities equal access to our website. If you would like information about this content we will be happy to work with you. Please email us at:

What, exactly, organizations should do is a more difficult question. This article is advancing a “risk based” approach to cybersecurity, which means that to decrease enterprise risk, leaders must identify and focus on the elements of cyberrisk to target. More specifically, the many components of cyberrisk must be understood and prioritized for enterprise cybersecurity efforts. While this approach to cybersecurity is complex, best practices for achieving it are emerging.

A further issue is that maturity-based programs, as they grow organically, tend to stimulate unmanageable growth of control and oversight. In monitoring, for example, a maturity-based program will tend to run rampant, aspiring to “monitor everything.” Before long, the number of applications queued to be monitored across the enterprise will outstrip the capacity of analysts to monitor them, and the installation of monitors will bog down application-development teams. The reality is that some applications represent more serious vulnerabilities—and therefore greater potential for risk—than others. To focus directly on risk reduction, organizations need to figure out how to move from a stance of monitoring everything to one in which particular applications with high risk potential are monitored in particular ways.

Reducing risk to target appetite at less cost

1. Fully embed cybersecurity in the enterprise-risk-management framework

The assumption in this use of the classic risk grid is that the enterprise-risk appetite has been defined for each enterprise risk. The potential impact for each enterprise-risk scenario can then be plotted on the risk grid. Once the relationships among the threats, vulnerabilities, and applied controls are modeled and understood, the risks can be evaluated according to their likelihood. As more controls are applied, the risk levels are reduced to the risk appetite. This is the way the cyber program can demonstrate impact in terms of enterprise-risk reduction.

Executives are often forced to make sense of a long list of sometimes conflicting metrics. By linking KRIs and KPIs, the cybersecurity team gives executives the ability to engage in meaningful problem-solving discussions on which risks are within tolerances, which are not, and why (see the sidebar, “Linking a KRI to a KPI”).

Many leading companies have a cyber-maturity assessment somewhere in their archives; some still execute their programs to achieve certain levels of maturity. The most sophisticated companies are, however, moving away from the maturity-based cybersecurity model in favor of the risk-based approach. This is because the new approach allows them to apply the right level of control to the relevant areas of potential risk. For senior leaders, boards, and regulators, this means more economical and effective enterprise-risk management.

About the author(s)

Jim Boehm is an associate partner in McKinsey’s Washington, DC, office; Nick Curcio is a cyber solutions analyst in the New York office; Peter Merrath is an associate partner in the Frankfurt office, where Tobias Stähle is a senior expert; and Lucy Shenton is a cyber solutions specialist in the Berlin office.

The authors wish to thank Rich Isenberg for his contributions to this article.

Continue reading original article...


KRIsCyberriskfraudLatin America