Cybersecurity in a Digital Era.Pdf

Home , Application security, IT risk, Secure by design, WebAuthn

Digital McKinsey and Global Risk Practice Cybersecurity in a Digital Era

June 2020 Introduction

Even before the advent of a global pandemic, executive teams faced a challenging and dynamic environment as they sought to protect their institutions from cyberattack, without degrading their ability to innovate and extract value from technology investments. CISOs and their partners in business and IT functions have had to think through how to protect increasingly valuable digital assets, how to assess threats related to an increasingly fraught geopolitical environment, how to meet increasingly stringent customer and regulatory expectations and how to navigate disruptions to existing cybersecurity models as companies adopt agile development and cloud computing. We believe there are five areas for CIOs, CISOs, CROs and other business leaders to address in particular: 1. Get a strategy in place that will activate the organization. Even more than in the past cybersecurity is a business issue – and cybersecurity effectiveness means action not only from the CISO organization, but also from application development, infrastructure, product development, customer care, finance, human resources, procurement and risk. A successful cybersecurity strategy supports the business, highlights the actions required from across the enterprise – and perhaps most importantly captures the imagination of the executive in how it can manage risk and also enable business innovation. 2. Create granular, analytic risk management capabilities. There will always be more vulnerabilities to address and more protections you can consider than you will have capacity to implement. Even companies with large and increasing cybersecurity budgets face constraints in how much change the organization can absorb. Therefore, better cybersecurity requires the ability to make rigorous, fact-based decisions about a company’s most critical risks – and which cybersecurity investments it should make. 3. Build cybersecurity into business products and processes. For digital businesses – and almost every company we know of aspires to be a digital business – cybersecurity is an important driver of product value proposition, customer experience and supply chain configuration. Digital businesses need, for example, design security into IoT products, build secure and convenient customer interaction processes and create digital value chains that protect customer data. 4. Enable digital technology delivery. Digital businesses cannot let slow technology delivery get in the way of business innovation, so they are scrambling to adopt agile development, DevOps, cloud computing. However, most companies have built their security architectures and processes to support waterfall development and on-premises infrastructure – creating a disconnect that can both increase risk and decelerate innovation. Forward-leaning CISOs are moving to agile security organizations that enable much more innovation technology organizations. 5. Help the business address impacts of a global pandemic. COVID-19 created three imperatives for cybersecurity teams: supporting continued business operations by enabling remote working, mitigating immediate risks – and helping their business partners transition to the next normal.

2 Over the past year, we’ve sought to publish cybersecurity articles in each of these areas that will help senior executives consider their options and make pragmatic decisions about how to move forward in making the right tradeoffs in managing technology risks. We hope you find this compendium of articles interesting and helpful. We, and our colleagues in McKinsey’s cybersecurity practice, have appreciated the opportunity to comment on what we consider to be one of the most complex and important business issues today.

Thank you,

Kevin Buehler Venky Anant Tucker Bailey Senior Partner, New York Partner, Silicon Valley Partner, Washington, DC

James Kaplan Mahir Nayfeh Wolf Richter Partner, New York Partner, Abu Dhabi Partner, Berlin

3 Risk Practice Cybersecurity: Linchpin of the digital enterprise

As companies digitize businesses and automate operations, cyberrisks proliferate; here is how the cybersecurity organization can support a secure digital agenda.

Tableby James Kaplan, Wolfof Richter, and David Warecontents

Get a strategy in place that will activate the organization

Risk Practice The risk-based Risk Practice 6 Enhanced cyberrisk approach to © Chad Baker/Getty Images reporting: Opening Cybersecurity:July 2019 Linchpin of the cybersecurity doors to risk-based digital Theenterprise most sophisticated institutions are moving from a “maturity based” to a “risk based” approach for managing cyberrisk. Here is cybersecurity how they are doing it. New cyberrisk management information systems provide executives with the risk transparency they need to transform organizational

by Jim Boehm, Nick Curcio, Peter Merrath, Lucy Shenton, and Tobias Stähle cyberresilience.

by Jim Boehm, James M. Kaplan, Peter Merrath, Thomas Poppensieker, and Tobias Stähle Create granular, analytic risk management capabilities

Marketing & Sales Risk Practice Risk Practice Consumer-data privacy and The consumer-data15 personalization at scale: How25 Financial crime34 © me4o/Getty Images and fraud in the age of opportunity and the January 2020leading retailers and consumer The risk-basedprivacy approach imperative © lvcandy/Getty Images Enhanced cyberrisk reporting: Critical resilience:cybersecurity Adapting infra- October 2019 brands can strategize for both to cybersecurityAs consumers become more careful about sharing data, and regulators OpeningCustomer concerns doors about the securityto risk-based and privacy of their online data canCritical impedestructure resilience: to repel AdaptingAs cybersecurity cyber threats compoundthreats the risks of financial crime step up privacy requirements, leading companies are learning that data personalized marketing at scale. Best-practice companies are building protectionsinfrastructure to repeland fraud, cyber institutions threats are crossing functional boundaries to enable protection and privacy can create a business advantage. cybersecurityinto their digital properties. collaborative resistance. by Venky Anant, Lisa Donchak, James Kaplan, and Henning Soller by Julien Boudet, Jess Huang, Kathryn Rathje, and Marc Sorel As the digital world becomes increasingly connected,by Salim it isHasham, no longer Shoan possible Joshi, and for Danielinfrastructure Mikkelsen owners and operators to remain agnostic in the face of evolving cyber threats. Here’s what they can do to build an integrated cyber defense. Build cybersecurity into business products and James Kaplan Christopher Toomey Adam Tyra Partner, New York Vice president, Boston Expert, Dallas McKinsey & Company CP&I Major Projects McKinsey & Company processes McKinsey & Company

29 Global Infrastructure Initiative

Risk Practice 40 48 Operations Practice 54 Critical infrastructure A practical approach

© Getty Images companies and the global© Phil Sharp/Getty Images TheApril 2020 consumer-data opportunity NovemberConsumer-data 2019 privacy and Financialto crime supply-chain and fraud riskin the © Cimmerian/Getty Images cybersecurity threat October 2019 and the privacy imperative personalization at scale: How age of cybersecuritymanagement How the energy, mining, and materials industries can meet the unique challenges of protecting themselves in a digital world. In supply-chain risk management, organizations often don’t leading retailers and consumer know where to start. We offer a practical approach.

by Adrian Booth, Aman Dhingra, Sven Heiligtag, Mahir Nayfeh, and Daniel Wallance brands can strategize for both by Tucker Bailey, Edward Barriball, Arnav Dey, and Ali Sankur

McKinsey Center for Future Mobility The race for cybersecurity: Protecting64 75 77 © Milko Marchett/Getty Images © Phil Leo/Michael Denora/Getty Images April 2019 Critical infrastructure the connected car in the The cybersecurity posture of March 2019A practical approach to supply- companiesera of and new the regulation global financial-services companies: IIF/ chain risk management The car industry’s digital transformation exposes new cybersecurity cybersecuritythreats. Learn what OEMsthreat can do to protect their cars and customers from hackers. McKinsey Cyber Resilience Survey

by Johannes Deichmann, Benjamin Klein, Gundbert Scherf, and Rupert Stützle

83 89

4 Protecting the business: The modern CISO: Views from the CIO’s Managing scale, building and CISO’s offices trust, and enabling the business At JPMorgan Chase, CISOs and CIOs work together to align cybersecurity with business goals. The modern CISO is uniquely positioned to bridge gaps across technology, processes, automation, and cybersecurity.

Enable digital technology delivery

The benefits of a CISO 100 Robust cybersecurity 106 Enterprise-wide security 110 requires much more is both a technology and Understandingbackground theto a uncertainties March 2020Protecting the business: Views The modern CISO: Managing than great technology Marchbusiness 2020 issue ofbusiness-unit cybersecurity: CIOQuestions for from the CIO’s and CISO’s scale, building trust, and A deep understanding of cybersecurity is a competitive advantage. Security is increasingly an interdisciplinary capability. CISOs have important skills that can position them for the CIO role. chief information-security officers offices enabling the business

Risk Practice Securing software as Agile, reliable, secure, a service 113 compliant IT: Fulfilling 117 120 the promise of DevSecOps © Getty Images March 2020 TheHere is benefits how SaaS providers of can meeta CISOthe security needsback- of their Robust cybersecurity requires Enterprise-wide security is both March 2020 enterprise customers. March 2020 By integrating security into DevOps, companies can step up the ground to a business-unit CIO speedmuch and frequency more of software than releases great without compromising technology a technology and business issue controls or increasing risk.

by Santiago Comella-Dorda, James Kaplan, Ling Lau, and Nick McNamara by Rich Cracknell, James M. Kaplan, Wolf Richter, Lucy Shenton, and Celina Stewart

Risk Practice Risk Practice Cybersecurity’s Cybersecurity tactics dual mission during 123 for the coronavirus132 the coronavirus crisis pandemic © Getty Images Securing software as a service© jjaakk/Getty Images Agile, reliable, secure, compliant IT: May 2020 September 2019 Chief information-security officers must balance two priorities to The pandemic has made it harder for companies to maintain respond to the pandemic: protecting against new cyberthreats and Fulfilling thesecurity promise and business continuity. of ButDevSecOps new tactics can help maintaining business continuity. Four strategic principles can help. cybersecurity leaders to safeguard their organizations.

by Jim Boehm, James Kaplan, and Nathan Sportsman by Jim Boehm, James Kaplan, Marc Sorel, Nathan Sportsman, and Trevor Steen Help business address impact of global pandemic

139 144

5 Get a strategy in place that will activate the organization Cybersecurity: Linchpin of the digital enterprise Risk Practice Cybersecurity: Linchpin of the digital enterprise

As companiesAs companies digitize digitize businesses businesses and and automate automate operations, operations, cyberriskscyberrisks proliferate; proliferate; here here is how is how the the cybersecurity cybersecurity organization can organizationsupport a cansecure support digital a agenda.secure digital agenda.

by James Kaplan, Wolf Richter, and David Ware by James Kaplan, Wolf Richter, and David Ware

July 2019

6 Cybersecurity: Linchpin of the digital enterprise Two consistent and related themes in enterprise They must also incorporate security controls technology have emerged in recent years, both into analytics solutions that may not use a involving rapid and dramatic change. One is formal software-development methodology. the rise of the digital enterprise across sectors As companies apply robotic process automation and internationally. The second is the need (RPA), they must manage bot credentials for IT to react quickly and develop innovations effectively and make sure that “boundary cases” aggressively to meet the enterprise’s digital – cases with unexpected or unusual factors, aspirations. Exhibit 1 presents a “digitization or inputs that are outside normal limits – do not index” – the results of research on the progress introduce security risks. of enterprise digitization within companies, Likewise, as companies build application encompassing sectors, assets, and operations. programming interfaces (APIs) for external As IT organizations seek to digitize, however, customers, they must determine how to identify many face significant cybersecurity challenges. vulnerabilities created by interactions between At company after company, fundamental tensions many APIs and services, and they must build and arise between the business’s need to digitize enforce standards for appropriate developer and the cybersecurity team’s responsibility to access.1 They must continue to maintain rigor protect the organization, its employees, and its in application security as they transition from customers within existing cyber operating models waterfall to agile application development. and practices. If cybersecurity teams are to avoid becoming barriers to digitization and instead become its enablers, they must transform their Challenges with existing capabilities along three dimensions. They must cybersecurity models improve risk management, applying quantitative At most companies, chief information officers risk analytics. They must build cybersecurity (CIOs), chief information-security officers directly into businesses’ value chains. And they (CISOs), and their teams have sought to establish must support the next generation of enterprise- cybersecurity as an enterprise-grade service. technology platforms, which include innovations What does that mean? They have consolidated like agile development, robotics, and cloud-based cybersecurity-related activities into one or a few operating models. organizations. They have tried to identify risks and compare them to enterprise-wide risk appetites to Cybersecurity’s role in digitization understand gaps and make better decisions about closing them. They have created enterprise-wide Every aspect of the digital enterprise has policies and supported them with standards. They important cybersecurity implications. Here have established governance as a counterweight are just a few examples. As companies seek to to the tendency of development teams to prioritize create more digital customer experiences, they time to market and cost over risk and security. They need to determine how to align their teams that have built security service offerings that require manage fraud prevention, security, and product development teams to create a ticket requesting development so they can design controls, such as service from a central group before they can get a authentication, and create experiences that are vulnerability scan or a penetration test. both convenient and secure. As companies adopt massive data analytics, they must determine how to identify risks created by data sets that integrate many types of incredibly sensitive customer information.

1 An API is software that allows applications to communicate with each other, sharing information for a purpose.

Cybersecurity: Linchpin of the digital enterprise 7 McK Risk 8 2019 Cybersecurity digital enterprise Exhibit 1 of 6

Exhibit 1 Across sectors, companies are digitizing, with profound implications for cybersecurity functions.

Digitization levels Low digitization High digitization

Asset Usage Labor

Overall Digital- Business Market Digital spend Digital Digitization Sector digitization Digital spend asset stock Transactions Interactions processes making on workers capital of work

Media

Professional services

Finance and insurance

Wholesale trade

Personal and local services

Government

Transportation and warehousing

Healthcare

Entertainment and recreation

Source: Appbrain; Blue Wolf; ContactBabel; eMarketer; Gartner; IDC; LiveChat; US Bureau of Economic Analysis; US Bureau of Labor Statistics; US Census Bureau; Global Payments Map by McKinsey; McKinsey Social Technology Survey; McKinsey analysis; McKinsey Global Institute analysis

actions, however, exist in tension with the emerging At one financial institution, development teams digital-enterprise model—the outcome of an end- were frustrated with the long period needed Allto-end these digital actions transformation—from have proven absolutely the customer necessary bypole the securityin the tent” team – to the validate most intractableand approve part of the tointerface the security through of anthe organization. back-office processes. Without them, As incrementalproblem of items standing in their applications cloud service on provider’s public cloud cybersecuritycompanies seek breaches to use public occur cloud more services, frequently they – cataloginfrastructure. for production usage. Developers at other andoften often, find that with security more severe is the “long consequences. pole in the tent”— The companies have puzzled over the fact that they can At one financial institution, development teams neededthe most actions, intractable however, part of existthe problem in tension of standing with the spin up a server in minutes but must wait weeks were frustrated with the long period needed by the emergingapplications digital-enterprise on public cloud infrastructure. model – the outcome for the vulnerability scan required to promote security team to validate and approve incremental of an end-to-end digital transformation – from items in their cloud service provider’s catalog for the customer interface through the back-office production usage. Developers at other companies processes. As companies seek to use public cloud have puzzled over the fact that they can spin services, they often find that security is the “long up a server in minutes but must wait weeks

How cybersecurity can best support the digital enterprise 3

8 Cybersecurity: Linchpin of the digital enterprise their application to production. IT organizations Cybersecurity for the digital everywhere are finding that existing security enterprise models do not run at “cloud speed” and do not In response to aggressive digitization, some of provide enough specialized support to developers the world’s most sophisticated cybersecurity on issues like analytics, RPA, and APIs (Exhibit 2). their application to production. IT organizations Cybersecurityfunctions are starting for the to transform digital enterprise their Theeverywhere misalignment are finding between that existing development security and Incapabilities response to alongaggressive the three digitization, dimensions some we of the cybersecuritymodels do not runteams at “cloud leads speed”to missed and business do not world’sdescribed: most sophisticatedusing quantitative cybersecurity risk analytics functions for opportunities,provide enough as specialized new capabilities support are to developers delayed aredecision starting making, to transform building their cybersecurity capabilities into inon reaching issues like the analytics, market. InRPA, some and cases, APIs (Exhibit the 2). alongthe businessthe three dimensionsvalue chain, we and described: enabling using the new pressure to close the gap has caused increased quantitativetechnology risk operating analytics platforms for decision that making, combine The misalignment between development and vulnerability, as development teams bend rules to buildingmany innovations. cybersecurity These into the innovations business value include cybersecurity teams leads to missed business chain, and enabling the new technology operating work around security policies and standards. agile approaches, robotics, cloud, and DevOps opportunities, as new capabilities are delayed in platforms that combine many innovations. These (the combination of software development and McK Risk 8 2019 reaching the market. In some cases, the pressure innovations include agile approaches, robotics, Cybersecurity digitalto close enterprise the gap has caused increased vulnerability, cloud,IT operations and DevOps to shorten (the combination development of software times and Exhibit 2 of 6 as development teams bend rules to work around developmentdeliver new and features, IT operations fixes, and to shorten updates aligned security policies and standards. developmentwith the business). times and deliver new features, fixes, and updates aligned with the business).

Exhibit 2 Current cybersecurity operating models do not operate at ‘cloud speed.’

Architecture Stage gates Architecture and design Implementation must receive 1 security sign-o Designing secure architecture requires special knowledge 1 2 Secure code review, test design, and implementation Security review 2 require specially trained required Security review developers not available to 3 required many teams

3 Cloud environments must be congured to security Cloud Code standards and instrumented Deployment deployment review with monitoring before cycle deployment into production

Separate security Security review 3 2 testing required required

Testing

Activities

Architecture and design Implementation Code review Testing Deployment – Analyze resource – Instantiate development – Review code – Develop test cases – Instantiate cloud availability from cloud and testing – Conduct automated – Do continuous testing infrastructure service provider environments code scanning – Fix bugs and errors; – Establish cloud – Analyze capacity – Begin solution – Accept code into make changes services requirements implementation code base – Do regression testing – Deploy production – Develop initial solution application design – Do nal testing – Design interfaces

4 How cybersecurity can best support the digital enterprise

Cybersecurity: Linchpin of the digital enterprise 9 Using quantitative risk analytics for decision It includes sophisticated employee and contractor making segmentation as well as behavioral analysis to AtUsing the quantitativecore of cybersecurity risk analytics are decisionsfor includesidentify sophisticated signs of possible employee insider and contractorthreats, such as aboutdecision which making information risks to accept and segmentationsuspicious aspatterns well as behavioralof email activity. analysis It toalso includes howAt the to core mitigate of cybersecurity them. Traditionally, are decisions CISOs identifyrisk-based signs of authentication possible insider that threats, considers such metadata andabout their which business information partners risks haveto accept made and as –suspicious such as userpatterns location of email and activity. recent It access also activity cyberriskmanagementhow to mitigate them. Traditionally, decisions CISOsusing aand includes– to determine risk-based whether authentication to grant that access considers to critical combinationtheir business of partners experience, have intuition,made cyberrisk- judgment, metadata—suchsystems. Ultimately, as user locationcompanies and willrecent start access to management decisions using a combination of activity—to determine whether to grant access to and qualitative analysis. In today’s digital use management dashboards that tie together experience, intuition, judgment, and qualitative critical systems. Ultimately, companies will start enterprises, however, the number of assets business assets, threat intelligence, vulnerabilities, analysis. In today’s digital enterprises, however, the to use management dashboards that tie together andnumber processes of assets to and protect, processes and the to protect, decreasing and businessand potential assets, threatmitigation intelligence, to help vulnerabilities,senior executives practicalitythe decreasing and practicality efficacy of and onesize- efficacy fits-all of one- andmake potential the bestmitigation cybersecurity to help senior investments. executives They will protections,size-fits-all protections, have dramatically have dramatically reduced the reduced makebe theable best to focus cybersecurity those investments investments. on They areas will of the applicabilitythe applicability of traditional of traditional decision-making decision-making be businessable to focus that those will yield investments the most on protection areas of the with the processesMcKprocesses Risk andand 8 2019heuristics. heuristics. businessleast disruption that will yield and the cost. most protection with the Cybersecurity digital enterprise least disruption and cost. InExhibitIn response,response, 3 of companies companies 6 are are starting starting to strengthento strengthen Building cybersecurity into the business value theirtheir business and and technology technology environments environments with with Buildingchain cybersecurity into the business quantitativequantitative risk risk analytics analytics so so they they can can make make better, better, valueNo chain institution is an island when it comes to fact-basedfact-based decisions. decisions. This This has has many many aspects. aspects. It Nocybersecurity. institution is an Every island company when it comes of any to complexity cybersecurity.exchanges Everysensitive company data andof any interconnects complexity Exhibit 3 exchangesnetworks sensitive with customers, data and interconnects suppliers, and other Priority requirements have changed networksbusiness with partners. customers, As suppliers,a result, cybersecurity- and other business partners. As a result, cybersecurity- for acquiring Internet of Things related questions of trust and the burden of relatedmitigating questions protections of trust and have the become burden ofcentral products: Cybersecurity has moved to mitigating protections have become central to value chains in many sectors. For example, the top. to value chains in many sectors. For example, CISOs for pharmacy benefit managers and CISOs for pharmacy benefit managers and Top 5 priorities when buying IoT products,¹ health insurers are having to spend significant number of survey responses health insurers are having to spend significant timetime figuring figuring out outhow how to protect to protect their theircustomers’ customers’ 312 datadata and and then then explaining explaining it to thoseit to those customers. customers. 290 Likewise,Likewise, cybersecurity cybersecurity is absolutely is absolutely critical critical to how to 251 companieshow companies make decisions make decisions about procuring about procuringgroup 235 healthgroup or businesshealth or insurance, business primeinsurance, brokerage, prime and 206 manybrokerage, other services. and many It is the other single services. most important It is the factorsingle companies most important consider factor when purchasing companies consider Internetwhen of purchasing Things (IoT) Internet products of (Exhibit Things 3).(IoT) products (Exhibit 3). Leading companies are starting to build cybersecurityLeading companies into their customer are starting relationships, to build productioncybersecurity processes, into theirand supplier customer interactions. relationships, Strong Reliability Compat- Compat- Ease of Someproduction of their tactics processes, include and the supplier following: interactions. cyber- ibility with ibility with use by security existing installed end user Some of their tactics include the following: enterprise production — Use design thinking to build secure and software hardware —convenient Use design online thinking customer to build experiences. secure and

¹ IoT = Internet of Things. Besides basic functionality. Forconvenient example, one online bank customer allowed customers experiences. to Source: McKinsey 2019 IoT Pulse Survey of more than 1,400 IoT customizeFor example, their security one bank controls, allowed choosing customers to practitioners (from middle managers to C-suite) who are executing IoT at scale (beyond pilots). Composition was 61% from US, simplercustomize passwords their if security they agreed controls, to two- choosing 20% from China, and 19% from Germany, with organizations of factor authorization. $50 million to more than $10 billion in revenue. This question on simpler passwords if they agreed to two-factor IoT-product purchases received 1,161 responses. authorization.

How cybersecurity can best support the digital enterprise 5

10 Cybersecurity: Linchpin of the digital enterprise — Educate customers about how to interact in — Take a seamless view across traditional a safe and secure way. One bank has a senior information security and operational executive whose job it is to travel the world and technology security to eliminate vulnerabilities. teach high-net-worth customers and family One autoparts supplier found that the system offices how to prevent their accounts from holding the master version of some of its being compromised. firmware could serve as an attack vector to the fuel-injection systems it manufactured. With — Analyze security surveys to understand what — Educate customers about how to interact in — Takethat a seamlessknowledge, view it acrosswas able traditional to put additional enterprisea safe and secure customers way. Oneexpect bank and has create a senior information security and operational technology protections in place. Pharma companies have knowledgeexecutive whose bases job so it that is to sales travel teams the world can and security to eliminate vulnerabilities. One auto- found that an end-toend view of information respondteach high-net-worth to customer customerssecurity inquiries and family during parts supplier found that the system holding protection across their supply chains was negotiationsoffices how to with prevent minimum their accounts friction. Forfrom the master version of some of its firmware could needed to address certain key vulnerabilities instance,being compromised. one software-as-a-service (SaaS) serve as an attack vector to the fuel-injection (Exhibit 5). — providerAnalyze security found that surveys its customers to understand insisted what systems it manufactured. With that knowledge, onenterprise having particularly customers expect strong and data-loss- create —it wasUse able threat to put intelligence additional to protections interrogate in place. supplier preventionknowledge bases(DLP) soprovisions. that sales teams can Pharmatechnology companies networks have found externally that an and end-to- assess end view of information protection across their respond to customer security inquiries during risk of compromise. — Treat cybersecurity as a core feature of negotiations with minimum friction. For supply chains was needed to address certain key productinstance, design. one software-as-a-service For instance, a hospital (SaaS) Donevulnerabilities in concert, (Exhibit these 5). actions yield benefits. networkprovider foundwould that have its to customers integrate insisted a new on —They Use enhancethreat intelligence customer to trust, interrogate accelerating supplier their operating-roomhaving particularly device strong into data-loss-prevention its broader adoptiontechnology of digital networks channels. externally They and reduce assess therisk risk security(DLP) provisions. environment. Exhibit 4 presents an ofof customers compromise. or employees trying to circumvent — exampleTreat cybersecurity of how security as a core is embedded feature of product in a security controls. They reduce friction and delays McK Risk 8 2019 product-developmentdesign. For instance, a hospital process. network would Doneas suppliers in concert, and these customers actions yield negotiate benefits. liability and Cybersecurity digital enterprise have to integrate a new operating-room device They enhance customer trust, accelerating their Exhibit 4 of 6 into its broader security environment. Exhibit 4 adoption of digital channels. They reduce the risk presents an example of how security is of customers or employees trying to circumvent embedded in a product-development process. security controls. They reduce friction and delays

Exhibit 4 How to embed security into a product-development process. From treating security and privacy as … to incorporating them by designing and building afterthoughts … an agile security-and-privacy model

Developers are unclear when Product owners don’t consider Prioritize security and privacy Make product owners aware security and privacy security and privacy tasks tasks according to product risk of need to prioritize security requirements are mandatory during sprint planning Requirements level and privacy tasks and be accountable for their inclusion in releases

Design

Unclear how to handle Chief information-security and Security and privacy champions Add capacity through CISPOs, distribution of tasks within privacy ocers (CISPOs) have (tech leads) assist teams in who clarify security and privacy development team limited capacity to support Development distributing tasks requirements with champions development teams and product owners

No uni ed real-time standardized monitoring of state of security Product-assessment dashboards give developers real-time and privacy tasks Testing views of security and privacy within products

Security and privacy needs Teams unclear how often to Launch delays eliminated as Simpli ed predeployment are often dealt with engage CISPOs security and privacy tasks are activities with CISPOs only for before deployment, causing Deployment executed across life cycles releases meeting risk criteria launch delays

Unclear accountability Lack of integration in De ne and communicate roles Integrate and automate Throughout for security and privacy in security and privacy tool sets and responsibilities during security- and privacy-related process product teams introduces complexity agile ceremonies testing and tracking tools

6 How cybersecurity can best support the digital enterprise Cybersecurity: Linchpin of the digital enterprise 11 McK Risk 8 2019 Cybersecurity digital enterprise Exhibit 5 of 6

Exhibit 5 An end-to-end view of information across the pharma supply chain is needed to address vulnerabilities. Supply chain

Product ow Data ow

Dynamic, cloud-based network optimization

Suppliers Bulk Finishing and Smart-warehouse Customers manufacturing packaging distribution center

Advanced business capability Resulting cyberrisks

Suppliers Finishing and packaging Overarching technologies Predictive supplier risk protection Fully integrated and automated production Machine-learning forecasting and integrated Risk of exposed vendor details and Attack on process, leading to shutdowns production planning trade secrets or errors Inaccurate business decisions and Transition from closed to open systems bad-actor access Bulk manufacturing prompts new security risks Yield optimization through advanced Real-time monitoring analytics and digitized operations Customers Unauthorized monitoring of processes and Hacking of legacy equipment No-touch order management leakage of business decisions Unauthorized changes in safety or Leak of customer data, leading to loss of compliance regulations customer trust and competitive data Loss of intellectual property and competitive advantage

as suppliers and customers negotiate liability and engineering talent from vendors and giving responsibilityresponsibility for for information information risks. risks. They They build build developersSome are self-service getting rid accessof their to data infrastructure. centers securitysecurity intrinsically into into customer-facing customer-facing and and Somealtogether are getting as they rid of leverage their data cloud centers services. altogether All of operationaloperational processes,processes, reducing reducing the the “deadweight “deadweight asthis they is leverage being done cloud to services. make technology All of this is fast being and loss”loss” associatedassociated with with security security protections. protections. donescalable to make enough technology to support fast and an scalableenterprise’s enough digital toaspirations. support an enterprise’s In turn, putting digital a aspirations.modern technology In Enabling an agile, cloud-based turn,model putting in place a modern requires technology a far more model flexible, in place operatingEnabling an platform agile, cloud-based enhanced by requiresresponsive, a far more and agileflexible, cybersecurity responsive, and operating agile operating platform enhanced cybersecuritymodel. Key tenetsoperating of thismodel. model Key includetenets of the this DevOps model include the following: by DevOps following: ManyMany companies seem seem to to be be trying trying to tochange change everythingeverything aboutabout IT IT operations. operations. They They are are replacing replacing —— Move Move from from ticket-based ticket-based interfaces interfaces to APIs to APIs for traditionaltraditional software-developmentsoftware-development processes processes forsecurity security services. services. This requiresrequires automating automating withwith agile methodologies. They They are are repatriating repatriating everyevery possible possible interaction interaction and andintegrating integrating engineering talent from vendors and giving cybersecurity into the software-development developers self-service access to infrastructure. tool chain. That will allow development teams

How cybersecurity can best support the digital enterprise 7

12 Cybersecurity: Linchpin of the digital enterprise to perform vulnerability scans, adjust DLP — Build a cloud-native security model that rules, set up application security, and connect ensures developers can access cloud services to identify and gain access to management instantly and seamlessly within certain services via APIs (Exhibit 6). guardrails. — Organize security teams into agile scrum or — Collaborate with infrastructure and scrumban teams that manage developer- architecture teams to build required security recognizablecybersecurity services,into the software-development such as identity and — Tightlyservices integrate into standardizedsecurity into enterprise solutions end-user for accesstool chain. management That will allow (IAM) development or DLP. Also, teams services,massive so analytics that employees and RPA. and contractors can recruiting development-team leaders to to perform vulnerability scans, adjust DLP —easily Shift obtain the talent productivity model and to incorporate collaboration those tools with serverules, setas productup application owners security, for security and connect services via an intuitive, Amazon-like portal. “e-shaped” skills – cybersecurity professionals canto identify help, just and asgain business access to managers management are — Buildwith a cloud-nativeseveral areas security of deep model knowledge, that ensures such productservices ownersvia APIs for(Exhibit customer 6). journeys and developersas in integrative can access problem cloud servicessolving, instantlyautomation, customeroriented services. — Organize security teams into agile scrum or andand seamlessly development within – certain as well guardrails. as security — Tightlyscrumban integrate teams security that manage into enterprise developer- end- — Collaboratetechnologies. with infrastructure and architecture recognizable services, such as identity and user services, so that employees and contractors teams to build required security services into access management (IAM) or DLP. Also, can easily obtain productivity and collaboration standardized solutions for massive analytics recruiting development-team leaders to serve tools via an intuitive, Amazon-like portal. and RPA. McK Risk 8 2019 as product owners for security services can — Shift the talent model to incorporate those with Cybersecurity digitalhelp, enterprise just as business managers are product owners for customer journeys and customer- “e-shaped” skills—cybersecurity professionals Exhibit 6 of 6 oriented services. with several areas of deep knowledge, such as

Exhibit 6 Automation, orchestration technology, and application programming interfaces can eliminate manual security processes and interactions. Automation opportunities in a notionally secure DevOps model

Architecture and design Implementation Code review Testing Deployment

App API-congurable APIs for conguration Automated code-review Automated and Fully congured, application application-level controls and debugging systems modied to congurable security test production-ready programming designed into new (eg, test instrumentation) search for application- cases added to nightly application possible via interfaces applications added during specic threat scenarios testing regime API calls alone (APIs) implementation phase

Process New application-level Congurable security Congurable Nightly testing results Predeployment APIs API options added tests added to nightly automated code reviews collected and curated for security-review process to deployment- testing regime added to precommit/ individual developers/ replaced by automated conguration process preacceptance process teams via congurable tests and conguration for newly written code test-management system checks

Infrastructure API for deployment Conguration options Automated code Cloud environments Security tools and APIs and instantiation for instantiation of scanning implemented regularly tested for conguration options processes rearchitected automated, project- for deployed web security via automated applied via API to new to accommodate new specic development applications to maintain vulnerability assessment environments at applications environment made quality and code integrity and identication tools deployment time available

Security-trained developers and engineers enable automation and orchestration throughout cloud-development, -deployment, and -operations phases

8 How cybersecurity can best support the digital enterprise Cybersecurity: Linchpin of the digital enterprise 13 Sidebar

How a large biopharma company built cybersecurity capabilities to enable a digital enterprise

A large biopharma company had slow or block the capture of business — Collaborating with the broader recently concluded a major investment opportunities. At the same time, the technology team to create the program to enhance its foundational cybersecurity team looked at a broad set application programming interfaces cybersecurity capabilities, dramatically of emerging practices and techniques (APIs) and the template to ensure reducing its risk profile. However, the from the pharma industry and other secure configuration of systems business strategy began to evolve in new sectors, including online services, running in the public cloud ways, with expanding online consumer banking, and advanced manufacturing. — Dramatically expanding automation relationships, digitally enabled products, Based on all this, it developed an of the security environment to reduce enhanced supply-chain automation, overarching vision for how cybersecurity time lags and frustrations developers and massive use of analytics. The could protect and enable the company’s and users experienced when company now needed new cybersecurity digital agenda, and it prioritized 25 interacting with the cybersecurity capabilities that would both address new initiatives. Some of the most important team business risks and facilitate business and were the following: technology innovation. The cybersecurity team then used its — Collaborating with the commercial vision and initiatives to articulate to To get started, the cybersecurity team to build patient trust by senior management how it could enable team engaged a broad set of business designing security into online patient the company’s digital business strategy partners, capturing current and journeys and the support and assistance it would planned strategic initiatives. It then — Collaborating with the manufacturing require from other organizations to do so. mapped out the new risks that these team to enhance transparency into initiatives would create and the ways in configuration of plant assets which cybersecurity protections might

Taken together, these actions will eliminate With digitization, analytics, RPA, agile, DevOps, roadblocks to building digital-technology and cloud, it is clear that enterprise IT is evolving operating models and platforms. Perhaps more rapidly and in exciting and value-creating ways. importantly, they can ensure that new digital This evolution naturally creates tension with platforms are inherently secure, allowing their existing cybersecurity operating models. For adoption to reduce risk for the enterprise as organizations to overcome the tension, they a whole (see sidebar, “How a large biopharma will need to apply quantitative risk analytics company built cybersecurity capabilities to enable for decision making, create secure business a digital enterprise”). value chains, and enable operating platforms that encompass the latest innovations. These actions will require significant adaptation from cybersecurity organizations. Many of these organizations are still in the early stages of this journey. As they continue, they will become more and more capable of protecting the companies while supporting the innovative goals of the business and IT teams.

James Kaplan is a partner in McKinsey’s New York office, Wolf Richter is a partner in the Berlin office, and David Ware is an associate partner in the Washington, DC, office.

14 Cybersecurity: Linchpin of the digital enterprise Create granular, analytic risk management capabilities The risk-based approach toRisk cybersecurity Practice The risk-based approach to cybersecurity The most sophisticated institutions are moving from a “maturity based”The to most a “risk sophisticated based” approach institutions for managing are moving cyberrisk. from a Here“maturity is howbased” they are to a doing “risk based”it. approach for managing cyberrisk. Here is how they are doing it. by Jim Boehm, Nick Curcio, Peter Merrath, Lucy Shenton, and Tobias Stähle

by Jim Boehm, Nick Curcio, Peter Merrath, Lucy Shenton, and Tobias Stähle

October 2019

The risk-based approach to cybersecurity 15 Article type and Year Article Title Exhibit X of X

TopTop managers managers at most at most companies companies recognize recognize Exhibit 1 cyberrisk as an essential topic on their agendas. cyberrisk as an essential topic on their agendas. Cyberthreats are growing in severity Worldwide,Worldwide, boards boards and and executive executive leaders leaders want and frequency. to knowto know how how well well cyberrisk cyberrisk is is being being managed managed in theirtheir organizations. organizations. In In more more advanced advanced regionsregions and Cyberthreat capacity and frequency today, andsectors, sectors, leaders leaders demand, demand, given given years years of significant threat actor cybersecurity investment, that programs also of significant cybersecurity investment, that Capability Frequency programsprove their also value prove in theirrisk-reducing value in terms.risk-reducing Regulators Very high are challenging the levels of enterprise resilience Nation state Opportunists terms. Regulators are challenging the levels of that companies claim to have attained. And nearly enterprise resilience that companies claim to everyone—business executives, regulators, Organized crime Insider threats have attained. And nearly everyone – business customers, and the general public—agree that Hacktivist groups Competitors executives,cyberrisk regulators, is serious and customers, calls for constant and the attention general public(Exhibit – agree 1). that cyberrisk is serious and calls Competitors Hacktivist groups for constant attention (Exhibit 1). Insider threats Organized crime What,What, exactly, exactly, organizations organizations should should do do isis a more difficult question. This article is advancing a “risk difficult question. This article is advancing a “risk Opportunists Nation state based” approach to cybersecurity, which means based” approach to cybersecurity, which means Very low that to decrease enterprise risk, leaders must that to decrease enterprise risk, leaders must identify and focus on the elements of cyberrisk to Decisions about how best to reduce cyberrisk can identify and focus on the elements of cyberrisk to target. More specifically, the many components be contentious. Taking into account the overall target. More specifically, the many components of cyberrisk must be understood and prioritized contextenterprise in which cyberrisk the asenterprise potential operates,avenues for leaders loss of cyberriskfor enterprise must cybersecurity be understood efforts. and Whileprioritized this of confidentiality, integrity, and availability of digital must decide which efforts to prioritize: Which for approachenterprise to cybersecurity cybersecurity isefforts. complex, While best this assets. By extension, the risk impact of cyberthreats projects could most reduce enterprise risk? What approachpractices to forcybersecurity achieving it are is complex, emerging. best includes fraud, financial crime, data loss, or loss of methodology should be used that will make clear practices for achieving it are emerging. system availability. To understand the approach, a few definitions are to enterprise stakeholders (especially in IT) that To understand the approach, a few definitions are in order. First, our perspective is that cyberrisk thoseDecisions priorities about will how have best the to reduce greatest cyberrisk risk reducing can in order.is “only” First, another our perspective kind of operational is that risk.cyberrisk That is, impactbe contentious. for the enterprise? Taking into Thataccount clarity the overallis crucial in is “only”cyberrisk another refers kind to the of operationalpotential for businessrisk. That losses organizingcontext in whichand executing the enterprise those operates, cyber projects leaders in a is, cyberriskof all kinds—financial, refers to the reputational, potential for operational, business focusedmust decide way. which efforts to prioritize: Which lossesproductivity of all kinds related, – financial, and regulatory reputational, related—in the projects could most reduce enterprise risk? What At the moment, attackers benefit from organiza- operational,digital domain. productivity Cyberrisk related, can also and cause regulatory losses in methodology should be used that will make clear tional indecision on cyberrisk – including the pre- relatedthe physical – in the domain, digital domain.such as damage Cyberrisk to operational can to enterprise stakeholders (especially in IT) that vailing lack of clarity about the danger and failure alsoequipment. cause losses But itin is the important physical to domain, stress that such those priorities will have the greatest risk reducing to execute effective cyber controls. as damagecyberrisk to is operationala form of business equipment. risk. But it is impact for the enterprise? That clarity is crucial in important to stress that cyberrisk is a form of Debilitatingorganizing and attacks executing on high-profile those cyber institutions projects in a are businessFurthermore, risk. cyberrisks are not the same as proliferatingfocused way. globally, and enterprise-wide cyber cyberthreats, which are the particular dangers that efforts are needed now with great urgency. It is Furthermore,create the potential cyberrisks for cyberrisk.are not the Threats same asinclude At the moment, attackers benefit from widely understood that there is no time to waste: cyberthreats,privilege escalation, which are vulnerability the particular exploitation, dangers or that organizational indecision on cyberrisk—including business leaders everywhere, at institutions of all createphishing.¹ the potential Cyberthreats for cyberrisk. exist in the Threats context include of the prevailing lack of clarity about the danger sizes and in all industries, are earnestly searching privilege escalation, vulnerability exploitation, 1 for the optimal means to improve cyber resilience. or 1phishing. Cyberthreats exist in the context Privilege escalation is the exploitation of a flaw in a system for purpose ofWe gaining believe unauthorized we have access found to protected a way resources. to help. Vulnerability of enterpriseexploitation is ancyberrisk attack that asuses potential detected vulnerabilities avenues tofor exploit (surreptitiously utilize or damage) the host system. loss of confidentiality, integrity, and availability of digital assets. By extension, the risk impact of cyberthreats includes fraud, financial crime, data loss, or loss of system availability.

2 The risk-based approach to cybersecurity

1 Privilege escalation is the exploitation of a flaw in a system for purpose of gaining unauthorized access to protected resources. Vulnerability exploitation is an attack that uses detected vulnerabilities to exploit (surreptitiously utilize or damage) the host system.

16 The risk-based approach to cybersecurity The maturity-based cybersecurity employee awareness and training. Yet a maturity- approach: A dog that’s had its day based model does not call for the organization to gather enough information to know that it should Even today, “maturity based” approaches to divert the funding needed for this from additional managing cyberrisk are still the norm. These application monitoring. Spending on both will be approaches focus on achieving a particular expected, though the one effort (awareness and level of maturity by building certain capabilities. training) may have a disproportionate impact on To achieve the desired level, for example, an enterprise-risk reduction relative to the other. organization might build a security operations center (SOC) to improve the maturity of assessing, If the objective is to reduce enterprise risk, then monitoring, and responding to potential threats to the efforts with the best return on investment in enterprise information systems and applications. risk reduction should draw the most resources. Or it might implement multifactor authentication This approach holds true across the full control (MFA) across the estate to improve maturity of landscape, not only for monitoring but also access control. A maturity-based approach can for privileged-access management, data-loss still be helpful in some situations: for example, prevention, and so forth. All of these capabilities to get a program up and running from scratch reduce risk somewhat and somehow, but most at an enterprise that is so far behind it has to companies are unable to determine exactly how “build everything.” For institutions that have and by how much. progressed even a step beyond that, however, a The final (and most practical) drawback of maturity-based approach is inadequate. It can maturity-based programs is that they can create never be more than a proxy for actually measuring, paralyzing implementation gridlock. The few managing, and reducing enterprise risk. teams or team members capable of performing A further issue is that maturity-based programs, the hands-on implementation work for the many as they grow organically, tend to stimulate controls needed become overloaded with demand. unmanageable growth of control and oversight. Their highly valuable attention is split across too In monitoring, for example, a maturity-based many efforts. The frequent result is that no project program will tend to run rampant, aspiring to is ever fully implemented and program dashboards “monitor everything.” Before long, the number of show perpetual “yellow” status for the full suite of applications queued to be monitored across the cyber initiatives. enterprise will outstrip the capacity of analysts The truth is that in today’s hyperconnected world, to monitor them, and the installation of monitors maturity-based cybersecurity programs are no will bog down application-development teams. longer adequate for combatting cyberrisks. A The reality is that some applications represent more strategic, risk-based approach is imperative more serious vulnerabilities – and therefore for effective and efficient risk management greater potential for risk – than others. To focus (Exhibit 2). directly on risk reduction, organizations need to figure out how to move from a stance of Reducing risk to target appetite at monitoring everything to one in which particular applications with high risk potential are monitored less cost in particular ways. Another issue related to the The risk-based approach does two critical things monitor-everything stance is inefficient spending. at once. First, it designates risk reduction as Controls grow year after year as program planning the primary goal. This enables the organization for cybersecurity continues to demand more to prioritize investment – including in spending for more controls. But is enterprise implementationrelated problem solving – based risk being reduced? Often the right answers squarely on a cyber program’s effectiveness lie elsewhere: for example, the best return on in reducing risk. Second, the program distills investment in enterprise-risk reduction is often in top management’s risk-reduction targets into

The risk-based approach to cybersecurity 17 become overloaded with demand. Their highly Reducing risk to target appetite at valuable attention is split across too many efforts. less cost The frequent result is that no project is ever fully The risk-based approach does two critical things implemented and program dashboards show at once. First, it designates risk reduction as the perpetual “yellow” status for the full suite of cyber primary goal. This enables the organization to initiatives. prioritize investment—including in implementationrelated problem solving—based squarely on a McK on Risk 8 2019The truth is that in today’s hyperconnected world, cyber program’s effectiveness in reducing risk. Risk-based approachmaturity-based cybersecurity programs are no Second, the program distills top management’s longer adequate for combatting cyberrisks. A more Exhibit 2 of 4 risk-reduction targets into precise, pragmatic strategic, risk-based approach is imperative for implementation programs with clear alignment effective and efficient risk management (Exhibit 2). from the board to the front line. Following the risk-

Exhibit 2 For many companies, the risk-based approach is the next stage in their cybersecurity journey.

Proactive cybersecurity

Risk-based Achieve holistic resilience approach Transform processes and adoption of next-generation technologies to reduce detection and response Maturity-based times to within recovery-time approach Reduce enterprise risk objectives Identify, prioritize, deliver, manage, and measure security and privacy Embed security in technology controls in line with enterprise-risk- products, services, and processes Security not management framework from point of inception through to execution to achieve complete considered Build capabilities “security by design” Strengthen essential security and Set risk-appetite thresholds for resilience fundamentals to plug gaps linked pairs of key risk indicators and key performance indicators Fully incorporate customers, partners, third parties, and Establish cyber operating model regulators into management Security schmecurity and organization to professionalize Include stakeholders from full of enterprise resilience Lack of capability and awareness cybersecurity function enterprise in cyber operating mode throughout organization, including among senior leadership

Example activities Example activities Example activities Example activities • Assess cyber maturity (eg, • Build security operations center, • Implement cyberrisk • Deploy advanced analytics and data protection, access incident-response playbooks, and quantication machine learning for preventative management) with or without identity- and access-management • Measure and report on detection benchmarks to highlight function; install multifactor reduction of risk, not progress • Implement security by design with capability gaps authentication on apps; enable use of capabilities multilayer response-time reduction • Evaluate cyber awareness across of virtual private network organization • Create and sta chief information security ocer and connect to other relevant areas

Foundational Advanced

precise, pragmatic implementation programs with transformation. The excess spending was deemed clear alignment from the board to the front line. necessary to fulfill a promise to the board to reach 4 The risk-based approach to cybersecurity Following the risk-based approach, a company a certain level of maturity that was, in the end, will no longer “build the control everywhere”; arbitrary. Using the risk-based approach, the rather, the focus will be on building the appropriate company scaled back controls and spending in controls for the worst vulnerabilities, to defeat areas where desired digital capabilities were being the most significant threats – those that target heavily controlled for no risk-reducing reason. A the business’s most critical areas. The approach particular region of success with the risk-based allows for both strategic and pragmatic activities approach has been Latin America, where a number to reduce cyberrisks (Exhibit 3). of companies have used it to leapfrog a generation of maturity-based thinking (and spending). Companies have used the risk-based approach to Instead of recapitulating past inefficiencies, these effectively reduce risk and reach their target risk companies are able to build exactly what they need appetite at significantly less cost. For example, to reduce risk in the most important areas, right by simply reordering the security initiatives in its from the start of their cybersecurity programs. backlog according to the risk-based approach, Cyber attackers are growing in number and one company increased its projected risk reduction strength, constantly developing destructive new 7.5 times above the original program at no added stratagems. The organizations they are targeting cost. Another company discovered that it had must respond urgently, but also seek to reduce massively overinvested in controlling new software- risk smartly, in a world of limited resources. development capabilities as part of an agile

18 The risk-based approach to cybersecurity based approach, a company will no longer “build 7.5 times above the original program at no the control everywhere”; rather, the focus will be added cost. Another company discovered that on building the appropriate controls for the worst it had massively overinvested in controlling new vulnerabilities, to defeat the most significant software-development capabilities as part of an threats—those that target the business’s most agile transformation. The excess spending was critical areas. The approach allows for both strategic deemed necessary to fulfill a promise to the board and pragmatic activities to reduce cyberrisks to reach a certain level of maturity that was, in the (Exhibit 3). end, arbitrary. Using the risk-based approach, the company scaled back controls and spending in Companies have used the risk-based approach to areas where desired digital capabilities were being McK on Risk 8 2019effectively reduce risk and reach their target risk heavily controlled for no risk-reducing reason. A Risk-based approachappetite at significantly less cost. For example, particular region of success with the risk-based Exhibit 3 of 4 by simply reordering the security initiatives in its approach has been Latin America, where a number backlog according to the risk-based approach, one of companies have used it to leapfrog a generation company increased its projected risk reduction of maturity-based thinking (and spending). Instead

Exhibit 3 A risk-based approach builds customized controls for a company’s critical vulnerabilities to defeat attacks at lower overall cost.

Maturity-based versus risk-based cybersecurity Risk-based approach: Optimizes defensive layers for Maturity-based approach: Builds highest level of defense risk-reduction and cost. Critical assets are highly protected, around everything. but at less expense and in ways that improve productivity.

Cyberrisk management and governance Cyberrisk management and governance Security organization Security organization Information-security processes Information-security processes

Technology controls Technology controls Key assets: Critical economic Key assets: Critical economic function, function, people, data, applications, people, data, applications, infrastructure, infrastructure, value-producing process value-producing process

Cost of maturity-based defenses Cost of risk-based defenses €2 million €1.5 million

€6 million €2.0 million

€1 million €0.5 million €1 million €0.5 million €4 million €0.5 million

Total cost Total cost €14 million €5 million

Note: Costs are illustrative but extrapolated from real-world examples and estimates.

The risk-based approach to cybersecurity 5 A transformation in sequential actions 4. Understand the relevant “threat actors,” their capabilities, and their intent. Companies adopting the risk-based approach and transforming their “run” and “change” activities 5. Link the controls in “run” activities and accordingly inevitably face the crucible of how “change” programs to the vulnerabilities that to move from maturity-based to risk-based they address and determine what new efforts cybersecurity. From the experience of several are needed. leading institutions, a set of best-practice actions 6. Map the enterprise risks from the enterprise- has emerged as the fastest path to achieving this risk-management framework, accounting for transformation. These eight actions taken roughly the threat actors and their capabilities, the in sequence will align the organization toward the enterprise vulnerabilities they seek to exploit, new approach and enable the appropriate efforts and the security controls of the organization’s to reduce enterprise risk. cybersecurity run activities and change 1. Fully embed cybersecurity in the program. enterpriserisk- management framework. 7. Plot risks against the enterprise-risk appetite; 2. Define the sources of enterprise value across report on how cyber efforts have reduced teams, processes, and technologies. enterprise risk. 3. Understand the organization’s enterprise-wide 8. Monitor risks and cyber efforts against risk vulnerabilities – among people, processes, and appetite, key cyberrisk indicators (KRIs), and technology – internally and for third parties. key performance indicators (KPIs).

The risk-based approach to cybersecurity 19 1. Fully embed cybersecurity in the enterprise- which it runs – and the vulnerabilities to those risk-management framework constituent parts can be specified. A risk-based cyber program must be fully 3. Understand vulnerabilities across embedded in the enterprise-risk-management the enterprise framework. The framework should not be used as Every organization scans its infrastructure, a general guideline, but rather as the organizing applications, and even culture for vulnerabilities, principle. In other words, the risks the enterprise which can be found in areas such as configuration, faces in the digital domain should be analyzed code syntax, or frontline awareness and training. and categorized into a cyberrisk framework. This The vulnerabilities that matter most are those approach demystifies cyberrisk management connected to a value source that particular threat and roots it in the language, structure, and actors with relevant capabilities can (or intend to) expectations of enterprise-risk management. exploit. The connection to a source of value can Once cyberrisk is understood more clearly as be direct or indirect. A system otherwise rated business risk that happens in the digital domain, as having low potential for a direct attack, for the organization will be rightly oriented to begin example, might be prone to lateral movement – implementing the riskbased approach. a method used by attackers to move through 2. Define the sources of enterprise value systems seeking the data and assets they are ultimately targeting. An organization’s most valuable business work flows often generate its most significant risks. It is Once the organization has plotted the people, therefore of prime importance to identify these work actions, technology, and third-party components flows and the risks to which they are susceptible. For of its value-creating processes, then a thorough instance, in financial services, a loan process is part identification of associated vulnerabilities can of a value-creating work flow; it is also vulnerable to proceed. A process runs on a certain type of data leakage, an enterprise risk. A payment process server, for example, that uses a certain operating likewise creates value but is susceptible to fraud, system (OS). The particular server – OS combi- another enterprise risk. To understand enterprise nation will have a set of identified common risks, organizations need to think about the potential vulnerabilities and exposures. The same will be true impact on their sources of value. for storage, network, and end-point components. People, process, and third-party vulnerabilities can Identifying the sources of value is a fairly straight- be determined by similar methodologies. forward exercise, since business owners will have already identified the risks to their business. Of note, vulnerabilities and (effective) controls Cybersecurity professionals should ask the exist in a kind of reverse symbiosis: where one businesses about the processes they regard as is present the other is not. Where sufficient valuable and the risks that they most worry about. control is present, the vulnerability is neutralized; without the control, the vulnerability persists. Making this connection between the cybersecurity Thus, the enterprise’s vulnerabilities are most team and the businesses is a highly valuable step practically organized according to the enterprise- in itself. It motivates the businesses to care more approved control framework.2 Here synergies deeply about security, appreciating the bottom-line begin to emerge. Using a common framework impact of a recommended control. The approach and language, the security, risk, IT, and frontline is far more compelling than the maturity-based teams can work together to identify what approach, in which the cybersecurity function needs to be done to close vulnerabilities, guide peremptorily informs the business that it is imple- implementation, and report on improvements menting a control “to achieve a maturity of 3.0.” in exactly the same manner and language. The constituents of each process can be defined – Experience confirms that when the entire relevant teams, critical information assets (“crown organization shares a common way of thinking jewels”), the third parties that interact with the about vulnerabilities, security can be significantly process, and the technology components on enhanced.

2 This can include the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), NIST National Vulnerability Dataset (NIST 800-53), International Organization for Standardization 27001/2 (standards for information-security-management systems), and Federal Financial Institutions Examination Council Cybersecurity Assessment Tool (FFIEC CAT).

20 The risk-based approach to cybersecurity Experience confirms that when the entire organization shares a common way of thinking about vulnerabilities, security can be significantly enhanced.

4. Understand relevant threat actors and development. Any new controls needed are added their capabilities to the program backlog as either stand-alone or composite initiatives. The groups or individuals an organization must worry about – the threat actors – are determined While an organization may not be able to complete by how well that organization’s assets fit with all initiatives in the backlog in a single year, it will the attackers’ goals – economic, political, or now be able to choose what to implement from otherwise. Threat actors and their capabilities – the full spectrum of necessary controls relevant the tactics, techniques, and procedures they to the enterprise because they are applicable for use to exploit enterprise security – define the frustrating relevant threat capabilities. The risk- organization’s threat landscape. based approach importantly bases the scope of both existing and new initiatives in the same Only by understanding its specific threatlandscape control framework. This enables an additional can an organization reduce risk. Controls are imple- level of alignment among teams: delivery mented according to the most significant threats. teams charged with pushing and reporting on Threat analysis begins with the question, Which initiative progress can finally work efficiently threat actors are trying to harm the organization and with the second and third lines of defense (where what are they capable of? In response, organizations relevant), which independently challenge control can visualize the vulnerabilities commonly exploited effectiveness and compliance. When the program- by relevant threats, and appropriate controls can delivery team (acting as the first line of defense) then be selected and applied to mitigate these sits down with the second and third lines, they will specific vulnerability areas. all be speaking the same language and using the In identifying the controls needed to close specific same frameworks. This means that the combined gaps, organizations need to size up potential groups can discuss what is and is not working, and attackers, their capabilities, and their intentions – what should be done. the threat actors’ strength and will (intention) 6. Map the enterprise-risk ecosystem to create a risk event. This involves collecting information on and understanding how the A map of enterprise risks – from the enterpriserisk- attackers connect, technically and nontechnically, management framework to enterprise vulnera- to the people, process, and technology bilities and controls to threat actors and their vulnerabilities within the enterprise. capabilities – makes visible a “golden thread,” from control implementation to enterprise-risk reduction. 5. Address vulnerabilities Here the risk-based approach can begin to take To defeat threat actors, vulnerabilities discovered shape, improving both efficiency in the application in the third action we describe will either be closed of controls and the effectiveness of those controls by existing controls – normal run activities or in reducing risks. Having completed actions one existing change initiatives – or will require new through five, the organization is now in a position control efforts. For existing controls, the cyber to build the riskbased cybersecurity model. The governance team (for “run”) and the program analysis proceeds by matching controls to the management team (for “change”) map their vulnerabilities they close, the threats they defeat, current activities to the same control framework and the value-creating processes they protect. The used to categorize vulnerabilities. This will run and change programs can now be optimized show the controls already in place and those in

The risk-based approach to cybersecurity 21 according to the current threat landscape, present leadership (such as the board and the risk vulnerabilities, and existing program of controls. function) can identify an enterprise risk (such as Optimization here means obtaining the greatest data leakage), and the cybersecurity team can amount of risk reduction for a given level of report on what is being done about it (such as a spending. A desired level of risk can be “priced” data-loss prevention control on technology or a according to the initiatives needed to achieve it, or social-engineering control on a specific team). the entry point for analysis can be a fixed budget, Each part is connected to the other, and every which is then structured to achieve the greatest stakeholder along the way can connect to the reductionhere means in obtaining risk. the greatest amount of risk leadershipconversation. (such asThe the methodology board and the and risk model function) is at reduction for a given level of spending. A desired canthe identify center, an acting enterprise both risk as a(such translator as data and leakage), as an Cybersecurity optimization determines the right level of risk can be “priced” according to the andoptimizer. the cybersecurity The entire team enterprise can report team on whatknows is what level and allocation of spending. Enterprise-risk initiatives needed to achieve it, or the entry point beingto do, done from about the itboard (such to as the a data-loss front line, prevention and can reduction is directly linked to existing initiatives for analysis can be a fixed budget, which is then controlmove on in technologya unified way or a to social-engineering do it. andstructured the initiation to achieve of new the greatestones. The reduction analysis in risk. control on a specific team). Each part is connected develops the fact base needed for tactical to 7.the Plot other, risks and against every stakeholder risk appetite; along report the way on discussionsCybersecurity on optimization overly controlled determines areas the whence right canrisk connect reduction to the conversation. The methodology the organization might pull back as well as areas level and allocation of spending. Enterprise-risk andOnce model the is organization at the center, hasacting established both as a a clear wherereduction better is directly control linked for value to existing is needed. initiatives and translator and as an optimizer. The entire enterprise understanding of and approach to managing the initiation of new ones. The analysis develops the team knows what to do, from the board to the front By incorporating all components in a model and cyberrisk, it can ensure that these concepts fact base needed for tactical discussions on overly line, and can move in a unified way to do it. usingcontrolled the sources areas whence of value the and organization control frameworks might pull are easily visualized and communicated to all asback a common as well as language, areas where the better business, control IT, for risk, value 7. stakeholders.Plot risks against This risk is done appetite; through report a risk on grid, andis needed. cybersecurity groups can align. Discussions riskwhere reduction the application of controls is sized to the are framed by applying the enterprise control Oncepotential the organization level of risk has (Exhibit established 4). a clear frameworkBy incorporating to the all highest components sources in a of model value. and This understanding of and approach to managing McK on Risk 8 2019createsusing the the sources golden-thread of value and effect. control Enterprise frameworks cyberrisk, it can ensure that these concepts Risk-based approachas a common language, the business, IT, risk, are easily visualized and communicated to all Exhibit 4 of 4 and cybersecurity groups can align. Discussions stakeholders. This is done through a risk grid, where are framed by applying the enterprise control the application of controls is sized to the potential framework to the highest sources of value. This level of risk (Exhibit 4). creates the golden-thread effect. Enterprise

Exhibit 4 The risk-based approach applies controls according to the risk appetite and the likelihood and potential impact of a risk event.

Risk events by size of impact and likelihood of occurrence

Very high Out of risk appetite At limit of risk appetite

Within risk appetite

Well within risk appetite

Medium-impact risks must comply with tier-1 controls

Both very-high-impact and high-impact risks must comply Risk impact with tier-1 and tier-2 controls

Very-high-impact risks must also comply with tier-3 controls to be within risk appetite

Low-impact and very-low-impact risks do not need to comply with any controls in order to be within risk appetite. However, baseline controls should be applied when doing so is a “no regrets” move (low cost, high impact), and when it is required for improved productivity or regulatory alignment

Very low Likelihood Very high

22 The risk-based approach to cybersecurity The risk-based approach to cybersecurity 9 The assumption in this use of the classic risk grid is 8. Monitor risks and cyber efforts using risk that the enterprise-risk appetite has been defined appetite and key cyberrisk and performance for each enterprise risk. The potential impact for indicators each enterprise-risk scenario can then be plotted At this point, the organization’s enterprise risk on the risk grid. Once the relationships among posture and threat landscape are understood, the threats, vulnerabilities, and applied controls and the risk-based cybersecurity program is in are modeled and understood, the risks can be place. The final step is to monitor and manage for evaluated according to their likelihood. As more success. controls are applied, the risk levels are reduced to the risk appetite. This is the way the cyber program Many companies attempt to measure cyber can demonstrate impact in terms of enterprise- maturity according to program completion, rather risk reduction. than by actual reduction of risk. If a security function reports that the data-loss-prevention As new threats emerge, new vulnerabilities will (DLP) program is 30 percent delivered, for become apparent. Existing controls may become example, the enterprise assumption is that ineffective, and enterprise risks can move in the risk of data leakage is 30 percent reduced. If a opposite direction – even to the point where multifactor authentication initiative is 90 percent riskappetite limits are exceeded. For information- implemented, the assumption is that the risk of security-management systems, the risk grid allows unauthorized access is almost eliminated. These stakeholders to visualize the dynamic relationships assumptions are false, however, because actual among risks, threats, vulnerabilities, and controls risk-reducing results are not being measured in and react strategically, reducing enterprise risks to these examples. the appropriate risk-appetite level.

Sidebar

Linking a KRI to a KPI

A data-loss-prevention program (KPI) could be the proportion of critical With KRIs and KPIs systematically (DLP) is a helpful control to reduce assets covered since the last reporting incorporated into a digital dashboard, the enterprise risk of data leakage. period versus the total expected to be executives have complete risk- The critical assets identified by the covered. Enterprise leaders will see these based measurement and reporting enterprise-risk-management function two metrics on the reporting dashboard. at their fingertips. They can actively as requiring DLP coverage can become They can then assess the progress participate in risk-reduction efforts – the output metric, or key risk indicator towards the appetite-linked thresholds influencing their progress, projections, (KRI). Assuming that the KRI is not and with delivery teams discuss what if performance, and achievement of risk 100 percent, then the linked input anything is needed to continue meeting thresholds. metric, or key performance indicator (or possibly exceeding) expectations.

The risk-based approach to cybersecurity 23 Metrics need to measure both inputs and outputs; Executives are often forced to make sense of inputs, in this case, are risk-reduction efforts a long list of sometimes conflicting metrics. undertaken by the enterprise, while the output is By linking KRIs and KPIs, the cybersecurity Risk Practice the actual reduction in enterprise risk. The input team gives executives the ability to engage in metric here is a key performance indicator (KPI): meaningful problem-solving discussions on which measuring the performance of a program or a risks are within tolerances, which are not, and why Enhanced cyberrisk “run” function. The output metric is really a key risk (see the sidebar, “Linking a KRI to a KPI”). indicator (KRI), measuring the risk level associated The risk-based approach to cybersecurity is thus with a potential risk scenario. The thresholds for ultimately interactive – a dynamic tool to support reporting: Opening the KRIs must be tied directly to risk-appetite strategic decision making. Focused on business levels (the KPI thresholds can also be linked in value, utilizing a common language among the this way). For example, if risk appetite for data interested parties, and directly linking enterprise doors to risk-based leakage is zero, then the systemic controls (and risks to controls, the approach helps translate corresponding “red” thresholds) must be higher executive decisions about risk reduction into than they would be if a certain percentage of control implementation. The power of the risk- cybersecurity leakage is allowed over a certain period. Of course, based approach to optimize for risk reduction tolerances for cyber incidents may be not always at any level of investment is enhanced by its be set at zero. In most cases, it is impossible to New cyberrisk management information systems provide executives flexibility, as it can adjust to an evolving risk- stop all cyber attacks, so sometimes controls can with the risk transparency they need to transform organizational appetite strategy as needed. be developed that tolerate some incidents. cyberresilience. One way to think about KRIs and KPIs is with regard to the relationship between altitude and by Jim Boehm, James M. Kaplan, Peter Merrath, Thomas Poppensieker, and Tobias Stähle trajectory. A KRI gives the current risk level of Many leading companies have a cyber-maturity the enterprise (the “risk altitude”) while the KPI assessment somewhere in their archives; some indicates the direction towards or away from the still execute their programs to achieve certain enterprise-risk-appetite level (“risk trajectory”). levels of maturity. The most sophisticated An enterprise may not yet have arrived at the companies are, however, moving away from the leadership’s KRI target but a strong KPI trajectory maturity-based cybersecurity model in favor of would suggest that it will soon. Conversely, an the risk-based approach. This is because the new enterprise may have hit the desired KRI threshold, approach allows them to apply the right level of but the KPIs of the run activity may be backsliding control to the relevant areas of potential risk. For and give cause for concern. senior leaders, boards, and regulators, this means more economical and effective enterprise-risk management.

Jim Boehm is an associate partner in McKinsey’s Washington, DC, office; Nick Curcio is a cyber © me4o/Getty Images solutions analyst in the New York office; Peter Merrath is an associate partner in the Frankfurt office, where Tobias Stähle is a senior expert; and Lucy Shenton is a cyber solutions specialist in the Berlin January 2020 office. The authors wish to thank Rich Isenberg for his contributions to this article.

24 The risk-based approach to cybersecurity Create granular, analytic risk management capabilities

EnhancedRisk Practice cyberrisk reporting:Enhanced Opening cyberrisk doorsreporting: to risk-based Opening cybersecuritydoors to risk-based

Newcybersecurity cyberrisk management information systems provide executivesNew cyberrisk with the management risk transparency information they need systems to transform provide executives organizationalwith the risk cyberresilience. transparency they need to transform organizational

by Jimcyberresilience. Boehm, James Kaplan, Peter Merrath, Thomas Poppensieker, and Tobias Stähle

by Jim Boehm, James M. Kaplan, Peter Merrath, Thomas Poppensieker, and Tobias Stähle

January 2020

Enhanced cyberrisk reporting: Opening doors to risk-based cybersecurity 25 Executives in all sectors have deepened their Risk managers are flying blind understanding of the dangers cyberrisk poses Many companies rely on a patchwork of reports to their business. As hacks, cyberattacks, from different sources to manage cyberrisk. and data leaks proliferate in industry after Executives at these companies are unable to industry, a holistic, enterprise-wide approach assess the returns from their cybersecurity to cybersecurity has become a priority on investments. They lack needed information board agendas. Companies are strengthening about cyberrisk levels, the effectiveness of protections around their business models, countermeasures, and the status of protection core processes, and sensitive data. Regulators for key assets. Available data are incomplete, are applying their own pressures, and privacy inconsistent, and not reliable as a basis for demands are sharpening. decision making. Executives also question the We asked executives at financial institutions in complexity of their cyberrisk-management tools, Europe and North America about their actual finding them overly complicated and their results experiences with cyberrisk management and incomprehensible. reporting. What they told us was instructive. They Risk decision makers reserve particular criticism said cyberrisk management can be effective only for governance-risk-compliance (GRC) systems. when the information it is based on is accurate. These complex software solutions can take years Yet cyberrisk reporting at many companies is to implement and rarely produce a satisfying inadequate, failing to provide executives with the result. Like many risk-management systems, facts they need to make informed decisions about GRC software was created by technicians, and countermeasures. Because of the information specialized expertise is required to make sense gaps, managers often apply a standard set of of the output. In one survey, more than half controls to all company assets. As a result, low- of executive respondents said cybersecurity priority assets can be overprotected, while critical reporting was too technical for their purposes.1 assets remain dangerously exposed. In fact, GRC does not even focus on cyberrisk Fortunately, some leading organizations are but rather covers a wide range of risk types, pioneering an effective, efficient approach to including financial, legal, natural, and regulatory cyberrisk reporting that helps executives increase risks. It therefore cannot create the overview of corporate resilience – one that also provides cybersecurity that board members and regulators transparency on cyberrisk and allows companies to need. In effect, many cyberrisk managers are integrate cyberrisk reporting with legacy systems. flying blind.

1 “How boards of directors really feel about cyber security reports”, Bay Dynamics, June 2016, baydynamics.com.

“We need to bring rigor to the risks related to data and protect our top assets effectively.” —Advanced industries CIO

26 Enhanced cyberrisk reporting: Opening doors to risk-based cybersecurity “The current situation is a mess. We do not have the facts to decide on actions. This paralysis puts our business at risk.” —Financial-services chief information-security officer

At a leading European financial institution, of reliable reporting, the entire cybersecurity executives were dissatisfied with the existing strategy was undifferentiated: all controls were cyberrisk-reporting regime. In attempting to being applied to all assets. improve it, they first assessed their experience: The chief information-security officer (CISO) — Cyberrisk reports were compiled by IT did not know whom to contact about a given specialists for other IT specialists. As a result, issue. Regulators reproached the institution for the reports were very technical in nature and incomplete information. For example, the institution provided little to no guidance for executive did not compile data on the share of employees that decision making. Executives found that had completed mandatory cybersecurity training in the reports did not help them interpret how any one location. Within the undifferentiated group- cyberrisk is related to other risks the institution level data, high attendance in one country could faces, such as legal or financial risks. easily mask low attendance in another. The training gap could be contributing to unacceptable levels of — At the same time, the reporting had many gaps: cyberrisk exposure in that country, which, however, almost no information was provided on top would be invisible. risks, key assets, recent incidents, counterrisk measures, implementation accountability, the institution’s resilience in the face of The objectives of effective cyberrisk cyberthreats, or the return on investments in reporting cybersecurity. State-of-the-art cyberrisk management requires an information system that consolidates all relevant — The reporting was structured by systems, information in one place. The most important risk servers, and applications rather than by metrics – key risk indicators (KRIs) – present a business units, business processes, functions, consistent evaluation across assets to enable countries, or legal entities. Most reports were the tailored application of cyberrisk controls. A compiled as stand-alone documents, with no given asset can be protected with the controls integrated view of cyberrisk across the group . appropriate to its importance and the threat levels The executives had no clear sense of the overall to which it is exposed. magnitude of the risk from cyberattacks, malware, To ready their companies for the challenges and data leaks. Neither did they know what was of the evolving cyberrisk-threat landscape, needed to improve protection of their key assets executives need to upgrade their approach to against the biggest threats. Several mitigating cyberrisk reporting and management. To address initiatives were in progress, but the reporting the magnitude and the complexity of the threat, did not make clear what contributions, if any, companies should build a high-performing these actions made to reducing risk. Cyberrisk cyberrisk management information system (MIS) managers found it difficult to decide on the areas with three fundamental objectives.2 of focus for cybersecurity investments or to justify their ultimate decisions to the board. For want

2 See also Thomas Poppensieker and Rolf Riemenschnitter, “A new posture for cybersecurity in a networked world,” McKinsey on Risk, March 2018, McKinsey.com.

Enhanced cyberrisk reporting: Opening doors to risk-based cybersecurity 27 — Transparency on cyberrisk. Make the A strong analytical backbone cyberrisk status of the institution’s most Analytics is the backbone of the cyberrisk MIS; valuable assets fully transparent, with data having a strong, smart analytical system in place on the most dangerous threats and most enables users to integrate data from different important defenses assembled in a way sources across a network and aggregate risks as that’s accessible and comprehensible for needed. Ideally, the cyberrisk MIS should have nonspecialists. a pyramid structure, with risk data organized — Risk-based enterprise overview. Provide hierarchically. The starting point is a simple decision makers with a risk-based overview of the overview, with the most important data at the institution so they can focus their cybersecurity highest level of aggregation. These data would invest-ments on protecting the most valuable describe, for example, the top global risks, assets from the most dangerous threats. differentiated by potential loss and probability. More detailed information can be added as — Return on cyber investments. Ensure the needed, including KRIs and countermeasures for efficiency of counterrisk measures by requiring individual divisions, countries, assets, processes, a high return on investment. and even buildings. The contact details of the A dedicated cyberrisk MIS is not a substitute people responsible for implementing the specific for GRC systems but rather a reporting solution countermeasures can also be included. addressing cyberrisk. It must be compatible As shown in Exhibit 1, a top-down approach for with legacy systems and serve decision makers risk-data aggregation typically involves the use of rather than specialists. It is designed to provide qualitative risk assessments based on scenarios. the information that executives need to prioritize Top down is a good way to begin: it requires the threats and devise effective controls; it enables least amount of data and provides significant informed board discussions on cyberrisk strategy insight in a short time. Eventually, enough risk data and helps optimize the allocation of funds. will become available to introduce a bottom-up The cyberrisk MIS should not become a burden on approach. executives, reduced to yet another software system The movement from top down to bottom up helps they must learn. Rather, it should be integrated into achieve cyberrisk MIS objectives quicker – by the existing business-intelligence system, drawing clarifying definitions of the elements of cyberrisk, initially on existing data sources. A good cyberrisk MIS providing executives with the information they should also aspire to be future-proof, adaptable to need to make strategic decisions, and enhancing new technologies, and able to integrate more granular transparency on risk exposure and the efficacy of data sources and more sophisticated algorithms for risk-mitigation initiatives. risk assessment as they become available. For optimal performance, the cyberrisk MIS should be tailored to the needs of a given company. However, even a basic setup can create substantial impact. This is because a cyberrisk MIS acts as a catalyst for better, more informed decision making. Even the process of setting it up forces executives to come to a common understanding of the level of cyberrisk the company is willing to tolerate.

28 Enhanced cyberrisk reporting: Opening doors to risk-based cybersecurity As shown in Exhibit 1, a top-down approach for The movement from top down to bottom up helps risk-data aggregation typically involves the use of achieve cyberrisk MIS objectives quicker—by qualitative risk assessments based on scenarios. clarifying definitions of the elements of cyberrisk, Top down is a good way to begin: it requires the least providing executives with the information they McK on Risk 2020 amount of data and provides significant insight in a need to make strategic decisions, and enhancing Enhanced cyberrisk reporting short time. Eventually, enough risk data will become transparency on risk exposure and the efficacy of Exhibit 1 of 4 available to introduce a bottom-up approach. risk-mitigation initiatives.

Exhibit 1 The cyberrisk management information system begins with top-down risk aggregation and proceeds to a bottom-up approach.

Risk management and reporting

Low in risk appetite In risk appetite At risk appetite Out of risk appetite

Top-down risk aggregation is a good way to The top-down risk approach is phased into a The bottom-up approach allows for more begin, as it requires the least amount of data and bottom-up approach as the organization matures eective risk mitigation: it provides transparency provides the most insight in the shortest time and the required data become available sucient to achieve optimal risk-treatment decisions for a given budget in line with Methodologies Methodologies enterprise capabilities • Scenario-based, qualitive and quantitative • Scenario-based, qualitive, and quantitative assessments assessments Methodologies • Business-impact analysis • Operational-risk-management (ORM) • Inherent and residual risk exposure methodologies and portfolio-theory • Risk-inheritance modeling aggregation • ORM methodologies and portfolio-theory aggregation • Low-level data processing

1 2 3 5

1 Group enterprise-information risk exposure 2 Data-condentiality breach 5 Risk exposure for each individual asset and a 3 Data-integrity loss portfolio of assets 4 Insucient technical-disaster recovery

Reporting dimensions

Business divisions Business processes Asset classes Individual assets Legal entities Regions Buildings and stacks and countries

Exhibit 2 presents the “path to green”: the risk- aggregated scorecard or the most granular mitigation initiatives enabled by the mature breakdown of KRIs will be useless if executives do bottom-up approach that bring risk indicators not rely on the output for decision making. This is withinEnhanced the cyberrisk risk appetite. reporting: Opening doors to risk-based cybersecuritywhy a good cyberrisk MIS should be customized,5 reflecting the specific needs of decision makers at A high-performing cyberrisk MIS is much more than levels one and two of a company’s hierarchy. a reporting tool. It is an integrated decision-support system, creating visibility on all relevant assets – end-user devices, applications, infrastructure, net- Catalyzing a cybersecurity works, and buildings. It gives decision makers access transformation to detailed information on organizational units, The cyberrisk MIS can catalyze a comprehensive regions, and legal entities. It embodies the principles cybersecurity transformation. This happens of good cyberrisk governance, from definition and in the MIS implementation, which in itself is an detection to treatment and measurement. opportunity to transform the ways companies gather information about cyberrisk and make Implementation of the cyberrisk MIS is as decisions about countermeasures. critically important as its design. Even the finest

Enhanced cyberrisk reporting: Opening doors to risk-based cybersecurity 29 Exhibit 2 presents the “path to green”: the risk- Catalyzing a cybersecurity mitigation initiatives enabled by the mature transformation bottom-up approach that bring risk indicators The cyberrisk MIS can catalyze a comprehensive within the risk appetite. cybersecurity transformation. This happens in the MIS implementation, which in itself is an A high-performing cyberrisk MIS is much opportunity to transform the ways companies more than a reporting tool. It is an integrated gather information about cyberrisk and make decision-support system, creating visibility on all decisions about countermeasures. relevant assets—end-user devices, applications, infrastructure, networks, and buildings. It gives The description of a successful cyberrisk MIS decision makers access to detailed information implementation is remarkably congruent with that on organizational units, regions, and legal entities. of a cybersecurity transformation. The steps are It embodies the principles of good cyberrisk as follows: governance, from definition and detection to treatment and measurement. — Define the scope and objectives. Leaders work up front to define objectives and deliverables. Implementation of the cyberrisk MIS is as critically They begin by taking stock of how cyberrisk important as its design. Even the finest aggregated information is gathered and how executives scorecard or the most granular breakdown of decide on countermeasures. Cybersecurity McK on Risk 2020KRIs will be useless if executives do not rely on governance and organization should be Enhanced cyberriskthe outputreporting for decision making. This is why a good established across the whole company, with Exhibit 2 of 4 cyberrisk MIS should be customized, reflecting the common standards and best-in-class reporting specific needs of decision makers at levels one and for systematic risk identification and prioritization. two of a company’s hierarchy.

Exhibit 2 Risk-mitigation initiatives indicated by the bottom-up aggregation approach provide the ‘path to green.’

Share of scope population falling outside risk appetite, illustrative

100%

40 32 24 16 8 0

Risk-mitigating Control 1 Control 2 Control 3 Control 4 Control 5 initiatives 2-factor End-user Segregation No generic Additional controls authentication recerti cation of duties accounts added as needed

The description of a successful cyberrisk MIS how cyberrisk information is gathered and implementation is remarkably congruent with that how executives decide on countermeasures. of a cybersecurity transformation. The steps are as Cybersecurity governance and organization

6 follows:McKinsey on Risk Number 9, November 2019 should be established across the whole company, with common standards and — Define the scope and objectives. Leaders best-in-class reporting for systematic risk work up front to define objectives and identification and prioritization. deliverables. They begin by taking stock of “We don’t want to reinvent the wheel. We need a cyberrisk management information system that has a user- friendly interface. It should integrate the best, most recent data from our own sources. It has to be a lean machine. At the same time, it should give us more transparency than we have today.” —Financial-services chief information-security officer

30 Enhanced cyberrisk reporting: Opening doors to risk-based cybersecurity McK on Risk 2020 Enhanced cyberrisk reporting Exhibit 3 of 4

Exhibit 3 The cybersecurity transformation enabled through a cyberrisk management information system includes more e ective, less costly di erentiated controls.

Cyberrisk management information system, example

Control in place Control not in place Control recommended Out of scope Tier 1: Control A Tier 1: Control B Tier 1: Control C Tier 2: Control D Tier 3: Control E Multifactor Account Central privileged Account deactivation Data encryption authentication recertication access within 24 hours

Application 1: Trading example

Application 2: Accounting example

Application 3: Policy portal

Threat- and control- KRI-KCI 1 KRI-KCI 2 KRI-KCI 3 KRI-KCI 4 n/a related indicators KPI 1 KPI 2 KPI 3 KPI 4 n/a

Eective information-security risk management is based on asset-centric indicators, including key risk indicators (KRIs), key compliance indicators (KCIs), and key performance indicators (KPIs), revealing compliance issues as well as current and forecasted residual risk exposure.

—control Avoid regime. patchwork The company solutions. subjected The cyberriskonly its With therequirements, right approach, and a the cyberrisk return MISon investments in mostMIS critical, must most not be vulnerable regarded assets as another (class one) patch. It cybersecuritycybersecurity. transformation will provide board- should be comprehensive and more accessible to the full arsenal of controls—from multifactor level— executivesShift to a risk-basedwith a concise approach. and easily One digestible of the than the previous assemblage of stand- user authentication to deleting, after 24 hours, overviewmost of powerful top cyberrisks. benefits Exhibit of a 4good shows cyberrisk an alone reports. A good cyberrisk MIS can the accounts of anyone who left the company. MIS cyberriskMIS is the dashboard, risk-based with approach the risk heat-mapto controls By contrast,accommodate it applied different only basic degrees controls of maturityto the in tab open. Other tabs provide the chief risk officer (Exhibit 3), which replaces the undifferentiated leastdifferent critical assets business (Exhibit units. 3). ForAs a example, result of this a module and the chief information officer with the KRIs, “all controls for all assets” approach. The tieredcan approach, be included the companythat enables was managersable to improve to KPIs, controls, and progress reports for different risk-based approach focuses on the most complianceupload static with relevant reports regulatory until dynamic requirements data functions, organizational levels, and applications. important assets and the biggest, most whilebecome reducing available the residual for automatic risk level. Atupdates. the same The transformation will foster the use of a probable threats. Decision makers can then time,Generally, it also reduced the MIS costs: should both supply direct costs decision (such common language and a fact-based approach to as for software licenses) and indirect costs (such cyberriskallocate across investments the entire institution. accordingly. Over Resilience time, makers with the most pertinent information as those incurred through the use of cumbersome, the institutionis thereby will improved accrue the without benefits an of increased greater available at any given time. undifferentiated controls, even those for low- cyberriskcybersecurity transparency, budget. improved In many cybersecurity cases, a state- —level Enhance applications). consistency. With improved efficiency,of-the-art and greater cyberrisk cyberresilience. MIS allows reductions in transparency comes improved consistency. operating expenditure as well. As the transformation proceeds, executives One company used the fact base it created in should calibrate their understanding of implementing its cyberrisk MIS to introduce a cyberrisk and cybersecurity. They should ask, tiered control regime. The company subjected only “As an institution, how much risk are we willing its most critical, most vulnerable assets (class one) to accept? What are our biggest threats? What to the full arsenal of controls – from multifactor level of protection renders a given asset safe?” user authentication to deleting, after 24 hours, 8 McKinseyEven on a Riskseemingly Number 9, trivialNovember risk 2019 topic can initiate the accounts of anyone who left the company. fruitful discussions. For example, in defining By contrast, it applied only basic controls to the cyberrisk-warning thresholds, executives least critical assets (Exhibit 3). As a result of this can arrive at a common understanding of tiered approach, the company was able to improve risk appetite, asset relevance, regulatory

Enhanced cyberrisk reporting: Opening doors to risk-based cybersecurity 31 compliance with relevant regulatory requirements MIS cyberrisk dashboard, with the risk heat-map while reducing the residual risk level. At the same tab open. Other tabs provide the chief risk officer time, it also reduced costs: both direct costs (such and the chief information officer with the KRIs, as for software licenses) and indirect costs (such KPIs, controls, and progress reports for different as those incurred through the use of cumbersome, functions, organizational levels, and applications. undifferentiated controls, even those for lowlevel The transformation will foster the use of a applications). common language and a fact-based approach to McK on Risk 2020 cyberrisk across the entire institution. Over time, Enhanced cyberriskWith reporting the right approach, a cyberrisk MIS cyber- the institution will accrue the benefits of greater Exhibit 4 of 4 security transformation will provide board-level cyberrisk transparency, improved cybersecurity executives with a concise and easily digestible efficiency, and greater cyberresilience. overview of top cyberrisks. Exhibit 4 shows an

Exhibit 4 The cyberrisk dashboard includes a risk heat map.

Cyberrisk dashboard, example

Risk heat map: Current risk exposure according to risk register and assessment of 1st and 2nd lines of defense

Global overview 1. Unauthorized External incidents Low Medium High Very high 0 scenarios 2 scenarios 2 scenarios 9 scenarios transactions: internal Threat landscape 2. Unauthorized Risk heat map transaction: external 3. Data leakage Very high 7 2, 5, 8 1 Cyber incidents 4. Information gathering by Group security nation-state dashboard 5. Loss of data integrity 6. 3rd-party breach Shared nancial- High 10 4, 6, 12 3 7. Business-process system projects disruption Regulatory updates 8. Insucient Severity Medium 9, 11 13 Data import technical-disaster recovery System settings 9. Disruption of services/ denial-of-service attack Low 10. Physical intrusion 11. Failure of building environment Very low 12. Regulatory risk 13. System settings

Very low Low Medium High Very high

Likelihood

The fast track to impact place. In all likelihood, the initial version of a next-generation cyberrisk MIS will not be fully TheThe modular fast track design to of impactthe recommended cyberrisk MIS will not be fully customized to the customized to the needs of a given company, but cyberriskThe modular MIS design makes of it the possible recommended to implement needs of a given company, but it will be a real workingit will be product, a real working not a dummy. product, not a dummy. acyberrisk viable version MIS makes in parts it possible over a period to implement of three The implementation journey begins with a project toa viablesix months, version depending in parts over on ana period organization’s of three to six months, depending on an organization’s Theteam, implementation experts, risk journey managers, begins data with owners, a project IT, and needs and complexity. For many companies, the needs and complexity. For many companies, the team,other experts, stakeholders risk managers, jointly determining data owners, specific IT, and most important components – the underlying most important components—the underlying otherrequirements, stakeholders relevant jointly processes, determining and specific data data structure, the analytical backbone, and data structure, the analytical backbone, and the requirements,availability. In relevant the building processes, stage, and live data trial sessions thevisualization visualization interface—are interface – already are already in place. in In all availability. In the building stage, live trial sessions likelihood, the initial version of a next-generation are held to give executives a chance to provide

32 Enhanced cyberrisk reporting: Opening doors to risk-based cybersecurity

Enhanced cyberrisk reporting: Opening doors to risk-based cybersecurity 9 “Step by step, we made the cyberrisk MIS our own. The whole process took less than half a year, and yet the finished product really feels like something that was made for us, not like an off-the-shelf solution.” —Cyberrisk MIS user

are held to give executives a chance to provide systems have seen significant improvement in the feedback on MIS utility. After needed adjustments, efficacy of cyberrisk detection and remediation. the scope is widened and the system is deployed The platform links operational data with groupwide to the entire organization. enterprise-risk-management information accurately and consistently. These cyberrisk systems can become the basis for a comprehensive cybersecurity transformation and part of a holistic risk-based Leading institutions that have implemented state- approach to cybersecurity, reducing risk, raising of-the-art cyberrisk management information resilience, and controlling costs.

Jim Boehm is an associate partner in McKinsey’s New York office, where James Kaplan is a partner; Peter Merrath is an associate partner in the Frankfurt office, where Tobias Stähle is a senior expert; and Thomas Poppensieker is a senior partner in the Munich office. The authors wish to thank Rolf Riemenschnitter for his contributions to this article.

Enhanced cyberrisk reporting: Opening doors to risk-based cybersecurity 33 Create granular, analytic risk management capabilities Critical resilience: Adapting infrastructure to repel cyber threats

As the digital world becomes increasingly connected, it is no longer possible for infrastructure owners and operators to remain agnostic in the face of evolving cyber threats. Here’s what they can do to build an integrated cyber defense.

by James Kaplan, Christopher Toomey, and Adam Tyra

Critical resilience: Adapting infrastructure to repel cyber threats 34 Critical resilience: Adapting infrastructure to repel cyber threats

James Kaplan Christopher Toomey Adam Tyra Partner, New York Vice president, Boston Expert, Dallas McKinsey & Company CP&I Major Projects McKinsey & Company McKinsey & Company

29 Global Infrastructure Initiative The BBC recently reported that researchers have are emerging to deliver and operate infrastructure, discovered major security flaws – which affect these solutions still rely on the operating systems flood defenses, radiation detection, and traffic common to nearly all sectors. monitoring – in the infrastructure for major cities Similarly, infrastructure leaders tend to think in the United States and Europe.1 Of those flaws, that they need industry-specific expertise when nearly ten are deemed “critical,” meaning that it comes to hiring cybersecurity specialists. But a cyberattack on these systems would have a while having industry-specific expertise is helpful, debilitating impact on essential infrastructure, it should not be viewed as essential; the tool kits including power grids, water treatment facilities, across industries are largely the same. Owners and and other large-scale systems. It seems like the operators might not have the resources they need stuff of disaster films: A major city loses power. to make significant strides in their cybersecurity Huge amounts of the population panic. The roads programs if they focus only on recruiting highly clog. Planes are grounded. Coordinating a rescue specialized talent, especially as it relates to people effort – even communicating with the public – who can design and execute responses to cyber would be a colossal task. threats. While such scenarios may seem far-fetched, they As it stands, infrastructure has a long way to go are indeed reality. In 2015, Ukraine’s power grid to catch up to other industries in terms of future- was the target of such an attack – in the hours that proofing for a cyber threat. To accomplish this, followed, nearly a quarter-million people were left cities and organizations will need to integrate without electricity – yet this and similar stories their defenses. They will need to recruit and retain rarely reach the public consciousness.2 As a result, new talent and develop a cybersecurity program. there is little pressure from constituents and cyber Furthermore, ensuring that infrastructure achieves threat operators are not top of mind. and sustains resilience to cyberattacks in the The number and severity of cyber threats continue midst of rapid digitization requires that designers to grow exponentially as the world becomes and operators make a proactive mindset shift increasingly connected. According to recent about cybersecurity – before hackers impose one. estimates from the research firm Gartner, by 2020 there will be 20.4 billion internet-connected Vulnerabilities do not expire or devices, and approximately 37 percent of these become obsolete will be used outside consumer settings – including When considering digitized infrastructure, large numbers dedicated to infrastructure owners typically focus their energies on monitoring and control.3 While the proliferation of envisioning the improvements in efficiency and connected devices has created unprecedented customer experience that can be realized by new productivity and efficiency gains, it has also technologies. Cyber attackers, on the other hand, exposed previously unreachable infrastructure focus on uncovering the ways that new technology systems to attack from a range of malicious groups use cases rehash the same weaknesses and with varying motivations. vulnerabilities of the old. Indeed, the problems Owners, planners, builders, and financiers faced by cybersecurity professionals – for routinely channel ample resources into mitigating example, authenticating users or protecting any number of risks to an infrastructure asset. sensitive data from unauthorized access – Yet they rarely, if ever, place as much care into largely stay the same over time, regardless of anticipating potential cybersecurity incidents. the technology in question. In a 2018 report, There are many reasons for the lack of attention vulnerability scanning firm EdgeScan noted that to cybersecurity. One is a common consensus approximately 54 percent of the vulnerabilities in the industry that the technology governing that it identified in customer networks that year physical infrastructure is fundamentally different originally became publicly known in the past ten or from the technology used in other industries. In more years.4 This is the cybersecurity equivalent reality, it is not. While new technology solutions of allowing yourself to remain susceptible to

1 “Dave Lee, “Warning over ‘panic’ hacks on cities,” BBC, August 9, 2018, bbc.com. 2 “Ukraine power cut ‘was cyber-attack’,” BBC, January 11, 2017, bbc.com. 3 Gartner says 8.4 billion connected “things” will be use in 2017, up 31 percent from 2016, Gartner, 2017. 4 2018 vulnerability statistics report, edgescan, 2018.

Critical resilience: Adapting infrastructure to repel cyber threats 35 an infectious illness a decade after a vaccine redundant power source. In turn, the asset owner becomes available. As a result, attack patterns will be able to look beyond what would strictly be that worked during the previous year will likely still considered their responsibility, and consider the work (in a modified form) against newly digitized broader network in which they are included. By infrastructure connecting to the internet today. going beyond their “battery limit,” so to speak, the hotel can gather more information about relevant The takeaway is that infrastructure owners, vulnerabilities and threats. engineers, and operators, many of whom are acutely aware of cybersecurity vulnerabilities in Moreover, both utility owners and governments their information technology environments, must can work together in this area to create more – consider the operational technology that powers and more widely distributed – utility networks. their digitized infrastructure to be vulnerable to the If they can better isolate network vulnerabilities, same issues. they can help ensure service to any undamaged portions. Hackers have long exploited this insight. In February 2017, a cybersecurity researcher developed a ransomware variant that could Start with the assumption that a successfully target and manipulate the control cyber incident will occur systems of a water treatment plant.5 In theory, his Since the March 2011 earthquake and tsunami malware could be used by an attacker threatening that caused widespread damage to the northeast to poison a municipal water supply unless the coast of Japan, including the Fukushima Daiichi ransom was paid. This may sound like a familiar nuclear plant, the country has constructed an scenario, because ransomware has been an estimated 245 miles of sea walls at a cost of increasingly common and disruptive cyber threat approximately $12.7 billion.6 The same prudence faced by business for the past three years. Even is needed to protect infrastructure from so, it is not possible for leaders to test for every cyber attacks. As a point of comparison, one possible risk or outcome. They will need to limit cybersecurity research organization estimates their attention to the most pressing threats. And that the cost of ransomware damages alone in the best way to determine those threats is to look 2019 could exceed $11 billion.7 But in spite of at the issues affecting other, similar deployments an increasing torrent of cyber attacks afflicting of technology. By identifying similarities internet-connected businesses and individuals between new and old use cases for technology, globally, infrastructure owners largely continue to infrastructure designers can ensure that cyber think of a cyber-attack as a mere possibility rather risks that were resolved in previous years don’t than a certainty. recur in the infrastructure space. By starting with an assumption that a future cyber attack will degrade, disable, or destroy Building cyber defenses for key infrastructure functionality, owners and infrastructure contractors can take action early to build resilience To build adequate defenses, infrastructure owners into their systems. For example, backups can be and operators should start by assuming that a implemented for critical connected components, cyber attack is imminent. Then they must build computers can be designed to fail safely and a unified, integrated cyber defense that best securely when compromised, and preparedness protects all relevant infrastructure assets. Going exercises can train operators to act decisively through the process of identifying what is relevant to ensure that cyber attacks aren’t able to will often require the asset owner to understand compromise connected infrastructure to threaten what supporting infrastructure is also vulnerable – lives or property. critical utilities, for instance – and ensure that it is When planning incident response, leaders should reasonably protected as well. For example, a hotel look beyond the infrastructure sector for lessons that relies entirely on a local utility for its power learned from cyber incidents that caused outages supply may decide that it makes sense to find a in other sectors of the economy. The steps

5 Michael Kan, “Researcher develops ransomware attack that targets water supply,” CSO, February 14, 2017, csoonline.com. 6 Megumi Lim, “Seven years after tsunami, Japanese live uneasily with seawalls,” Reuters, March 8, 2018, reuters.com. 7 Steven Morgan, “Global ransomware damage costs predicted to hit $11.5 billion by 2019,” Cybersecurity Ventures, November 14, 2017, cybersecurityventures.com.

36 Critical resilience: Adapting infrastructure to repel cyber threats required for shipping firm Maersk to respond to a Why wasn’t Target’s HVAC system cordoned June 2017 ransomware outbreak are particularly off from its payment system network? The informative. In order to purge itself of malware, the efficiencies gained from connecting networks company executed a ten-day effort to overhaul its are clear and undeniable, so preventing these entire information technology (IT) infrastructure – types of technology interactions isn’t a practical a software reinstallation “blitz” that should have option. Instead, infrastructure owners must taken approximately six months under normal craft a cybersecurity program that takes a conditions.8 While infrastructure owners are comprehensive view of all technologies in the unlikely to have the same technology footprint as a environment by working to understand how global shipping company, understanding the steps they’re connected to each other and to the outside required to respond to a major cyber incident world. Then they must deploy security controls can provide perspective on the level of effort and and defensive countermeasures to mitigate risks courses of action that may be required to respond attributable to IT and connected infrastructure in a to an attack in the infrastructure space. prioritized fashion. Just as designers must take into account the An integrated defense is the only physical resilience of infrastructure assets, defense owners should integrate cyber resilience. One Every infrastructure network has an associated way of ensuring this happens is to make cyber IT network within which its owners and operators resilience an integral part of the design process. conduct their day-to-day business, such as In addition to better incorporating protections, the sending and receiving emails and writing reports. Internet of Things has created a digital, keyboard- Likewise, most organizations operating an IT based operating culture that is often devoid environment – and some organizations operating of manual alternatives. Asset owners, notably a connected infrastructure environment – have those responsible for critical infrastructure, such cybersecurity programs in place to protect as power plants and hospitals, should consider their data and technology assets. However, two establishing core functionality that is either discrete cybersecurity programs can’t match the resistant to cyber attacks or that allows for an effectiveness of one unified program to protect asset to more readily withstand the impact of a both environments. cyber attack. Some hospitals in urban areas, for example, might have digitally controlled HVAC While the technology components deployed in systems, including all vents and windows. Having the IT and infrastructure environments may differ windows that can be opened manually – with significantly in their purpose and complexity, the option to override digital controls and use they’re vulnerable to the same risks when mechanical switches or toggles to open them – connected to the internet. In the best known could help create ventilation and allow operations instance of this from recent years, hackers to continue in the event of a cyber attack. that breached the network of retailer Target Stores in 2013 made their initial entry through an internet-connected control system for the How to get started stores’ air conditioning systems.9 By connecting We’ve identified three key steps for infrastructure the infrastructure management network to the owners starting the process of building their network through which Target executed its integrated cyber defense. corporate functions and processed credit card Recruit new talent. The cybersecurity industry payments, IT staff unwittingly elevated a minor risk is already severely constrained for talent, and into one with the potential to create catastrophic infrastructure owners and operators often losses. While the Target breach was a case of compete against other industries that offer attackers traversing an infrastructure environment higher-paying positions. Therefore, infrastructure to target the IT environment, attackers could groups need to get creative with where they look just as feasibly have made the opposite leap, for cybersecurity talent. Infrastructure players compromising an office network before leveraging might look to “cyber utilities,” for instance, connections to attack infrastructure.

8 Charlie Osborne, “NonPetya ransomware forced Maersk to reinstall 4000 servers, 45000 PCs,” ZDNet, January 26, 2018, zdnet.com. 9 Brian Krebs, “Target hackers broke in via HVAC company,” Krebs on Security, February 5, 2014, krebsonsecurity.com.

Critical resilience: Adapting infrastructure to repel cyber threats 37 which are industry-aligned working groups clear path forward presents itself. This needs to that pool information and resources to improve change. cybersecurity effectiveness for their membership. Two specific actions are key in beginning and These member-driven organizations – such as the subsequently sustaining the mindset shift Intelligence Sharing and Analysis Centers (ISAC) required. To begin the mindset shift, organizations sponsored by the US Department of Homeland need to develop a perspective on what a cyber Security – were originally intended to serve as attack would actually look like for them. Cyber industry-sector-aligned cyber threat intelligence war gaming and table top exercises have long fusion centers for member companies. So, for been a staple for developing this perspective in instance, banks could join the financial services corporate environments, and they can be similarly ISAC. However, the concept could be employed effective for infrastructure. Effective exercise on a smaller scale to allow infrastructure owners scenarios emulate the actions of timely real-world in a particular region to share cybersecurity attackers to impose a series of difficult decisions talent and resources for cybersecurity functions on the team, creating numerous (and sometimes besides intelligence. For example, a cyber utility painful) learning opportunities. Through cyber consortium in any given metropolitan area – war gaming, participants often learn that their hypothetically comprising a city government, a organization lacks key response elements such municipal utility district, and a publicly traded as clear delineation of responsibilities in crisis electricity company – could share a single situations, plans for how and when they should cybersecurity team, rather than each entity communicate with stakeholders or the public, and competing to recruit their own. even procedures for shutting down compromised Form a cyber response team. The first hours systems. The best programs deepen learning after the discovery of a cyber attack are the most by establishing a regular cadence of exercises critical in effectively mitigating losses, and their (e.g. quarterly or semi-annually) to accustom importance is magnified in the case of attacks participants to the stress and confusion of a against infrastructure where loss of life may be crisis situation and to continuously identify a possible second- or third-order effect. For opportunities for improvement. this reason, selection and training of an incident Once organizations begin to understand how bad response team before an incident occurs is key. an attack could be for them, they must remain Teams should include cybersecurity professionals focused on steady improvement. To sustain skilled in cyber investigation and analysis, but they the mindset shift begun with cyber war games, must also include experts familiar with the broader infrastructure owners must integrate cyber functioning of the infrastructure asset itself along resilience metrics into their regular performance with leaders who can make timely decisions about measurement programs. As the cliché goes, “What issues such as whether to shut down infrastructure gets measured gets done.” By requiring their or notify the public about an incident. teams to continuously evaluate the organization’s Cyber response teams should be subjected to cyber resilience, leaders can ensure that the topic regular incident exercises to build the muscle remains front of mind. Leading organizations take memory necessary to respond effectively and this a step further by integrating cyber metrics into to uncover potential weaknesses in response the performance metrics for specific individuals, processes. The cyber utility concept described creating a culture of personal responsibility where above might be specifically helpful in forming bad cybersecurity can actually affect managers’ a response team, since skill sets such as cyber compensation and prospects for promotion. forensics are in particularly short supply. In a world steadily digitizing and becoming more Cultivate a mindset shift across the interconnected, cyber attacks should be thought organization. Cybersecurity for infrastructure is of as a certainty akin to the forces of nature. Just often seen as a trendy topic – every other year as engineers must consider the heaviest rains that something happens that makes headlines and a dam may need to contain in the next century or then, weeks later, the industry has returned to the the most powerful earthquake that a skyscraper status quo. Owners and operators take a hard look must endure, those digitizing infrastructure must at the situation and then lose interest when no plan for the worst in considering how an attacker

38 Critical resilience: Adapting infrastructure to repel cyber threats might abuse or exploit systems that enable By starting with the assumption that not only will infrastructure monitoring and control. This shift cyber attacks against infrastructure occur but also in thinking will begin to lay the path to connected that they will likely be successful, infrastructure infrastructure that is resilient by design. designers and operators can learn to trap many risks before they have the chance to develop into catastrophes. To do this, infrastructure owners and operators must first understand how old Cyber threats don’t become obsolete or irrelevant vulnerabilities will affect new technology and in the same way that the technology underlying then develop integrated cybersecurity plans to them does. So, in the context of cybersecurity, apply the appropriate level of protection to their future-proofing infrastructure is primarily about entire technology environment. The result will be ensuring that the steps taken to inject resilience safer and more resilient connected infrastructure into a system remain connected with the relevant delivering reliable services to customers for years threats of today and yesterday, rather than threats to come. that may manifest tomorrow.

James Kaplan is a partner in the New York office. Christopher Toomey is a vice president in the Boston office, and Adam Tyra is an expert in the Dallas office.

Critical resilience: Adapting infrastructure to repel cyber threats 39 Build cybersecurity into business products and processes The consumer-data opportunityRisk Practice and the privacyThe consumer-data imperative opportunity and the

As privacyconsumers become more imperative careful about sharing data, and regulators step up privacy requirements, leading companies areAs learning consumers that data become protection more careful and privacy about can sharing create data, a and regulators businessstep up advantage. privacy requirements, leading companies are learning that data protection and privacy can create a business advantage. by Venky Anant, Lisa Donchak, James Kaplan, and Henning Soller by Venky Anant, Lisa Donchak, James Kaplan, and Henning Soller

April 2020

40 The consumer-data opportunity and the privacy imperative As consumers increasingly adopt digital Regulation (GDPR) in Europe and the California technology, the data they generate create both Consumer Privacy Act (CCPA) in that US state. an opportunity for enterprises to improve their Many others are following suit. consumer engagement and a responsibility to The breaches have also promoted the increased keep consumer data safe. These data, including use of tools that give people more control over their location-tracking and other kinds of personally data. One in ten internet users around the world identifiable information, are immensely valuable (and three in ten US users) deploy ad-blocking to companies: many organizations, for example, software that can prevent companies from tracking use data to better understand the consumer’s pain online activity. The great majority of respondents – points and unmet needs. These insights help to 87 percent – said they would not do business with develop new products and services, as well as to a company if they had concerns about its security personalize advertising and marketing (the total practices. Seventy-one percent said they would global value of digital advertising is now estimated stop doing business with a company if it gave away at $300 billion). sensitive data without permission. Consumer data are clearly transforming business, Because the stakes are so high – and awareness and companies are responsible for managing the of these issues is growing – the way companies data they collect. To find out what consumers handle consumer data and privacy can become think about the privacy and collection of data, a point of differentiation and even a source McKinsey conducted a survey of 1,000 North of competitive business advantage. The main American consumers. To determine their views on findings of our research are presented below. data collection, hacks and breaches, regulations, We then offer prescriptive steps for data communications, and particular industries, we mapping, operations, and infrastructure, as well asked them pointed questions about their trust in as customer-facing best practices. These can the businesses they patronize. help companies position themselves to win that The responses reveal that consumers are competitive advantage. becoming increasingly intentional about what types of data they share – and with whom. A matter of trust – or a lack thereof They are far more likely to share personal data Consumer responses to our survey led to a number that are a necessary part of their interactions of important insights about data management and with organizations. By industry, consumers are privacy. First, consumer-trust levels are low overall most comfortable sharing data with providers but vary by industry. Two sectors – healthcare in healthcare and financial services, though no and financial services – achieved the highest industry reached a trust rating of 50 percent for score for trust: 44 percent. Notably, customer data protection. interactions in these sectors involve the use of That lack of trust is understandable given the personal and highly sensitive data. Trust levels recent history of high-profile consumer-data are far lower for other industries. Only about 10 breaches. Respondents were aware of such percent of consumer respondents said that they breaches, which informed their survey answers trust consumer-packaged-goods or media and about trust. The scale of consumer data exposed entertainment companies, for example (Exhibit 1). in the most catastrophic breaches is staggering. About two-thirds of internet users in the United In two breaches at one large corporation, more States say it is “very important” that the content of than 3.5 billion records were made public. their email should remain accessible only to those Breaches at several others exposed hundreds whom they authorize and that the names and of millions of records. The stakes are high for identities of their email correspondents remain companies handling consumer data: even private (Exhibit 2). consumers who were not directly affected by these breaches paid attention to the way About half of the consumer respondents said companies responded to them. they are more likely to trust a company that asks only for information relevant to its products or Proliferating breaches and the demand of that limits the amount of personal information consumers for privacy and control of their requested. These markers apparently signal to own data have led governments to adopt new consumers that a company is taking a thoughtful regulations, such as the General Data Protection approach to data management.

The consumer-data opportunity and the privacy imperative 41 McK on Risk 9 2020 The consumer-data opportunity Exhibit 1 of 4

Exhibit 1 Consumers view healthcare and nancial-services businesses as the most trustworthy. Respondents choosing a particular industry as most trusted in protecting of privacy and data, % (n = 1,000)

Healthcare Pharmaceuticals/ Retail Advanced Aerospace Automotive Consumer Media and medical electronics and defense and assembly packaged entertainment goods

Financial Electric power/ Technology Travel, transport, Telecom- Public Agriculture Oil and services natural gas and logistics munications sector and gas government 44 44

22 19 18 17 17 14 13 12 12 11 10 10 10 10

Source: McKinsey Survey of North American Consumers on Data Privacy and Protection, 2019

McK on Risk 9 2020 The consumer-data opportunity of their email should remain accessible only to Other issues are of lesser importance in gaining Exhibit 2 of 4 those whom they authorize and that the names and the consumer’s trust, according to the survey: the identities of their email correspondents remain level of regulation in a particular industry, whether private (Exhibit 2). a company has its headquarters in a country with a trustworthy government, or whether a company About half of the consumer respondents said they proactively shares cyber practices on websites or in Exhibit 2 are more likely to trust a company that asks only for advertisements (Exhibit 3). Consumer privacyinformation and protection relevant to itsconcerns products orvary that limitsby type the of digital data. amount of personal information requested. These Relative importance by data type, % of respondents (n = 792) markers apparently signal to consumers that a Consumer empowermentSomewhat andNot actions too company is taking a thoughtful approach Veryto data important Given the low overall levelsimportant of trust, it isimportant not surprisingN/A management. that consumers often want to restrict the types of Content of email 68 data that they share with businesses.13 Consumers15 4 Half of our consumer respondents are also more have greater control over their personal information Identity of email correspondentslikely to trust companies that react quickly to62 hacks as a result of the many privacy16 tools now16 available,6 and breaches or actively disclose such incidents including web browsers with built-in cookie blockers, Content of downloaded lesto the public. These practices have become55 ad-blocking software19 (used on more than21 600 million5 increasingly important both for companies and devices around the world), and incognito browsers Location data consumers as the impact of breaches grows54 and (used by more than16 40 percent of internet26 users 4 more regulations govern the timeline for data- globally). However, if a product or service offering— Content, usage of online chatrooms,breach disclosures. groups 51 for example, 12healthcare or money22 management—is15

Websites browsed 46 23 28 3

Searches performed 44 25 27 4

Apps and programs used 40 27 28 5 The consumer-data opportunity and the privacy imperative 3 Times of internet usage 33 17 45 5

Source: Internet & American Life Project, Pew Research Center

critically important to consumers, many are willing to example, implemented in Europe in May 2018, gives 42 setThe asideconsumer-data their privacy opportunity concerns. and the privacy imperative consumers more choices and protections about how their data are used. The GDPR gives consumers Consumers are not willing to share data for easier access to data that companies hold about transactions they view as less important. They them and makes it easier for them to ask companies may even “vote with their feet” and walk away to delete their data. from doing business with companies whose data-privacy practices they don’t trust, don’t For companies, the GDPR requires meaningful agree with, or don’t understand. In addition, while changes in the way they collect, store, share, overall knowledge of consumer privacy is on the and delete data. Failure to comply could result rise, many consumers still don’t know how to in steep fines, potentially costing a company up protect themselves: for example, only 14 percent of to 4 percent of its global revenue. One company internet users encrypt their online communications, incurred a fine of $180 million for a data breach and only a third change their passwords regularly that included log-in and payment information for (Exhibit 4). nearly 400,000 people.¹ Another was fined $57 million for failure to comply with GDPR. A side effect of this regulation is an increased awareness Evolving regulations among consumers of their data-privacy rights and Privacy regulations are evolving, with a marked protections. About six in ten consumers in Europe shift toward protecting consumers: the GDPR, for now realize that rules regulate the use of their data

1 The fine was imposed by the Information Commissions Office, the British data regulator, and is currently under regulatory process review.

4 The consumer-data opportunity and the privacy imperative McK on Risk 9 2020 The consumer-data opportunity Exhibit 3 of 4

Exhibit 3 Consumers trust companies that limit the use of personal data and respond quickly to hacks and breaches.

Respondent trust by practices, % (n = 1,000)

Do not ask for information not relevant to their product 52

React quickly to hacks and breaches 50

Do not ask for too much personal information 48

Proactively report a hack or breach 46

Have a trustworthy brand 43

Do not collect passive data (eg, click or browsing history) 43

Have had few hacks or breaches 42

Do not use tracking cookies 41

Promote privacy for their products (eg, 2-factor 36 authentication)

Have trustworthy leaders 35

Do not operate in countries with untrusted governments 32

Are considered trustworthy by family, friends 32

Share their approach to protecting data 31

Are part of a highly regulated industry 28

Headquarted in a country with a trusted government 28

Publicize their consumer-privacy interest 20

Source: McKinsey Survey of North American Consumers on Data Privacy and Protection, 2019

Half of our consumer respondents are also a trustworthy government, or whether a company more likely to trust companies that react quickly proactively shares cyber practices on websites or to hacks and breaches or actively disclose in advertisements (Exhibit 3). such incidents to the public. These practices have become increasingly important both for Consumer empowerment and actions companies and consumers as the impact of Given the low overall levels of trust, it is not breaches grows and more regulations govern the surprising that consumers often want to restrict timeline for data-breach disclosures. the types of data that they share with businesses. Other issues are of lesser importance in gaining Consumers have greater control over their personal

theThe consumer-dataconsumer’s opportunitytrust, according and the privacy to the imperative survey: the information as a result of the many privacy tools 5 level of regulation in a particular industry, whether now available, including web browsers with built- a company has its headquarters in a country with in cookie blockers, ad-blocking software (used

The consumer-data opportunity and the privacy imperative 43 on more than 600 million devices around the ePrivacy regulation (an extension of GDPR), which world), and incognito browsers (used by more than focuses on privacy protection for data transmitted 40 percent of internet users globally). However, electronically. Its status as a regulation (rather if a product or service offering – for example, than a directive) means that it could be enforced healthcare or money management – is critically uniformly across EU member states. The ePrivacy important to consumers, many are willing to set regulation is likely to be enacted in 2020. aside their privacy concerns. Beyond Europe Consumers are not willing to share data for Governments outside Europe have also begun transactions they view as less important. They to enact data-privacy regulations. In Brazil, for may even “vote with their feet” and walk away example, the Lei Geral de Proteção de Dados, from doing business with companies whose or LGPD (General Data Protection Law) will go data-privacy practices they don’t trust, don’t into effect in August 2020. Brazil’s previous agree with, or don’t understand. In addition, data-protection regulations were sector based. while overall knowledge of consumer privacy The LGPD is an overarching, nationwide law is on the rise, many consumers still don’t know centralizing and codifying rules governing the how to protect themselves: for example, only collection, use, processing, and storage of 14 percent of internet users encrypt their online personal data. While the fines are less steep than communications, and only a third change their the GDPR’s, they are still formidable: failing to passwords regularly (Exhibit 4). comply with the LGPD could cost companies up to 2 percent of their Brazilian revenues. Evolving regulations In the United States, the California Consumer Privacy regulations are evolving, with a marked Privacy Act (CCPA) went into effect in the state shift towards protecting consumers: the GDPR, in January 2020. It gives residents the right to for example, implemented in Europe in May 2018, know which data are collected about them and gives consumers more choices and protections to prevent the sale of their data. CCPA is a broad about how their data are used. The GDPR gives measure, applying to for-profit organizations that consumers easier access to data that companies do business in California and meet one of the hold about them and makes it easier for them to following criteria: earning more than half of their ask companies to delete their data. annual revenues from selling consumers’ personal information; earning gross revenues of more than For companies, the GDPR requires meaningful $50 million; or holding personal information on changes in the way they collect, store, share, more than 100,000 consumers, households, or and delete data. Failure to comply could result devices. in steep fines, potentially costing a company up to 4 percent of its global revenue. One company The CCPA is the strictest consumer-privacy incurred a fine of $180 million for a data breach regulation in the United States, which as yet has that included log-in and payment information for no national data-privacy law. The largest fine for nearly 400,000 people.1 Another was fined mishandling data was, however, issued by the US Federal Trade Commission (FTC). $57 million for failure to comply with GDPR. A side effect of this regulation is an increased awareness Compliance investments among consumers of their data-privacy rights and Companies are investing hefty sums to ensure that protections. About six in ten consumers in Europe they are compliant with these new regulations. In now realize that rules regulate the use of their data total, Fortune Global 500 companies had spent within their own countries, an increase from only $7.8 billion by 2018 preparing for GDPR, according four in ten in 2015. to an estimate by the International Association of Privacy Professionals. Companies have The GDPR has been considered a bellwether hired data-protection officers, a newly defined for data-privacy regulation. Even in Europe, corporate position mandated by the GDPR for all policy makers are seeking to enact additional companies handling large amounts of personal consumer-privacy measures, including the data. Despite these measures, few companies

1 The fine was imposed by the Information Commissions Office, the British data regulator, and is currently under regulatory process review.

44 The consumer-data opportunity and the privacy imperative McK on Risk 9 2020 The consumer-data opportunity Exhibit 4 of 4

Exhibit 4 Consumer concerns over data collection and privacy are mounting, but few take adequate protective precautions.

Respondents taking action, % (n = 792)

Cleared cookies and browser history 64

Deleted or edited past internet posts 41

Set browser to disable or turn o cookies 41

Not used website because it asked for real name 36

Used temporary user name, email address 26

Posted comments without revealing identity 25

Asked someone to remove an intrusive post 21

Masked identity 18

Used a public computer to browse anonymously 18

Used a false or untraceable user name 18

Encrypted communications 14

Used service that allows anonymous browsing 14

Given inaccurate personal information 13

Source: Internet & American Life Project, Pew Research Center

within their own countries, an increase from only Beyond Europe feel fully compliant, and many are still working on the most restrictive legal requirements as their four in ten in 2015. Governments outside Europe have also begun scalable solutions. toown enact standard. data-privacy For most regulations. companies In Brazil, in the Unitedfor States, this means following CCPA’s guidelines. TheA central GDPR challenge has been –considered particularly a bellwether for companies for example, the Lei Geral de Proteção de Dados, thatdata-privacy operate internationallyregulation. Even – in is Europe, the patchwork policy orAnother LGPD (Generaldifficult aspectData Protection of privacy Law) regulation will go naturemakers of are regulation. seeking to Requirements enact additional are consumer- very intohas effectto do with in August the deletion 2020. Brazil’sand porting previous of data: differentprivacy measures, from one including jurisdiction the or ePrivacy market regulation to data-protectionregulations allow regulations consumers were to request sector based. that their another.(an extension To address of GDPR), regulatory which focuses diversity on andprivacy Thedata LGPD be deleted is an overarching, or that enterprises nationwide provide law user protection for data transmitted electronically. Its centralizing and codifying rules governing the anticipate future regulations, many companies data to individual consumers or other services. status as a regulation (rather than a directive) collection, use, processing, and storage of have begun systematizing their approach For many companies, these tasks are technically means that it could be enforced uniformly across EU personal data. While the fines are less steep than to compliance. Some have begun creating challenging. Corporate data sets are often member states. The ePrivacy regulation is likely to the GDPR’s, they are still formidable: failing to regulatory roles and responsibilities within their fragmented across varied IT infrastructure, making be enacted in 2020. organizations. Many are trying to implement it difficult to recover all information on individual future-proof solutions. Rather than meeting consumers. Some data, furthermore, may be CCPA requirements only in California, Microsoft located outside the enterprise, in affiliate or third- is applying them to all US citizens, though other party networks. For these reasons, companies states do not yet have policies as restrictive as can struggle to identify all data from all sources for 6 theThe consumer-data CCPA. This opportunitypractice will and probablythe privacy imperative become transfer or deletion. more common, as many companies are using

The consumer-data opportunity and the privacy imperative 45 Companies should develop clear, standardized procedures to govern requests for the removal or transfer of data.

Proactive steps for companies according to their roles, with security-access levels determined for different data categories. Several effective actions have emerged for About one-third of the breaches in recent years companies that seek to address enhanced have been attributed to insider threats. This risk consumer-privacy and data-protection can be mitigated by ensuring that data sets are requirements. These span the life cycle of accessible only to those who need them and that enterprise data, and include steps in operations, no one has access to all available data. Even the infrastructure, and customer-facing practices, and most robust practices for identity and access are enabled by data mapping. management can fail – some breaches can be Data mapping caused by individuals with approved access – so Leading companies have created data maps or additional activity monitoring can be helpful. registers to categorize the types of data they To act quickly when breaches do occur, collect from customers. The solution is best organizations will want to pressure-test their designed to accommodate increases in the volume crisis-response processes in advance. People and range of such data that will surely come. who will be involved in the response must be Existing data-cataloging and data-flow-mapping identified and a strong communications strategy tools can support the process. developed. One of the highest predictors of Companies need to know which data they actually consumer trust is the speed of company reporting require to serve customers. Much of the data that and response when breaches occur. Indeed, most is collected is not used for analytics and will not new regulations require companies to disclose be needed in the future. Companies will mitigate breaches very quickly; the GDPR, for example, risk by collecting only the data they will probably mandates the announcement of a breach within need. Another necessary step is to write or revise 72 hours of its discovery. data-storage and -security policies. The best Companies should develop clear, standardized approaches account for the different categories of procedures to govern requests for the removal or data, which can require different storage policies. transfer of data. These should ensure expedited Of further importance is the growing appetite for compliance with regulations and cover consumer applied analytics. Today, leading companies need requests for the identification, removal, and robust analytics policies. Given the proliferation transfer of data. The processes should support of advanced machine-learning tools, many data discovery in all pertinent infrastructure organizations will seek to analyze the high volumes environments within a company and across its of data they collect, especially by experimenting affiliates. Most companies today use manual with unsupervised algorithms. But unless processes, which creates an opportunity for companies have advanced model-validation streamlining and automating them to save time approaches and thoughtfully purposed consumer and resources. This approach also prepares data, they should proceed with extreme caution, infrastructure environments for future process probably by focusing specifically on supervised- developments. learning algorithms to minimize risk. Working closely with third parties, affiliates, and Operations vendors, companies can gain an understanding Leading organizations have developed identity- of how and where their data are stored. This and access-management practices for individuals knowledge is especially important when third

46 The consumer-data opportunity and the privacy imperative parties are supporting the development of while features strike a balance with the user products and features and need access to experience. consumer data. Some companies are considering It is important for organizations to communicate establishing review boards to support decisions transparently: customers should know when about sharing data with third parties. and why their data are being collected. Many Infrastructure companies are adding consumer privacy to their Organizations are working to create infrastructure value propositions and carefully crafting the environments that can readily accommodate the messages in their privacy policies and cookie increasing volumes of data collected, as well as notices to align with the overall brand. attending technological innovations. Best practice is to store data in a limited number of systems, depending on data type or classification. A smaller Our research revealed that our sample of systems footprint reduces the chance of breaches. consumers simply do not trust companies to Customer-facing best practices handle their data and protect their privacy. Leading companies are building “privacy by Companies can therefore differentiate themselves design” into consumer-facing applications, with by taking deliberate, positive measures in this such features as automatic timed logouts and domain. In our experience, consumers respond requirements for strong passwords. Security and to companies that treat their personal data as privacy become default options for consumers, carefully as they do themselves.

Venky Anant is a partner in McKinsey’s Silicon Valley office, where Lisa Donchak is a consultant; James Kaplan is a partner in the New York office; Henning Soller is a partner in the Frankfurt office.

The consumer-data opportunity and the privacy imperative 47 Build cybersecurity into business products and processes Consumer-data privacy and personalization at

Marketing & Salesscale: How leading Consumer-dataretailers and privacy consumer and personalizationbrands can at strategizescale: How leadingfor retailers both and consumer brands can strategize for both Customer concernsCustomer about concerns the security about and the privacysecurity of and their privacy online of data their can online impede personalizeddata marketing can impede at scale. personalized Best-practice marketing companies at scale. are building Best-practice protections into their digitalcompanies properties. are building protections into their digital properties.

by Julien Boudet, Jess Huang, Kathryn Rathje, and Marc Sorel by Julien Boudet, Jess Huang, Kathryn Rathje, and Marc Sorel

November 2019

48 Consumer-data privacy and personalization at scale: How leading retailers and consumer brands can strategize for both Personalization at scale is where retailers and will limit current practices, and 51 percent said consumer brands are competing to win. But in they don’t think consumers will limit access to their focusing on “playing offense” to capture value, data (Exhibit 1)—this despite other recent surveys executives are oftenPersonalization overlooking attheir scale “defense”: is where retailers showing and thatregulations more than will 90 limit percent current ofpractices, consumers and 51 preserving, protecting,consumer enabling, brands and are accelerating competing to win. Butare in concerned percent about said their they online don’t think privacy, consumers and nearly will limit focusing on “playing offense” to capture value, access to their data (Exhibit 1) – this despite other the hard-won gains of their digital efforts by 50 percent have limited their online activity because executives are often overlooking their “defense”: recent surveys showing that more than 90 percent ensuring that personalizationpreserving, protecting,at scale keeps enabling, and acceleratingof privacy concerns.¹of consumers are concerned about their online personal data securethe andhard-won private. gains of their digital efforts by privacy, and nearly 50 percent have limited their ensuring that personalization at scale keepsGetting theonline security activity and because privacy ofof privacy personalization concerns.1 As the enterprise riskpersonal of collecting, data secure holding, and private. and wrong can slow time to market for new applications, Getting the security and privacy of using consumer dataAs theto personalize enterprise risk offerings of collecting, holding,constrain remarketingpersonalization and wrong consumer-data can slow time to market grows, so do the business-impairingand using consumer consequences data to personalize collection, resultfor new in applications, significant constrainfines, or—worse— remarketing and for those who fail toofferings get it right. grows, Despite so do the these business-impairing cause materialconsumer-data harm to brand collection, reputation result inthrough significant challenges and opportunities,consequences most for those marketing who fail to get it right.negative consumerfines, or – experience. worse – cause Getting material it harmright to brand leaders remain surprisinglyDespite these unconcerned challenges withand opportunities, how reduces timereputation to market, through puts negative security consumer and privacy experience. to manage data securitymost marketing and privacy. leaders remain surprisinglyat the heartGetting of the itcompany’s right reduces value time proposition, to market, puts unconcerned with how to manage data security security and privacy at the heart of the company’s boosts customer-satisfaction scores, and materially and privacy. value proposition, boosts customer-satisfaction In a recent McKinsey survey of senior marketing reduces the likelihood of regulatory fines. scores, and materially reduces the likelihood of In a recent McKinsey survey of senior marketing leaders, 64 percent said they don’t think regulations regulatory fines. leaders, 64 percent said they don’t think

1 Brian Byer, “Internet users worry about online privacy but feel powerless to do much about it,”Entrepreneur , June 20, 2018, entrepreneur.com; 1 Brian Byer, “Internet users worry about online privacy but feel powerless to do much about it,” Entrepreneur, June 20, 2018, and Rafi Goldberg, “Lack ofentrepreneur.com; trust in internet andprivacy Rafi Goldberg,and security “Lack may of trust deter in economicinternet privacy and otherand security online may activities,” deter economic National and Telecommunications other online activities,” National Telecommunications

Exhibit 1 ManyMany marketers feelfeel confident condent thatthat neither regulations regulations nor nor consumer consumer sentimentsentiment will will limitlimit datadata collectioncollection in in the the future. future.

Marketers’ perspectives on regulations, %

Regulations will not limit current practices 64

Regulations will limit current practices 30

Regulations will make access easier 6

Marketers’ perspectives on consumer attitudes, %

Consumers will not limit data access 51

Consumers will limit data access 26

Consumers to demand transparency but 23 seek new ways to share data

Source: 2018 senior management personalization survey: Based on question 27: How do you expect regulations to affect personalization practices in your industry? And question 28: How do you expect customer behavior regarding data collection to evolve over the next six years?

2 Consumer-data privacy and personalization at scale: How leading retailers and consumer brands can strategize for both Consumer-data privacy and personalization at scale: How leading retailers and consumer brands can strategize for both 49 Where to start — Establishing and enforcing standards on security and privacy for creative agencies For most companies, getting security and privacy right begins with remediating and transforming the — Using best practices for data protection in their digital-marketing applications and systems that day-to day-work They also put marketing at the center of the Wheregenerate, to starttransmit, consume, store, or dispose of effort,— Tokenizingeducating teams consumer on the data value ensuring at stake consent Forconsumer most companies, data (Exhibit getting 2). security Leading and brands privacy make through,compliance for example: rightthis begins part ofwith a broader remediating baseline and transformingassessment ofthe data digital-marketingsecurity and privacy applications across and people, systems processes, that — Sanitizing data before using them in outbound generate, transmit, consume, store, or dispose of — establishing and enforcing standards on and technology and tie it to business use cases. communications and remarketing consumer data (Exhibit 2). Leading brands make security and privacy for creative agencies

this part of a broader baseline assessment of data — Being accountable for incidents when they occur They also put marketing at the center of the effort, security and privacy across people, processes, and — using best practices for data protection in educating teams on the value at stake through, for technology and tie it to business use cases. their day-to day-work example:

TheExhibit marketing 2 structure should enable digital-property remediation and The marketing structure should enable digital-property remediation and transformation. transformation.

Digital properties (consumer-facing or consumer-touching applications)

Marketing-operations pillars that support digital-property impact

Marketing operations that Content Consumer- Outbound enable digital-property creation data communications value creation A and delivery B acquisition C and use

Remediation & trans- 1 Digital-property workflows and processes formation enablers— the foundation of 2 Technical architecture, infrastructure, and data marketing operations and digital 3 Compliance and risk management properties 4 Organization design, operating model, and governance

Descriptions (not exhaustive):

a) Content development for consumer-facing brand websites 1 Where and how digital assets/properties should be created and

A b) Content delivery through e-commerce and merchandising maintained portraying products and brands in a way that allows the enterprise to "do business" with its customers 2 Technical capabilities, such as data lake or discovery scan tools, to facilitate collection, storage, management, and testing a) Cookie management to granularly track and collect consumer- of consumer data behavior data across properties as customers engage with them B b) Remarketing by using data to drive portrayal and placement 3 The global vs local policies, processes, and tools to adopt, of products and brands with which the consumer engages follow, and validate to meet security-and-privacy obligations in a variety of regulatory environments a) Using consumer data from digital properties and other 4 Agile organization and operating model that clarifies roles C sources to drive outbound marketing (such as pay-per-click, and responsibilities across functions and rationalizes external advertising, digital display) partners/agencies

Consumer-data privacy and personalization at scale: How leading retailers and consumer brands can strategize for both 3 50 Consumer-data privacy and personalization at scale: How leading retailers and consumer brands can strategize for both The dialogue with marketing and other executive team defend its decisions on where stakeholders in this context should be ongoing, and how to allocate spend on security and to match the enterprise’s evolving needs for data privacy. Understanding how properties such as and technical capabilities and to capture the value information systems and assets map to each other, from use cases. to the threat landscape, and to the business value chain also clarifies where eliminating risks can An imperative on security and privacy can help enhance enterprise value. with— tokenizing many things consumer – from data eliminating tech debt security and privacy functions. Aligning on core to breaking down silos – by opening iterative beliefsClarify and data a framework strategy, to governance, approach the effortand policies, dialogue— ensuring on consentdata needs compliance and new operational (Exhibitand build 3) can in help the theroles team and quickly requirements get the to make requirements between the business and the neededthem convictionwork and buy-in. security— sanitizing and privacydata before functions. using them Aligning in outbound on core The details of programs for data security and beliefscommunications and a framework and remarketing to approach the effort privacy may vary by company, industry, or the local (Exhibit 3) can help the team quickly get the Howregulatory to move climate. quickly Consumer at scale and retail enterprises, needed— being conviction accountable and for buy-in. incidents when they Asfor the example, transformation often hold of data consumer management data for is no more occur pilotedthan 13and months, scaled, inprioritizing order to track a few consumerkey actions patterns to How to move quickly at scale improvethrough security seasons and and privacy holidays. will ensure Auto retailers,outcomes on The dialogue with marketing and other that enable rather than disable the business. the other hand, often hold data longer, to reflect the Asstakeholders the transformation in this context of data should management be ongoing, is longer time between automotive purchases, which pilotedto match and the scaled, enterprise’s prioritizing evolving a needsfew key for actions data to Build a risk register for digital properties tend to be multiyear, not annual. Other companies improveand technical security capabilities and privacy and to will capture ensure the outcomes value Taking a risk-back approach can help the may tailor their global privacy policy to meet local thatfrom enable use cases. rather than disable the business. executive team defend its decisions on where and howregulatory to allocate requirements, spend on security such andas General privacy. Data Build a risk register for digital properties An imperative on security and privacy can help UnderstandingProtection Regulation how properties (GDPR) such or theas information California Takingwith many a risk-back things—from approach eliminating can helptech thedebt systemsConsumer and assetsPrivacy map Act to (CCPA). each other, to the to breaking down silos—by opening iterative threat landscape, and to the business value chain dialogue on data needs and new operational also clarifies where eliminating risks can enhance requirements between the business and the enterprise value.

Exhibit 3 CompanyCompany alignment on on the the core core principles principles for transforming for transforming digital properties digital properties willwill enable enable personalization at scale.at scale.

Manage digital property the way you manage your people. K nowing the identity, performance, and safety of your applications is as important as knowing the identity, performance, and reliability of your people.

? Anchor the approach in use cases. For a successful transformation, understand which business use cases the transformed digital properties will support, and clarify the architectural gaps you need to fill to support both properties and use cases.

. Create and maintain a risk-based asset inventory. This will help to clarify your enterprise digital-property landscape, as well as compliance issues and business risk, and is an essential tool for prioritizing ... transformation initiatives.

Align risk with enterprise appetite. A risk-back, minimum viable approach to building security-and-privacy protections into the transformation of digital properties is a commercial imperative for personalization at scale.

Clarify roles, responsibilities, decision rights, and talent requirements across the organization. This is the key to ensuring you can quickly embed the cross-functional capabilities needed to bring new properties to market.

Implement the transformation by deploying cross-functional teams in agile sprints. This will not only mitigate execution risk—a requirement, not an option—but also enable you to capture value at scale and demonstrate that the process is iterative.

4 Consumer-data privacy privacy and and personalization personalization at scale:at scale: How How leading leading retailers retailers and consumerand consumer brands brands can strategize can strategize for both for both 51 But some best practices are emerging as developed, which reduced downstream rework, enterprises focus on data privacy and security. accelerated time to market, and put data One leading privacy policy is the tokenization protection at the center of the enterprise’s value and sanitization of data before using them in proposition to consumers. remarketing. Further, leading institutions will Create and deliver role-based training on align on the “minimum viable data and controls” security and privacy required to preserve a long-term view of Given that more than 80 percent of enterprise consumers and empathetically engage them cybersecurity incidents begin with a human at scale. To embed awareness of security and clicking on malware, regular training tailored privacy across an enterprise, some companies find to key roles is essential to reduce the risks of it useful to create roles for business-information personalization. Marketing teams, for example, security and privacy officers (BISPOs) or “security might need to learn best practices for remarketing, and privacy ambassadors.” Such programs can such as parsing data to eliminate personal not only empower employee teams to become identifiability while preserving business value. knowledgeable about organization practices on security and privacy but also ensure that the There are about 15 core employee behaviors that integrity of digital properties continues long after can be addressed and transformed through a they are transformed and remediated. focused campaign of annual training supported by unpredictable reminders, such as occasional In the event of a breach of data security or emails and text messages or antiphishing test privacy, it is helpful to have in place incident- campaigns. Similarly, building security and response plans that are “living documents” formed privacy standards into performance reviews – for through the test-and-learn iterative process of example, setting a threshold for the number of simulation. These can help executive teams make security or privacy incidents in a line of business better decisions faster about managing their over a period of time – can ensure that the entire digital properties – and their relationships with business, not just the experts on security and regulators. privacy, owns the problem and the solution. Build security and privacy into enterprise Personalize security and privacy for the analytics and application development consumer Consider the example of an enterprise seeking Leading financial institutions have already to transform itself into a platform company unlocked the value of increasing net promoter using consumer and customer data to cocreate scores (NPS) by taking the hassle out of consumer application programming interfaces (APIs) to validation processes. By reducing hold times, transform how consumers engaged with the simplifying and tailoring multifactor authentication brand. Before the enterprise built security to meet consumer preferences, and placing requirements into its application development, it data-protection controls for consumer-facing had missed at least one major market opportunity applications in the hands of the consumer, they because of regulators’ security concerns, are improving customer experience without frequently experienced application launch delays compromising underlying security and privacy. because of security-related rework requirements, and lacked capacity to verify whether around 80 Leading retailers and consumer brands can percent of the business-support applications it adopt a product-management mind-set and developed annually complied with its requirements delight consumers by building data-protection on security and privacy. options into consumer-facing applications and support functions. By partnering with cutting- By building those requirements into its software- edge technology innovators, they can tailor development policies, the enterprise made the processes to what is most convenient for the software-developer team responsible for meeting consumer. Good places to start are multifactor them right from the start, in the design phase. The authentication by text, call, or randomly generated security-and-privacy team would only involve itself code, or built-in strong-password-generating “by exception,” if a development team declined tools to simplify password recall for consumers to meet a specified requirement. This approach accessing a retailer’s direct-to-consumer ensured that standards on security and privacy application. Measuring performance over time were met in more than 90 percent of applications through commonly available customer-experience

52 Consumer-data privacy and personalization at scale: How leading retailers and consumer brands can strategize for both dashboards such as NPS can ensure that attempts 4. How are you managing your data to derive to build security and privacy into consumer-facing value-creating analytic insight from applications are refined quickly and iteratively. personalization without causing value- destroying financial or operational loss due to The opportunity around personalization at scale privacy or security incidents? for consumer brands and retailers has never been more critical to capture. At the same time, the 5. What is the state of your secure software- need to create a net positive consumer experience development life cycle program? while avoiding the downsides of reputational, 6. How are you ensuring the secure operation of operational, legal, and financial risks is a hard your cloud environment? balance to strike. Several core questions can help clarify where your enterprise stands – and what to 7. How are you ensuring that security and privacy do about it: are every employee’s responsibility? 1. How does your personalization technology 8. What is your capability aspiration for measure your customer’s security and privacy customer-data security and privacy, how experience? are you measuring progress toward that aspiration, and how are you reporting progress 2. What is your enterprise’s critical-asset or to the board? -system risk register for data security and privacy? By answering these questions, companies can help ensure that personalization at scale is only a 3. How complete is your security-and-privacy benefit, not a bane, to any consumer and brand. technology stack, and how do you determine this?

Julien Boudet is a partner in McKinsey’s Southern California office, Jess Huang is a partner in the Silicon Valley office, Kathryn Rathje is an associate partner in the San Francisco office, and Marc Sorel is a consultant in the Washington, DC, office.

Consumer-data privacy and personalization at scale: How leading retailers and consumer brands can strategize for both 53 Build cybersecurity into business products and processes Financial crime

andRisk Practice fraud in the age ofFinancial cybersecurity crime and fraud in the age of cybersecurity As cybersecurity threats compound the risks of financial crimeAs and cybersecurity fraud, institutions threats are compound crossing thefunctional risks of financial crime boundariesand fraud, to enable institutions collaborative are crossing resistance. functional boundaries to enable collaborative resistance. by Salim Hasham, Shoan Joshi, and Daniel Mikkelsen

by Salim Hasham, Shoan Joshi, and Daniel Mikkelsen

October 2019

54 Financial crime and fraud in the age of cybersecurity In 2018, the World Economic Forum noted that targeting countries, public and private entities, fraud and financial crime was a trillion-dollar and even individuals. Institutions are finding that industry, reporting that private companies their existing approaches to fighting such crimes spent approximately $8.2 billion on anti-money cannot satisfactorily handle the many threats and laundering (AML) controls alone in 2017. The burdens. For this reason, leaders are transforming crimes themselves, detected and undetected, their operating models to obtain a holistic view have become more numerous and costly than of the evolving landscape of financial crime. This ever. In a widely cited estimate, for every dollar view becomes the starting point of efficient and of fraud institutions lose nearly three dollars, effective management of fraud risk. The evolution once associated costs are added to the fraud of fraud and financial crime Fraud and financial loss itself.1 Risks for banks arise from diverse crime adapt to developments in the domains factors, including vulnerabilities to fraud and they plunder. (Most financial institutions draw a financial crime inherent in automation and distinction between these two types of crimes: digitization, massive growth in transaction for a view on the distinction, or lack thereof, see volumes, and the greater integration of financial the sidebar “Financial crime or fraud?”) With the systems within countries and internationally. advent of digitization and automation of financial Cybercrime and malicious hacking have also systems, these crimes have become more intensified. In the domain of financial crime, electronically sophisticated and impersonal. One meanwhile, regulators continually revise rules, series of crimes, the so-called Carbanak attacks increasingly to account for illegal trafficking beginning in 2013, well illustrates the cyber profile and money laundering, and governments have of much of present-day financial crime and fraud. ratcheted up the use of economic sanctions, These were malware-based bank thefts totaling

1 World Economic Forum Annual Meeting, Davos-Klosters, Switzerland, January 23–26, 2018; LexisNexis risk solutions 2018 True Cost of Fraud study, LexisNexis, August 2018, risk.lexisnexis.com.

Sidebar

Financial crime or fraud?

For purposes of detection, interdiction, financial crime has generally meant and insider threats, involving deception of and prevention, many institutions draw a money laundering and a few other financial personnel or services to commit distinction between fraud and financial criminal transgressions, including bribery theft. Financial institutions have generally crime. Boundaries are blurring, especially and tax evasion, involving the use of approached fraud as a loss problem, since the rise of cyberthreats, which financial services in support of criminal lately applying advanced analytics for reveal the extent to which criminal enterprises. It is most often addressed detection and even real-time interdiction. activities have become more complex as a compliance issue, as when financial As the distinction between these three and interrelated. What’s more, the institutions avert fines with anti-money categories of crime have become less distinction is not based on law, and laundering activities. Fraud, on the other relevant, financial institutions need to use regulators sometimes view it as the result hand, generally designates a host of many of the same tools to protect assets of organizational silos. Nevertheless, crimes, such as forgery, credit scams, against all of them.

Financial crime and fraud in the age of cybersecurity 55 more than $1 billion. The attackers, an organized A siloed approach to these interconnected risks criminal gang, gained access to systems through is becoming increasingly untenable; clearly, the phishing and then transferred fraudulently inflated operating model needs to be rethought. balances to their own accounts or programmed totaling more than $1 billion. The attackers, an A Assiloed banks approach begin toto alignthese operations interconnected to the risks ATMs to dispense cash to waiting accomplices organized criminal gang, gained access to systems isshifting becoming profile increasingly of financial untenable; crime, clearly,they confront the (Exhibit 1). through phishing and then transferred fraudulently operatingthe deepening model needs connections to be rethought. between cyber Significantly,inflated balances this tocrime their was own one accounts simultaneous, or breaches and most types of financial crime. The programmed ATMs to dispense cash to waiting As banks begin to align operations to the coordinated attack against many banks. The cyber element is not new, exactly. Until recently, accomplices (Exhibit 1). shifting profile of financial crime, they confront attackers exhibited a sophisticated knowledge for example, most fraud has been transaction the deepening connections between cyber of the cyber environment and likely understood based, with criminals exploiting weaknesses in Significantly, this crime was one simultaneous, breaches and most types of financial crime. The bankingcoordinated processes, attack against controls, many and banks. even The cybercontrols. element Banks is not counter new, exactly. such fraud Until with recently, relatively vulnerabilitiesattackers exhibited arising a sophisticated from siloed organizations knowledge forstraightforward, example, most fraud channel-specific, has been transaction point-based andof the governance. cyber environment They also and made likely use understood of several based,controls. with Lately, criminals however, exploiting identity-based weaknesses fraud in has channels,banking processes, including ATMs,controls, credit and andeven debit cards, controls.become Banks more counter prevalent, such as fraud fraudsters with relatively develop andvulnerabilities wire transfers. arising The from attacks siloed revealed organizations that straightforward,applications to channel-specific, exploit natural or point-based synthetic data. meaningfuland governance. distinctions They also among made cyberattacks, use of several controls.Cyber-enabled Lately, however, attacks identity-based are becoming fraudmore fraud,channels, and including financial ATMs,crime creditare disappearing. and debit cards, Banks hasambitious become inmore scope prevalent, and omnipresent, as fraudsters eroding McK Risk 8 2019haveand wire not yettransfers. addressed The attacks these new revealed intersections, that developthe value applications of personal to exploitinformation natural and or syntheticsecurity Financial crime whichmeaningful transgress distinctions the boundary among cyberattacks, lines most have data.protections. Cyber-enabled attacks are becoming Exhibit 1 of 6 erectedfraud, and between financial the crime types are of disappearing. crimes (Exhibit Banks 2). more ambitious in scope and omnipresent, have not yet addressed these new intersections, eroding the value of personal information and which transgress the boundary lines most have security protections. erected between the types of crimes (Exhibit 2).

Exhibit 1 The new cyber prole of fraud and nancial crime is well illustrated by the Carbanak attacks.

1. Spear phishing 2. Backdoor executed: 3. Machines infected in 4. Admin PC identied, Employee in targeted credentials stolen search for admin PC clerk screens intercepted organization receives email Upon opening attachment, Carbanak searches network Attacker watches with the Carbanak backdoor employee activates and nds admin PC; embeds admin screen to mimic admin as an attachment the Carbanak backdoor and records behavior for the bank’s cash-transfer systems

5. Balances inated and 6. ATM programmed to 7. Cash moved through inated amount transferred dispense cash channels by wire transfers, Attackers alter balances, Attackers program ATMs to e-payments pocket extra funds ($1k issue cash to waiting Attackers use online and account enlarged to $10k, accomplices at specic times e-payments to receiver banks then $9k transferred) to transfer extracted funds

Financial crime and fraud in the age of cybersecurity 3

56 Financial crime and fraud in the age of cybersecurity McK Risk 8 2019 Financial crime Exhibit 2 of 6

Exhibit 2 Crime pathways are converging, blurring traditional distinctions among cyber breaches, fraud, and nancial crimes.

Fraud and insider threats Cyber breaches Financial crimes • Internal and external • Condentiality • Money laundering threats • Integrity • Bribery and corruption • Retail and nonretail threats • Systems availability • Tax evasion and tax fraud • Insider threats • Market abuse and misbehavior

Example: cyberattack on a central bank

Bank employee’s SWIFT1 Malware surreptitiously Funds routed from bank’s Withdrawals were made Attacks may have been linked to credentials stolen with installed on the bank’s account at a branch of at the third bank through a known sanctioned entity the help of insiders computers to prevent another country’s central multiple transactions discovery of withdrawals bank to a third bank (on a that were not blocked weekend to ensure until too late sta absence)

¹ Society for Worldwide Interbank Financial Telecommunication.

In a world where customers infrequently contact cybercrime. Both the front line and back-office Inbank a world staff where but rather customers interact infrequently almost entirely contact operationsbanks. Risk are functions oriented in and this regulators direction at are many catching bankthrough staff digital but rather channels, interact “digital almost trust” entirely has fast banks.on as Riskwell. functions AML, while and now regulators mainly are addressed catching as throughbecome digital a significant channels, differentiator “digital trust” of customer has fast ona regulatoryas well. AML, issue, while is now seen mainly as being addressed on the as next becomeexperience. a significant Banks that differentiator offer a seamless, of customer secure, ahorizon regulatory for issue, integration. is seen Importantas being on initial the next steps experience.and speedy Banksdigital interface that offer will a seamless,see a positive secure, horizonfor institutions for integration. embarking Important on an initial integration steps for andimpact speedy on revenue, digital interface while those will that see don’t a positive will erode institutionseffort are embarkingto define precisely on an integration the nature effort of allare impactvalue and on revenue,potentially while lose business.those that Modern don’t will banking torelated define preciselyriskmanagement the nature activities of all related and risk- to clarify erodedemands value faster and riskpotentially decisions lose (such business. as real-time Modern managementthe roles and activities responsibilities and to clarify across the theroles lines and payments) so banks must strike the right balance responsibilities across the lines of defense. These banking demands faster risk decisions (such as of defense. These steps will ensure complete, between managing fraud and handling authorized steps will ensure complete, clearly delineated real-time payments) so banks must strike the right clearly delineated coverage – by the businesses transactions instantly. coverage—by the businesses and enterprise balance between managing fraud and handling and enterprise functions (first line of defense) functions (first line of defense) and by risk, including authorizedThe growing transactions cost of financial instantly. crime and fraud risk financialand by risk,crime, including fraud, and financial cyber operations crime, fraud, (second and cyber operations (second line) – while eliminating Thehas growing also overshot cost of expectations, financial crime pushed and upwardfraud risk by line)—while eliminating duplication of effort. duplication of effort. hasseveral also drivers.overshot As expectations, banks focus tightly pushed on upwardreducing by severalliabilities drivers. and efficiency As banks costs, focus losses tightly in on areas reducing AllAll risks risks associated associated with with financial financial crime crime involve involve such as customer experience, revenue, reputation, three kinds of countermeasures: identifying and liabilities and efficiency costs, losses in areas such three kinds of countermeasures: identifying and and even regulatory compliance are being missed authenticating the customer, monitoring and as customer experience, revenue, reputation, and authenticating the customer, monitoring and (Exhibit 3). detecting transaction and behavioral anomalies, even regulatory compliance are being missed anddetecting responding transaction to mitigate and risks behavioral and issues. anomalies, Each (Exhibit 3). ofand these responding activities, to whether mitigate taken risks in and response issues. Each Bringing together financial crime, toof fraud, these cybersecurity activities, whether breaches taken or attacks, in response or Bringingfraud, and together cyber operations financial crime, otherto fraud, financial cybersecurity crimes, are breaches supported or by attacks, many or fraud,At leading and institutions cyber the operations push is on to bring similarother datafinancial and processes. crimes, are Indeed, supported bringing by many these datasimilar sources data togetherand processes. with analytics Indeed, materially bringing these Attogether leading efforts institutions on financial the push crime, is onfraud, to bring and data sources together with analytics materially together efforts on financial crime, fraud, and improves visibility while providing much deeper cybercrime. Both the front line and back-office insight to improve detection capability. In many operations are oriented in this direction at many 4 Financial crime and fraud in the age of cybersecurity instances it also enables prevention efforts.

Financial crime and fraud in the age of cybersecurity 57 McK Risk 8 2019 Financial crime Exhibit 3 of 6

Exhibit 3 Banks often focus on only a fraction of total nancial-crime, fraud, and cybersecurity costs.

Example of nancial-crime, fraud, and cybersecurity costs, $ million

525

50 Reimbursements if any

Regulatory nes 150 and remediation 100 Regulatory nes

40 System unavailable

40 Failed authentication

Indirect costs and 200 40 Transaction decline foregone revenue • Bank is in second quartile on 40 Customer-experience impact/attrition customer satisfaction for fraud cards • Satis ed customers are twice as 40 Incorrect risk categorization likely to spend more on their cards 16.6 Breaches than are unsatis ed customers Direct fraud losses 50 16.6 Fraud losses 16.6 Cost of FIU1

41.6 Cyber breach Bank focus areas • Costs of all three lines of defense Direct and indirect • Much of the cost is in the rst line 125 41.6 Fraud personal costs • Banks in this region typically spend 20 to 40 basis points of 41.6 Financial crime revenue on anti–money laundering

¹ Financial intelligence unit.

improves visibility while providing much deeper Generally speaking, experience shows that insight to improve detection capability. In many organizational and governance design are the Ininstances taking a moreit also holistic enables view prevention of the underlying efforts. mainGenerally considerations speaking, for experience the development shows ofthat the processes, banks can streamline business and operatingorganizational model. and Whatever governance the particular design arechoice, the institutions will need to bring together the right technologyIn taking a more architecture holistic view to support of the underlying a better main considerations for the development of processes, banks can streamline business and people in agile teams, taking a more holistic customer experience, improved risk decision the operating model. Whatever the particular technology architecture to support a better customer approach to common processes and technologies making, and greater cost efficiencies. The choice, institutions will need to bring together experience, improved risk decision making, and and doubling down on analytics—potentially organizationalgreater cost efficiencies. structure Thecan organizationalthen be reconfigured structure creatingthe right “fusion people centers,” in agile toteams, develop taking more a more ascan needed. then be (Exhibit reconfigured 4). as needed. (Exhibit 4). sophisticatedholistic approach solutions. to common It is entirely processes feasible and that technologies and doubling down on analytics – From collaboration to holistic unification an institution will begin with the collaborative potentially creating “fusion centers,” to develop ThreeFrom models collaboration for addressing to holistic financial unification crime model and gradually move toward greater more sophisticated solutions. It is entirely feasible areThree important models forfor ouraddressing discussion. financial They crime are integration, depending on design decisions. We are important for our discussion. They are havethat seenan institution many banks will identify begin with partial the integration collaborative distinguished by the degree of integration they distinguished by the degree of integration they asmodel their andtarget gradually state, with move a view toward that fullgreater AML represent among processes and operations for represent among processes and operations integrationintegration, is dependingan aspiration. on design decisions. We the different types of crime (Exhibit 5). for the different types of crime (Exhibit 5). have seen many banks identify partial integration as their target state, with a view that full AML integration is an aspiration.

Financial crime and fraud in the age of cybersecurity 5

58 Financial crime and fraud in the age of cybersecurity McK Risk 8 2019 Financial crime Exhibit 4 of 6

Exhibit 4 At their core, all functions perform the same three roles using similar data and processes. Identication: “Who is my Monitoring: “What transactions Response: “How do I respond customer?” are legitimate?” to a threat?”

Financial crime • Client risk rating • Transaction monitoring • Suspicious-activity monitoring • Client due diligence; • Name screening • Financial intelligence unit enhanced due diligence • Payments screening • List management • Do not bank

Fraud • Identity verication, including • Transaction monitoring and • Investigations and resolutions teams digital and nondigital presence decision making • Device and voice analytics

Cybersecurity • Credentials management • Security-operations center (SOC) • SOC and network-operations center, • Forensics which enable monitoring • Resolution teams

Synergies across • Risk scoring of customers using • Risk scoring of transactions • Common feedback loop to functions common and similar customer using similar analytics and develop a holistic view on modus data, such as nancials, digital common use cases based on operandi and drive top-down footprint, nondigital records timing, destination, source, use-case development value and frequency, device, • Pooling of resources and capabilities and geolocation intelligence

1. Collaborative model. In this model, which for (including taxonomies) are shared, and most banks represents the status quo, each similar interdiction processes are deployed. 1. ofCollaborative the domains model. – financial In this crime,model, fraud,which forand of Deeperdefense. integral Each unit advantages maintains independenceprevail, including cybersecuritymost banks represents – maintain the theirstatus independent quo, each in consistencythis model but in works threat from monitoring a consistent and detection roles,of the responsibilities,domains—financial and crime, reporting. fraud, and Each frameworkand lower and risk taxonomy, of gaps and following overlap. mutually The unitcybersecurity—maintain builds its own independent their independent framework, roles, acceptedapproach rules remains, and responsibilities. however, consistent Thus a with cooperatingresponsibilities, on andrisk reporting.taxonomy Each and unitdata builds and consistentthe existing architecture organizational for prevention structure (such and little its own independent framework, cooperating as for customer authentication) is adopted, analytics for transaction monitoring, fraud, disrupts current operations. Consequently, on risk taxonomy and data and analytics for risk-identification and assessment processes and breaches. The approach is familiar to transparency is not increased, since separate transaction monitoring, fraud, and breaches. (including taxonomies) are shared, and regulators, but offers banks little of the reporting is maintained. No benefits of scale The approach is familiar to regulators, but offers similar interdiction processes are deployed. transparencybanks little of theneeded transparency to develop needed a holistic to Deeperaccrue, integral and with advantages smaller operationalprevail, including units still in viewdevelop of financial-crime a holistic view of risk. financial-crime In addition, risk. the In consistencyplace, the inmodel threat is monitoring less attractive and detection to top talent. collaborative model often leads to coverage addition, the collaborative model often leads to 3.and Unified lower risk model. of gaps In thisand fullyoverlap. integrated The approach gaps or overlaps among the separate groups coverage gaps or overlaps among the separate remains,approach, however, the financial consistent crimes, with the fraud, existing and andgroups fails and to achievefails to achieve the benefits the benefits of scale of scale that organizational structure and little disrupts cybersecurity operations are consolidated comethat come with with greater greater functional functional integration. integration. The current operations. Consequently, transparency into a single framework, with common assets model’sThe model’s reliance reliance on onsmaller, smaller, discrete discrete units units also is not increased, since separate reporting is and systems used to manage risk across the meansalso means banks banks will willbe lessbe less able able to toattract attract top top maintained. No benefits of scale accrue, and enterprise. The model has a single view of the leadershipleadership talent.talent. with smaller operational units still in place, the customer and shares analytics. Through risk 2. Partially integrated model for cybersecurity model is less attractive to top talent. 2. Partially integrated model for cybersecurity convergence, enterprise-wide transparency and fraud. Many institutions are now working 3. Unified model. In this fully integrated approach, and fraud. Many institutions are now working on threats is enhanced, better revealing the toward this model, in which cybersecurity and the financial crimes, fraud, and cybersecurity towardfraud are this partially model, integrated in which ascybersecurity the second line and operationsmost important are consolidated underlying into risks. a single The unified fraud are partially integrated as the second line model also captures benefits of scale across of defense. Each unit maintains independence key roles and thereby enhances the bank’s in this model but works from a consistent ability to attract and retain top talent. The framework and taxonomy, following mutually disadvantages of this model are that it entails 6 Financialaccepted crime and rules fraud and in the responsibilities. age of cybersecurity Thus, a significant organizational change, making consistent architecture for prevention (such bank operations less familiar to regulators. And as for customer authentication) is adopted, even with the organizational change and risk risk-identification and assessment processes convergence, risks remain differentiated.

Financial crime and fraud in the age of cybersecurity 59 McK Risk 8 2019 Financial crime Exhibit 5 of 6

Exhibit 5 The three models address nancial crime with progressively greater levels of operational integration.

Traditional: collaboration Ongoing: partial integration1 Future: complete integration

Model features • Independent reporting, roles, and • Each nancial-crime unit • Consolidated unit under a single responsibilities for each type of maintains independence but framework using common assets and nancial crime uses a consistent framework systems to manage risks: • Independent framework built and taxonomy with agreed-upon – Single view of the customer by each unit rules and responsibilities: – Shared analytics – Fraud and cybersecurity join on prevention (eg, on customer authentication) – Consistent processes for risk identi cation and assessment – Similar processes (eg, interdiction)

Pluses and Least disruptive: maintains the More uni ed approach with lower risk Underlying risks are converging minuses status quo of gaps/overlaps Enhanced ability to attract and Regulators most familiar with Consistent organizational structure retain talent the model with status quo Standard and common framework Less visibility into overall Limited disruption from current state on what is being done nancial-crime risk Maintains separate reporting; Bene ts of scale across key roles Potential gaps, overlap among groups does not increase transparency Largest organizational change No scale bene ts No scale bene ts While converging, risks remain Smaller units less able to attract Smaller units less able to attract dierentiated top talent top talent Regulators are less familiar with setup

Banks have begun by closely integrating cybersecurity and fraud while stopping short of a fully integrated unit

1Mainly cybersecurity and fraud.

framework, with common assets and systems less familiar to regulators. And even with the cybersecurity and financial crime, including AML. Theused imperative to manage risk of across integration the enterprise. The organizational change and risk convergence, By degrees, however, increased integration can The modelintegration has a ofsingle fraud view and of cybersecurity the customer and risks remain differentiated. improve the quality of risk management, as it operationsshares analytics.is an imperative Through step risk now, convergence, since the enhances core effectiveness and efficiency in all crimesenterprise-wide themselves are transparency already deeply on threats interrelated. is channels, markets, and lines of business. The enhanced,enhanced betterdata and revealing analytics the capabilities most important that The imperative of integration underlying risks. The unified model also integration enables are now essential tools for the TheStrategic integration prevention: of fraud and Threats, cybersecurity prediction, captures benefits of scale across key roles prevention, detection, and mitigation of threats. operationsand controls is an imperative step now, since the and thereby enhances the bank’s ability to Most forward-thinking institutions are working crimesThe idea themselves behind strategicare already prevention deeply interrelated. is to predict attract and retain top talent. The disadvantages towards such integration, creating in stages a Therisk enhanced rather than data just and react analytics to it. capabilitiesTo predict wherethat of this model are that it entails significant more unified model across the domains, based integration enables are now essential tools for the organizational change, making bank operations threats will appear, banks need to redesign on common processes, tools, and analytics. AML prevention,customer detection,and internal and operations mitigation andof threats. processes activities can also be integrated, but at a slower based on a continuous assessment of actual cases pace, with focus on specific overlapping areas first. of fraud, financial crime, and cyberthreats. A view of these is developed according to the customer The starting point for most banks has been the journey. Controls are designed holistically, around collaborative model, with cooperation across processes rather than points. The approach can silos.Financial Some crime banks and fraud are in thenow age shifting of cybersecurity from this 7 significantly improve protection of the bank and its model to one that integrates cybersecurity and customers (Exhibit 6). fraud. In the next horizon, a completely integrated model enables comprehensive treatment of

60 Financial crime and fraud in the age of cybersecurity Most forward-thinking institutions are working core effectiveness and efficiency in all channels, toward such integration, creating in stages a markets, and lines of business. more unified model across the domains, based on common processes, tools, and analytics. AML Strategic prevention: Threats, prediction, activities can also be integrated, but at a slower and controls pace, with focus on specific overlapping areas first. The idea behind strategic prevention is to predict risk rather than just react to it. To predict where The starting point for most banks has been the threats will appear, banks need to redesign collaborative model, with cooperation across silos. customer and internal operations and processes Some banks are now shifting from this model to based on a continuous assessment of actual cases McK Risk 8 2019 one that integrates cybersecurity and fraud. In of fraud, financial crime, and cyberthreats. A view Financial crime the next horizon, a completely integrated model of these is developed according to the customer Exhibit 6 of 6 enables comprehensive treatment of cybersecurity journey. Controls are designed holistically, around and financial crime, including AML. By degrees, processes rather than points. The approach can however, increased integration can improve significantly improve protection of the bank and its the quality of risk management, as it enhances customers (Exhibit 6).

Exhibit 6 With a ‘customer journey’ view of fraud, banks can design controls with the greatest impact. Potential fraud attacks in a customer journey, retail-banking example

Open an account Change account Make a payment Make a deposit

Customer- Customer opens a new Customer updates Customer pays self or third Customer makes a transfer or initiated actions account or adds another existing account, eg, adding party through wire, credit deposit into their account account through online, a beneciary or changing or debit card, or online mobile, branch, or ATM address transaction channels

Attack channel

ATM • Identity theft • Malware • Card skimming or trapping • Money laundering • Synthetic ID • Fake PIN pad or terror nancing • Employee-generated • Cash trapping • Malware (balance account • Shoulder surng multiplier) • Malware • Duplicate card • Malware • Transaction reversal

Cards and • Account takeover • Card-not-present fraud e-commerce • Address change • Card skimming • Secondary card • Malware • Malware • Cyberattack

E-banking • Addition of false • Cyberattack and wire beneciary • Malware • Account takeover • Employee-driven • Malware transaction

Branch • Account takeover • n/a

8 Financial crime and fraud in the age of cybersecurity To arrive at a realistic view of these transgressions, Efficiencies of scale and processes institutions need to think like the criminals. Crime The integrated fraud and cyber-risk functions takes advantage of a system’s weak points. can improve threat prediction and detection while Current cybercrime and fraud defenses are eliminating duplication of effort and resources. focused on point controls or silos but are not Roles and responsibilities can be clarified so that based on an understanding of how criminals no gaps are left between functions or within the actually behave. For example, if banks improve second line of defense as a whole. Consistent defenses around technology, crime will migrate methodologies and processes (including risk elsewhere – to call centers, branches, or taxonomy and risk identification) can be directed customers. By adopting this mind-set, banks towards building understanding and ownership will be able to trace the migratory flow of crime, of risks. Integrating operational processes looking at particular transgressions or types of and continuously updating risk scores allow crime from inception to execution and exfiltration, institutions to dynamically update their view on the mapping all the possibilities. By designing controls riskiness of clients and transactions . around this principle, banks are forced to bring Data, automation, and analytics together disciplines (such as authentication Through integration, the anti-fraud potential of and voice-stress analysis), which improves both the bank’s data, automation, and analytics can efficacy and effectiveness. be more fully realized. By integrating the data of separate functions, both from internal and

Financial crime and fraud in the age of cybersecurity 61 external sources, banks can enhance customer has affirmed that banks are held in high regard by identification and verification. Artificial intelligence their customers for performing well on fraud. and machine learning can also better enable Unified risk management for fraud, financial predictive analytics when supported by aggregate crime, and cyberthreats thus fosters digital trust, sources of information. Insights can be produced a concept that is taking shape as a customer rapidly – to establish, for example, correlations differentiator for banks. Security is clearly at the between credential attacks, the probability heart of this concept and is its most important of account takeovers, and criminal money ingredient. However, such factors as convenience, movements. By overlaying such insights onto their transparency, and control are also important rules-based solutions, banks can reduce the rates components of digital trust. The weight customers of false positives in detection algorithms. This assign to these attributes varies by segment, lowers costs and helps investigators stay focused but very often such advantages as hassle-free on actual incidents. authentication or the quick resolution of disputes The aggregation of customer information that are indispensable builders of digital trust. comes from the closer collaboration of the A holistic view groups addressing financial crime, fraud, and The objective of the transformed operating model cybersecurity will generally heighten the power of is a holistic view of the evolving landscape of the institution’s analytic and detection capabilities. financial crime. This is the necessary standpoint For example, real-time risk scoring and of efficient and effective fraud-risk management, transaction monitoring to detect transaction fraud emphasizing the importance of independent can accordingly be deployed to greater effect. This oversight and challenge through duties clearly is one of several improvements that will enhance delineated in the three lines of defense. Ultimately, regulatory preparedness by preventing potential institutions will have to integrate business, regulatory breaches. operations, security, and risk teams for efficient The customer experience and digital trust intelligence sharing and collaborative responses The integrated approach to fraud risk can also to threats. result in an optimized customer experience. Obviously, meaningful improvements in customer How to proceed? satisfaction help shape customer behavior and When banks design their journeys toward a unified enhance business outcomes. In the context of operating model for financial crime, fraud, and the risk operating model, objectives here include cybersecurity, they must probe questions about the segmentation of fraud and security controls processes and activities, people and organization, according to customer experience and needs as data and technology, and governance (see sidebar well as the use of automation and digitization to “The target fraud-risk operating model: Key enhance the customer journey. Survey after survey questions for banks”).

62 Financial crime and fraud in the age of cybersecurity Sidebar

The target fraud-risk operating model: Key questions for banks

In designing their target risk operating • What skills and how many people matrix, risk-identification rules, model for financial crimes, fraud, and are needed to support the taxonomy)? How should they cybersecurity, leading banks are probing activities? converge? the following questions. • What shared activities should be • What systems and applications do — Processes and activities housed together (for example, in each of the divisions use? Can they centers of excellence)? be streamlined? • What are the key processes or activities to be conducted for • What is the optimal reporting — Governance customer identification and structure for each type of financial • What are the governance bodies authentication, monitoring and crime – directly to the chief risk for each risk type? How do they detection of anomalies, and officer? To the chief operations overlap? For example, does the responding to risks or issues? officer? To IT? same committee oversee fraud and • How frequently should specific — Data, tools, and technologies cybersecurity? Does committee activities be conducted (such as membership overlap? • What data should be shared reporting)? across cybersecurity, fraud, and • What are the specific, separate • What activities can be consolidated other financial-crime divisions? responsibilities of the first and into a “center of excellence”? Can the data sit in the same data second lines of defense? warehouses to ensure consistency — People and organization • What measurements are used to and streamlining of data activities? set the risk appetite by risk type? • Who are the relevant stakeholders • What tools and frameworks should How are they communicated to the in each line of defense? converge (for example, riskseverity rest of the organization?

Most banks begin the journey by closely fraud and AML, into a single global utility. The bank integrating their cybersecurity and fraud has attained a more holistic view of customer risk units. As they enhance information sharing and reduced operating costs by approximately and coordination across silos, greater risk $100 million. effectiveness and efficiency becomes possible. To achieve the target state they seek, banks are redefining organizational “lines and boxes” and, even more important, the roles, responsibilities, As criminal transgressions in the financial-services activities, and capabilities required across each sector become more sophisticated and break line of defense. through traditional risk boundaries, banks are Most have stopped short of fully unifying the risk watching their various risk functions become more functions relating to financial crimes, though a costly and less effective. Leaders are therefore few have attained a deeper integration. A leading rethinking their approaches to take advantage of US bank set up a holistic “center of excellence” the synergies available in integration. Ultimately, to enable end-to-end decision making across fraud, cybersecurity, and AML can be consolidated fraud and cybersecurity. From prevention under a holistic approach based on the same data to investigation and recovery, the bank can and processes. Most of the benefits are available point to significant efficiency gains. A global in the near term, however, through the integration universal bank has gone all the way, combining all of fraud and cyber operations. operations related to financial crimes, including

Salim Hasham is a partner in McKinsey’s New York office, where Shoan Joshi is a senior expert; Daniel Mikkelsen is a senior partner in the London office.

Financial crime and fraud in the age of cybersecurity 63 Build cybersecurity into business products and processes Critical infrastructure

companiesRisk Practice and the globalCritical cybersecurity infrastructure threatcompanies and the global cybersecurity threat How the energy, mining, and materials industries can meet the uniqueHow challenges the energy, of mining, protecting and materialsthemselves industries in a digital can world. meet the unique by Adrianchallenges Booth, Aman of Dhingra, protecting Sven Heiligtag, themselves Mahir Nayfeh, in a and digital Daniel world. Wallance

by Adrian Booth, Aman Dhingra, Sven Heiligtag, Mahir Nayfeh, and Daniel Wallance

April 2019

64 Critical infrastructure companies and the global cybersecurity threat Whether they generate or distribute power, Heavy industrials can become collateral or extract or refine oil, gas, or minerals, damage in broader attacks even when they are heavy industrial companies comprise critical not the target, given IT security gaps and OT infrastructure for the global economy. As a result, networks connected to IT networks through new they are attractive targets for cyber crimes. technologies. Obviously, these threats have become Already by 2018, nearly 60 percent of relevant a major concern for top managers, boards, and surveyed organizations had experienced a breach national government bodies. in their industrial control (ICS) or supervisory Attacks on national infrastructure control and data-acquisition (SCADA) systems.1 Among the most significant attacks on critical Heavy industrials face unique cybersecurity national infrastructure of the past few years are challenges, given their distributed, decentralized these: governance structures and large operational — In 2014, a Western European steel mill suffered technology (OT) environment – an environment serious damage in its operational environment that does not lend itself readily to traditional from a phishing attack used first to penetrate cybersecurity controls.2 Furthermore, many heavy its IT network and then its OT network where industrials have invested in becoming “cyber attackers gained control of plant equipment. mature,” as have other at-risk industries, such as financial services and healthcare. The investment — The 2015 to 2016 attacks on an Eastern gap has left most heavy industrials insufficiently European power-distribution grid cut power prepared for the mounting threats. to 230,000 people. In this case, attackers compromised a third-party-vendor’s network, As awareness of the threat environment grows, which was connected to an energy company’s however, many top executives at these companies OT network, allowing the attackers to make are now sharpening their focus on cybersecurity. changes to the control system. They are asking important questions like: What does it take to transform our cybersecurity — In 2017, attackers gained access to a Middle capabilities? What investments will address the Eastern petrochemical plant’s ICS and most risk? How much should we be spending? attempted to sabotage operations and trigger Leading companies are now rethinking their an explosion. cybersecurity organizations and governance Recent discoveries in the networks of electrical- models. Some are taking advantage of new distribution companies based in the European security tools for OT offered by innovative start- Union and the United States indicate that threat- ups. Most are adopting a risk-based approach actors established vantage points within OT to security – identifying their critical assets and networks from which to launch attacks at a future seeking appropriate controls based on risk levels date. An example of this is the Dragonfly syndicate, (see sidebar, “A cybersecurity transformation in oil which has been blamed for the breach of EU and and gas”). US electrical companies to gather intelligence and build cyber capabilities to compromise OT Evolution of the threat landscape systems. Several factors underlie the growing threat Groups like Dragonfly are increasingly procuring landscape for the heavy industrial sector. One is private-sector offensive tools, enabling them to the rise in geopolitical tensions, which has led to deliver highly sophisticated cyberattacks. Given attacks targeting critical national infrastructure. the sensitivity of the targets, this has quickly

1 Forrester consulting study commissioned and published by Fortinet, May 2018. 2 Operational-technology systems include centralized, human-interface control systems such as supervisory control and data-acquisition systems (SCADA), industrial control systems (ICS), distributed control systems (DCS), industrial Internet of Things (IoT) devices that send and receive feedback from machinery, and programmable logic controllers (PLC) that relay commands between SCADA and IoT field devices.

Critical infrastructure companies and the global cybersecurity threat 65 Sidebar

A cybersecurity transformation in oil and gas

A large state-owned oil-and-gas The company suffered a ransomware accompanying this article). The company company was facing frequent attack, email phishing campaigns, also tailored industrial security standards cyberattacks, even as it was undertaking and defacement of its website. As the to the oil-and-gas industry and its a digital transformation that increased company was digitizing many systems, regional context. A security operation the exposure of its critical systems. A including critical controllers, massive center was established to monitor successful attack on its assets would amounts of data were exposed to and react to threats, and a data-loss- harm the economy of an entire nation. potential manipulation that could trigger prevention program was set up to avoid disastrous accidents. The company leaks. Over 18 months, this multibillion-dollar focused on three important steps. organization was able to protect its assets Third, the company outlined its plan for and improve its overall digital resilience First, it defined and protected its “crown a holistic cybersecurity transformation, by transforming its cybersecurity posture. jewels”: its most important assets. It including a three-year implementation The transformation engaged 30,000 comprehensively mapped its business program with prioritized initiatives, employees across 450 sites in addressing assets and identified the most critical, estimated budget, and provisions security issues every day. This experience from automated tank gauges that to integrate cybersecurity into the offers a good example of how a critical- manage pressure and oil levels on oil rigs digitization effort. To ensure that effort infrastructure company can meet the to employee health records and customer did not create new vulnerabilities, the global cybersecurity threat and commit to credit-card information. The company company created the new digital systems the cyber-resilience journey. created a library of controls to be “secure by design,” creating secure coding guidelines and principles. The company operates across the to protect these crown-jewel assets, industry value chain, upstream, which are now being brought on line. The achievements were impressive. The midstream, and downstream. It had cybersecurity organization is now fully Second, the company focused on rapidly suffered attacks on both its IT and built, with a focus on improving resilience building capabilities. To address siloed operational technology (OT) systems, daily. The company is on its way to IT and OT operations, it created an which, as in most companies, were siloed ensuring that it can continue to reliably integrated cybersecurity organization from each other. Attacks hit IT network supply the energy its nation needs, under a chief security officer aligned security and the supervisory control supporting a major share of the country’s with the risk function (see Exhibit 1 and data-acquisition (SCADA) systems. GDP growth.

become a matter of national security involving In many cases, this digitization has allowed access government bodies and intelligence agencies. to these OT devices from the wider internet, as well. According to analysis of production OT Collateral damage in nonspecific attacks networks by CyberX, an industrial cybersecurity The electricity, oil-and-gas, and mining sectors company, 40 percent of industrial sites have at have been rapidly digitizing their operational least one direct connection to the public internet, value chains. While this has brought them great and 84 percent of industrial sites have at least one value from analysis, process optimization, and remotely accessible device.3 automation, it has also broadened access to previously isolated ICS and SCADA devices by users of the IT network and third parties with physical and/or remote access to the OT network.

3 CyberX report on global industrial control systems and Internet of Things risk (2018).

66 Critical infrastructure companies and the global cybersecurity threat In response to the danger, ICS manufacturers can technology. One challenge stems from the digital analyze USB-born threats to detect and neutralize transformations that many energy and mining those that could seriously disrupt operations. companies are undertaking. Others relate to their distributed footprint, their large OT environment, Ransomware poses an additional threat. One well and exposure to third-party risk. known example was WannaCry, which disrupted 80 percent of gas stations of a major Chinese oil The overlooked costs of security in company by exploiting a vulnerability in a dated digital transformations and unsupported version of Windows. NotPetya Most heavy industrials are undergoing major was far more devastating. This malware wiped digital transformations or have recently completed IT devices around the world, affecting about them. When building the business case for these 25 percent of all oil-and-gas companies. transformations, leaders often overlook the cost of managing the associated security risks. Security More recently, botnets with the ability to detect is not often a central part of the transformation, and infect SCADA systems have been discovered, and security architects are brought in only after a and those targeting Internet of Things (IoT) new digital product or system has been developed. devices have become pervasive. The past year This security-as-afterthought approach increases has also seen the massive growth of crypto- the cost of digitization, with delays due to last- mining malware targeting ICS computers, severely minute security reviews, new security tools, or affecting productivity by increasing load on increases in the load on existing security tools. industrial systems. For example, instead of building next-generation These types of sweeping, nontargeted attacks security stacks in the cloud, most enterprises are disproportionately affect industries, including still using security tools hosted on premise for heavy industrial companies with less cyber their cloud infrastructure, limiting the cloud’s cost maturity and many devices to protect. Moreover, advantages. heavy industrials have the dual challenge of Additionally, security capabilities that are bolted protecting against new digital threats while on top of technology products and systems are maintaining a largely legacy OT environment. inherently less effective than those built in by Most companies still operate with their founding design. Bolt-on security can also harm product cybersecurity initiatives like patch management usability, causing friction between developers and asset compliance. More than half of OT and user-experience designers on one side, and environments tested in one study had versions security architects on the other. This sometimes of Windows for which Microsoft is no longer results in users circumventing security controls, providing security patches. Fully 69 percent had where possible. passwords traversing OT networks in plain text.4 Protecting the ‘crown jewels’ Unique security challenges facing The expansive geographical footprint typical heavy industrials for these heavy industrials can harm their cybersecurity efforts in several ways. It limits their Electricity, mining, and oil-and-gas companies ability to identify and protect their key assets – have revealed four unique security challenges that their “crown jewels.” They may have difficulty are less prevalent in industries of greater cyber managing vulnerabilities across end devices. And maturity, such as financial services and

4 Ibid.

Critical infrastructure companies and the global cybersecurity threat 67 while they tend to have a good handle on IT Challenges of protecting operational assetsmanaged centrally, they have little or no technology visibility over assets managed by business units Most of today’s OT networks consist of legacy or third parties. Examples of crown-jewel assets equipment originally designed to be perimeter include IT, OT, and management assets: protected (“air gapped”) from unsecure networks. Over time, however, much of it has become — Information technology: network diagrams, connected to IT networks. Most security efforts to system logs, and network access directory protect OT involve network-based controls such as — Operational technology: programmable logic firewalls that allow data to leave the OT network for controllers, SCADA protocols, and system- analysis, but do not allow data or signals to enter it. configuration information Although important, these perimeter controls are — Management assets: internal strategy ineffective against attacks originating from within documents, executive and board the OT network, such as malware on removable communications, customer and employee devices. Additionally, malware has been discovered personal information that exploits vulnerabilities in VPNs (virtual private networks) and network-device software. Governance structures typically leave central security leaders without responsibility for security Many traditional security tools cannot be applied in the business units or operations. Many heavy to the OT environment. In some cases, these tools industrials we surveyed could not identify a party can harm the sensitive devices that control plant responsible for OT security. The chief information- equipment. Even merely scanning these devices for security officer (CISO) may set policy and develop vulnerabilities has led to major process disruptions. security standards but often has no responsibility Applying security patches (updates) to address for implementing OT security in the operations, known vulnerabilities in high-availability systems or for auditing adherence to it. At the same time, presents yet another operational risk, as few sites many operational units have no clear security have representative backup systems on which counterpart responsible for deploying, operating, to test the patches. Because of these risks of and maintaining OT security controls at the plant disruption, operational-unit leaders are hesitant to level. Therefore, they often neglect OT security. allow changes in their OT environment. This requires security teams to implement workarounds that are

Many traditional security tools cannot be applied to the operational technology environment.

68 Critical infrastructure companies and the global cybersecurity threat far less effective in managing risk. Adding even results are rarely pursued. OEM vendors that do more risk and complexity are newer technologies have security features in their products report that such as industrial IoT devices, cloud services, operational buyers rarely want them. In some cases, mobile industrial devices, and wireless networking. even if security features are included by default, or at no additional cost, the buyer does not use them. Beyond technology is the human factor, as many industries face a shortage in cybersecurity skills. The problem is worse for heavy industrials, which Emerging solutions need to staff both IT and OT security teams, and Considering the complexity of these challenges, to attract talent to remote operational locations. In companies in heavy industrial sectors have been a 2017 report on the global information-security slow to invest in cybersecurity programs that span workforce, the cybersecurity professional both IT and OT, especially when compared with organization (ISC)2 predicted that the gap between manufacturing and pharmaceutical companies. The qualified IT professionals and unfilled positions will only exception is the US electricity production and grow to 1.8 million by 2022. OT security expertise distribution grid, acting in response to emerging is even more specialized and difficult to acquire, regulation in this sector. The good news is that making it particularly expensive to staff. solutions for heavy industrials are becoming more sophisticated. Several incumbent OEM providers, Exposure to third-party risk and a growing number of start-ups, have developed Compared with IT, the OT environment is highly new approaches and technologies focused on customized, as it supports a process specific to protecting the OT environment. a given operation. The proprietary nature of OT equipment means that companies rely on the OEM Leaders that deploy these solutions must first to maintain it and make changes. This equipment is carefully consider the unique challenges and often a “black box” to its owner, who has no visibility process requirements they face. They can then into security features or levels of vulnerability. combine the solutions with appropriate operational Furthermore, companies are increasingly changes. Below we describe the challenges outsourcing maintenance and operation of OT, or they will have to address along the way and the adopting build-operate-transfer contracts. These investments that will be needed, both internally types of relationships require third parties to gain and through OEMs and start-ups, to achieve cyber physical access to OT networks. Where remote maturity. maintenance is required, the owner needs to Integrate cybersecurity earlier, across OT and IT establish connections to the OEM networks. These As companies undergo digital transformation, remote connections are mostly unsupervised by leaders are integrating cybersecurity earlier, in both the owner organizations, introducing a blind spot. the OT and IT environments. If heavy industrials are Several heavy industrials have reported that third to manage risk and avoid security-driven delays parties frequently connect laptops and removable during their digital transformations, they will need storage devices directly into the OT network without to embed security earlier in the process, with any prior cybersecurity checks, despite the obvious investments in developer training and oversight. dangers of infection. At the same time, these companies should Vendor assessments and contracts for OEMs expect increased convergence between their OT often fail to include a cybersecurity review. This and IT systems. Therefore, their investments in failure prevents companies from enforcing security cybersecurity transformation programs should span standards without renegotiating contracts. Where both, while they more deeply integrate their security they do conduct precontract security assessments, functions into both the OT and IT ecosystems.

Critical infrastructure companies and the global cybersecurity threat 69 One way to accomplish this is to create an But in the fourth approach, the CSO role spans integrated security operations center that covers both IT and OT. The CSO reports directly to the both OT and IT, housing detailed escalation COO, thus protecting security from IT cost cutting, protocols and incident response plans for and preventing security from being sidestepped OT-related attack scenarios. An example comes by IT programs. from Shell, which is working with some of its In this optimal approach, the CSO sets policy, IT networking providers and some OT OEMs creates standards, and works with process to develop a unified security-management engineers to create security architectures that solution for plant-control systems across 50 incorporate operational specifics. In an ideal plants.5 Solutions like these enable centralized scenario, deployment and operation of OT asset management, security monitoring, and security resides in plant-level functions, staffed compliance, dynamically and in real time. with OT experts who are cross-skilled in security. Improving governance and accountability for However, this separation between policy setting security across IT and OT and deployment can lead to misunderstandings, The decentralized nature of heavy industries perhaps allowing some risks to fall through the makes it particularly vital that they integrate cracks. Companies can mitigate this by creating security into all technology-related decisions local security-review task forces, including across IT and OT, and deep into different functions tenured business-unit security officers who and business units. This integration will become represent the security organization regionally or even more important as they become digital locally. Metrics and reporting structures can be enterprises. Accomplishing this will require new managed by a company-wide cyber governance governance models. committee that reports into the board. For instance, mature heavy industrials have Emerging technical solutions established architecture-review committees To overcome difficulties in OT security, consider to vet new technologies introduced into the IT emerging technical solutions. Several providers or OT environments, and changes to existing focused on protecting the OT environment technologies. Emerging as a second line of defense are bringing new capabilities to tackle issues. are teams that do information risk management Although several proofs of concept have resulted (IRM), including strategy, compliance, and reporting. in successful, large-scale deployments, the Additionally, some companies have enlisted their technology is still evolving quickly. As companies internal audit function as a truly independent third compete to differentiate their solutions, winners line of defense. have yet to emerge. Here, however, are some solutions to consider: But few have reached such a level of maturity. A look at four typical approaches to IT and OT — Firewalls to limit attackers’ ability to move security reveals that only one approach integrates across the network after one section is security under a chief security officer (CSO) compromised. Enhancements in controls at aligned with the risk function (Exhibit 1). In the first the gateway between the OT and IT networks three, accountabilities are insufficiently defined. enable companies to inspect the traffic

5 “Shell Oil Strengthening Cybersecurity,” ciab.com.

70 Critical infrastructure companies and the global cybersecurity threat Article type and Year Article Title Exhibit X of X

Exhibit 1 Of four approaches to IT and OT security, only one integrates them, using a CSO aligned with the risk function.

Distribution of responsibilities, by security approach Primary responsibility Shared responsibility

Led by a CISO,1 whose location will vary, typically within IT, risk, or security department Led by a CSO

No clear direction of OT so CISO advises and has CISO is accountable, but Single accountability defaults to operations oversight, operations directs not responsible for execution for IT, OT; cyber is part of in OT risk agenda OT security functions CISO Ops IT CRO4 CISO Ops IT CRO CISO Ops IT CRO CSO Ops IT CRO

Policy setting

Standards creation

Security architecture and engineering Execution deployment Operations/maintenance (within perimeter) Operations/maintenance (perimeter/IT interface) Operations/maintenance (physical security)

Adherence

— Earliest stages of maturity; — CISO advises on security — CISO determines policy and — CSO spans IT and OT; owns OT cybersecurity ownership policy, but has little in uence standards centrally security end to end defaults to business units over operations — Operational units responsible — Collaboration between — Decentralized policy and — Execution, operations, for execution and operations security and CRO for policy standard setting and maintenance with setting, architecture, operational units adherence

1Chief information-security ocer. 2Chief security ocer. 3Operational technology. 4Chief risk ocer.

between the OT and IT networks enable — Unified identity and access management. companies to inspect the traffic traversing that These tools allow the company to centralize gateway. They also automate a system’s ability adding, changing, and removing user access to execute policy changes and block newly to OT systems and devices. This is linked to the identified threats. Best practice also calls for organization’s identity-management system, traversing that gateway. They also automate a — Unified identity and access management. placing critical assets and systems in separate providing robust authentication. This approach, system’s ability to execute policy changes and These tools allow the company to centralize zones to limit the impact from a compromise; for pervasive in IT, has been adopted as a standard blockexample, newly a fail-safe identified system threats. in a separate Best practice zone in OTadding, environments changing, in and the removingUS electricity user sector. access It alsofrom callsthe SCADA. for placing Incumbent critical firewall assets providers and reducesto OT systemsthe risk of and attack devices. by limiting This is “super-user” linked to the systemsare tailoring in separate their solutions zones for to OT. limit the impact accounts.organization’s It allows identity-management the company to trace whosystem, from a compromise; for example, a fail-safe providing robust authentication. This approach, system in a separate zone from the SCADA. pervasive in IT, has been adopted as a standard Incumbent firewall providers are tailoring their in OT environments in the US electricity sector. It solutions for OT. reduces the risk of attack by limiting “super-user” accounts. It allows the company to trace who

8 Critical infrastructure companies and the global cybersecurity threat

Critical infrastructure companies and the global cybersecurity threat 71 has access to critical assets, and it helps identify such as information sharing and analysis centers sources of attack. It also has safety applications; (ISACs) have become important in reducing a Chinese power plant, for instance, uses it to these costs. For instance, the health ISAC, which allow security administrators to remotely close includes pharmaceutical and medical-device facility doors for improved safety management. manufacturers with large OT contingents, has implemented a tool that automates evidence — Asset inventory and device authorization. collection and sector-specific risk assessments, to These tools help keep companies aware of all measure third-party vendors for security and data devices connected to their OT network. They can risk. This ISAC has also created a standardized identify vulnerabilities in specific devices based vendor repository for evidence collected by others. on the device type, manufacturer, and version. They are also used for controlling authorizations of devices and communications. In addition to Enablers to drive progress security applications, these tools can optimize Given the investment required to achieve digital efficiency and identify faults in connected devices. resilience, and the increasing calls from business executives to get there, we have identified some — OT network monitoring and anomaly important enabling factors that will help drive detection. A plethora of passive OT network progress. These include increased cybersecurity monitoring tools have emerged that monitor regulation (by industry groups or government), traffic in a noninvasive way. These tools use higher and smarter investments in digital machine-learning algorithms to identify and alert resilience programs, and greater industry-level known threats and anomalies. collaboration. — Decoys to deceive attackers. These relatively Evolving cybersecurity regulations new IT tools, tailored for OT environments, Among heavy industries, cybersecurity regulation create asset and user-credential decoys and is now quite limited. One potential model is fictitious OT devices, including SCADAs, to emerging in the United States. An electrical- throw off attackers. industry agency, the North American Electric While all these tools are useful, the organizational Reliability Corporation (NERC), is empowered issues mentioned above have thus far inhibited in federal law to set standards known as Critical their adoption. For one thing, security buyers have Infrastructure Protection (CIP). These standards little or no influence over the OT environment. regulate technical and procedural controls. Incumbent OT OEMs, who own the relationship NERC issued 12 penalties in 2017, totaling over with the operational decision makers, have made $1.7 million, and stepped up its work in 2018, some plays directly, and through partnerships in issuing millions of dollars in penalties that year. some verticals. However, low cyber awareness One serious violation resulted in a penalty of among the decision makers has thus far limited the $2.7 million against an electric utility for data number of such deals. exposure by a vendor. Existing and emerging EU Third-party risk management and UK regulations for critical infrastructure are Cost and timing sometimes interfere with a a first step to creating consistency at an industry- company’s responsibility to assess vendor security wide level. However, most heavy industrial compliance, both before the contract and on a companies are struggling to develop their own regular basis. Sector-specific collaboration groups standards for IT and OT security, patching them

72 Critical infrastructure companies and the global cybersecurity threat together from numerous industry standards. As Cybersecurity spending benchmarks are not the attacks on critical infrastructure continue, more only factor to consider when deciding on what regulation in this sector is likely to follow, either investment is required for a particular company. At the early stages of a cybersecurity transformation, from industry, government, or both. This will bring program costs may spike before the company a much-needed mandate for CISOs and CSOs to can reach a steady state. Spending mix is another take action, and create a clearer path to setting important factor to consider. Companies at lower consistent standards across industries. maturity levels tend to spend most of their cyber Higher and smarter investment in budget on compliance-driven, reactive activities. cybersecurity programs This mix changes substantially as companies The average electrical-energy company spends mature, spending far more on forward-looking, just 4.9 percent of its IT budget on security, with proactive activities such as threat intelligence, miningfrom industry, coming government, in at 5.4 percent. or both. This This is compared will bring programhunting, costs and deception. may spike before Companies the company that conduct a much-needed mandate for CISOs and CSOs to can reach a steady state. Spending mix is another with an all-industries average of 6.2 percent and a comprehensive assessment of their current take action, and create a clearer path to setting important factor to consider. Companies at lower financial services at 7.8 percent (Exhibit 2). cyber maturity and sources of vulnerability can consistent standards across industries. maturity levels tend to spend most of their cyber drive smarter long-term spending. budget on compliance-driven, reactive activities. Higher and smarter investment in This mix changes substantially as companies cybersecurity programs mature, spending far more on forward-looking, The average electrical-energy company spends proactive activities such as threat intelligence, just 4.9 percent of its IT budget on security, with hunting, and deception. Companies that conduct mining coming in at 5.4 percent. This is compared a comprehensive assessment of their current with an all-industries average of 6.2 percent and cyber maturity and sources of vulnerability can financial services at 7.8 percent (Exhibit 2). drive smarter long-term spending.

Cybersecurity spending benchmarks are not the Greater industry-wide collaboration Article type and Year only factor to consider when deciding on what Knowledge-sharing initiatives have started to Article Title investment is required for a particular company. At emerge across heavy industrial sectors, but much Exhibit X of X the early stages of a cybersecurity transformation, more can be done. Some good examples come

Exhibit 2 Heavy industrial companies lag behind most sectors in IT security spending.

IT security spending as a % of all IT spending, 2017

7.8 7.3 Average 6.2 6.5 6.0 5.8 5.7 5.4 5.0 4.9 4.9 4.5 4.3

Banking Education Professional Construction, Transportation Retail and and nancial services materials, wholesale services Government Insurance Healthcare and natural Government Energy Industrial (national and providers resources (state and manufacturing international) local)

Source: IT Key Metrics Data 2018: Key IT Security Measures: By Industry, Gartner.com, 2018

Critical infrastructure companies and the global cybersecurity threat 73

10 Critical infrastructure companies and the global cybersecurity threat Greater industry-wide collaboration Finally, it is worth noting that neither spending nor Knowledge-sharing initiatives have started to regulatory compliance are reliable indicators of emerge across heavy industrial sectors, but much digital resilience. Using the frameworks and tools we more can be done. Some good examples come from have identified in this article, companies can build ISACs and other regional and sector-specific that resilience by consistently applying a risk-based approach – identifying their critical assets and groups, which have supported rapid maturity building applying controls appropriately based on risk levels. through information sharing, resource pooling (such This can then help them create cyber transformation as shared vendor assessments), and capability programs that buy down risk to tolerable levels and building (such as cross-sector crisis simulations). prioritize the activities that address the most risk per Although a few ISACs exist for heavy industrials, dollar spent. companies have much more to do to establish the high levels of collaboration and value seen in other sectors. Being part of a digitized, connected economy, organizations can be successful only if they As senior leaders set the stage for cyber apply the power of cooperation within and across transformation, they must ensure collaboration and sectors. Other industries such as financial services, buy-in from both security and risk professionals and insurance, and healthcare have built robust networks the businesses. With such cooperation, companies of security professionals, using roundtables and will be truly able to transform cybersecurity, helping other collaborations to address common threats and keep them out of harm’s way in a digital world. build a more secure industry for all.

Adrian Booth is a senior partner in McKinsey’s San Francisco office, Aman Dhingra is an associate partner in the Singapore office, Sven Heiligtag is a senior partner in the Hamburg office, Mahir Nayfeh is a partner in the Abu Dhabi office, and Daniel Wallance is a consultant in the New York office. The authors wish to thank Rhea Naidoo and Rolf Riemenschnitter for their contributions to this article.

74 Critical infrastructure companies and the global cybersecurity threat Build cybersecurity into business products and processes The cybersecurity posture of financial- services companies: IIF/McKinsey Cyber Resilience Survey

Cyberrisk has become one of the top risk concerns among financial- services firms, and new research from the Institute of International Finance (IIF) and McKinsey can help provide an understanding of ways firms can enable and strengthen cyber resilience.

The cybersecurity posture of financial-services companies: IIF/McKinsey Cyber Resilience Survey 75 A recent joint survey on cyber resilience by cyber resilience, sector-level cyber resilience, the Institute of International Finance (IIF) and costs and full-time-equivalent employees, and McKinsey found significant concerns regarding next-generation trends (exhibit). A key theme third-party security, and our survey determined is around building up cybersecurity controls that 33 percent of financial-services firms do not around supply chains, including third- or fourth- have proper vendor remote-access management party risks, in areas such as vendor remote- with multifactor-authentication controls. access management, activity monitoring, and concentration risk. The survey was designed to provide an understanding of current and planned practices Key challenges reported by firms include that financial firms are undertaking to enable and regulations, cloud adoption, digitization, and the strengthen firm- and sector-level cyber resilience. talent gap. Firms said they are active in platforms Twenty-seven globally active firms participated to share threat intelligence and participate in the survey, and more than 50 companies frequently in sectorwide cyber exercises. participated in group discussions in meetings we Automation is seeing extensive adoption, and this convened with chief risk officers in the Americas, could soon be followed by elements of cognitive Asia, Europe, and the Middle East. computing. The report also includes a number of recommendations and industry practices, The report IIF/McKinsey Cyber Resilience Survey: collected through the survey, that companies can Cybersecurity posture of the financial-services draw on to enhance their cybersecurity posture. industry focuses on four different areas: firm-level

76 The cybersecurity posture of financial-services companies: IIF/McKinsey Cyber Resilience Survey Build cybersecurity into business products and processes A practical approach

toOperations supply-chain Practice risk managementA practical approach to supply-chain risk management In supply-chain risk management, organizations often don’t know where to start. We offer a practical approach. In supply-chain risk management, organizations often don’t by Tuckerknow Bailey, where Edward Barriball,to start. Arnav We Dey, offer and aAli practical Sankur approach.

by Tucker Bailey, Edward Barriball, Arnav Dey, and Ali Sankur

March 2019

A practical approach to supply-chain risk management 77 In the last decade, a number of organizations and monitoring risks in a way that truly minimizes have been rocked by unforeseen supply-chain business disruption. vulnerabilities and disruptions, leading to recalls We believe public- and private-sector costing hundreds of millions of dollars in industries organizations have struggled to progress ranging from pharmaceuticals and consumer significantly on this topic for several reasons: goods to electronics and automotive. And multiple government organizations and private businesses 1. Supply-base transparency is hard (or have struggled with cybersecurity breaches, impossible) to achieve. In modern multi- losing critical intellectual property due to failures tier supply chains, hundreds or thousands of in the supplier ecosystem. suppliers may contribute to a single product. Even identifying the full set of suppliers from At the heart of these crises is a common theme the raw-material sources to a final assembled – the lack of robust processes to identify and system can require a significant time successfully manage growing supply-chain risks investment. as the world becomes more interconnected. New threats, such as cyber-ransom attacks, are 2. The scope and scale of risks is intimidating. emerging alongside more traditional and longer- The probability and severity of many risks is acknowledged supplier risks, such as supplier difficult to ascertain (How likely are certain bankruptcy. weather patterns? How often will a supplier’s employee be careless in cybersecurity The challenge of supply-chain risk management practices?), and therefore difficult to address, has been exacerbated by globalization, where quantify, and mitigate. even sensitive products like defense systems use raw materials, circuit boards, and related 3. Proprietary data restrictions impede components that may have originated in countries progress. In complex products, Tier 1 or 2 where the system manufacturer did not even know suppliers may consider their supply chains it had a supply chain. This increased complexity to be proprietary, limiting visibility at the has brought with it more potential failure points purchaser or integrating-manufacturer level. and higher levels of risk. Rather than admiring the problem and these Yet progress in addressing these risks has difficulties, we suggest organizations begin to been slow. In our 2010 survey of 639 executives tackle issues in a structured way, cataloging covering a range of regions and industries, and addressing known risks while improving 71 percent said their companies were more at risk the organization’s resilience for the inevitable from supply-chain disruption than previously, and unknown risk that becomes a problem in the 72 percent expected those risks to continue to rise future. (from “The challenges ahead for supply chains: McKinsey Global Survey Results,” Nov 2010, A structured approach to supply- McKinsey.com). In 2018, the United States chain risk management government stood up multiple agencies and We recommend that organizations start by task forces to better address supply-chain risk thinking of their risks in terms of known and (including the Critical Infrastructure Security unknown risks. and Cybersecurity Agency in the Department of Known risks can be identified and are possible to Homeland Security and the Protecting Critical measure and manage over time. For instance, a Technology Task Force at the Department of supplier bankruptcy leading to a disruption in supply Defense), and the private sector continues to seek would be a known risk. Its likelihood can be estimated a uniform and proven methodology for assessing based on the supplier’s financial history, and its

78 A practical approach to supply-chain risk management The challenge of supply-chain risk management has been exacerbated by globalization.

impact on your organization can be quantified combined with a risk-aware culture can give an through consideration of the products and organization this advantage. markets the supplier would disrupt. Newer risks Managing known risks such as cybersecurity vulnerabilities in the supply Organizations can use a combination of structured chain are also now quantifiable through systems problem solving and digital tools to effectively that use outside-in analysis of a company’s IT manage their known-risk portfolio through four steps: systems to quantify cybersecurity risks. Step 1: Identify and document risks Organizations should invest time with a cross- A typical approach for risk identification is to functional team to catalog a full scope of risks map out and assess the value chains of all major they face, building a risk-management framework products. Each node of the supply chain – that determines which metrics are appropriate for suppliers, plants, warehouses, and transport measuring risks, “what good looks like” for each routes – is then assessed in detail (Exhibit 1). metric, and how to rigorously track and monitor Risks are entered on a risk register and tracked these metrics. This team can also identify gray rigorously on an ongoing basis. In this step, parts areas where risks are hard to understand or define of the supply chain where no data exist and further (e.g., tiers of the supply chain where no visibility investigation is required should also be recorded. exists). This analysis can dimensionalize the scale and scope of unknown risks. Step 2: Build a supply-chain risk-management framework Unknown risks are those that are impossible or very Every risk in the register should be scored based difficult to foresee. Consider the sudden eruption on three dimensions to build an integrated of a long dormant volcano that disrupts a supplier risk-management framework: impact on the you didn’t know was in your supply chain, or the organization if the risk materializes, the likelihood exploitation of a cybersecurity vulnerability buried of the risk materializing, and the organization’s deep the firmware of a critical electronic component. preparedness to deal with that specific risk. Predicting scenarios like these is likely impossible for Tolerance thresholds are applied on the risk scores even the most risk-conscious managers. reflecting the organization’s risk appetite. For unknown risks, reducing their probability It is critical to design and use a consistent scoring and increasing the speed of response when they methodology to assess all risks. This allows for do occur is critical to sustaining competitive prioritizing and aggregating threats to identify the advantage. Building strong layers of defense highest-risk products and value-chain nodes with

the greatest failure potential.

A practical approach to supply-chain risk management 79 2019 A practical approach to supply-chain risk management Exhibit 1 of 2

Exhibit 1 Assess value-chain nodes to identify key risks.

• Failure to meet regulatory standards on quality • Changes in macroeconomic environment— recession, • Supply shortfall—capacity ination constraints reduce output

• Lack of data and transparecy— • Supply stoppage— changes in customers’ buying production ceases because • Illegal interference from behavior of bankruptcy third party—e.g., pilferage

New-product Make Make introduction Plan Source Deliver (internal) (external) (NPI)

• Production process is not • Failure to meet regulatory • Failure to meet regulatory robust—lower yields or longer standards on quality standards on quality time to stability than expected • Factory shutdown or slowdown • Failure to meet regulatory • Cost and time exceed forecast— because of equipment or standards on environment, e.g., for scale-up of production execution failure health, and safety from R&D • Process disruption—e.g., • Process disruption—e.g., • Failure to meet regulatory lower-than-expected yield lower-than-expected yield standards on quality

Step 3: Monitor risk cycle times. These 25 indicators were carefully Once a risk-management framework is weighted to develop a quality risk-exposure score, established, persistent monitoring is one of the and then tracked on a regular cadence. critical success factors in identifying risks that may Step 3: Monitor risk andSuccessful deviation cyclemonitoring times. Thesesystems 25 indicatorsare customized damage an organization. The recent emergence Once a risk-management framework is established, wereto an carefully organization’s weighted needs, to develop incorporating a quality risk- impact, of digital tools has made this possible for even persistent monitoring is one of the critical success exposurelikelihood, score, and and preparedness then tracked perspectives.on a regular Hence, the most complex supply chains, by identifying factors in identifying risks that may damage an cadence.while one organization may track deviations on and tracking the leading indicators of risk. For organization. The recent emergence of digital manufacturing lines to predict quality issues, example, a large organization operating in a tools has made this possible for even the most Successfulanother may monitoring follow real-timesystems are Caribbean customized weather regulated industry identified 25 leading indicators complex supply chains, by identifying and tracking toreports an organization’s to monitor needs, hurricane incorporating risk at its impact, plants in ofthe quality leading issues indicators at its of plants risk. For and example, contract a large likelihood, and preparedness perspectives. Hence, Puerto Rico. Regardless, it is critical to have an manufacturers,organization operating ranging in afrom regulated structural industry drivers while one organization may track deviations on early warning system to track top risks to maximize includingidentified 25geographical leading indicators location of qualityand number issues of at manufacturing lines to predict quality issues, the chances of mitigating, or at the very least yearsits plants in operation and contract to operational manufacturers, performance ranging from another may follow real-time Caribbean weather limiting, the impact from their occurrence. metrics,structural such drivers as including“right first geographical time” and deviation location reports to monitor hurricane risk at its plants in and number of years in operation to operational Puerto Rico. Regardless, it is critical to have an early performance metrics, such as “right first time” warning system to track top risks to maximize the

4 A practical approach to supply-chain risk

80 A practical approach to supply-chain risk management Step 4: Institute governance and regular review Building strong defenses The final critical step is to set up a robust Strong defenses, from request-for-proposal (RFP) governance mechanism to periodically review language to worker training, all contribute to an supply chain risks and define mitigating actions, organization identifying and stopping unknown improving the resilience and agility of the supply risks before they affect operations. Exhibit 2 chain. outlines typical layers of defense organizations employ to defend against unknown risks. An effective supply-chain risk-management governance mechanism is a cross-functional risk Building a risk-aware culture board with participants representing every node of A risk-aware culture helps an organization both the value chain. It typically includes line managers establish and maintain strong defensive layers who double-hat as risk owners for their function, against unknown risks, as well as respond more giving them ownership of risk identification quickly when an unknown risk surfaces and and mitigation. In most cases, the risk board threatens operations. receives additional support from a central risk- — Acknowledgement. Management and management function, staffed with experts to employees need to feel empowered to pass provide additional guidance on identifying and on bad news and lessons from mistakes. This mitigating risks. openness fosters an environment where it is An effective board will meet periodically to review okay to voice and deal with issues. Culturally, the top risks in the supply chain and define the it is critical that the organization not get mitigation actions. The participants will then discouraged or point fingers when a risk event own the execution of mitigation actions for their occurs, and instead works harmoniously respective functional nodes. For example, if the towards a rapid resolution. board decides to qualify and onboard a new — Transparency. Leaders must clearly define supplier for a critical component, the procurement and communicate an organization’s risk representative on the board will own the action tolerance. Risk mitigation often has an and ensure its execution. associated incremental cost, and so it is Additionally, in many organizations the risk board important to align on which risks need to be will also make recommendations to improve the mitigated and which can be borne by the agility and resilience of the supply chain, ranging organization. An organization’s culture should from reconfiguring the supply network, finding also allow for warning signs of both internal new ways of reducing lead times, or working with and external risks to be openly shared. suppliers to help optimize their own operations. — Responsiveness. Employees need to be Increasing supply-chain agility can be a highly empowered to perceive and react rapidly effective mitigation strategy for organizations to to external change. This can be enabled by improve their preparedness for a wide range creating an ownership environment, where of risks. members feel responsible for outcome of Managing unknown risks actions and decisions. Unknown risks are, by their nature, difficult or — Respect. Employees’ risk appetites should be impossible to predict, quantify, or incorporate into aligned with an organization, so that individuals the risk-management framework discussed above or groups do not take risks or actions that for known risks. In our experience, mitigating benefit themselves but harm the broader unknown risks is best achieved through creating organization. strong defenses combined with building a risk- aware culture.

A practical approach to supply-chain risk management 81 2019 A practical approach to supply-chain risk management Exhibit 2 of 2

Exhibit 2 Layers of defenses help organizations manage unknown risks.

Signicant operational event • Irrecoverable asset damage Sources of risk • Catastrophic personnel injury

• Signicant environmental or local impact

Design quality, Equipment health, Oversight, Decision-making Worker, operator Event, Risk conguration performance assurance processes fundamentals emergency manage- control methods preparedness ment • Preserving • Overseeing • Developing • Emergent-issue • Frontline skills • Operator, barriers margins maintenance oversight responses and behaviors organizational strategies structure readiness • Protecting the • Operational • Clearly de ned design basis • Monitoring, • Strengthening focus for standards of • Infrastructure, intervening independence resolution performance materials • Strictly and quality controlling • Running and • Risk-informed • Response, con guration maintaining mitigation capital assets equipment

Risk processes, standards, competency, organization, and culture

The road ahead risk management is not merely about setting up TheGlobal road supply aheadchains are irreversible, as are the processesmanagement and governance is not merely models, about but setting also entails up processes and governance models, but also Globalsupply-chain supply risks chains that are globalization irreversible, has as brought are the shifts in culture and mind-sets. By employing these approaches,entails shifts organizations in culture and increase mind-sets. their chances By supply-chainwith it. Our experience risks that suggests globalization that it hasis critical brought ofemploying minimizing supply-chainthese approaches, disruptions organizations and crises, withfor organizations it. Our experience to build suggests robust programs that it is for critical managing both known and unknown supply- whileincrease capturing their the chances full value of ofminimizing their supply-chain supply-chain for organizations to build robust programs for chain risks. Leaders should also recognize that strategies.disruptions and crises, while capturing the full managing both known and unknown supplychain value of their supply-chain strategies. risks. Leaders should also recognize that risk

Tucker Bailey and Edward Barriball are partners in McKinsey’s Washington, DC office. Arnav Dey is an engagement manager in the Boston office, and Ali Sankur is a senior practice manager in Chicago.

Tucker Bailey and Edward Barriball are partners in McKinsey’s Washington, DC office. Arnav Dey is an

6 engagementA practical approach manager to supply-chain in the risk Boston office, and Ali Sankur is a senior practice manager in Chicago.

82 A practical approach to supply-chain risk management Build cybersecurity into business products and processes The race for cybersecurity:McKinsey Center for Future MobilityProtecting the connectedThe race forcar in the era ofcybersecurity: new regulation Protecting the connected car in the The carera industry’s of digital new transformation regulation exposes new cybersecurity threats. Learn what OEMs can do to protect their cars and customersThe car industry’s from hackers. digital transformation exposes new cybersecurity threats. Learn what OEMs can do to protect their cars and customers by Johannes Deichmann, Benjamin Klein, Gundbert Scherf, and Rupert Stützle from hackers.

by Johannes Deichmann, Benjamin Klein, Gundbert Scherf, and Rupert Stützle

October 2019

The race for cybersecurity: Protecting the connected car in the era of new regulation 83 In the past, what happened in your car The cybersecurity playing field tilts typically stayed in your car. That is no longer in favor of attackers the case. The influx of digital innovations, To be sure, the economics of car cybersecurity from infotainment connectivity to over-the-air are inherently unfair: with the right state-of- (OTA) software updates, is turning cars into theart tools, attacks are relatively affordable, information clearinghouses. While delivering loweffort affairs. Mounting a coherent defense significant customer value, these changes for the complex value chain and its products, also expose vehicles to the seamier side of the on the other hand, requires increasingly higher digital revolution. Hackers and other black-hat effort and investment. So far, this reality tilts the intruders are attempting to gain access to critical playing field in favor of the attackers. Examples in-vehicle electronic units and data, potentially abound across the industry. For example, white- compromising critical safety functions and hat hackers took control of the infotainment customer privacy. system in an electricvehicle model. They exploited a vulnerability in the in-car web browser during Cybersecurity becomes a core product a hacking contest, causing the electric-vehicle and value-chain issue maker to release a software update to mitigate Cybersecurity has risen in importance as the the problem. In another white-hat hack, a Chinese automotive industry undergoes a transformation security company found 14 vulnerabilities in driven by new personal-mobility concepts, the vehicles of a European premium-car maker autonomous driving, vehicle electrification, and in 2018. Another global automaker recalled car connectivity. In fact, it has become a core approximately 1.4 million cars in 2015 in one of consideration, given the digitization of in-car the first cases involving automotive cybersecurity systems, the propagation of software, and the risks. The impact of the recall was significant, creation of new, fully digital mobility services. with a potential cost for the OEM of almost $600 These services include arrays of car apps, online million, based on our calculations. offerings, vehicle features that customers can buy and unlock online, and charging stations for The automotive industry lacks a e-vehicles that “talk” to on-board electronics. standard approach for dealing with Today’s cars have up to 150 electronic control cybersecurity units; by 2030, many observers expect them For an industry used to breaking down complex to have roughly 300 million lines of software challenges and standardizing responses, code. By way of comparison, today’s cars have cybersecurity remains an unstandardized anomaly. about 100 million lines of code. To put that into Thus far, automotive suppliers have a hard time perspective, a passenger aircraft has an estimated dealing with the varying requirements of their OEM 15 million lines of code, a modern fighter jet about customers. Consequently, they try to balance the 25 million, and a mass-market PC operating use of common security requirements that go into system close to 40 million. This overabundance their core products against those via the software of complex software code results from both adjustments made for individual OEMs. However, the legacy of designing electronics systems current supplier relationships and contractual in specific ways for the past 35 years and the arrangements often do not allow OEMs to test the growing requirements and increasing complexity end-to-end cybersecurity of a vehicle platform of systems in connected and autonomous cars. It or technology stack made up of parts sourced generates ample opportunity for cyberattacks – from various suppliers. That can make it difficult not only in the car but also along the entire value for both suppliers and OEMs to work together to chain (Exhibit 1). achieve effective cybersecurity during automotive software development and testing.

84 The race for cybersecurity: Protecting the connected car in the era of new regulation Insights 2019 The race for cybersecurity: Protecting the connected car in the era of new regulation Exhibit 1 of 3

Exhibit 1 The advancement of electrical and electronic architecture and digitalization of the car ecosystem increases attack surface and leads to increasing cyberrisk. Vehicle ecosystem, illustrative Emerging cyberrisks, not exhaustive

Vehicle 1 Sensor spoo ng: Access autonomous-drive functions, engine, and brakes through vulnerability in sensors Handset 5 2 Take over: Take over of safety-critical control units such as engine control or brakes 1 Sense 3 Infotainment 3 Espionage: Listen to voices in cars by misusing Compute 4 voice-recognition module

2 Act Connect 4 Physical access: Secure direct access to on-board diagnostics for manipulation of vehicle data, engine characteristics, and tuning chips

5 Entertainment content: Access infotainment system via Bluetooth, 7 6 USB, or Wi-Fi

6 Telematics: Remotely unlock cargo doors through vulnerability in external connectivity modules

OEM back end Third-party back end 7 Denial of service: Stop cars that rely on back-end servers to provide data 8 Over-the-air update Content provider Remote vehicle function High-denition-map 8 Over the air: Access vehicle software though online updates provider Remote diagnostic 7 9 Unauthorized access: Access back-end vehicle services and user data Tra c data 9 User management Regulatory data access 10 Data theft: Access car owner’s private information via unsecure third party

OEM front end Third-party front end

Car congurator Music player Drive log Weather monitor Service Map editor Mobile app 10 Mobile app

Source: McKinsey analysis

Regulatory change in product came into effect, requiring autonomous vehicles software updates. This will make cybersecurity Regulatorycybersecurity change is imminent in product to meet appropriate industry standards for a clear requirement for future vehicle sales; the cybersecurityThe difficulty is about is to imminent change. Regulators are cybersecurity. While these regulations have an associated regulationswill affect new vehicle-type Thepreparing difficulty minimum is about standards to change. for vehicle Regulators software are immediate impact on a limited fleet, the World approvals in more than 60 countries (Exhibit 2). preparingand cybersecurity minimum that standards will affect for the vehicle entire value software Forum for Harmonization of Vehicle Regulations underIndustry the United experts Nations see the Economic upcoming Commission UNECE for andchain. cybersecurity Cybersecurity that concerns will affect now thereach entire into value Europeregulation (UNECE) only is as expected the beginning in 2020 of to a finalize new era its of chain.every modernCybersecurity car in the concerns form of demandsnow reach made into regulationtechnical on compliance cybersecurity regulation and software in the updates. automotive everyby regulators modern and car type-approval in the form of authorities. demands madeFor Thissector will make addressing cybersecurity the increase a clear andrequirement significance of byexample, regulators in April and 2018, type-approval California’s finalauthorities. regulations For on autonomous-vehicle testing and deployment forsoftware future vehicle and connectivity sales; the associated within the regulations industry. example, in April 2018, California’s final regulations on autonomous-vehicle testing and deployment came into effect, requiring autonomous vehicles Shifting gears to make cybersecurity to meet appropriate industry standards for a core consideration cyber-security. While these regulations have an While still relatively new, the in-car cybersecurity immediate impact on a limited fleet, the World threat will remain an ongoing concern. As such, ForumThe race for for cybersecurity:Harmonization Protecting of Vehicle the connected Regulations car in the era of newautomakers regulation must now consider cybersecurity an3 under the United Nations Economic Commission integral part of their core business functions and for Europe (UNECE) is expected in 2020 to development efforts. finalize its regulation on cybersecurity and

The race for cybersecurity: Protecting the connected car in the era of new regulation 85 will affect new vehicle-type approvals in more than Shifting gears to make cybersecurity a 60 countries (Exhibit 2). Industry experts see the core consideration Insights 2019 upcoming UNECE regulation only as the beginning While still relatively new, the in-car cybersecurity The race for cybersecurity: Protecting the connected car in the era of new regulation of a new era of technical compliance regulation in threat will remain an ongoing concern. As such, Exhibit 2 of 3 the automotive sector addressing the increase and automakers must now consider cybersecurity an significance of software and connectivity within integral part of their core business functions and the industry. development efforts.

Exhibit 2 More than 24 million cars will be a ected under the new World Forum for Harmonization of Vehicle Regulations on cybersecurity and software updates. Countries party to 1958 Agreement,1 as of Dec 2018

Top 10 countries party to 1958 Agreement by vehicle sales, 2019 estimate, million

5.2

3.8

2.6 2.6 2.1 1.9 1.8 1.5 1.1 1.0

Japan Germany United France Italy Russia South Spain Australia Thailand Kingdom Korea

1 Agreement concerning Adoption of Harmonized Technical United Nations Regulations for Wheeled Vehicles, Equipment and Parts which can be Fitted and/or be Used on Wheeled Vehicles and the Conditions for Reciprocal Recognition of Approvals Granted on the Basis of these United Nations Regulations (original version adopted in Geneva on Mar 20, 1958). Source: Automotive sales forecasts, IHS Markit, ihsmarkit.com; “ECE/TRANS/WP.29/343/Rev.27,” United Nations Economic Commission for Europe, March 11, 2019, unece.org What is more, the industry can no longer view have a strong record of establishing a culture of cybersecurity as purely an IT topic. Instead, safety – but not yet in cybersecurity. Looking automakers need to assign ownership and beyond automotive-industry borders, it becomes responsibility for it along core value-chain clear that many digital natives have demonstrated activities (including among their numerous how to build strong security cultures in their 4 suppliers)The race for cybersecurity:and embrace Protecting a security the connected culture car among in the era of newengineering regulation departments (not just in IT). At the core teams. Likewise, suppliers in the automotive best digital companies, everyone understands the industry need to embrace OEM concerns on importance of cybersecure coding practices, and cybersecurity, develop capabilities to embed the organizations maintain engineering-outreach security best practices in their components, and and -education programs that train people in collaborate effectively with OEMs on integration cybersecurity, enticing them to look below the and verification of end-to-end cybersecurity surface and raise the cybersecurity bar constantly. solutions. This requires the creation of a real, software- Including cybersecurity in design centric cybersecurity culture, given the from the start pervasiveness of the cybersecurity threat along Carmakers must securely design vehicle platforms the entire value chain. Carmakers themselves and related digital mobility services from the start.

86 The race for cybersecurity: Protecting the connected car in the era of new regulation That is because the inherent complexity of vehicle High-tech companies, such as smartphone platforms, with their long development cycles and suppliers, currently deal with this issue by complex supply chains, do not allow for late-stage releasing software updates and security fixes architectural changes. Furthermore, regulators for their products after the initial sales (in many form strict requirements for OEMs to obtain type cases, new operating-system fixes also support approvals for new vehicles (Exhibit 3). some oldergeneration products). However, this is typically limited to a period of two to three years, Automotive players must consider cybersecurity while vehicles have an average service life of a over the entire product life cycle and not just up decade or even more. With the advent of OTA to when the car is sold to a customer, because software upgrades, automakers could maintain new technical vulnerabilities can emerge at any Insights 2019 the fleets on the road in a cost-effective way, time. These issues can have a direct impact on The race for cybersecurity: Protecting the connected car in thein contrastera of new with regulationthe current practice of costly customers and cars already on the road, thus Exhibit 3 of 3 reprogramming (“reflashing”) of car electronic effectively requiring OEMs to provide security- control units at the dealer. related software patches well into the car’s ownership life cycle.

Exhibit 3 Upcoming regulations require automotive OEMs to step up cybersecurity activities along the entire value chain. United Nations Economic Commission for Europe cybersecurity requirements

Cybersecurity- Security by design Car cybersecurity Software-update- management system across value chain monitoring and response management system

Automotive-company value chain

Development Production Postproduction

Identify and manage cyberrisk to vehicle types (includes suppliers and service providers)

Managing Ensure security testing of systems Monitor and respond to cybersecurity throughout development and production cyberattacks on vehicle types

React to new and evolving cyberthreats and vulnerabilities

Ensure security by design, detail designing and testing information, and collect evidence across full supply chain

Analyze cyberthreats and create risk-treatment plan Securing vehicles and Build cybersecurity into system design ecosystems and contain known vulnerabilities in Protect integrity of hardware/software used hardware/software components components from suppliers (eg, contractual clauses)

Test security of hardware/software Protect access to production environment components (eg, vulnerability scans, (eg, software servers, ashing process) pen testing, code analysis) and units received from suppliers

Ensure full traceability of software versions and vehicle congurations along vehicle life cycle (initial and updated software/conguration)

Providing secure Identify target vehicles for updates and software assess impact on certied systems and updates compatibility with vehicle conguration

Provide software updates without impact on safety and security

Source: “Draft recommendation on cybersecurity software updates of the task force on cybersecurity and over-the-air issues,” ISO/SAE 21434:2018 Committee, United Nations Economic Commission for Europe, World Forum for Harmonization of Vehicle Regulations; McKinsey analysis

2. Create a true digital-security-by-design do not follow rigorous software-engineering The race for cybersecurity: Protecting the connected car in the era of new regulation 87 culture in engineering, quality assurance, and processes as seen in software-native industries. other core value-chain functions and promote This security-by-design culture should focus car-software architectures with security on secure development practices, enhanced built-in. This might require OEMs to overhaul software-testing processes, and new supplier- their software engineering and software audit processes that include cyber issues. quality-assurance practices that oftentimes Other helpful elements include state-of-the

6 The race for cybersecurity: Protecting the connected car in the era of new regulation The automotive industry must therefore develop 3. Ramp up expertise and capabilities to monitor common cybersecurity standards to keep the cybersecurity of cars on the road. The development and maintenance costs under focus should include fixing issues in a timely control. On this issue, OEMs and suppliers must manner without costly product recalls and speak one language to ensure manageable, end- media scrutiny. That likely means fully managing to-end secure solutions. the digital life cycle of cars and having full transparency over a vehicle’s configuration (for Focusing on four core cybersecurity example, using digital twins) and, ultimately, themes setting up a security-operations center for cars that receives data from the vehicles and We believe automakers should attack the new the broader digital ecosystem – in line with cybersecurity and software-update challenges dataprivacy laws (for instance, back-end both along the value chain and across the digital systems). The security-operations center life cycle of their cars. To do this, they should focus would use correlation and artificial intelligence on four core themes: to detect adverse events and to launch clear 1. Establish a clear baseline to execute against. incidentresponse activities, eventually leading The essence of a good baseline involves to the provision of software updates to cars. understanding requirements from relevant 4. Adapt software-engineering practices that legislation in the OEM markets and leveraging embrace function-based development, solid existing international standards around version control, and integration testing. This cybersecurity and software engineering. Doing approach effectively allows an OEM to assess so will enable OEMs to deliver cybersecurity the potential impact of individual software practices as demanded by regulatory authorities updates to its vehicles and their relevant and international standards and to develop and safetyand type-approval systems. Establishing maintain secure software. A management system such systems – version control for vehicle for cybersecurity (CSMS) can help ensuring a software, configuration management, and relentless application of cyber practices across softwareupdate management – thus helps cars and the digital-mobility ecosystem. to ensure operational safety when updating 2. Create a true digital-security-by-design software in vehicles. The approach can also culture in engineering, quality assurance, and help when considering changes to a vehicle’s other core value-chain functions and promote configuration and assessing the impact on a car. car-software architectures with security built-in. This might require OEMs to overhaul their software engineering and software quality-assurance practices that oftentimes Sensing an opportunity, hackers have begun to do not follow rigorous software-engineering focus more energy on compromising connected processes as seen in software-native cars, posing a new challenge for automakers industries. This security-by-design culture and suppliers alike. While consumers will largely should focus on secure development practices, take cybersecurity for granted until the first enhanced software-testing processes, and consequential breach, regulators will increase new supplier-audit processes that include pressure on automakers and suppliers to ensure cyber issues. Other helpful elements include greater protection against attacks. The overall state-of-th-eart supplier contracts that allow security of modern mobility services will depend the testing of a component’s cybersecurity, on how well the industry addresses cyberrisks and cyber-awareness training for involved in and around connected cars, as well as on the technical personnel and customer-facing staff. strategic actions key players take today to prepare for future attacks.

Johannes Deichmann is an associate partner in McKinsey’s Stuttgart office, and Benjamin Klein is a specialist in the Berlin office, where Gundbert Scherf and Rupert Stützle are both partners. The authors wish to thank Georg Doll, Ralf Garrecht, and Wolf Richter for their contributions to this article.

88 The race for cybersecurity: Protecting the connected car in the era of new regulation Build cybersecurity into business products and processes Defense of the cyberrealm: How organizations can thwart cyberattacks

Governments and companies have much work to do to protect people, institutions, and even entire cities and countries from potentially devastating large-scale cyberattacks.

In this episode of the McKinsey Podcast, Simon London speaks with McKinsey senior partner David Chinn and cybersecurity expert Robert Hannigan, formerly the head of GCHQ (Government Communications Headquarters), about how to address the major gaps and vulnerabilities in the global cybersecurity landscape.

Defense of the cyberrealm: How organizations can thwart cyberattacks 89 Podcast transcript Now we’ve got some more regulation forcing people to be more transparent about the breaches Simon London: Hello, and welcome to this edition and the length of time that attackers were inside of the McKinsey Podcast, with me, Simon London. networks before being discovered. And it’s not 2018 was a year of good news and bad news in always clear to those attacked what they’ve lost. cybersecurity. The year passed without a major I’m broadly pessimistic. international incident, certainly nothing on the scale of the WannaCry ransomware attack, in Simon London: When you think about where the 2017. And yet every few weeks brought news of next tier-one attack might come, what are some of another big data breach at another big company. the vulnerabilities that in business and government So where do we stand going into 2019? Are we people are thinking about, talking about? winning, in any sense? When and where will Robert Hannigan: I think most of the focus now the next so-called tier-one attack occur? And, is on supply-chain and upstream risk, because importantly, what is the role of government in even the best-defended companies now realize helping to ensure national cybersecurity. To find that their vulnerability is either those who are out more, I sat down in London with David Chinn, connected to their vendors, their suppliers, even a McKinsey senior partner who works with public- their customers. And, increasingly, government is and private-sector organizations on these issues, worrying about the IT infrastructure, so the global and also with Robert Hannigan, who is the former supply chain, both hardware and software, and its head of GCHQ, the UK government’s electronic- integrity. surveillance agency. Robert also led the creation of the UK National Cyber Security Centre, or And some of the state attacks we’ve seen in NCSC. Today he’s a McKinsey senior adviser. the last couple of years have been against the Robert and David, welcome to the podcast. backbone of the internet, if you like. Routers, switches, places that give you massive options to David Chinn: Thank you, Simon. Glad to be here. do different things with internet traffic [Exhibit 1]. Robert Hannigan: Thanks. It’s going deeper and more sophisticated. Simon London: I think for a layperson, the general David Chinn: I think there’s different versions question around cybersecurity is, probably, are we of what tier one might feel like. I think that the winning? increasing ability of both criminals and states to attack critical infrastructure [is one of them]. Robert Hannigan: No, I think we are making Taking out power to a city might have relatively progress, but I think it would be very rash to say limited impact in terms of the actual damage done, we’re winning. If you look at the two big trends, but could have a huge impact on the way people the rise in volume of attacks and the rise in feel. sophistication, they are both alarming. On volume, particularly of crime, there were something like 317 Robert Hannigan: There’s a difference between million new pieces of malicious code, or malware, a genuinely catastrophic damaging attack and a [in 2016]. That’s nearly a million a day, so that’s politically sensitive attack that spreads fear and pretty alarming. terror or a lack of trust in data. It’s fairly easy to imagine things that will lead to public panic. On the sophistication, we’ve seen, particularly, states behaving in an aggressive way and using You’ve seen big public controversies over airlines very sophisticated state capabilities and that and banks being unable to function, often not bleeding into sophisticated criminal groups. It’s through cyberattacks. But if you were to multiply a rise in the sheer tradecraft of attacks. So no, I that and see it as a malicious attack, you could see don’t think we’re winning, but I think we’re doing genuine public disquiet, a lot of political pressure the right things to win in the future. to do something about it. David Chinn: I would agree with Robert. We Simon London: Yes, it’s interesting, because may not have seen a single attack that brought when you talk about critical infrastructure of the down multiple institutions in the same way that modern economy, you often think about things, WannaCry did, but look at the list of institutions like, as you say, the internet backbone. reporting very sizable breaches of increasingly It’s those kind of things. Or maybe financial sensitive data. services, the financial system. But just talk a little

90 Defense of the cyberrealm: How organizations can thwart cyberattacks bit more about the supply chain, for example. those is that although they almost certainly That’s one that I think in the broad conversation weren’t targeting big manufacturing enterprises and the broad business public is less discussed. in Europe, they effectively disabled quite a lot of household-name companies. They simply couldn’t David Chinn: If you think about, at the simplest do business, couldn’t manufacture for, in one case, level, how a pint of milk gets onto the supermarket several weeks. It was a wake-up call to sectors of shelf, there are many stages in that, from the the economy who thought they weren’t a target for farm – by the way, the cows are milked by a cyberattacks because they didn’t have great IP or machine, which is probably connected to a data that was worth stealing. network – through to the transport network. The cold chain. The monitoring of the cold chain. The Internet of Things is simply connecting more processes and more devices to the internet. And it You don’t need to disrupt anything except the is quite striking that the level of security built into record that says the milk was kept cold for it no those is usually very low because they’re designed longer to be a product that can be given to the and built and procured on cost [Exhibit 2]. There public. The integrity of that data is the essential will probably be a role for regulation to improve the glue that sticks it all together. standards there. Robert Hannigan: If you think of the big But it does mean companies are, both through ransomware attacks of WannaCry and NotPetya digitization and through the Internet of Things, a couple of years ago, one of the lessons from

Exhibit 1

It’s those kind of things. Or maybe financial services, the financial system. But just talk a little bit Defense of the cyberrealm: How organizations can thwart cyberattacks 91 more about the supply chain, for example. That’s one that I think in the broad conversation and the broad business public is less discussed.

David Chinn: If you think about, at the simplest level, how a pint of milk gets onto the supermarket shelf, there are many stages in that, from the farm—by the way, the cows are milked by a machine, which is probably connected to a network—through to the transport network. The cold chain. The monitoring of the cold chain.

You don’t need to disrupt anything except the record that says the milk was kept cold for it no longer to be a product that can be given to the public. The integrity of that data is the essential glue that sticks it all together.

Robert Hannigan: If you think of the big ransomware attacks of WannaCry and NotPetya a couple of years ago, one of the lessons from those is that although they almost certainly weren’t targeting big manufacturing enterprises in Europe, they effectively disabled quite a lot of household-name companies. They simply couldn’t do business, couldn’t manufacture for, in one case, several weeks. It was a wake-up call to sectors of the economy who thought they weren’t a target for cyberattacks because they didn’t have great IP or data that was worth stealing.

3 increasing their attack surface, making it harder It’s not straightforward to apply, and I think there’s for them to understand the perimeters of their own a lot of talk about it. The application in particular networks, harder to see where their vulnerabilities sectors for particular uses is still to be developed, are. That is a real problem for the next five, ten years. to be honest. But it certainly ought to be a net gain for security, and particularly for data integrity, Simon London: And is this one of the reasons because one of the big future worries is it’s one that people are very interested, for example, in thing to destroy data or steal it or ransom it. To blockchain? The application of blockchain in the change it and undermine trust in data, particularly supply chain. in financial services, could be catastrophic. Robert Hannigan: Yes, I think blockchain holds Simon London: Or, indeed, milk, which is what a massive potential because of the holy grail, gave me the thought. It’s a very, very simple really, of having a ledger that is distributed and example, but it underlines how much of the unchangeable and visible to everybody. That has economy runs on trust in that data. great benefits in cybersecurity. It’s got a bad name because it’s used for Bitcoin, and Bitcoin has a Robert Hannigan: We’re just seeing criminals bad name, but I think blockchain technology is moving in this direction and looking at ways of fantastic. looking at the corruption of data to, for example, affect stock prices. There’s a huge potential there

Exhibit 2

92 Defense of the cyberrealm: How organizations can thwart cyberattacks The Internet of Things is simply connecting more processes and more devices to the internet. And it is quite striking that the level of security built into those is usually very low because they’re designed and built and procured on cost [Exhibit 2]. There will probably be a role for regulation to improve the standards there.

But it does mean companies are, both through digitization and through the Internet of Things, increasing their attack surface, making it harder for them to understand the perimeters of their own networks, harder to see where their vulnerabilities are. That is a real problem for the next five, ten years.

Simon London: And is this one of the reasons that people are very interested, for example, in blockchain? The application of blockchain in the supply chain.

Robert Hannigan: Yes, I think blockchain holds a massive potential because of the holy grail, really, of having a ledger that is distributed and unchangeable and visible to everybody. That has great benefits in cybersecurity. It’s got a bad name because it’s used for Bitcoin, and Bitcoin has a bad name, but I think blockchain technology is fantastic.

It’s not straightforward to apply, and I think there’s a lot of talk about it. The application in particular sectors for particular uses is still to be developed, to be honest. But it certainly ought to be a net gain for security, and particularly for data integrity, because one of the big future

4 to use the changes to data, or to put out false data, David Chinn: Robert, it’s interesting what you to affect the value of a company. say because in a sense, government has three challenges. One, it is an actor in cyberspace in David Chinn: Fake news is a great example. They service of national interest, usually in secret. haven’t affected the integrity of the core data. They’re just simply putting out noise. In the reports Second, it has to protect itself from cyberattack. on the attacks of the integrity of the electoral And third, it has to create, at the minimum, an system in the United States, in a system which is environment which protects the citizens and highly distributed, where different standards and businesses of the country. technologies are used across the United States, My observation would be that, at least reportedly, there was clear evidence of attempts to penetrate the UK is very good in the first. Your old institution electoral registers. You imagine changing the is a world-class actor in the national interest in electoral register so that people of a certain party cyberspace. The second is quite hard, defending simply didn’t appear. In the hustle and bustle of government, because there’s so much of it. Election Day, they probably wouldn’t get to place their votes. That could dramatically undermine The technical skills of government, government IT, trust in democracy. are continually in the newspapers and in the public accounts committee as being something that we Simon London: Robert, we’re lucky to have you struggle to do well. Simple things, like putting a on the podcast today. Why don’t you talk a little bit working computer on everybody’s desk, let alone about what is the role of government in all of this? defending those networks. Robert Hannigan: It’s a challenge that every Robert Hannigan: Most governments, including government is grappling with in different ways the UK, have focused their attention on protecting and has been over the last ten years. There are government networks, sometimes interpreted a couple of things that make cyber particularly slightly more broadly to take in some critical bits of difficult. One is cyberdefense undercuts the national infrastructure that really, really matter, but assumption that government can do defense for to encourage the rest of the economy to get better. everybody. So we spent ten, 15 years, in a sense, preaching at David has spent a lot of his time dealing with companies to get them to raise their standards. government defense in a traditional sense. And There was quite a critical shift, certainly in the UK, you, as a citizen, expect government to defend you about three or four years ago, where we decided using the armed forces. It’s unrealistic to expect that a security model that depended on everybody government to do cyberdefense in the same way for and every company doing the right thing all the the whole economy, because of the scale of it, and time was almost bound to fail. The whole system because most of what you’re dealing with is outside was not designed with security in mind, so the government. Quite apart from the fact that the skills people who invented the internet and then the and resources just aren’t there in government to do web that sits on it didn’t have security at the front it on that scale. So that’s one problem. of mind, and so we are retrofitting that, and have The other problem is that cyber is crosscutting been over the last 15 years. in every sense. It is in a new domain, so it’s a bit Things like scanning websites for vulnerabilities, like discovering water or air. Every department, which is, again, being done across government, every part of the economy, is dependent on this, you could do nationally, and you could make that increasingly, as we digitize more and become more available nationally. One of the problems, I think, dependent. You can’t really point to a single bit is that because the internet wasn’t designed with of government and say, “You’re responsible for security in mind, security is seen as something you cyber.” That was the tendency in the early days. need to add on rather than something that’s built in. The answer has to be to find a way of organizing We need to reach a point where security is government that gives sufficient speed and designed in and is there by default, particularly command and control to deal with the pace at with the Internet of Things. That may require some which digital networks work and cyberattacks regulation and certainly will require bits of the work but that actually drags out the whole of economy, including insurance, to start to drag up government to be good at cybersecurity, because standards. if any one bit is bad at it, the whole system suffers.

Defense of the cyberrealm: How organizations can thwart cyberattacks 93 David Chinn: Do you think government’s been Robert Hannigan: I think government, certainly remiss on regulation? My observation would be that in this country, has been reluctant to regulate, for GDPR [Exhibit 3], which is not a cyberregulation, all sorts of reasons. In cyber, there’s a particular but that puts significant penalties on institutions for reason why regulation can be difficult, because it allowing private information to be misused, which can end up being very prescriptive and very tick includes being stolen, is having quite a big impact box, and it doesn’t take account of the speed at already in terms of reporting and transparency, which technology is changing and the particular which is then going to inevitably lead to more networks that a company may have. We preferred investment and more focus by organizations on an advisory, “Here are objectives you should protecting that data. Do you think government meet” – a risk-based approach, I suppose. missed the boat a little bit on regulation?

Exhibit 3

94 Defense of the cyberrealm: How organizations can thwart cyberattacks Simon London: Best practices and these kind of things.

Robert Hannigan: Yes. Then there is a good case for saying we need a tougher approach on regulation. I think the EU is moving in that direction. I think GDPR has been a net benefit, because essentially there are two sides to most cyberattacks. There’s “Did you do the right things to prevent it, and then how did you handle it afterward?”

So GDPR has been particularly strong on the second bit. First of all, it’s removed the debate in companies about whether they reveal the attack and how long, because they have to. That’s good. It’s raised awareness in boardrooms and so, to some degree, panic in boardrooms.

But I think the best regulation probably is in the states. It’s interesting to see that California is introducing some hardware-IT supply-chain regulation, which will have a big impact, I think, given that so much of it is designed there, even if it’s mostly made in China. There is a place for

7 Simon London: Best practices and these kind of Robert Hannigan: That’s true, but I wouldn’t things. underestimate the creativity and innovation of criminal groups. They are genuinely creative. They Robert Hannigan: Yes. Then there is a good are talking to each other about, “How could we do case for saying we need a tougher approach this in a better way? How could we defraud this on regulation. I think the EU is moving in that particular bank? What technique is going to work direction. I think GDPR has been a net benefit, best? What’s the best way of delivering it?” because essentially there are two sides to most cyberattacks. There’s “Did you do the right things They are doing what so many traditional to prevent it, and then how did you handle it companies are trying to do, which is pull in afterward?” skills from around the internet. Not necessarily colocated. They’ve clocked something about how So GDPR has been particularly strong on the to harness young innovative skills and do creative second bit. First of all, it’s removed the debate in things. We have quite a bit to learn from them, I companies about whether they reveal the attack think. I agree that governments have been very and how long, because they have to. That’s good. good in quite a small and narrow way, but the It’s raised awareness in boardrooms and so, to criminal world is also pretty innovative. some degree, panic in boardrooms. David Chinn: I think this is similar, certainly in But I think the best regulation probably is in the the UK, to the crisis in STEM education. If people states. It’s interesting to see that California is don’t study STEM subjects, we’re just not going to introducing some hardware-IT supply-chain have the inflow into the economy, whether it be for regulation, which will have a big impact, I think, government or private industry. given that so much of it is designed there, even if it’s mostly made in China. There is a place for I’ve been particularly impressed by the way that regulation, and we probably should have done more Israel has effectively said that this is a national of it. The difficulty is lack of skills, again. I think most defensive-capability issue, but it’s a national governments don’t have sufficient skills. industrial-growth issue. The country decided they wanted to have one of the world’s leading Simon London: Ah, well, that was going to be my cyberindustry platforms and that to do that they next question. Yes. To your point, David, I mean had to make a massive investment in skills. government IT doesn’t have a massively positive reputation in the world at large. Sometimes They started with after-school activities in the unfairly. But yes, do governments have the most deprived areas, because they recognized technical skills in cyber to protect their own that if you start young enough in a country where networks? almost every home has a computer, even those with very low means, who think that having a David Chinn: The interesting thing about cyber computer is important, that you can build those is that the source of innovation in attacks is skills, in a sense, in parallel to formal education. mostly coming from inside governments. Many governments have very highly skilled people who Many people who are extremely talented in the when their knowledge leaks into the public domain cyberdomain actually don’t do particularly well at gets adopted quickly by criminals. We have the school. It’s an outlet for those people, and I think equivalent of government weapons proliferation it’s been very, very successful. It’s created a great into cyberspace. pipeline of talent into government and private industry. If you follow the cyberindustry, where there’s a huge number of start-ups, effectively, each year’s Simon London: I think about another interesting retiring crop of government hackers is bringing question for government is how you manage this new innovation from inside the secret domains tension between the need for transparency and of government in an appropriately, hopefully bringing the whole economy with you, and yet appropriately, modified way to the benefit of at the same time there is an element of secrecy, those who are under attack, often from other acting in the national interest and so on. How do governments. One can’t say that there are no skills you manage that tension in practice? in government. The best skills are probably in government.

Defense of the cyberrealm: How organizations can thwart cyberattacks 95 Robert Hannigan: I think the key insight of the last Simon London: Can we just internationalize the ten years has been that you can’t do cybersecurity conversation a little bit? If you look across the in secret. You can’t do it behind a wall in the international context, what are other governments intelligence agencies. For the obvious reason that who are doing this well and innovatively, and who the attacks are out there in open source in the we can all learn from? economy, on the internet. It’s all visible. Well, most Robert Hannigan: I would say Singapore and Israel of it visible. are doing it very well, in slightly different models. It makes no sense to try to do it in the way that Australia has chosen a model that’s similar to the you’ve tackled traditional security threats, which UK model [Exhibit 4]. Having it all in one place may be very, very secret and coming from very effectively. Certainly, the operational side of cyber. sophisticated governments. There is a side of Most governments are organizing and constantly that that is true for cyber, but most of it is not. tweaking the system. There are very different Most of what people experience in cyber, whether models, and in Europe, perhaps in Germany companies or individuals, is crime. Some of it’s especially, the cyber agencies are purely civilian. state-backed crime, but still crime. And it simply doesn’t work to be referring constantly to a secret And then there is a secret-world element of cyber, world that can’t really communicate. and I think they’re also looking at how to bring those two together in a way that works for them, The obvious development here has been to given the different constitutional setup. create a national cybersecurity center that was outside the secret world, but under the aegis The military in many countries has a primacy in and under the control of GCHQ, which is where cyber, and certainly in Germany they’ve been the skills sat. And to have a blend of both. In the given a strong lead in cyberdefense. That brings headquarters you’ve got access to secret systems both opportunities, because the military always for some people, but the key point is that you have a lot of resources and they’re very good at have openness to industry, and you have industry organizing stuff. But also challenges, because people sitting alongside government experts. they’re not used to dealing with defending banks and the economy, and it’s a culture shock for them. It goes back to our discussion of regulation. They don’t necessarily feel that’s part of their What you need in cyber, you can’t simply have remit. There are difficulties in the military. cyberregulators who do it for everybody, because so much is domain-specific. You need to The US, everybody looks to, but I think it’s so large, understand the energy sector to regulate or advise with its multiplicity of agencies, that it’s struggling. on how to do cybersecurity of energy, or for any It has fantastic capabilities, obviously. The private other sector. It’s different. Therefore, the idea is to sector is probably better organized, particularly in have experts from those particular sectors sitting financial services, than anywhere in the world. But literally alongside a deep cyberexpert. you often get the criticism or complaint from the private sector that the links to government are not Simon London: To your point, David, it sounds like quite right yet. a lot of companies are struggling with this same cultural pull between the secrecy but the need to That I think reflects partly the fact that it’s still share information really to be effective, or to be evolving; the Department of Homeland Security, more effective and to collaborate with your peers that was given this leadership under the Bush and share information. administration, is still developing. It’s not straightforward, particularly on that scale. I don’t David Chinn: Yes, and I think we’ll see the infor- think anybody has a perfect answer. mation commissioner shaping the environment around transparency quite actively in the very near David Chinn: I think the military is a very future. interesting subset of government because I don’t think there was even one model in the military. Simon London: This is your point around Some countries are creating cybercommands. regulation? Others are building cyber in all of their commands. David Chinn: Yes. I think that will really change Others are concentrating in their intelligence people’s understanding of how much they can services, and then combining those in different legitimately keep secret. ways. And that’s also changing over time.

96 Defense of the cyberrealm: How organizations can thwart cyberattacks Exhibit 4

Robert Hannigan: I would say Singapore and Israel are doing it very well, in slightly different models. Australia has chosen a model that’s similar to the UK model [Exhibit 4]. Having it all in one place effectively. Certainly, the operational side of cyber.

Most governments are organizing and constantly tweaking the system. There are very different models, and in Europe, perhaps in Germany especially, the cyber agencies are purely civilian. Defense of the cyberrealm: How organizations can thwart cyberattacks 97 And then there is a secret-world element of cyber, and I think they’re also looking at how to bring those two together in a way that works for them, given the different constitutional setup.

The military in many countries has a primacy in cyber, and certainly in Germany they’ve been given a strong lead in cyberdefense. That brings both opportunities, because the military always

10 Simon London: It sounds like we’re in an era of “Yes, there are things that we could do at national institutional innovation, in many ways – to some scale.” degree, institutional improvisation to try and figure The problem, I suppose, at the risk of sort of out what models work in what context. making excuses, is that the nature of cyberspace, Robert Hannigan: Absolutely. I think the military’s however defined, makes politicians feel quite a very good example, particularly outside the US. impotent, because it cuts across jurisdictions. The US is ahead of anybody, I think, in developing They can pass laws in their own parliament that cyberskills in the military at scale. really have zero effect. They can regulate their own companies, but not necessarily others. That is a On the broader point about civilian structures real problem. and civilian/military, I think the one thing that is probably key is that many of the questions are For cybercrime, for example, most of it is based in the same, starting with, “What does government countries which are either endemically corrupt or actually want to achieve?” And not being unwilling to do anything about it for geopolitical overambitious in what government can achieve, reasons. What do you do about that? I mean and what’s the appropriate role of government, is there’s a much bigger context here of international a good starting point. And trying to define what relations, and we are a million miles from getting people expect from their government. Things any kind of international agreements on the like a single source of advice, incident response, security and safety of cyberspace. protection of certain networks. I think that is a Simon London: David, you were the rousing voice conversation that just about every government is of critique just now. What should be done? having in different ways. David Chinn: First, a sophisticated debate around David Chinn: But I think there’s a paradox here, the legislative and regulatory environment. The because if you were to interview the chairman or use of product liability has been very effective chief executive of any large corporation and ask in other sectors for changing the game for the them what’s their top three risks, cyber would be manufacturers. A robust thinking about product on that top three, for every single one. And for liabilities, extension to the technology arena, many of them, it would be number one. Yet, if we would frankly have quite a chastening effect on look at what governments are doing, this is the one industry. area of national security, of crime prevention and prosecution of critical national infrastructure, that Simon London: In other words, selling a product governments have, to a large extent, abdicated that has technology embedded that is deemed to their responsibility. Great, some small steps. And be insecure could be breaking the law. sorry, I don’t mean to be critical of what was a David Chinn: Well, not necessarily breaking the big small step. But exalting the private sector law, but would expose you to civil action that could to do better feels like a very different role that have severe financial consequences. Effectively, it government takes in almost every aspect of life would create a market mechanism for valuing more that would feature for most people in their top secure products. Second, there is room for some three risks. I think there’s a lot more to do, but better and some more regulation. For example, if unfortunately we may have to wait for a genuine you want to sell anything to the UK government, event – people talk of the cyber 9/11 – to create a you have to meet a minimum standard called Cyber big change in focus, understanding, spending, and Essentials. This is not the most sophisticated, but, so on. as we’ve discussed, most of the attacks are not the Simon London: Let me just put that back to you. most sophisticated attacks. What should be done? These kind of standards are very helpful because David Chinn: What would your list be, Robert? they’re easily adopted by people for their own supply chains. I think a promulgation of standards, Robert Hannigan: Your criticism is very fair. I ideally with some degree of harmonization. And it’s mean I think the government has moved from an very interesting, in the US the national standards absolutely sort of hands-off position to say, “Well, organization, NIST (National Institute of Standards we’ll look after our networks, but everybody else and Technology), has created a number of models, should get better.” And sort of slightly hectoring which have got global acceptance. Once an them when they’re not good enough. To saying, authority puts it out there in a world where

98 Defense of the cyberrealm: How organizations can thwart cyberattacks there’s a lot of uncertainty, there’s a lot of demand Robert Hannigan: Yes, either trust or an attack for good standards. that leads to loss of life. It might not be massive loss of life, but it would put huge pressure, as The traditional tools of government around terrorism does, on politicians to react. legislation, regulation, standards setting, and so on could be used quite a lot more, without Simon London: So what’s that Churchill phrase, throttling innovation. Industry always says, “You’re this is not the beginning of the end. This is the end going to throttle innovation.” What they mean is it’s of the beginning? going to cost them more. But the cost to society of Robert Hannigan: Well, I don’t think it’s even insecurity is high and is going to get higher. really the end of the beginning. I think we’re still Simon London: One of my takeaways from this at very early stages of this technology. For most conversation, tell me if this is right or wrong, is people, it’s 15, 20 years old. Even if you look back that there will be one or more significant tier-one, to the ARPANET (Advanced Research Projects we might call them attacks, on critical national Agency Network.), it’s, what, 40, 50 years old? infrastructure. We’re recording this in London, but That’s not long, and it’s developing incredibly fast. it may not be based in the UK. But that will come. We are about to add a massive amount of new We know where it will come. And that will probably processing power, and therefore new data to the shift the debate into a higher gear. That probably system, mostly through the Internet of Things. We will shift the international debate about what is to have a whole new issue emerging with quantum be done and, in some ways, get this taken more computing, and people have not quite woken up, seriously, perhaps at government policy and including the regulators, to the fact that current regulatory level. Is that a correct takeaway? encryption will cease to be useful once quantum Robert Hannigan: I think for most people, arrives. most of what they would experience, and most We need now to be building in quantum-safe companies, is still crime. So that’s the volume, but encryption standards, which are available through everybody understandably gets excited about the NIST and through others. But if we don’t do that, catastrophic attack and that there is a range of everything, every company’s records, every bit possibilities for and the insurance industry worries of financial data, every transaction is going to be a lot about systemic failure. So systemic failure of readable from the moment that quantum computing cloud providers, for example. Systemic failure of really arrives at scale. It’s a wonderful innovation, some major financial institutions, two or three of and it has obviously lots of possibilities on the other which would bring down the system or could bring side of the equation, but it is one that we need to down the system. So those are the kind of real start thinking about in regulatory terms now. tier one. But there may be some political tier-one problems and attacks that will have the kind of Simon London: All right. Well, I think that’s all effect that David was talking about earlier, of panic we have time for. Robert and David, thank you so and political pressure. much, and thanks, as always, to you, our listeners, for tuning in. To learn more about our work on Simon London: Trust. cybersecurity, technology, and related matters, please go to McKinsey.com.

David Chinn is a senior partner in McKinsey’s London office, and Robert Hannigan, the former head of GCHQ, is a senior adviser to McKinsey. Simon London, a member of McKinsey Publishing, is based in McKinsey’s Silicon Valley office.

Defense of the cyberrealm: How organizations can thwart cyberattacks 99 Enable digital technology delivery Understanding the uncertainties of cybersecurity: Questions for chief information- security officers

Given the dynamic nature of the cybersecurity environment, CISOs need to address a set of questions that will shape their strategies over time.

by Venky Anant, Tucker Bailey, Rich Cracknell, James Kaplan, and Andreas Schwarz

100 Understanding the uncertainties of cybersecurity: Questions for chief information-security officers At a highly dynamic moment of change in the and which perceptions and actions (or failures to way companies use technology, cybersecurity act) might heighten their concerns. is probably the most dynamic of all corporate 2. How will different regulatory, political, and technology domains. The field and the companies cultural expectations about data protection that rely on it are being transformed as an uncertain across national boundaries shape the security geopolitical environment emboldens potential environment? cyberattackers, rapid technological innovation Perhaps paradoxically, while consumers have creates new ways to launch and repel cyberattacks, been relatively blithe about their data, privacy and and cybersecurity’s emergence as a critical security have continued to be hot-button political business function prompts experimentation with and regulatory issues. Jurisdictions such as Brazil, organizational and operating models alike. California, and the European Union have started In such an environment, perfect foresight is to implement tough new requirements on data impossible. Yet business, technology, and privacy. But regulations in different jurisdictions security executives all have a responsibility to may contradict each other or create conflicts understand the important uncertainties and to between compliance and security – particularly by develop practical working hypotheses about how constraining the forensics a company can perform to manage them. To help these senior managers, on its own network to identify insider threats or we’ve compiled a list of the key questions they compromised accounts. (Regulators might perceive ought to ask over the next 12 to 18 months. those actions as inimical to the privacy rights of employees.) Authoritarian states may demand that Evolving market expectations companies limit security or privacy protections for their customers or employees as a condition of Two of these questions focus on market doing business in those places. That in turn may expectations: whether consumers will start to spark public frustration and anger elsewhere. care about security issues and the way differing regulatory, political, and cultural expectations Going forward, companies will certainly have to about data protection shape security across think about tailoring their security models to the national boundaries. requirements of different national markets. Some may have to make tough choices about whether 1. Will consumers start to care about privacy they can reconcile expectations about privacy and and security? security in all the markets where they might ideally Anyone who has observed the procurement like to do business. of group health insurance, pharmacy-benefits management, prime brokerage, or IT-outsourcing services knows that corporate customers care Evolving risks a lot about how their suppliers protect sensitive The next set of questions focuses on evolving data. But with a few exceptions – such as high- risks: whether companies will be collateral net-worth or mass-affluent purchasers of financial damage, coopted or directly targeted by nation- services – the consumer market just doesn’t seem state actors; how companies will protect their data to care about privacy or security. Most breaches in a world of pervasive sensors and protect their involving personally identifiable information machine-learning capabilities; and how quickly haven’t affected revenues or market share in any quantum computing will become a security threat. sustained way. 3. To what extent will companies be collateral Yet in view of the relentless attention to privacy damage, coopted or directly targeted by and security issues in the press and the political nation-state actors? arena, this indifference could certainly change. As the NotPetya attack showed, nation states Companies have a responsibility to protect all increasingly use cybertools as weapons of consumer data, but when senior executives think domestic and military tradecraft. Originally through their risk appetites, levels of investment, directed at targets in Ukraine, NotPetya wreaked and incident-response plans, they must consider havoc on unprotected networks around the world. not only how sensitive consumers in general are Another harbinger of what’s to come: it has been but also who may be the most sensitive consumers widely reported that NotPetya was derived from

Understanding the uncertainties of cybersecurity: Questions for chief information-security officers 101 a stolen exploit originally developed by the US 5. How can companies protect their machine- National Security Agency.1 learning capabilities? Businesses are racing to implement machine- In an era of renewed great-power conflict, countries learning systems to detect fraud, improve pricing, increasingly promote their global interests by rationalize supply chains, and optimize dozens means other than war. During the past several of other business decisions. For all these use years, asymmetric approaches (such as cybertheft, cases, decision algorithms improve over time as cyberattacks, malign influence, and media more data generate better insights about the manipulation) have taken advantage of unsuspecting connections between inputs and the objective content providers, critical national-infrastructure function to be optimized. This is a fundamental operators, and intellectual-property producers. change – analysts can no longer replicate When global tensions rise and economic algorithms on a pad of graph paper, as they could interventions become increasingly common in with traditional decision tools. It may therefore great-power conflict, companies will be collateral be all but impossible to determine whether a damage; in fact, they will probably be targeted cyberattack has subtly compromised a business directly in state-against-state cybercampaigns. capability (by reducing the ability to detect fraud, Similarly, nation states may increasingly use for example). Security organizations and their for-profit companies as proxies, partners, and business partners may need to develop new conduits for asymmetric activities. Businesses ways to ensure the validity of machine-learning must therefore determine how much risk they face algorithms. from either intentional state-sponsored attacks 6. How quickly will quantum computing create on them or, as collateral damage, from attacks on security threats? other targets. All security relies on encryption – and on the 4. How will companies protect data in a world of assumption that massive computing resources pervasive sensors? would be required to decrypt data protected by The Internet of Things (IoT) dramatically raises even a moderately capable encryption algorithm. the stakes for cybersecurity – at least potentially, But quantum computers that could crack the RSA- cyberattackers could manipulate devices that are 1024 encryption standard in less than 24 hours now becoming connected to networks: for instance, may be only a decade away.2 At a stroke, many automobiles; heating, cooling, and ventilation of the security technologies the modern world systems; and industrial machinery. The IoT involves depends on would become ineffective: for example, huge numbers of network-connected sensors that what would happen to investments in business will generate massive amounts of sensitive data. processes based on blockchain if the encryption it The security functions of companies will have to requires could be compromised quickly? understand what kind of data the devices installed Of course, defensive capabilities advance just as on their networks collect, who might benefit from offensive ones do, and quantum encryption will compromising the data, and how to secure a whole probably attempt to protect users against quantum new technological environment. decryption. Yet the National Academy of Sciences Although that goal is challenging, it is at least estimates that it will take 20 years to make more straightforward than protecting sensitive enterprise networks less vulnerable to quantum- information in the consumer IoT. Companies based attacks.3 That time frame, and the risk that prohibit their executives and managers from some attackers may have access to quantum working with sensitive documents on any personal capabilities well before the next decade’s end, device and from transmitting them via personal mean that companies – especially in critical email accounts. Will companies also have to infrastructure sectors – have a responsibility prevent employees from making or receiving to start early planning for the transition to a company-related telephone calls at home in rooms quantum world. with voice-activated smart devices?

1 Andy Greenberg, “The untold story of NotPetya, the most devastating cyberattack in history,” Wired, August 22, 2018, wired.com. 2 Martin Giles, “Quantum computers pose a security threat that we’re still totally unprepared for,” MIT Technology Review, December 3, 2018, technologyreview.com. 3 Emily Grumbling and Mark Horowitz, editors; Quantum Computing: Progress and Prospects, Washington, DC: National Academies Press, 2019, nap.edu.

102 Understanding the uncertainties of cybersecurity: Questions for chief information-security officers Evolving security protections and What might a postpassword world look like? It platforms would probably combine biometric authentication or authentication based on devices (such as The next group of questions addresses evolving phones, which use biometrics) with behavioral security protections and platforms: how quickly analytics that can determine, probabilistically, if a zero-trust model could be adopted, the future users are legitimate. The advent of the WebAuthn of passwords, the evolution of the security-tech standard for using devices to authenticate online market, and the security problems of cloud services might be a critical enabler.5 services. But a successful transition will require device 7. How quickly could zero trust be adopted? manufacturers, service providers, and Most chief information-security officers (CISOs) commercial-software developers to adopt have believed for years that the perimeter is less relevant standards and incorporate them into their important than it used to be, though they continue offerings. In many cases, companies may want to to make investments in perimeter-based controls. develop the behavioral analytics to complement Now, as companies start to accelerate their move biometric authentication. Given the momentum, into the public cloud, these traditional perimeters CISOs and other executives may want to start may become irrelevant for larger and larger parts putting plans in place now. of the corporate environment. 9. How will the security-technology market In the zero-trust model, applications base no evolve? trust assumptions on whether a user (or another The cybersecurity-tooling market has recently application) is inside the network perimeter. This been among the most fragmented in enterprise has several advantages: organizations can set the technology. Systems architects might have only a right level of protection for each application and few practical choices for app servers or database- dramatically limit the ability of attackers to move management systems. But their security colleagues laterally across technology environments. must sort through dozens of endpoint-protection Yet companies have decades worth of legacy or antimalware products. Despite the problematic applications that assume the existence of a complexity, attempts to create integrated security network perimeter, and very few technology platforms have met with limited success, to date. organizations have developers with the skills to Enterprise security leaders planning investments develop zero-trust applications. Less than 10 should ask the larger market participants to percent of the CISOs McKinsey surveyed believed explain what makes their integrated offerings they could adopt the zero-trust model, even for compelling. If they can’t, it isn’t clear whether cloud applications, in the next two or three years.4 proprietary products will continue to dominate The key to success in zero trust is the ability to this space or companies will seek to optimize understand and go on tracking users, assets, their security expenditures by adopting open- and controls simply, but at a granular level – or, source products. Equally important, how will the if necessary, to reengineer or reshape them. answers to these questions differ across market CISOs will have to caucus with their application- segments – say, between larger and smaller development and infrastructure colleagues to companies or between companies facing threats determine how quickly their companies can that are more sophisticated or less sophisticated? develop the required capabilities. 10. When will large companies be able to 8. When will we finally be able to kill passwords? consume cloud services securely? Passwords are terrible. Users hate them, forget The case for public-cloud infrastructure is exciting: them, write them down on publicly displayed sticky access to innovative services for developers, notes, and use them across accounts – including near-infinite capacity on demand, and (at least consumer accounts from providers with security potentially) lower costs. Yet for large, complicated vulnerabilities. Eliminating passwords could both companies – especially in heavily regulated reduce that vulnerability and improve the user industries – the pace of adoption has been slow. experience dramatically.

4 Arul Elumalai, James Kaplan, Mike Newborn, and Roger Roberts, “Making a secure transition to the public cloud,” January 2018, McKinsey.com. 5 Francis Navarro, “A world without passwords? The web’s weakest link gets long-overdue fix,” komando.com.

Understanding the uncertainties of cybersecurity: Questions for chief information-security officers 103 Some companies with thousands of applications 12. Will the cyberinsurance market protect (and more than 100,000 servers) desperately want against material cyberrisks? to leverage the infrastructure of the public cloud For the past decade, market observers have but have succeeded only in running fewer than ten suggested that cyberinsurance is the next major applications there. growth area for insurance carriers. Sceptics have rejoined that it will always be the next Legacy applications never designed to run major growth area. For now, the sceptics seem efficiently in the cloud are part of the problem, but to be right: the cyberinsurance market has security is a major bottleneck as well. Security grown only incrementally and still doesn’t cover teams are racing to perform risk assessments most cyberrisks except customer-data-breach of hundreds of cloud services – first to learn mitigation and regulatory penalties. Direct costs, if capabilities such as identity and access reputational risks, and intellectual-property theft management (I&AM) and monitoring work in them do not get meaningful coverage. Since companies and, second, to build the level of automation that cannot effectively hedge cyberrisks, they adopt would make it possible to configure systems new technologies relatively slowly for fear of their securely in the cloud. Companies thus need to adverse cybersecurity implications. determine just how quickly they can build cloud- enabled security capabilities, which acceleration As for the insurance carriers, they don’t have good opportunities they have, and what that means for actuarial data for cyberthreats, know how to model the overall journey to the cloud. cyberrisks well, or truly understand the cyberrisks they would insure or the returns on the relevant 11. Will smaller companies use cloud services to investments. However, new quantitative methods reduce their security footprint dramatically? are emerging to assess the likelihood of long- Some security professionals talk about the tail cyberevents, and one or more carriers may cybersecurity poverty line: companies that succeed in quantifying and insuring cyberrisks. If annually spend even $50 million or $100 million so, companies may be able to transfer risks they a year on IT may struggle to afford all the cyber- have so far been accepting or mitigating at high security tools they need and to attract the talent cost. But that will come to pass only if carriers can to deploy and manage them. The transition to dramatically improve their underwriting. cloud services has challenged larger companies scrambling to recast their security architectures 13. How will the scope of security organizations and operations to support a cloud-based develop? infrastructure. Cybersecurity has become a more important issue for boards and senior management teams alike. But the cloud may be a security godsend for Many companies have therefore started to expand smaller companies. Their technology executives the remit of what used to be the information- (or counterparts in small, independent divisions security organization, recasting it as the IT-risk of larger companies) should ask themselves if group, responsible not only for information they could dramatically reduce their internally security but also for technology compliance, managed technology footprint, their surface area, the quality of software, disaster recovery, and and therefore their level of risk by accelerating business continuity. The goal is to have one the transition to business applications based on executive and one team make integrated decisions software as a service (SaaS) and to SaaS-based about protecting corporate information and desktop environments, voice communications, systems from both accidents and attacks. and network connectivity. This question will be especially relevant for private-equity firms, which Other companies, thinking that no clear line invest in many midmarket companies. separates cybersecurity from physical security in an increasingly digital world, have integrated them. Evolving security operating models A few companies have combined cybersecurity with fraud control because they think that most The final set of questions focuses on evolving fraud has an online component and want integrated operating models for security: whether the analytics to oppose it. A few other companies cyberinsurance market will protect against combine the security and privacy teams, on the cyberrisks, how the scope of security theory that customers care only about the misuse organizations will develop, and how cybersecurity of their data and don’t distinguish between talent pools will react to demand.

104 Understanding the uncertainties of cybersecurity: Questions for chief information-security officers security and privacy. Meanwhile, many companies available and whether it aligns with their overall have moved much of their security-related strategy. People with low-end cybersecurity skills, service delivery and technology support into the for example, may become more available long technology-infrastructure organization, so that before companies can find enough experts with CISOs and their teams can focus on strategy and the advanced skills required to face off against risk management. business leaders on cybersecurity issues or to direct the automation of cybersecurity. In short, the organizational structure for cybersecurity hasn’t stabilized. Senior managers must watch developments in their industries to see which organizational structures succeed. Policy decisions, investment choices, and security 14. How will cybersecurity talent pools evolve in incidents now confront security, business, and relation to demand? technology executives with pressing (and often CISOs disagree on many things, but they almost exhausting) cybersecurity issues they must address universally believe that cybersecurity talent is in the short – and sometimes very short – term. Yet in short supply. When people chose majors and in view of the cybersecurity environment’s highly courses of study in the past, almost nobody dynamic nature, CISOs and other executives have expected cybersecurity to be as big an issue as it a responsibility to think through the longer-term is today. But for several years now, demand signals questions raised in this article. indicating a pressing need for cybersecurity expertise have been penetrating the talent Companies can address some of the issues marketplace. Computer-science students are described here – for instance, quantum beginning to take cybersecurity courses, security computing, pervasive sensors, and the specialists trained in the military have entered cyberinsurance market – as events unfold in civilian labor markets, and lawyers and other coming years. Other issues, such as evolving professionals have gone back to school to retrain consumer expectations and regulatory demands, themselves as cybersecurity experts. require more immediate attention because they could have a dramatic impact in the next year or Technology executives should think about two. To withstand the coming security onslaught, their cybersecurity operating models: what to companies will have to change in important ways. outsource, how aggressively to automate, and The questions posed in this article are the natural which skills to foster internally. As they do, they starting point. must know how much cybersecurity talent is

Venky Anant is a partner in Silicon Valley office of McKinsey. Tucker Bailey is a partner in McKinsey’s Washington DC office. Rich Cracknell is a manager of solution delivery in Silicon Valley. James Kaplan is a partner in the New York office, where Andreas Schwarz is an expert.

Understanding the uncertainties of cybersecurity: Questions for chief information-security officers 105 Enable digital technology delivery Protecting the business: Views from the CIO’s and CISO’s offices Protecting the business: Views from the CIO’s andAt JPMorgan CISO’s Chase, CISOs andoffices CIOs work together to align cybersecurity with business goals.

At JPMorganby James Kaplan Chase, CISOs and CIOs work together to align cybersecurity with business goals.

March 2020

106 Protecting the business: Views from the CIO’s and CISO’s offices In an increasingly digital era, protecting information Then you need to translate this into digestible and systems from cyberattack is one of the most content for a non-technical audience, which important and challenging responsibilities of every requires good soft skills as well. IT organization. In some cases, business-unit chief A CISO drives and controls an agenda, and information officers (CIOs) and enterprise chief building trust is critical in implementing that information security officers (CISOs) can have agenda, because trust is a force multiplier. As a very different perspectives and agendas, creating CISO, my priorities are to protect the firm, enable friction and reducing organizational effectiveness. the firm to drive growth, and make this growth as At JPMorgan Chase & Co., which has one of seamless as possible from a security standpoint. the world’s largest private-sector technology George Sherman: I think the best CISOs are the environments, two of the four business-unit CIOs ones who have learned about policy and controls have previously served as the bank’s enterprise but at their core are very strong technologists. The CISO. CISO role must evolve with the threat landscape McKinsey’s James Kaplan spoke with several and technologies. You must understand the members of JPMorgan Chase’s Global Technology technical side of cybersecurity. But information leadership team, led by Lori Beer, Global CIO and security and protecting against cyberthreats member of the company’s Operating Committee, are also about people and process, not just about effective collaboration between the security technology, so you have to understand all three and business-unit technology functions, what dimensions in order to fully appreciate what you makes a good CISO, and how being a CISO can be have to do to protect the firm. valuable preparation for being a CIO. Sometimes you have to go slow to go fast. It’s the Rohan Amin is CIO of Consumer & Community old race-car analogy. You can go really fast in a Banking, Anish Bhimani is CIO of Commercial race car because you’re wearing a fireproof suit, Banking, George Sherman is CIO of Global you’re in a protective cage, you have an automatic Technology Infrastructure, and Jason Witty is fire-extinguishing system, and you were trained. JPMorgan Chase’s global CISO. All are managing This allows you to drive superfast. directors. Prior to their current roles, both Amin and But getting to that point can feel slow. CISOs who Bhimani served as JPMorgan Chase’s global CISO..1 “get it” spend a little bit more time up front being thoughtful about their execution. The attributes of an effective CISO Jason Witty: Being a successful CISO these days The changing role of the CISO involves wearing many hats, from business to risk Jason Witty: The role of the CISO has already to technology to software engineer. You must be changed. It’s about measured risk taking, not risk aware of the threat landscape and understand elimination. This measured risk taking must also human behavior. You also have to know how to evolve with the availability of new technologies. work with regulators and gain trust from multiple You must constantly adapt, train, and educate stakeholders. so that you can adjust the control environment Doing those things gives you a firmwide view of to enable the things the business is trying to what’s going on in the business, what’s going on accomplish. in technology, what’s going on in risk, and what’s Rohan Amin: If you want to help the builders, you going on in the legal and regulatory landscape. have to know how to build. As a CISO, if you are This allows you to connect the dots in a way that not close to the modernization agenda—modern other roles simply do not provide. architectures, cloud, data, machine learning, You must constantly be shifting, adapting, and and so on—then it’s hard to effectively guide an learning. I spend about two hours every morning organization in the right direction. just digesting what’s changed since I went to bed, be it new threats, bad actors, or vulnerabilities.

1 r the full interviews with each interviewee, see “The benefits of a CISO background to a business-unit CIO” (Rohan Amin), “Enterprise- wide security is both a technology and business issue” (Anish Bhimani), “Robust cybersecurity requires much more than great technology” (George Sherman), and “The modern CISO: Managing scale, building trust, and enabling the business” (Jason Witty), March 2020, McKinsey.com.

Protecting the business: Views from the CIO’s and CISO’s offices 107 George Sherman: You can go back a decade require that security and controls be embedded into and see how much has changed. Everything all the technology we deliver. seemed much simpler. The successful CISOs I use my technical-security skills on a daily basis. of the future can’t be process managers. They With new technology and connectivity platforms, must have a deep understanding of technology. many of our older security paradigms are being Imagine leading thousands of software engineers stressed. In the past, you could get away with not but never having actually written a line of code. having the most robust identity or authorization At some point, you have to ask yourself how you constructs and authentication and authorization can relate to that community. And how will that metrics. This is no longer the case, as the dynamic community relate to you? Those questions are just nature of these modern technologies requires as relevant to today’s and tomorrow’s CISOs. dynamic management of the trust chain. Anish Bhimani: I used to go to the board of If you add to this the complexity of the multivendor directors and the audit committee annually for cloud environments connecting into our about 20 minutes. We now meet with the board companies, you must have a strong understanding eight times a year for at least an hour each time. of the “threatscape” and how you deal with cybersecurity issues. Everyone within the The value of CISO experience to CIOs organization must understand that cybersecurity Anish Bhimani: Every CIO should spend time in a is non-negotiable. We have to get it right all the security role, since it makes you think differently. time. The bad actors only have to get it right once. Regardless of your role, you’re never out of security. With new technologies, including automation, How being CISO helped in becoming security is a layered process. It’s built into the fabric a CIO of the organization, from process to people. Anish Bhimani: I spent my entire career aspiring Rohan Amin: When we think about what matters to be the CISO of a large bank, and when I got most to our customers, running a disciplined the job, it was a significant accomplishment in environment with stability, resiliency, controls, and my career. When I then became a CIO, it meant data privacy are non-negotiables. Being in the shifting to more of an implementation approach, CISO role obviously instilled a lot of that in me. and I was eager to work with the business. But The other aspect that’s helpful in having a CISO back- despite my excitement, I was clear that job number ground is a deep understanding of non-functional one is having a secure operating environment. If requirements and how to make them easier to adopt. you don’t do job one, you don’t earn the right to do For example, modernizing our applications and job two, which is to deliver value to the business. striving for platform-centric thinking help to focus our Rohan Amin: In the CIO role, you get a deep engineers on the most relevant business functions, appreciation for the importance of the control which are the features and value for customers. environment and security. You learn that everyone As a CISO, you have a global view of risk and what understands the importance of controls but wants the issues are and how you think about enterprise control adoption to be more seamless and part of management in the application-development the engineering process. context. Some CISOs are policy and governance Security and controls teams face a continuing focused only, while others have a stronger challenge to figure out how to make this stuff technical and business background. Having a simple and easy to use. This requires the technical background and being able to effectively engineering work to make it easy to adopt, easy to communicate complex issues to the business have innovate on the platform, and easy for engineers served me well. to do the right thing. People can’t be forced to George Sherman: We are unique and fortunate in read thousands of pages of policy to figure out that three of our CIOs are former CISOs. This makes the right thing to do. The right thing to do should the current CISO’s life much easier, specifically as it be easy and baked into the platforms and enabled relates to how you design, deliver, and execute the via software, so that something as simple as “you business-process automation efforts. Thanks to our should encrypt your data” isn’t something every security background, we tend to think about data engineering team has to figure out for itself. Make protection and security earlier in our processes and security the easy answer, not the hard answer.

108 Protecting the business: Views from the CIO’s and CISO’s offices The impact of the cloud Focusing on the future Anish Bhimani: When moving to the cloud, the Jason Witty: “Deepfakes” ar e a concern, so first priority is figuring out your technology and having the ability to prove that who you are business priorities and then striking a balance. talking to is actually the person you think you are Services and architecture templates need to be talking to is vital. Artificial-intelligence (AI) and validated and automated for cloud configuration. natural-language-processing algorithms are also Secondly, cloud security can be a business advancing rapidly, posing new reputational and enabler, and we know that businesses need to financial threats in addition to opening new doors grow and thus must move fast. for business growth. Why do you have brakes on a car? It’s not to stop. Safely enabling AI and maintaining our ability to It’s so you can go fast, secure in the knowledge keep up with the velocity of automated attacks that you can stop whenever you want or need to. is also something being much discussed. We’ll Security done right enables businesses to go at continue to modernize software engineering the speed they want while being able to manage around the cloud to ensure security and resiliency risk appropriately. and to further unlock its business value. Finally, we’re looking into crypto-agility and decoupling George Sherman: Technology is going to become the encryption process from the software- more segmented but also more hyperconnected. development process. You can see that in the evolution of the private, public, and hybrid cloud and with a combination Rohan Amin: Authentication is often the first of infrastructure-as-a-service, platform-as-a- experience a consumer has with an organization, service, and software-as-a-service providers so we’re working on the authentication strategy of clamoring to support new growth. But with this the future. Previously, authentication was thought hyperconnectivity comes hypercomplexity, and about as a channel-specific thing, meaning how with that comes fragility. Fragility leads to reliability do we authenticate you in the branch? How do and security issues. The enemy of a good security we authenticate you when you call in? How do we program is complexity. If we’re not careful in our authenticate you online or on mobile? execution, CISOs could end up with a “least common We’re working to bring these experiences together denominator” problem where their environments are in a secure and more integrated manner. We’re only as secure as their weakest controls. thinking about ways of putting the customers at the front of the design and about the multichannel ways Cybersecurity advice for newcomers people interact with us differently than in the past. Rohan Amin: Spend time with the folks in the George Sherman: Resiliency, availability, and business who have to use the stuff you’re creating. security are everyone’s responsibility, regardless If your objective is to help the business—which is of whether you’re involved with infrastructure, what it should be—then you need to spend time in applications, or both. Everyone must believe that the business to understand what it takes to deliver operational risk and information security are core something to a customer. If you spend time only requirements of their role, so you need to invest in security land, you really don’t understand the in training and move this to the forefront of your complexities the builders go through to deliver. team’s minds, or you will end up with yet another Knowing what I know now, building simplicity into remediation program. security-control adoption is where I’d recommend they focus. Secure by design is critical. You can build systems that are reliable and available, but they may Anish Bhimani: My first advice is that life never not necessarily be secure. But when you build moves in a straight line. You need to be able to secure systems, you often end up with ones that adapt to constantly changing circumstances. are both reliable and available. The disciplines Well-roundedness is critical, and everything you around security tend to lend themselves to the do should get you a step closer to your goals. same disciplines as resiliency and availability or Rotations are valuable in gaining experience in operational efficiency and effectiveness. security and infrastructure.

James Kaplan is a partner in McKinsey’s New York office.

Protecting the business: Views from the CIO’s and CISO’s offices 109 Enable digital technology delivery The modern CISO: Managing scale, building Thetrust, modern and CISO:enabling the Managingbusiness scale, building

trust,The modern and CISO is uniquely enabling positioned to bridge the gaps across businesstechnology, processes, automation, and cybersecurity. The modern CISO is uniquely positioned to bridge gaps across technology, processes, automation, and cybersecurity.

March 2020

110 The modern CISO: Managing scale, building trust, and enabling the business Securing the information of a multibillion-dollar getting bogged down. You also have to have very enterprise with more than a quarter of a million strong leaders under you that you can trust. I am employees is a daily Herculean labor. Enterprise fortunate to have a fantastic team. chief information security officers (CISOs) must James Kaplan: How are you addressing security manage myriad cybersecurity threats, automation, concerns amid increasing automation and regulatory compliance, and ever-evolving continuous controls monitoring? technologies. Jason Witty, global CISO, JPMorgan Chase, discusses his role and these challenges Jason Witty: We put a lot of effort around controls with McKinsey’s James Kaplan. as code, or policies as code, ensuring the ubiquity of modern software engineering practices across This interview is part of a series of interviews on the firm. All of our applications are in the process the evolving relationship between the CISO and of being rearchitected to support a modern CIO. (See “Protecting the business: Views from the software environment, with automated, self- CIO’s and CISO’s offices,” on McKinsey.com.) evidencing controls built in. James Kaplan: How do you define the role of We have hundreds of engineers on the security a CISO? side dedicated to automation, such as by making Jason Witty: A CISO drives and controls an agenda, controls seamless and integrating security tools and building trust is critical in implementing that within the product, platform, and service pipeline. agenda, because trust is a force multiplier. As a It’s all about data and code now. This ensures CISO, my priorities are to protect the firm, enable strong integration and collaboration with the the firm to drive growth, and make this growth as businesses as well. Security is thought of as a seamless as possible from a security standpoint. part of each technology capability or product Being a successful CISO these days involves rollout, which is a tremendous advance compared wearing many hats, from business to risk to to a decade ago, when security was viewed as a technology to software engineer. You must be hindrance. aware of the threat landscape and understand James Kaplan: In years past, security was human behavior. You also have to know how to fragmented. How have the organizational structure work with regulators and gain trust from multiple and lines of responsibility evolved? stakeholders. Jason Witty: DevOps has significantly changed Doing those things gives you a firmwide view of the way that IT in general thinks about product what’s going on in the business, what’s going on management, application development, and in technology, what’s going on in risk, and what’s production support. Site reliability engineering going on in the legal and regulatory landscape. (SRE) is a big focus, along with our product This allows you to connect the dots in a way that journey. It’s a change in traditional telemetry other roles simply do not provide. management from years ago, when it was very You must constantly be shifting, adapting, and fragmented and siloed. Our software environment learning. I spend about two hours every morning provides transparency, which enables people to just digesting what’s changed since I went to bed, respond quickly to issues. be it new threats, bad actors, or vulnerabilities. We’re simultaneously integrating core functions Then you need to translate this into digestible with SRE, as well as modernizing the environment. content for a nontechnical audience, which This means more colocation and cocreation, which requires good soft skills as well. spur both product and security innovation. We’re James Kaplan: How do you manage the complexity completely aligned on the customer and client of an institution the size of JPMorgan Chase? experience. Jason Witty: You manage scale. You build James Kaplan: How are new technologies like trust. You have command of the details without cloud impacting the institution?

The modern CISO: Managing scale, building trust, and enabling the business 111 Jason Witty: Today’s modern software environ- James Kaplan: Are you experiencing the talent or ment is faster from a business-capability stand- skills gap that we hear about in the cybersecurity point. You have more incremental change and space? faster release cycles; you can also know earlier Jason Witty: Yes. We have myriad ways we try when something goes wrong, which means you to address that. We have programs specifically can respond faster. focused on bringing in non-computer-science James Kaplan: There’s often an overlap between talent, who we put through coding boot camps infrastructure and security engineering. How have and upskill. We also have a Cyber Kids school you addressed this collaboration? program that goes into schools and provides basic The benefits of a CISO skills training on internet safety and security. Jason Witty: The product model supersedes We hope to help spur interest in STEM-related departmental silos. When you have multiple teams activities and careers. We also recruit talent from working on the same set of issues, it completely background to a the military and affinity groups to attract the best transcends organizational boundaries. If everyone talent available. We were a founding sponsor of involved understands the end objectives and how the Financial Services Information Sharing and they are measured, then they’re all pointing the business-unit CIO Analysis Center’s (FS-ISAC’s) scholarship program needle in the same direction. It’s a combination of for female university students looking to pursue a site reliability engineering and product that makes A deep understanding of cybersecurity is a competitive advantage. career in cybersecurity. Recruiting the right people the process more seamless. is critical, but retaining them is also important, James Kaplan: As the product model becomes hence our emphasis on upskilling, training, and more pervasive, how does the role of the CISO continuing education. change over time? James Kaplan: If you look down the road for the Jason Witty: The role of the CISO has already next three or four years, what keeps you up at changed. It’s about measured risk taking, not risk night? elimination. This measured risk taking must also Jason Witty: “Deepfakes” are a concern, so evolve with the availability of new technologies. having the ability to prove that who you are You must constantly adapt, train, and educate talking to is actually the person you think you are so that you can adjust the control environment talking to is vital. Artificial-intelligence (AI) and to enable the things the business is trying to natural-language-processing algorithms are also accomplish. advancing rapidly, posing new reputational and James Kaplan: Talk about the collaboration financial threats in addition to opening new doors around regulatory compliance. for business growth. Jason Witty: We take compliance very seriously. Safely enabling AI and maintaining our ability to We are constantly mapping and cross-mapping keep up with the velocity of automated attacks international regulations to our control is also something being much discussed. We’ll environment and legal obligations. We’re always continue to modernize software engineering looking for better ways of automating that around the cloud to ensure security and resiliency process. We’re adopting the Bank Policy Institute’s and to further unlock its business value. Finally, Financial Services Sector Cybersecurity Profile we’re looking into crypto-agility and decoupling as our framework of frameworks in 2020 and the encryption process from the software- encouraging regulators to start auditing against development process. the profile, which has the potential to be an industry-wide game changer.

James Kaplan is a partner in McKinsey’s New York office.

March 2020

112 The modern CISO: Managing scale, building trust, and enabling the business Enable digital technology delivery The benefits of a CISO background to Thea business-unit benefits of a CIOCISO background to a

business-unitA deep understanding of cybersecurity CIO is a competitive advantage. A deep understanding of cybersecurity is a competitive advantage.

March 2020

The benefits of a CISO background to a business-unit CIO 113 Although chief information security officers Rohan Amin: I’m still getting up to speed! It is a (CISOs) focus on technology and chief information behemoth of a business, with more than 52 million officers (CIOs) concentrate on the business, their digitally active consumers. I have never been the missions are inextricably linked. A CIO with a foot CIO of a consumer bank. That I am, I think, is a in each world enjoys a unique perspective that testament to how the organization thinks about can only enhance effectiveness and better serve talent development and mobility. Second, I wanted the enterprise. Rohan Amin, CIO, Consumer & to do something where I was forced to learn a lot Community Banking, JPMorgan Chase, explains of new things and was intellectually stimulated and to McKinsey’s James Kaplan how his CISO fully engaged. I got all of that. background prepared him for the CIO role. James Kaplan: Having been a CISO provides an This interview is part of a series of interviews on interesting background for a CIO role. Was there the evolving relationship between the CISO and anything about your CISO experience that made CIO. (See “Protecting the business: Views from the you a more effective business-unit CIO? CIO’s and CISO’s offices,” on McKinsey.com.) Rohan Amin: When we think about what matters James Kaplan: What was it like making the most to our customers, running a disciplined transition from CISO to business-unit CIO? What environment with stability, resiliency, controls, and was unexpected once you moved into the CIO role? data privacy are non-negotiables. Being in the CISO role obviously instilled a lot of that in me. Rohan Amin: I had the technical background, but the main learning curve was getting much closer to The other aspect that’s helpful in having a CISO the technology that supports the business – and, background is a deep understanding of non- of course, the business processes – itself. I’m functional requirements and how to make them thankful I get to work with an incredible team, and easier to adopt. For example, modernizing our they have been very supportive of me in my new applications and striving for platform-centric role. In a CISO role, you can be a step removed, so thinking help to focus our engineers on the most it’s been a great learning experience for me. relevant business functions, which are the features and value for customers. James Kaplan: Where has the learning curve been the fastest? Where has it been the steepest? As a CISO, you have a global view of risk and what the issues are and how you think about enterprise Rohan Amin: I began my career as a software management in the application-development engineer and have led large development teams, context. Some CISOs are policy and governance so that was a more comfortable part of the focused only, while others have a stronger transition. The greater learning curve has been technical and business background. Having a around the business itself and the business technical background and being able to effectively strategy. In my previous CISO role, the primary communicate complex issues to the business have set of relationships I had were mostly with the served me well. technology risk-and-controls community. While I did have a presence at the business table, most James Kaplan: What advice do you have for CISOs day-to-day interaction was with our technology who may aspire to someday become CIOs? teams. In my current CIO role, I am balancing Rohan Amin: In the CISO role, you get a deep across two senior teams, so my interaction with appreciation for the importance of the control different stakeholder communities has increased environment and security. You learn that everyone dramatically. understands the importance of controls but wants James Kaplan: How long did it take you to get control adoption to be more seamless and part of up to speed on the consumer banking side of the the engineering process. business?

114 The benefits of a CISO background to a business-unit CIO Security-and-controls teams face a continuous complexities the builders go through to deliver. challenge to figure out how to make this stuff Knowing what I know now, building simplicity into simple and easy to use. This requires the security-control adoption is where I’d recommend engineering work to make it easy to adopt, easy to they focus. innovate on the platform, and easy for engineers James Kaplan: What do you know now that you to do the right thing. People can’t be forced to wish you had known a year or two ago? read thousands of pages of policy to figure out the right thing to do. The right thing to do should Rohan Amin: I have a much greater appreciation be easy and baked into the platforms and enabled for our engineering and development teams and via software, so that something as simple as “you the challenges they face in trying to do the right should encrypt your data” isn’t something every thing. There are so many things hitting them engineering team has to figure out for itself. Make at once – modernization, cloud, data security, security the easy answer, not the hard answer. controls, resiliency, regulatory, and, of course, business functionality. I would have had a far James Kaplan: Do you think the skill sets of CISOs greater sense of urgency about what a difficult and CIOs will converge over time? environment we create for builders if we’re not Rohan Amin: To some degree, yes. If you want putting them first and thinking about them as to help the builders, you have to know how customers. That’s a different mindset, one I would to build. As a CISO, if you are not close to the have acted on faster if I’d had the insights into their modernization agenda – modern architectures, challenges that I do now. cloud, data, machine learning, and so on – then James Kaplan: How do you advance the skill sets it’s hard to effectively guide an organization in the of development teams? right direction. That said, the risk-and-controls discipline is also rapidly evolving, with increasing Rohan Amin: Your development teams’ training focus on data governance, privacy, and operational should be balanced with what you ask those resiliency in a world powered by the cloud and development teams to focus on. You can’t train for machine learning. everything, and the evolving complexity demands that we make this easier for engineers. For James Kaplan: What advice would you have for a example, typically you run your software through a business-unit CIO who’s never been a CISO about scanning tool designed to highlight vulnerabilities, establishing an effective relationship with a CISO? and typically, the security tool reports thousands Rohan Amin: Take the time to understand in of things you need to fix. But when you go through detail what those teams are seeing. Because data sets and reports, there’s simply too much when you’re on the outside of that, it’s sometimes to handle. A good security team will say, “Here difficult to appreciate the full extent of the problem are the discrete actions you need to focus on they’re trying to solve. It’s unlike other aspects and take,” as opposed to, “Here are 5,000 things of the technology organization. Understand the that you need to figure out the importance of challenges those teams face as they try to keep addressing.” the bank and the firm safe. That’s an eye-opener in James Kaplan: How do you address security terms of thinking through how you build software training for developers? and the values that you instill in the organization. Rohan Amin: Increasingly, we’re baking those James Kaplan: Is there any advice you would give requirements into the software-development life to folks newly entering the security domain? cycle itself, so you don’t deploy software that has Rohan Amin: Spend time with the folks in the issues. That, to me, is the ultimate way to solve this business who have to use the stuff you’re creating. problem. You need the training, but you also have If your objective is to help the business – which is the tool chain and the telemetry. Enforce what you what it should be – then you need to spend time in want through a controls-and-security perspective. the business to understand what it takes to deliver With cloud applications, these platforms are something to a customer. If you spend time only automatically enforcing the control environment. in security land, you really don’t understand the

The benefits of a CISO background to a business-unit CIO 115 So if you’re not compliant, your workload won’t get about as a channel-specific thing, meaning how deployed or run in production. That’s a big change do we authenticate you in the branch? How do in mindset. And to be clear, I’m referring to cloud we authenticate you when you call in? How do we generically – private or public. authenticate you online or on mobile? James Kaplan: Authentication is an incredibly We’re working to bring these experiences together important part of the consumer-banking experience. in a secure and more integrated manner. We’re What are your thoughts about managing that? thinking about ways of putting the customers at the front of the design and about the multichannel ways Rohan Amin: Authentication is often the first people interact with us differently than in the past. experience a consumer has with an organization, so we’re working on the authentication strategy of the future. Previously, authentication was thought

James Kaplan is a partner in McKinsey’s New York office.

116 The benefits of a CISO background to a business-unit CIO Enable digital technology delivery Robust cybersecurity requires much more Robustthan great cybersecurity technology requires much more thanSecurity is increasinglygreat an interdisciplinary technology capability.

Security is increasingly an interdisciplinary capability.

March 2020

Robust cybersecurity requires much more than great technology 117 It’s easy to view the 21st-century “threatscape” race car because you’re wearing a fireproof suit, through a purely technological lens. But today’s you’re in a protective cage, you have an automatic chief information security officers (CISOs) fire-extinguishing system, and you were trained. and chief information officers (CIOs) need to This allows you to drive superfast. But getting to understand and appreciate the people and that point can feel slow. CISOs who “get it” spend a process elements as well. George Sherman, CIO little bit more time up front being thoughtful about of Global Technology Infrastructure, JPMorgan their execution. Chase, discusses his multiprong outlook on James Kaplan: Does that need to understand information security with McKinsey’s James the technology environment holistically at every Kaplan. layer in the stack provide a good background for a This interview is part of a series of interviews on future business-unit CIO? the evolving relationship between the CISO and George Sherman: We are unique and fortunate CIO. (See “Protecting the business: Views from the in that three of our CIOs are former CISOs. This CIO’s and CISO’s offices,” on McKinsey.com.) makes the CISO’s life much easier, specifically as James Kaplan: How does your security back- it relates to how you design, deliver, and execute ground shape your approach to your current role? the business-process automation efforts. Thanks to our security background, we tend to think George Sherman: I use my technical-security about data protection and security earlier in our skills on a daily basis. With new technology processes and require that security and controls and connectivity platforms, many of our older be embedded into all the technology we deliver. security paradigms are being stressed. In the past, you could get away with not having the most James Kaplan: Given all that’s changing, robust identity or authorization constructs and particularly around cloud and digitization, how authentication and authorization metrics. This different will the skill set of a CISO be in a decade? is no longer the case, as the dynamic nature of George Sherman: You can go back a decade these modern technologies requires dynamic and see how much has changed. Everything management of the trust chain. seemed much simpler. The successful CISOs If you add to this the complexity of the multivendor of the future can’t be process managers. They cloud environments connecting into our must have a deep understanding of technology. companies, you must have a strong understanding Imagine leading thousands of software engineers of the “threatscape” and how you deal with but never having actually written a line of code. cybersecurity issues. Everyone within the At some point, you have to ask yourself how you organization must understand that cybersecurity can relate to that community. And how will that is non-negotiable. We have to get it right all the community relate to you? Those questions are just time. The bad actors only have to get it right once. as relevant to today’s and tomorrow’s CISOs. James Kaplan: What makes for a good CISO? Also, the technology is going to become more segmented but also more hyperconnected. George Sherman: I think the best CISOs are the You can see that in the evolution of the private, ones who have learned about policy and controls public, and hybrid cloud, and with a combination but at their core are very strong technologists. The of infrastructure-as-a-service, platform-as-a- CISO role must evolve with the threat landscape service, and software-as-a-service providers and technologies. You must understand the clamoring to support new growth. But with this technical side of cybersecurity. But information hyperconnectivity comes hypercomplexity, security and protecting against cyberthreats and with that comes fragility. Fragility leads to are also about people and process, not just reliability and security issues. The enemy of a technology, so you have to understand all three good security program is complexity. If we’re not dimensions in order to fully appreciate what you careful in our execution, CISOs could end up with a have to do to protect the firm. “least common denominator” problem where their Sometimes you have to go slow to go fast. It’s the environments are only as secure as their weakest old race-car analogy. You can go really fast in a controls.

118 Robust cybersecurity requires much more than great technology James Kaplan: CISO and infrastructure George Sherman: Resiliency, availability, and responsibilities often overlap – for example, in security are everyone’s responsibility, regardless patch management. How do you deal with this? of whether you’re involved with infrastructure, applications, or both. Everyone must believe that George Sherman: Having clear lanes of operational risk and information security are core responsibility is important. If you view patching requirements of their role, so you need to invest and life-cycle management as a tax or a duty, in training and move this to the forefront of your then you really don’t understand the need to team’s minds, or you will end up with yet another keep software current and manage it in a near- remediation program. real-time way. This mindset translates into your organization’s view of these functions as a burden. Secure by design is critical. You can build systems A CIO has the responsibility to design and direct that are reliable and available, but they may their organization to understand that this isn’t not necessarily be secure. But when you build a burden but instead a core part of their team’s secure systems, you often end up with ones that job. Protecting the firm, keeping it patched and are both reliable and available. The disciplines updated, is everyone’s responsibility. around security tend to lend themselves to the same disciplines as resiliency and availability or James Kaplan: Where does security fit into operational efficiency and effectiveness. people’s roles in IT?

James Kaplan is a partner in McKinsey’s New York office.

Robust cybersecurity requires much more than great technology 119 Enable digital technology delivery Enterprise-wide security is both a technology and business issue Enterprise-wide security is both a technology and businessCISOs have important issue skills that can position them for the CIO role. CISOs have important skills that can position them for the CIO role.

March 2020

120 Enterprise-wide security is both a technology and business issue A chief information security officer (CISO) focuses new digital platforms. And as regulatory scrutiny on creating a secure operating environment, intensified around technology, we paid more while a chief information officer (CIO) strives to attention to technology control than to security. deliver value to the business. But if you don’t Since then, our level of focus on cybersecurity in get the former right, it becomes impossible to the entire organization has been fantastic. do the latter. Anish Bhimani, CIO, Commercial James Kaplan: Are there things you know now Banking, JPMorgan Chase, has filled both roles. that you wish you had known then in your CISO role He discusses how they interact – and how they are that could have made you more effective? evolving – with McKinsey’s James Kaplan. Anish Bhimani: What I realize now is that a This interview is part of a series of interviews on lot of the things we try to do centrally have a the evolving relationship between the CISO and tremendous impact on people. I can now set CIO. (See “Protecting the business: Views from the and drive the tone for the organization so that CIO’s and CISO’s offices,” on McKinsey.com.) we get in front of security issues, remediate, James Kaplan: Tell us about your cybersecurity and move on to the next challenge. I also did not journey. fully appreciate the transition from developing policy to implementing policy. Finally, we probably Anish Bhimani: I joined JPMorgan Chase in 2003, should have pushed business leaders harder much nominally as the CISO. I say “nominally,” because earlier by stressing that security was not just a when I got here, we were heavily outsourcing our technology issue, but a business issue as well. cybertechnology. My role was largely a policy- vetting job, and I had 12 people working for me. James Kaplan: Technology has changed. In years past, it was a 15-minute conversation in passing. Everything changed dramatically when we By the early 2000s, you’d have a daylong strategy merged with Bank One. The role became much session. How is the topic being addressed at the more technology oriented and transformed into highest levels of the organization? execution as well as policy. We were initially responsible for issues such as threat response, Anish Bhimani: I used to go to the board of vulnerability management, security infrastructure, directors and the audit committee annually for and so on. At that point, we didn’t have a CISO, so about 20 minutes. We now meet with the board the challenge was getting the right level of buy-in eight times a year for at least an hour each time. from the CIOs, and we were pushing hard to get James Kaplan: Discuss your transition from CISO people to pay attention to cybersecurity matters. to CIO. In 2009, the role was made into a proper CIO- Anish Bhimani: I spent my entire career aspiring level role, as it is today. It was at that point to be the CISO of a large bank, and when I got that cybersecurity had more visibility. Cyber the job, it was a significant accomplishment in became visible across the entire organization, my career. When I then became a CIO, it meant with leadership driving the tone. It felt like a shifting to more of an implementation approach, remediation exercise. We began to see an increase and I was eager to work with the business. But in denial-of-service attacks and malware, and despite my excitement, I was clear that job number leadership said, “This is more than a technology one is having a secure and resilient operating problem; it’s a business problem. Let’s fix it.” environment. If you don’t do job one, you don’t James Kaplan: What happened when internal earn the right to do job two, which is to deliver stakeholders realized that cybersecurity was a value to the business. business-critical issue? James Kaplan: What do you miss about your Anish Bhimani: We began putting the right CISO role? resources behind it. Businesses were trying to Anish Bhimani: You always miss the cat-and- find a balance between security and the growth of mouse challenge, the game theory, as well as the

Enterprise-wide security is both a technology and business issue 121 problem solving and intellectual curiosity. There Understand your business’s priorities. One of is also a very active peer and industry community the things I am most proud of is the professional for best-practice sharing, since everyone is facing development of my direct reports. During my time many of the same challenges. It’s amazing how the as CISO, 21 of the people I managed went on to CISO role has evolved. serve as CISOs elsewhere. So you must develop the people, not just their roles. James Kaplan: How do you see the CIO role evolving? James Kaplan: It sounds like one of the biggest priorities is security remediation. Anish Bhimani: The ongoing debate is where security should report. Some say security can’t Anish Bhimani: It’s less remediation and more report to IT, because it’s a conflict of interest. about how you proactively build controls. For Others say there’s no way you can get the job example, several years ago, when we found a done reporting outside of IT. I think that, in years serious issue with some systems, we would run to come, security will become more embedded a remediation program that took days or weeks. within the IT fabric of any organization as standard Now, a similar incident is opened and fixed before operating practice. people go home. There is also the client impact. As we become James Kaplan: Talk about the movement to cloud better at securing systems, the point of applications. vulnerability moves from the system to the person. Anish Bhimani: When moving to the cloud, the Security becomes every employee’s responsibility. first priority is figuring out your technology and Cyber organizations are now building frameworks, business priorities and then striking a balance. working across infrastructure with developers on Services and architecture templates need to be systems such as cloud. So the architecture of how validated and automated for cloud configuration. the CIO goes about implementing infrastructure Second, cloud security can be a business enabler, and security policies will evolve with the role itself. and we know that businesses need to grow and A security organization will always attempt to be thus must move fast. agile, but it’s very challenging when you’re moving at the speed of light. Why do you have brakes on a car? It’s not just to stop. It’s so you can go fast, secure in the James Kaplan: Do you see the CISO and CIO roles knowledge that you can stop whenever you want integrating? or need to. Security done right enables businesses Anish Bhimani: Every CIO should spend time to go at the speed they want while being able to in a security role, since it makes you think manage risk appropriately. differently. Regardless of your role, you’re never James Kaplan: What type of advice would you out of security. With new technologies, including offer someone who is just beginning their career automation, security is a layered process. It’s built in cyber? into the fabric of the organization, from process to people. Anish Bhimani: My first advice is that life never moves in a straight line. You need to be able to James Kaplan: What advice can you offer on adapt to constantly changing circumstances. breaking down silos and managing talent? Well-roundedness is critical, and everything you Anish Bhimani: Understand how to navigate do should get you a step closer to your goals. the organization. Manage conflicts. Keep your Rotations are valuable in gaining experience in objectives in mind while managing these conflicts. security and infrastructure.

James Kaplan is a partner in McKinsey’s New York office.

122 Enterprise-wide security is both a technology and business issue Enable digital technology delivery Securing software as a service Risk Practice Securing software as a service

HereHere is how is SaaShow SaaS providers providers can meetcan meet the security the security needs of their needsenterprise of their enterprise customers. customers.

by Rich Cracknell, James Kaplan, Wolf Richter, Lucy Shenton, and Celina Stewart

by Rich Cracknell, James M. Kaplan, Wolf Richter, Lucy Shenton, and Celina Stewart

September 2019

Securing software as a service 123 Companies are rapidly adopting software as a The security challenges of software as service (SaaS) in place of purchasing commercial a service for adopting companies off-the-shelf software (COTS). Companies Our survey polled chief information-security using SaaS rely on SaaS vendors to host their officers (CISOs) and other cybersecurity applications in the cloud instead of running them in professionals from more than 60 companies of their own data centers. Industry analysts estimate varying size in a range of industries. We wanted that the SaaS market will grow by more than to understand how companies experienced SaaS 20 percent annually, reaching nearly $200 billion offerings and how they responded to security by 2024, a level that would represent nearly one- challenges. Almost universally, respondents third of the overall enterprise-software market. confirmed what we had suspected: they have With enterprise values for SaaS businesses increased their focus on security for SaaS reaching approximately seven times forward offerings, emphasizing capabilities at the revenue, software companies are racing to convert intersection of the vendor’s and their own security from on-premises to SaaS-based delivery models.1 environments. They expressed a fair amount Most companies, therefore, will eventually of frustration with shortcomings in vendors’ confront the cybersecurity risks inherent in the cybersecurity capabilities, which often caused SaaS approach. These are different risks from delays in contracting and implementation. In their those posed by on-premises COTS. In building view, SaaS vendors need to take a much more COTS, the vendor takes responsibility for removing customer-centric approach to security, making security vulnerabilities from the application code. it easier to understand their products’ security The customer, however, installs the software, capabilities, easier to integrate them with the rest configures it, and takes responsibility for running of the enterprise-security environment, and easier it in a secure infrastructure. For SaaS offerings, to configure them in a secure and compliant way. the vendor takes on many of the security All the companies we spoke with had already responsibilities previously assumed by the begun to make the transition to SaaS offerings. customer. About half had used products from 20 or fewer Companies do not always feel comfortable with SaaS vendors, about a quarter from more the indirect relationship to cybersecurity risk than 80. Almost all companies surveyed were that SaaS presents, mediated as it is through deploying SaaS offerings in at least one major vendorbased protections. More important, area, especially office automation, IT-service SaaS vendors have not always ensured that management, and niche business applications their products meet their customers’ security (Exhibit 1). requirements. That is the story that emerged from Many security executives said that their our survey of cyber professionals from companies organizations were not ready to use SaaS in seeking to adopt SaaS solutions.2 Their responses some critical domains, however, because of also provide insights into how enterprises the potential risks. These include enterprise- should think about security in an SaaS world and resource-planning applications, where downtime important clues for SaaS vendors on how to earn can prevent the entire business from functioning. the confidence of their enterprise customers. Similar concerns were raised for engineering- or manufacturer-related applications. For health- related applications and applications that may contain M&A information, the biggest barriers to SaaS adoption concern data confidentiality.

1 KBV research cited in “Software as a service (SaaS) market to reach a market size of $185.8 billion by 2024: KBV Research,” PR Newswire, December 19, 2018, prnewswire.com; Enterprise software market research report – global forecast 2023, Market Research Future, May 2019, marketresearchfuture.com; “Just where are SaaS companies priced after the 2018 correction?,” Tomasz Tunguz, December 26, 2018,tomtunguz.com. 2 2019 McKinsey Customer Perspectives on SaaS Survey of chief information-security officers (and managers responsible for cloud security or vendor security) from more than 60 organizations. More than half of the participants were from companies in financial services, insurance, pharma, and health services, with the rest spread across the government, industrial, and tech sectors. Each third (approximately) of the responding companies had respective annual IT budgets of $500 million and above, $50 million to $500 million, and less than $50 million. Most respondents were from companies based in the United States. Differences in size, geography, and sector apart, however, the companies largely expressed similar concerns.

124 Securing software as a service McKinsey on Risk 8 Securing the path to software Exhibit 1 of 3

Exhibit 1 Surveyed enterprises most commonly used software as a service for o ce automation, IT-services support, and niche business applications.

Level of SaaS¹ adoption by usage type, % of respondents (n = 61)

Enterprise Customer Governance, Other (eg, Oce IT-services Human resource relationship risk, and marketing and automation support resources planning management compliance sales, R&D)

92 84 61 49 44 25 93

¹ Software as a service. Source: McKinsey Customer Perspectives on SaaS survey

Prioritiesrelated applications in attempting and applications to secure that may revealedproviders that to most host companies, and manage especially their security large keys. softwarecontain M&A as information, a service the biggest barriers to ones,The do majority not entrust prefer SaaS to hold providers their tokeys host on and premises SaaS adoption concern data confidentiality. managethrough their a hardware security keys. security The majority module, prefer retain to In their relationships with SaaS vendors, most holdmanagement their keys on control premises of cloud-hostedthrough a hardware keys, or respondents use questionnaires to gauge securityuse a combination module, retain of management methods (Exhibit control 3). of These security capabilities but criticize the approach as Priorities in attempting to secure cloud-hostedapproaches keys, allow or companies use a combination to control of methods access imprecise, incomplete, and overly time consuming. (Exhibit 3). These approaches allow companies software as a service to sensitive information. It also ensures that Security executives tend to focus on four key to control access to sensitive information. It In their relationships with SaaS vendors, most government agencies cannot gain access to and issuesrespondents when useconfronting questionnaires SaaS tocapabilities: gauge security also ensures that government agencies cannot unencrypt their data without contacting them first. encryptioncapabilities andbut criticize key management, the approach identity as imprecise, and gain access to and unencrypt their data without accessincomplete, management and overly (IAM),time consuming. security monitoring, Security contactingThe survey them further first. revealed that companies want andexecutives incident tend response to focus (Exhibiton four key 2). issuesNotable when is that a degree of sophistication in key management eachconfronting of these SaaS issues capabilities: has more encryption to do with and the key Theso survey that they further can revealed grant access that companies to data for want a a degree of sophistication in key management so that interfacemanagement, between identity the and customer access management and the SaaS (IAM), certain period of time or revoke access quickly. they can grant access to data for a certain period of providersecurity monitoring,than with the and providers’ incident response intrinsic (Exhibit technical This preference again emphasizes that most 2). Notable is that each of these issues has more time or revoke access quickly. This preference again protections, such as code security and endpoint respondents want to exercise full control over their to do with the interface between the customer and emphasizes that most respondents want to exercise protection. sensitive information. the SaaS provider than with the providers’ intrinsic full control over their sensitive information. Encryptiontechnical protections, and key managementsuch as code security and Identity and access management Applicationsendpoint protection. running in the cloud and data IdentityIdentity and management access management is the act of confirming that stored there are not protected by a traditional Identityeach user management is the person is the heact or of sheconfirming purports that to be. each user is the person he or she purports to be. corporatesecurityEncryption and key perimeter management of firewalls and the Access management is the determination that a Access management is the determination that a user like.Applications As a result, running security in the becomes cloud and essentially data stored user does or does not have legitimate rights to there are not protected by a traditional corporate- does or does not have legitimate rights to retrieve reliant on encryption and management of the retrieve data or use an application. As important security perimeter of firewalls and the like. As a data or use an application. As important as both keys that provide access to encrypted data. as both identity and access management are on result, security becomes essentially reliant on identity and access management are on company Ourencryption interviews and revealedmanagement that of most the keys companies, that premises,company they premises, are even they more are important even more for cloud-important especiallyprovide access large to ones, encrypted do not data. entrust Our interviewsSaaS basedfor cloud-based applications. applications.

Securing software as a service 3

Securing software as a service 125 McKinsey on Risk 8 Securing the path to software Exhibit 2 of 3

Exhibit 2 Enterprise customers focus on the interface between software-as-a-service providers and their own security environments.

Capabilities that respondents would like to see from SaaS¹ vendors, % of respondents (n = 61)

Encryption and Advanced identity Granular security telemetry Incident response encryption key and access management and integration with tools requirements are management options, (IAM) capabilities, including used in the security operations starting to extend including self-managing, integration with federated center and security incident beyond simple notica- SaaS vendor-to-host IAM and role-based IAM and event management tions, to include shared managed, and hybrids (SOC/SEIM) platform information and joint simulations

Encryption and Integration with Role-based IAM Monitoring Integration Incident-response key management federated IAM (employee side) and logging with SOC/SIEM capabilities

56 54 54 52 49 49

Data Business Application-level Country-based User-behavior residency resilience encryption at rest employees analytics, insider threat

33 26 26 10 5

¹ Software as a service. Source: McKinsey Customer Perspectives on SaaS survey and interviews with more than 60 industry leaders

Security executives emphasized that two IAM including the ability to provide selected people with capabilities are especially important to them. First, the authority to access certain data or undertake Security executives emphasized that two IAM Security telemetry and monitoring they want tight, easily implementable integration certain transactions within an application. capabilities are especially important to them. First, Increasingly, CISOs acknowledge that they between SaaS applications and widely adopted they want tight, easily implementable integration cannot prevent every instance in which security enterprise IAM tools. Companies deploy hundreds Security telemetry and monitoring betweenor thousands SaaS of applications applications, anddozens widely of which adopted are Increasingly,is compromised. CISOs acknowledgeThey therefore that want they the enterpriseSaaS applications. IAM tools. They Companies cannot expect deploy users hundreds to cannotnecessary prevent transparency every instance to in identify which security and assess is ormemorize thousands yet ofanother applications, password dozens for each of newwhich SaaS compromised.emerging security They therefore risks quickly want theand necessary thoroughly. As areoffering SaaS that applications. is adopted. They They cannotwant to expectallow users users transparencycompanies toadopt identify SaaS and offerings, assess emerging data from SaaS toto memorize sign into SaaS yet another applications password via enterprise-wide for each new securityproviders risks about quickly usage and thoroughly. patterns become As companies critical to SaaSIAM platforms, offering that which is adopted.will provide They additional want to features allow adoptthis analysis.SaaS offerings, data from SaaS providers userslike two-factor to sign into authentication. SaaS applications Second, via they enterprise- need about usage patterns become critical to this analysis. Security reporting is the baseline capability widesophisticated, IAM platforms, role-based which access will provide management, additional CISOs demand. They want a clear view – usually features like two-factor authentication. Second, consolidated in a dashboard – of the users that they need sophisticated, role-based access have been accessing their data and what they have 4 management,Securing software including as a service the ability to provide done with it. Without this kind of transparency, selected people with the authority to access implementing even the best security concepts certain data or undertake certain transactions can be a “nightmare,” as one security executive within an application. remarked.

126 Securing software as a service McKinsey on Risk 8 Securing the path to software Exhibit 3 of 3

Exhibit 3 Most enterprises do not fully entrust software-as-a-service providers with hosting and managing encryption keys and so use dierent control methods.

Preferences for hosting and managing encryption keys, by level of estimated IT spending,¹ % of respondents (n = 44)

SaaS² hosted but customer Hybrid (varies by vendor On-premise, managed by customer managed SaaS hosted and managed size, maturity)

High IT spend 33 14 24 29

Companies with a high Some companies allow Some companies may trust Other companies prefer A variety of hybrid SaaS adoption rate vendors to host keys large vendors to host and to utilize 3rd-party approaches to and high IT spending but prefer to retain manage keys but prefer to key management, so that encryption key prefer to manage their access management retain control rather than neither they nor the management are keys on-premises relinquish it to an unproven vendor manages keys being used or niche vendor

Low IT spend 29 46 25

On-premises, managed by customer SaaS hosted and managed Hybrid (varies by vendor size, maturity)

1 All IT-spending estimates rely on information from “IT key metrics data 2019: Executive summary,” Gartner, December 17, 2018, gartner.com. ² Software as a service. Source: McKinsey Customer Perspectives on SaaS survey and interviews with more than 60 industry leaders

ManySecurity security reporting teams is the seek baseline to integrate capability data on andIncident event-management response platforms (SIEMs). As a SaaSCISOs usage demand. with They external-threat want a clear view—usually intelligence health-servicesEvery company CISO can explained, be breached. “On-premises Therefore, andconsolidated information in a fromdashboard—of the rest of the their users technology that securitysecurity controls teams are must getting implement extended tools into and the environmenthave been accessing to determine their data the and actions what theythey havemust cloud.practices Only afor few managing, SaaS providers mitigating, allow usand to resolvingpull takedone to with protect it. Without their thiscompany. kind of To transparency, accomplish logsincidents. to go into Naturally, our SIEM.” security A banking monitoring CISO said, plays “I a this,implementing the security even teams the best need security SaaS concepts providers can to be wantsignificant to integrate role within this, SOC/SIEM. as greater I want transparency something offera “nightmare,” application as one programming security executive interfaces remarked. (APIs), flexibleenables enough better to incident work with response. hardened SIEM tools, which will allow them to pull data into their security and something capable of integrating as well.” In Most organizations focus on SOC and SIEM operationsMany security centers teams (SOCs) seek to and integrate security-incident data on other words, CISOs want their vendors to make it easierintegration. to use APIs The for more integration. sophisticated They also security want andSaaS event-management usage with external-threat platforms intelligence (SIEMs). As a and information from the rest of their technology timelyorganizations service provision we spoke as wellwith as have accurate dramatically security health-services CISO explained, “On-premises environment to determine the actions they must informationbroadened from their their incident-response SaaS providers included requirements in security controls are getting extended into the take to protect their company. To accomplish this, service-levelto include joint agreements simulations, (SLAs). joint forensic activity, cloud. Only a few SaaS providers allow us to the security teams need SaaS providers to offer and intelligence sharing. One company even pull logs to go into our SIEM.” A banking CISO application programming interfaces (APIs), which Incidentsecured response the right from one provider to send said, “I want to integrate with SOC/SIEM. I want will allow them to pull data into their security- Everypersonnel company to thecan provider’s be breached. SOC Therefore, in the event of a something flexible enough to work with hardened operations centers (SOCs) and security- incident securitymajor breach. teams must implement tools and practices SIEM tools, and something capable of integrating as well.” In other words, CISOs want their vendors to make it easier to use APIs for integration. They Securing software as a service 5 also want timely service provision as well as accurate security information from their SaaS providers included in service-level agreements (SLAs).

Securing software as a service 127 Broader security concerns and adequate clarity on the data-privacy protections pain points in their offerings. One medical-products CISO pointed out that SaaS providers struggled to fulfill CISOs also stated broader concerns with SaaS data-residency requirements – identifying the vendors’ security capabilities. These include a lack countries where the data are stored. Companies of readiness of many SaaS offerings for integration need to know the residency to meet local data with the company’s larger security environment, as regulations. well as insufficient transparency on whether SaaS products meet local data-privacy requirements. A CISOs often cannot tell whether SaaS products further concern surrounds the experience of SaaS properly meet new data-privacy mandates, sales forces, which CISOs say can be ill informed including the European Union’s General Data and sometimes even outwardly deceptive about Protection Regulation (GDPR), Brazil’s General security-related issues. Data Protection Law, and the California Consumer Privacy Act. Companies need to know this Integration is challenging information to configure critical features, like Nearly two-thirds of companies express frustration encryption, data purging, and data logging, as they with the process of integrating SaaS products with ensure compliance. the rest of their security environments. The trouble spots cited are as follows: Respondents say that the claims SaaS providers make about product compliance are often — Lack of preexisting connectors to commonly overstated, so they don’t necessarily trust them. A used IAM and SIEM platforms technology company’s CISO said, “For things like — Insufficient functionality of APIs for obtaining GDPR, everyone is trying to figure it out; if anyone the information required, especially log claims that they are mature in their process around visibility at the platform level GDPR, I would question this. I would prefer a sense — Poor API documentation, confusing API-usage of openness [and] honesty around what SaaS semantics, and a shortage of relevant code providers are doing and why they believe they are samples compliant.” — Differently designed APIs for products from Uninformative sales interactions the same vendor Security executives assert that their interactions with SaaS-provider teams on security issues are — Lack of trained vendor personnel to assist in difficult and frustrating. They say that sales reps using APIs. make security claims that don’t appear to be CISOs complained of APIs that are not delivered, backed up by fact, and that vendors don’t have integration that is not achieved, even when the security experts they can talk to. Such experts, road map is followed, missing documentation, a who would know the technical specifications of the lack of active support, and no vendor response offerings, are needed to help companies decide when a problem develops. A biotech CISO how to configure SaaS offerings in a secure way. emphasized “the lack of security monitoring: [SaaS More than 70 percent of respondents said that vendors] forget about the confidentiality and uninformed or misleading claims about security integrity aspects of the monitoring.” capabilities were a cause of dissatisfaction. Reportedly, some sales representatives Limited focus on data privacy even misrepresent certifications or customer As major data breaches proliferate and regulatory references. One manufacturing company’s CISO attention mounts, data privacy is becoming an said, “I am sick of receiving glossy marketing issue in the decision-making process for SaaS materials, which are essentially snake oil when it contracting and implementation. Security teams, comes to security features . . . many, many vendors meanwhile, find vendors scrambling to provide will claim their security features are better than

128 Securing software as a service [what] a very simple assessment will reveal.” integration. After the company had devoted Another pointed out examples where simply significant resources to use the required APIs, checking a reference proved that the referenced it gave up and reverted to the existing version company had not used security features in the way of the application in order to ensure required the sales team had described. performance. In another example, new charges for security-related features were significant enough Implications on software as a service to sour the business case for adoption of a SaaS purchasing and contracting offering, causing the company to continue using the on-premises version. SaaS vendors’ shortcomings in security capabilities are shaping the ways enterprise customers contract for and use SaaS products. Actions software-as-a-service Negotiations about security terms and conditions providers can take to meet the (T&C) can add weeks or months to contracting security requirements of their processes. Survey respondents said the most enterprise customers challenging issues debated included financial For all the value that SaaS promises, security liability for breach events, required cyber- concerns limit enterprise customers seeking to insurance policies, and preferred location for legal make the transition from on-premises solutions to proceedings. SaaSbased ones. Fortunately, providers can take Security issues often disqualify providers from the following steps to remove barriers to SaaS consideration. For those that are considered, adoption. security remains a major concern; a few of our 1. Build agile security capabilities respondents told us that they had reverted to a Every company surveyed expected its SaaS provider’s on-premises solution because they providers to have a robust solution in place, could not become comfortable with the security including a secure development life cycle and provisions of the SaaS offering. When deploying a secure stack for hosting its application in SaaS offerings, security executives cited the cost production. However, changes in software- and complexity of the compensating controls they delivery models have disrupted existing security had to put in place to manage the accompanying practices and architectures. As established risk. Many decide to invest in specialized third- software vendors adopt agile development party tools to manage encryption keys, ensure methods to improve time to market, earlier compliance with corporate policies, analyze practices supporting a waterfall development vulnerabilities, enhance encryption, or track data process – sometimes put in place over decades – usage for SaaS offerings. CISOs also say that are becoming increasingly irrelevant. Since they must expend scarce talent and resources in software companies provide their applications via configuring and managing security offerings to their cloud but also host them on infrastructure meet their standards. provided by hyperscale cloud companies, years In a few reported cases, large companies called off and decades of experience designing secure planned migrations from an on-premises platform on-premise infrastructure stacks also become to an SaaS offering for security reasons. In one less relevant. Finally, the security organization can case, the vendor failed to meet commitments no longer “inspect for security,” since this delays to make the APIs mature for IAM and SIEM the process.

Security issues often disqualify providers from consideration.

Securing software as a service 129 SaaS providers must take a number of steps to Level 3. Create a specialized team to respond build agile security capabilities. They must design to sales-force inquiries, supported by a robust and build security into their agile development knowledge base to help answer more complicated processes. This includes automating security questions. Given the importance of API-based into the development tool chain, placing security integration, this group should act as a developer- champions on scrum teams, and training support function in many respects. It should also every developer on secure coding. They must invest in developing code samples and other furthermore build an infrastructure-operating artifacts that will make it easier for the customer’s model with a clear understanding of security security teams to implement the vendor’s ownership, determining what their cloud- products. infrastructure provider for security will do and Level 4. Provide a clear escalation path to security what they must do themselves. A secure system engineers who can answer the most complicated configuration in the cloud will be especially critical questions about IAM, telemetry, key management, here. Finally, underpinning all this, SaaS providers and other issues. must build an agile security organization, one that enables the business by providing automated Level 5. Prepare for customer T&C requests. security services, rather than slowing it down with Customers will ask about the assumption of inspections and rework. liability, preferred legal venues, and other issues. Vendors need to develop protocols for 2. Adopt a multilevel model for addressing the circumstances under which they will accept security-related customer inquiries requests, such as which requests will be accepted When asked about the characteristics of bestin- and from whom. Just as enterprise customers class SaaS vendors on security, 70 percent of seek to assign prices to security risk, vendors cyber professionals cited transparency on security may want to assign costs to special T&C requests. capabilities. They said that in selling, vendors Even if they cannot pass that cost along to the can distinguish themselves by giving informed, customer, this type of accounting tool can provide straightforward responses regarding security an indication of whether a deal is worth making. capabilities and aftersales onboarding. They also said that vendors should provide transparency 3. Aggressively facilitate integrations regarding updates and expected implications for The day of the stand-alone, monolithic application customer systems. Software vendors can meet ended years ago, for security features as well as these expectations with a multilevel model for for the enterprise-technology environment. SaaS addressing security-related customer inquiries. vendors should thus make it easier to integrate their offerings with the rest of their customers’ Level 1. Partner with third-party security assess- security environments. This requires several ment vendors to make data about security capa- actions. bilities easily available at a low cost. Some third- party platforms capture more than 1,200 data Build a comprehensive set of connectors to points about each vendor’s security capabilities. relevant security tools. Major SaaS providers SaaS providers have no reason to refrain from need to have pre-wired integration capabilities sharing this information with potential customers. for every major enterprise IAM platform, cloud IAM platform, privileged-access-management Level 2. Train the sales force in the basic security platform (PAM), and SIEM platform. So equipped, features of the offerings and ensure that they providers will enable customers to implement their respond to security inquiries accurately and products more quickly, less expensively, and with intelligently. In addition, vendors need to provide greater confidence that they are not introducing incentives to sales people that encourage them to new security vulnerabilities. ask for expert help rather than provide incorrect or incomplete information.

130 Securing software as a service Invest in building better APIs. Too often, SaaS vendors pay little attention to security APIs. Instead, they should create a consistent security- API model across the products they offer. They Over time, SaaS will largely replace traditional should work with customers’ security teams on-premises COTS applications, with enterprises to provide the granular capabilities required in benefiting from faster innovation, reduced the areas of encryption, key management, and complexity, lower operating costs, and massively telemetry. They should deploy simple, easy- reduced management spending on obsolete to-understand API semantics backed up by technologies. However, SaaS disrupts the documentation. traditional relationship between vendors and customers on security. With the vendor taking on Enhance security-related customer-success much more security responsibility than before, the teams. Nearly two-thirds of security executives security team is put right in the middle of SaaS- said that leading vendors were distinguished by adoption decisions. Moreover, companies cannot the superior technical expertise of their support accept SaaS products as security “black boxes.” organizations. This means that vendors should As we have emphasized, they must be able to enhance the security skills of the teams that help determine how to integrate them into the rest of customers implement their products. In addition their security environments. to improving customer outcomes, enhanced customer support could lead to more sales. Our survey indicates that many SaaS vendors have yet to understand this new reality. They do 4. Help customers address data privacy not communicate well with customers on security; With expanding market and regulatory demands their products are hard to integrate with the rest for data privacy, CISOs believe that SaaS vendors of the customers’ security environments; and have not demonstrated sufficient leadership in they have not taken the lead in helping customers this area. They need these vendors to research comply with data-privacy expectations. Security thoroughly the regulatory expectations in issues are causing companies to eliminate the markets they participate in and identify certain vendors from consideration, extending the specific actions required to comply. They procurement processes by weeks and months, need vendors to invest in the encryption, key- and adding significant cost and complexity to management, logging, data-tracking, and data- SaaS deployments. By actively addressing these purging capabilities necessary for compliance. issues, providers will speed the ongoing migration They should also guide CISOs on how to implement from traditional on-premises applications to SaaS. their products to minimize regulatory risk.

Rich Cracknell is a manager of solution delivery in McKinsey’s Silicon Valley office; James Kaplan is a partner in the New York office, where Celina Stewart is a cyber solutions senior analyst; and Wolf Richter is a partner in the Berlin office, where Lucy Shenton is a cyber solutions specialist.

Securing software as a service 131 Enable digital technology delivery Agile, reliable, secure, compliant IT: Fulfilling Agile,the promise reliable, of secure, DevSecOps compliant IT: Fulfilling the promise of DevSecOps By integrating security into DevOps, companies can Bystep integrating up the speed security and into frequency DevOps, of companies software releases can step up the speedwithout and compromising frequency of controlssoftware or releases increasing without risk. compromising

controlsby Santiago or Comella-Dorda, increasing James risk. Kaplan, Ling Lau, and Nick McNamara

by Santiago Comella-Dorda, James Kaplan, Ling Lau, and Nick McNamara

May 2020

132 Agile, reliable, secure, compliant IT: Fulfilling the promise of DevSecOps As digital technologies transform industry after What is DevSecOps? industry, businesses are increasingly adopting Pioneered by digital-native companies, modern software-engineering practices DevSecOps is based on the principle of integrating pioneered by tech companies. Agile, DevOps, and development, security, infrastructure, and other methods enable organizations to test, refine, operations at every stage in a product’s life cycle, and release new products and functionality more from planning and design to ongoing use and rapidly and frequently than ever before. However, support (exhibit). This enables engineers to tackle the speed and frequency of releases can come security and reliability issues more quickly and into conflict with established methods of handling effectively, making organizations more agile and security and compliance. How can organizations their digital products and services more secure resolve this tension? and reliable. Security, reliability, and compliance We think the answer lies in DevSecOps, a method considerations are built into every agile sprint for integrating security into agile processes and rather than being handled separately or left until DevOps efforts across the whole product life the end of the development process. cycle. Properly implemented, DevSecOps (literally, Adopting a DevSecOps approach has implications development, Ssecurity, operations) offers for each stage of the product life cycle: enormous advantages. — Planning. From the inception of a new product, Companies can increase the frequency of teams are aware of their security and reliability software releases from quarterly to weekly, responsibilities and trained to handle them. or even daily, without compromising their risk For significant efforts, teams start by quickly posture. They can cut mean time to remediate modeling threats and risks and then identifying vulnerabilities from weeks or months to hours as and prioritizing backlog2 items needed to make well as eliminate delays, cost overruns, product the product secure, reliable, and compliant. defects, and vulnerabilities. Last, but not least, Where possible, teams take advantage of getting security and compliance right from the existing architectural designs that have been outset is imperative as companies’ growing developed in collaboration with security and dependence on digital technologies makes them reliability experts, thereby ensuring that best more vulnerable to cyberattack, especially in the practices are observed, as well as speeding up wake of the uncertainty and confusion wrought by planning and design. the coronavirus pandemic.1 — Coding. To improve code quality, developers In our experience, the companies that are most constantly develop and update their successful at extracting the full value from knowledge of secure and resilient coding DevSecOps commit to managing technology practices. They take full advantage of differently. They have an integrated operating reusable coding patterns, components, and model made up of teams of people – including microservices to quickly build the functionality those from security and compliance – with the full and services needed to meet common security range of necessary capabilities, make practical and resiliency requirements for encryption, use of automation, develop secure modular authentication, availability, and observability. services that are easy to use, and conceive of and build digital products that are secure by design.

1 See Jim Boehm, James Kaplan, and Nathan Sportsman, “Cybersecurity’s dual mission during the coronavirus crisis,” March 2020, McKinsey.com. 2 A backlog is a prioritized list of the features that an agile product team is planning to build and work on.

Agile, reliable, secure, compliant IT: Fulfilling the promise of DevSecOps 133 Web 2019 Agile, reliable, and compliant ntegrating security into evps Exhibit 1 of 1 Exhibit Security is is integrated integrated into into every every step in step the product-developmentin the product-development life cycle. life cycle.

Best practices in DevSecOps

Agile teams are aware of their security responsibilities from the outset; security champions are embedded in teams Real-time monitoring of app run time ensures Teams quickly model threats for all signicant eorts potential security issues are identied Backlog items are created, prioritized, and tracked to Host and network-based intrusion detection is meet security and reliability requirements implemented Secure architecture designs are preapproved for Compliance validation and evidence gathering are implementation automated

Planning Operate and design Code

Engineering teams work to Product- Developers upgrade their skills in progressively improve the Deploy development secure and resilient coding practices path to production life cycle Reusable coding patterns, Secure hosting environments components, and microservices “as code” ensure eciency and Review are deployed to improve security repeatability and agility Strong encryption and authentication are built in Test Security is reviewed as part of every sprint and code release Automated code analysis tools Security test cases are developed and (SAST ) are used to validate security automated by agile team members Senior developers with secure coding Automated penetration testing expertise conduct peer reviews (including DAST and IAST²) is performed as part of the development process

¹ Static application security testing. ² Dynamic application security testing and interactive application security testing.

— Reviewing. Instead of having a specialist group checks. After automated code-analysis tools — Reviewing.scrutinize Instead a product of having for security a specialist vulnerabilities group checks.such as After SonarQube automated and code-analysis Fortify have tools looked scrutinizeand resiliency a product issues for securityonce it emerges vulnerabilities from suchfor asknown SonarQube vulnerabilities and Fortify and have issues, looked senior andmonths resiliency of development, issues once it teams emerges review from code fordevelopers known vulnerabilities conduct peer and reviews issues, seniorto discuss monthsas often of development,as every two weeksteams reviewas part code of regular developersthe results conduct and ensure peer reviewsthe software to discuss meets asagile often sprints, as every using two weeksboth automated as part of regularand manual theappropriate results and standards. ensure the software meets agile sprints, using both automated and manual appropriate standards.

Agile, reliable, secure, compliant IT: Fulfilling the promise of DevSecOps 3

134 Agile, reliable, secure, compliant IT: Fulfilling the promise of DevSecOps — Testing. Engineers create automated security To illustrate what these shifts look like in practice, tests to be run alongside automated functional we’ll draw on examples from two organizations and performance tests. This not only ensures that have recently adopted DevSecOps principles: that testing is consistent and efficient but also a global software-and-services company and a makes security requirements explicit, so that large financial-services provider. The software- developers don’t waste time puzzling over and-services company was already using agile how to satisfy ill-defined policies laid down by methods to develop digital products and manage separate groups. Common security tests, such infrastructure, but it was striving to improve as penetration tests that look for security holes the resiliency of its products while making its in systems, are conducted automatically as internal processes more efficient. By contrast, part of every sprint and release cycle. the financial-services firm still relied on traditional waterfall methods to deliver its projects, and it — Deployment. Code is delivered to production saw DevSecOps as a way to improve performance, hosting environments, not through manual accelerate software releases, and streamline processes itemized in checklists, but via well- controls without increasing risk. engineered automated processes that ensure the right software is built and that it is deployed Organization and talent: Integrated cross- securely and reliably. In addition, best-practice functional teams companies have secure production hosting When organizations struggle with the tensions environments that can be rapidly invoked between being agile and maintaining security, through application programming interfaces reliability, and compliance, it’s often because (APIs), eliminating wait times and reducing risk. the skills and accountabilities for developing, operating, and securing products and validating — Operations. Once software is in production, compliance are split between different groups. automated processes – including real-time The answer is to break down these silos by setting monitoring, host- and network-intrusion up integrated agile teams charged with solving all detection, and compliance validation, and the requirements of the products in their scope, evidence attestation – are used to increase regardless of any functional, security, reliability, efficiency and detect vulnerabilities. If defects or compliance issues they may pose. These teams or vulnerabilities are discovered, resolutions should be staffed not with specialists but with are identified, prioritized, and tracked to well-rounded “full-stack” engineers who can work make sure product reliability and security are across disciplines and pick up new skills quickly. constantly improved. Every team member must be responsible for the security and reliability of the code they create, Adopting DevSecOps principles whether it’s for customer-facing products or Capturing the potential of DevSecOps isn’t easy. internal shared services. It relies on tight collaboration both within IT and The software-and-services company mentioned across IT, security, compliance, and risk. To get earlier reconfigured its product-development it right, companies need to make four shifts teams to own their code bases from end to end in the way they manage technology: create a instead of relying on separate teams to address more integrated operating model, build secure maintenance and defects. The company also set “consumable” services, automate development up site reliability engineering (SRE) teams to help and release processes, and evolve product improve the way products were developed and architectures. operated. The two teams worked closely together,

shared objectives and key results (OKRs), and took part in joint agile events to stay aligned on

Agile, reliable, secure, compliant IT: Fulfilling the promise of DevSecOps 135 how to improve the security and reliability of the so on) and continuous integration and continuous company’s products. delivery (CICD) pipelines for getting code safely and securely to production. Thanks to these The financial-services firm took a slightly efforts, it managed to cut setup times for hosting different approach, embedding SREs in product- environments from three months to 15 minutes, as development teams instead of having them in a well as automating deployments that previously separate team. But similar to the software-and- required eight hours of manual release work. services company, it introduced security and reliability OKRs for those product teams as well Similarly, the financial-services firm focused on as common service metrics to drive alignment and creating a secure CICD pipeline, which had to be accountability. able to handle the high level of controls needed to satisfy regulatory requirements. Implementing Consumable services: Developer-owned the pipeline cut software release times by half. operations By introducing mechanisms such as automated In the past, the accountability for a digital security test cases, the firm also streamlined con- product’s functionality, operations, reliability, trols by 50 to 80 percent without increasing risk. security, and compliance was split. A development team created an application, an infrastructure Development and release: Automated pipelines team operated it, and a maintenance team took with built-in security controls care of reliability. With a DevSecOps approach, The traditional path to production for software on the other hand, a single team is given as much code was lengthy and prone to error. Developers accountability and ownership as possible for all wrote code, and then quality-assurance engineers aspects of a product. tested it – usually manually and in settings that bore little resemblance to the environment in In this approach, central enablement teams build which it would eventually be used. Shepherding shared consumable services for development, code through these processes involved many infrastructure, and security. They equip these manual steps. Most testing took the form of basic services with guardrails and transparency so that functional and regression tests. Some defects and subsequent product developers can use them vulnerabilities slipped through and were caught safely, securely, and efficiently in their operations. only after the software was released. Central checks and validations are still performed to ensure that correct procedures and best Over the past decade, the DevOps movement practices are implemented, but the goal is to make has striven to make the path to production more teams accountable for the products they own. efficient and more effective at catching defects This involves providing them with the tools they as early as possible, when they are cheaper to need to meet their responsibilities – tools that are address. Leading companies have adopted CICD convenient to use and designed to ensure that the pipelines to automate workflows and enable best easiest path for developers is also the most secure engineering practices to be followed in the writing, and reliable route. reviewing, testing, and deployment of code. In addition to this, DevSecOps companies need to go Building these consumable services takes time, further by integrating an extra layer of testing into so companies need to prioritize those with the their CICD pipelines to analyze code for potential greatest impact and assign agile teams to build security issues, run security test cases, and and own them. The software-and-services conduct light penetration tests. company decided to prioritize two key services: life-cycle management for its on-premise hosting environments (including provisioning, patching, and

136 Agile, reliable, secure, compliant IT: Fulfilling the promise of DevSecOps To improve their development and release Both the software-and-services company and processes, the software-and-services company the financial-services firm had legacy systems and the financial-services firm adopted similar they needed to support, and both pursued an approaches. In designing and implementing evolutionary approach to modernizing their automated CICD pipelines for deployments to application landscape. They used their new both the cloud and on-premise environments, they processes to build new “greenfield” digital took care to involve their security and compliance products and incrementally adapted older specialists to ensure that controls would not be products to support DevSecOps best practices, compromised in any way. They also used OKRs including the use of microservices, unit tests, and metrics dashboards to encourage adoption of security test cases, static code analyses, and the pipelines and increase the levels of automated resiliency patterns. test coverage. Product architecture: Secure by design Common pitfalls to avoid Traditionally, applications have been built from The best path for an organization to take in scratch, with all capabilities locked inside a single adopting DevSecOps depends on many factors, code package and security not usually tackled ranging from its size to its familiarity with agile and until late in the development process. Adding a DevOps methods. But regardless of their starting new feature required extensive testing across the point, all organizations should take care, as they whole system, making upgrades slow and complex set out on their transformation journey, to avoid a to execute. Since applications were seldom few common pitfalls. designed to scale in a linear fashion as additional Pitfall 1: Focusing on tooling alone load was put on the system, maintaining reliability Companies should beware of assuming they can was often a challenge. realize the potential of DevSecOps merely by With DevSecOps, by contrast, digital products implementing tools such as a CICD orchestration are conceived and built from the ground up to system or a static code analysis tool. To capture be secure by design. Security requirements and the full benefit, they need to make the four best practices are factored into all elements of a shifts described earlier. Without that broader product, from the code itself to the infrastructure transformation, new tooling is unlikely to be used it runs on. Engineers take advantage of existing effectively or consistently across the organization. components built by enablement or shared- Pitfall 2: Failing to secure leadership buy-in service teams, such as container templates and If teams are to change their way of working, the standardized monitoring APIs. They also draw leaders of the technology organization must play on open-source libraries released by web-scale an active part in steering the transformation. industry leaders – such as Netflix’s Hystrix library In turn, development leaders must model and for improving fault tolerance – to incorporate best- reinforce target behaviors and equip their teams practice resiliency patterns. Following a “systems of to deliver on their new objectives. Finally, security systems” approach, they integrate pre-engineered and compliance leaders need to be fully involved microservices via loosely coupled interfaces based to ensure that greater agility doesn’t come at on well-maintained APIs. All of this improves agility the cost of higher risk. To help gain leadership as well as security. Instead of struggling to build buy-in, successful companies develop a baseline their own code, waiting for reviews by security and understanding of their agile and DevSecOps compliance teams, and iterating until they pass maturity and communicate the business case for audit checks, product teams reuse code built with improvement. Adding key stakeholders to the team expert input and oversight. leading the transformation is another way to make leaders feel accountable for ensuring its success.

Agile, reliable, secure, compliant IT: Fulfilling the promise of DevSecOps 137 Pitfall 3: Focusing only on greenfield new capabilities, they need to make a major development cultural shift by learning to take ownership for Though DevSecOps principles are easiest to adopt their product’s security, reliability, and compliance, in new development efforts, applying them more no matter which team they are on. At the same broadly can deliver significant value. For instance, time, they need to acquire knowledge and skills secure CICD pipelines can support larger, more in creating and operating resilient products to monolithic applications, which can in turn be meet their new objectives. Culture and capability gradually broken down into loosely coupled building can reinforce one another: when microservices. Organizations should constantly engineers know that the teams they work with explore where they can best deploy DevSecOps to expect them to have particular skills, they will be increase agility, security, and reliability. more motivated to develop them. Pitfall 4: Taking too long to deliver value In addition to avoiding these pitfalls, best-practice In successful DevSecOps transformations, value organizations ensure they pursue a structured is captured from an early stage. Leaders quickly approach to change management. They use identify any changes that need to be made to dedicated change-management and capability- product teams and decide which consumable building workstreams as part of the transformation services they need to launch. When rolling out ,and roll teams out in waves that allow enough changes, they prioritize products and services time for training, team alignment, and planning that will drive the highest impact or reduce the activities, such as agile sprint 0s.3 most risk. By identifying quick wins in the first two or three months, they showcase the value of the transformation and gain support from engineers and the broader organization. Once a niche practice confined to Silicon Valley Pitfall 5: Overlooking capability building and start-ups, DevSecOps has matured to become a culture priority for traditional enterprises, too. Adopting Engineers operating in traditional technology the principles outlined in this article will help organizations are likely to find adopting companies not only acquire the agility to stay DevSecOps a challenge. As well as developing current but also strengthen their security to withstand exposure to cyberattacks in the future.

Santiago Comella-Dorda is a partner in McKinsey’s Boston office, James Kaplan is a partner in the New York office, Ling Lau is a partner in the New Jersey office, and Nick McNamara is an associate partner in the Chicago office. The authors wish to thank Nagendra Bommadevara, Daniel Brosseau, Alharith Hussin, Steve Jansen, Jesus Mathus Garza, Mark Mintz, Thomas Newton, Jan Shelly Brown, Marc Sorel, Kevin Telford, and Charles Wisniewski for their contributions to this article.

3 Agile sprint 0s are short efforts before a team starts working together, used to create a common vision, align on team norms, and create a product backlog for what they plan to build.

138 Agile, reliable, secure, compliant IT: Fulfilling the promise of DevSecOps Help business to address impact of global pandemic Cybersecurity’s dualRisk Practice mission during Cybersecurity’s thedual coronavirus mission during crisis the coronavirus crisis Chief information-security officers must balance two priorities to respond to the pandemic: protecting against new cyberthreats and Chief information-security officers must balance two priorities to maintaining business continuity. Four strategic principles can help. respond to the pandemic: protecting against new cyberthreats and by Jimmaintaining Boehm, James Kaplan, business and Nathan continuity. Sportsman Four strategic principles can help.

by Jim Boehm, James Kaplan, and Nathan Sportsman

March 2020

Cybersecurity’s dual mission during the coronavirus crisis 139 The extraordinary efforts of many organizations — Working from home has opened multiple to protect workers and serve customers during vectors for cyberattacks. A broad shift the COVID-19 pandemic have also increased their toward work-from-home arrangements exposure to cyberthreats. Large-scale adoption has amplified long-standing cybersecurity of work-from-home technologies, heightened challenges: unsecured data transmissions activity on customer-facing networks, and greater by people who aren’t using VPN software, use of online services all present fresh openings, weak enforcement of risk-mitigating which cyberattackers have been quick to exploit. behaviors (the “human firewall”), and physical and psychological stressors that compel The overarching challenge for chief information- employees to bypass controls for the sake of security officers (CISOs) and cybersecurity teams getting things done. The more that homebound will be protecting their institutions while enabling employees struggle to access data and operations to go on without interruption. For systems, the more they will attempt to use example, cybersecurity teams at companies that risky work-arounds (exhibit). Cybersecurity provide web-based services to consumers must teams will need to secure work-from-home adjust their security programs to match scaled-up systems and test and scale VPNs and operations while securing a massive shift to work- incident-response tools. In addition, they may from-home tools. At the same time, CISOs must wish to revisit access-management policies make it possible for security-team members to so that employees can connect to critical look after themselves and their families during a infrastructure via personal devices or open, health crisis. internet-facing channels. Addressing these diverse and sometimes — Social-engineering ploys are on the rise. In competing needs at once won’t be easy. But social-engineering gambits, attackers attempt recent conversations with cybersecurity leaders to gain information, money, or access to suggest that some governing principles are protected systems by tricking legitimate users. helping them meet the challenge. This article Companies have seen more malware-laced recommends four such principles: focusing email-phishing campaigns that borrow the on critical operating needs, testing plans identities of health, aid, and other benevolent for managing security and technology risks, organizations. Scammers posing as corporate monitoring for new cyberthreats, and balancing help-desk teams ask workers for their security protection with business continuity. credentials using text phishing (“smishing”) and voice phishing (“vishing”). Email fraudsters How the response to COVID-19 has have tried to get executives to move money to increased cyberrisk fund vendors, operations, and virus-related- As organizations and people have curtailed response activities. travel and in-person gatherings, they have — Cyberattackers are using websites with shifted a great deal of activity into the digital weak security to deliver malware. With the realm. Workers and students are staying home, creation of new domains and websites to using videoconferencing services, collaboration spread information and resources to combat platforms, and other digital tools to do business the coronavirus, attackers are exploiting and schoolwork. In their free time, they are going the weak security controls on many of online to shop, read, chat, play, and stream. these sites to spread malware via drive-by All these behaviors put immense stress on downloads. A common approach hides readily cybersecurity controls and operations. Several available malware (such as AZORult) inside major vulnerabilities stand out: coronavirus heat maps or early-warning

140 Cybersecurity’s dual mission during the coronavirus crisis GES 2020 Cybersecurity’s dual mission during the coronavirus crisis Exhibit 1 of 1

Exhibit Shifting to work-from-home arrangements can open multiple vectors for cyberattacks.

Changes in app-access rights Use of personal devices Lack of social control and tools

l Under existing policies, access to apps diers l Some employees may have l Click-through based on criticality and cyberrisk appetite (eg, been enabled to work from rates for phishing data in ltration, data-protection loss), from less their own personal devices, emails and critical apps accessible from almost anywhere (eg, but because these devices success rates of public network) to apps accessible through are not centrally controlled fake call-center extranet, apps accessible only through VPN, and, (for patching, network- agents can ultimately, critical apps accessible only on site (eg, access control, and increase if trading, treasury) endpoint data-protection employees no systems), they can introduce longer maintain a l Remote working can require organizations to cybersecurity vulnerabilities “human protection widen access rights by enabling o-site access shield” by asking to some of the most critical apps, which can l To get work done, many coworkers about increase cyberrisk employees use consumer- suspicious emails grade tools, accounts, and or calls l Some users might not have strong multifactor devices and share data over authentication, because their access rights nonsecure and are usually limited; change in access rights, noncontrolled channels combined with weak authentication, constitutes a further threat

instance, a threat applications.actor targeted In one a public-sector instance, a threat actorservices andservices issuing and misinformation issuing misinformation to the to the entity by embeddingtargeted malware a public-sector in a pandemic- entity by embeddingpublic. A majorpublic. hospital A major in hospital Europe in was Europe hit withwas hit a related documentmalware and disguising in a pandemicrelated it as an document cyberattackwith that a cyberattack forced it to that suspend forced scheduled it to suspend and disguising it as an official communiqué scheduled operations, shut down its IT official communiqué from another part of the operations, shut down its IT network, and move from another part of the government. Once network, and move acute-care patients government. Once installed, such a malicious acute-care patients to another facility. And a installed, such a malicious application steals to another facility. And a department of a application stealsa a user’s user’s confidential confidential data data (for example, departmentlocal of a government local government had its website had its encryptedwebsite (for example, personalpersonal information, information, credit-card credit-card information,encrypted by ransomware,ransomware, preventing preventing officials officials from information, and bitcoin-walletand bitcoin-wallet keys). keys). Some Some malware from postingposting information information for the for thepublic public and and keeping malware applicationsapplications launch ransomwarelaunch ransomware attacks, keeping employeesemployees from from accessing accessing certaincertain files. files. which lock a user’s system until they pay a attacks, which lock a user’s system until they pay As the COVID-19 outbreak progresses and alters certain amount of money to the attacker. a certain amount of money to the attacker. As the COVID-19the functioning outbreak of progressesour socioeconomic and alters systems, — Public-sector organizations are experiencingthe functioning cyberattackers of our socioeconomic will continue their systems, efforts to — Public-sector organizationsacute pressure. are experiencing A large government entitycyberattackers exploit will our continue fears and their our digital efforts vulnerabilities. to To acute pressure. Ain large North government America suffered entity from a distributedexploit our remainfears and vigilant our anddigital effective, vulnerabilities. CISOs will need new in North America suffereddenial-of-service from a distributed attack aimed at disruptingTo remain vigilantapproaches. and effective, CISOs will need denial-of-service attack aimed at disrupting new approaches.

Cybersecurity’s dual mission during the coronavirus crisis 141

Cybersecurity’s dual mission during the coronavirus crisis 3 Employees on the front line will play an especially important role in keeping the organization safe as normal on-premise security measures become less relevant.

How to address the challenge: disaster recovery, talent succession, and vendor Strategic practices for chief succession – then test them right away. If your information-security officers organization doesn’t have adequate plans in place, create them and then test them. You While many CISOs and other executives have must determine whether your organization’s drawn on their experiences with past crises to riskresponse approach is effective and efficient. respond to the early stages of the COVID-19 Eliminating risk events is impossible, but you outbreak, the pandemic’s vast scale and can reduce the exacerbated risk associated unpredictable duration are highly unusual. There with a poor response. is no playbook that CISOs can open for guidance. Nevertheless, the CISOs and senior cybersecurity — Monitor. Consider mustering all available managers we have spoken to have found it resources to help with monitoring, which especially helpful to follow four practices: enables risk response and recovery to begin. Areas for stepped-up monitoring can include — Focus. Security- and technology-risk remote monitoring of collaboration tools, teams should focus on supporting only monitoring networks for new and novel strains those technology and security features, of malware, and monitoring employees and capabilities, and service rollouts that are endpoints to catch data-related incidents critical to operations. Examples of focus areas before they result in operational risk. that may justify a surge in capacity over the coming weeks include maintaining security — Balance. Cybersecurity teams are likely operations, mitigating risks of remote access to receive a flood of urgent requests for to sensitive data and software-development cybersecurity-policy exceptions that will environments, and implementing multifactor allow teams elsewhere in the organization authentication to enable employees to work to get work done (for example, to approve from home. Organizations should also reiterate the installation of new apps and allow the to employees their safe remote-working use of USB drives). While CISOs might be protocols and their procedures for threat inclined to deny such requests for the sake identification and escalation. Employees on of preventing undue risk, they must also the front line will play an especially important bear in mind the importance of maintaining role in keeping the organization safe as normal business continuity during a fluid and on-premises security measures become less challenging time for their colleagues. To relevant. support continued operations, CISOs may need to tolerate slightly higher risk in the — Test. If your organization has security- or tech- short term by granting waivers or temporarily nology-risk plans of any kind – such as plans relaxing some controls. An accommodating for incident response, business continuity,

142 Cybersecurity’s dual mission during the coronavirus crisis approach will encourage colleagues to make The COVID-19 crisis is a human challenge intelligent risk trade-offs. That said, CISOs above all else. Everyone is juggling shouldn’t allow these exceptions to weaken professional responsibilities with important an organization’s risk posture permanently. personal ones. The coming weeks and If CISOs grant waivers or relax controls, they months are likely to bring more uncertainty. should establish formal evaluation and review By adhering to the practices we described – processes and implement time limits to force focus, test, monitor, and balance – CISOs periodic reevaluation or limit the exceptions to can fulfill their responsibilities to uphold their particular user groups. institutions’ security and maintain business continuity while also meeting their obligations to their teams.

Jim Boehm is a partner in McKinsey’s Washington, DC, office. James Kaplan is a partner in the New York office, and Nathan Sportsman is the founder and CEO of Praetorian. McKinsey and Praetorian have entered into a strategic alliance to help clients solve complex cybersecurity challenges and promote innovation. As a part of this alliance, McKinsey is a minority investor in Praetorian.

Cybersecurity’s dual mission during the coronavirus crisis 143 Help business to address impact of global pandemic Cybersecurity tactics forRisk Practice the coronavirus Cybersecurity tactics pandemicfor the coronavirus pandemic The pandemic has made it harder for companies to maintain security and business continuity. But new tactics can help The pandemic has made it harder for companies to maintain cybersecurity leaders to safeguard their organizations. security and business continuity. But new tactics can help by Jimcybersecurity Boehm, James Kaplan, leaders Marc Sorel,to safeguard Nathan Sportsman, their and organizations. Trevor Steen

by Jim Boehm, James Kaplan, Marc Sorel, Nathan Sportsman, and Trevor Steen

March 2020

144 Cybersecurity tactics for the coronavirus pandemic The COVID-19 pandemic has presented chief — Scale up multifactor authentication. information security officers (CISOs) and their Employees working remotely should be teams with two immediate priorities. One is required to use multifactor authentication securing work-from-home arrangements on an (MFA) to access networks and critical unprecedented scale now that organizations have applications. Scaling up MFA can be told employees to stop traveling and gathering, challenging: the protection it will add calls for a and government officials in many places have surge in short-term capacity. Several practices advised or ordered their people to stay home make the rollout of MFA more manageable. as much as possible. The other is maintaining One is to prioritize users who have elevated the confidentiality, integrity, and availability of privileges (such as domain and sys admins, consumer-facing network traffic as volumes and application developers) and work with spike – partly as a result of the additional time critical systems (for instance, money transfers). people are spending at home. Targeting those users in pilot rollouts of modest scale will allow cybersecurity Recent discussions with cybersecurity leaders teams to learn from the experience and use suggest that certain actions are especially helpful that knowledge to shape more extensive to fulfill these two priorities. In this article, we set out implementation plans. Cybersecurity teams the technology modifications, employeeengagement can also benefit from using MFA technologies, approaches, and process changes that cybersecurity such as the application gateways offered leaders have found effective. by several cloud providers, that are already integrated with existing processes. Securing work-from-home arrangements at scale — Install compensating controls for facility- based applications migrated to remote The rapid, widespread adoption of work-fromhome access. Some applications, such as bank- tools has put considerable strain on security teller interfaces and cell-center wikis, are teams, which must safeguard these tools without available only to users working on-site at making it hard or impossible for employees to their organizations’ facilities. To make such work. Conversations with CISOs in Asia, Europe, facility-based applications available to remote and North America about how they are securing workers, companies must protect those apps these new work-at-home arrangements highlight with special controls. For example, companies the changes these executives are making in three might require employees to activate VPNs and areas: technology, people, and processes. use MFA to reach what would otherwise be Technology: Make sure required controls are in facility-based assets while permitting them to place use MFA alone when accessing other parts of As companies roll out the technologies that enable the corporate environment. employees to work from home and maintain — Account for shadow IT. At many companies, business continuity, cybersecurity teams can take employees use so-called shadow IT systems, these actions to mitigate cybersecurity risks: which they set up and administer without — Accelerate patching for critical systems. formal approval or support from the IT Shortening patch cycles for systems, such department. Extended work-from-home as virtual private networks (VPNs), end- operations will expose such systems because point protection, and cloud interfaces, that business processes that depend on shadow IT are essential for remote working will help in the office will break down once employees companies eliminate vulnerabilities soon after find themselves unable to access those their discovery. Patches that protect remote resources. IT and security teams should be infrastructure deserve particular attention. prepared to transition, support, and protect

Cybersecurity tactics for the coronavirus pandemic 145 business-critical shadow assets. They should consumer web services) they believe they need also keep an eye out for new shadow-IT to do their jobs is counterproductive. Instead, systems that employees use or create to security teams must explain the benefits, such ease working from home, to compensate for as security and productivity, of using approved in-office capabilities they can’t access, or to messaging, file-transfer, and document- get around obstacles. management tools to do their jobs. To further encourage safe behavior, security teams can — Quicken device virtualization. Cloud-based promote the use of approved devices – for virtualized desktop solutions can make it example, by providing stipends to purchase easier for staff to work from home because approved hardware and software. many of them can be implemented more quickly than on-premises solutions. Bear in — Increase awareness of social engineering. mind that the new solutions will need strong COVID-19-themed phishing, vishing (voice authentication protocols – for example, a phishing), and smishing (text phishing) complex password, combined with a second campaigns have surged. Security teams must authentication factor. prepare employees to avoid being tricked. These teams should not only notify users that People: Help employees understand the risks attackers will exploit their fear, stress, and Even with stronger technology controls, uncertainty, but also consider shifting to crisis- employees working from home must still exercise specific testing themes for phishing, vishing, good judgment to maintain information security. and smishing campaigns. The added stress many people feel can make them more prone to social-engineering attacks. — Identify and monitor high-risk user groups. Some employees may notice that their behavior Some users, such as those working with isn’t monitored as it is in the office, and therefore personally identifiable information or other choose to engage in practices that open them to confidential data, pose more risk than others. other threats, such as visiting malicious websites High-risk users should be identified and that office networks block. Building a “human monitored for behavior (such as unusual firewall” will help ensure that employees who work bandwidth patterns or bulk downloads of from home do their part to keep the enterprise enterprise data) that can indicate security secure. breaches. — Communicate creatively. A high volume Processes: Promote resilience of crisis-related communications can easily Few business processes are designed to support drown out warnings of cybersecurity risks. extensive work from home, so most lack the right Security teams will need to use a mix of embedded controls. For example, an employee approaches to get their messages across. who has never done high-risk remote work and These might include setting up two-way hasn’t set up a VPN might find it impossible to communication channels that let users post do so because of the in-person VPN-initiation and review questions, report incidents in requirements. In such cases, complementary real time, and share best practices; posting security-control processes can mitigate risks. announcements to pop-up or universal-lock Such security processes include these: screens; and encouraging the innovative use of — Supporting secure remote-working tools. existing communication tools that compensate Security and IT help desks should add for the loss of informal interactions in hallways, capacity while exceptionally large numbers of break rooms, and other office settings. employees are installing and setting up basic — Focus on what to do rather than what not to security tools, such as VPNs and MFA. It might do. Telling employees not to use tools (such as be practical to deploy security-team members

146 Cybersecurity tactics for the coronavirus pandemic Even with stronger technology controls, employees working from home must still exercise good judgment to maintain information security.

temporarily at call centers to provide added to a VPN. Depending on the security stack, frontline support. organizations that do not require the use of a VPN or require it only to access a limited set — Testing and adjusting IR and BC/DR of resources may go largely unprotected. To capabilities. Even with increased traffic, expand monitoring, security teams should validating remote communications and update security-information- and-event- collaboration tools allows companies to management (SIEM) systems with new rule support incident-response (IR), and business- sets and discovered hashes for novel malware. continuity (BC)/disaster-recovery (DR) plans. They should also increase staffing in the But companies might have to adjust their plans security operations center (SOC) to help to cover scenarios relevant to the current crisis. compensate for the loss of network-based To find weak points in your plans, conduct a security capabilities, such as end-point short IR or BC/DR tabletop exercise with no protections of noncompany assets. If network- one in the office. based security capabilities are found to be — Securing physical documents. In the office, degraded, teams should expand their IR and employees often have ready access to digital BC/DR plans accordingly. document-sharing mechanisms, as well — Clarify incident-response protocols. When as shredders and secure disposal bins for cybersecurity incidents take place, SOC teams printed materials. At home, where employees must know how to report them. Cybersecurity might lack the same resources, sensitive leaders should build redundancy options into information can end up in the trash. Set norms response protocols so that responses don’t for the retention and destruction of physical stall if decision makers can’t be reached or copies, even if that means waiting until the normal escalation pathways are interrupted organization resumes business as usual. because people are working from home. — Expand monitoring. Widening the scope — Confirm the security of third parties. of organization-wide monitoring activities, Nearly every organization uses contractors particularly for data and end points, is and off-site vendors, and most integrate IT important for two reasons. First, cyberattacks systems and share data with both contract and have proliferated. Second, basic boundary- noncontract third parties, such as tax or law- protection mechanisms, such as proxies, web enforcement authorities. When organizations gateways, or network intrusion-detection assess which controls must be extended to systems (IDS) or intrusion-prevention systems employees to secure new work-from-home (IPS), won’t secure users working from home, protocols, they should do the same for third- off the enterprise network, and not connected party users and connections, who are likely to

Cybersecurity tactics for the coronavirus pandemic 147 be managing similar shifts in their operations enterprise activities. For example, to find out and security protocols. For example, ask if attackers are becoming more interested in providers whether they have conducted any an organization’s web-facing technologies, remote IR or BC/DR tabletop drills and, if they organizations can conduct increased passive have, ask them to share the results. Should domain-name scans to test for new malicious any third parties fail to demonstrate adequate signatures tailored to the enterprise domain or security controls and procedures, consider for the number of adversarial scans targeting limiting or even suspending their connectivity the enterprise network, among other threats. until they remediate their weaknesses. — Improve capacity management. — Sustain good procurement practices. Overextended web-facing technologies Fast-track procurement intended to close are harder to monitor and more susceptible key security gaps related to work-from- to attacks. Security teams can monitor the home arrangements should follow standard performance of applications to identify duediligence processes. The need for certain suspected malware or low-value security security and IT tools may seem urgent, but agents or even recommend the removal poor vendor selection or hasty deployment of features (such as noncritical functions could do more harm than good. or graphics on customer portals) that hog network capacity. Supporting high levels of consumer- Processes: Integrate and standardize security facing network traffic activities Levels of online activity that challenge the Customers, employees, and vendors all play some confidentiality, integrity, and availability (CIA) part in maintaining the confidentiality, integrity, of network traffic are accelerating. Whether and availability of web-facing networks. Several your organization provides connectivity, serves steps can help organizations to ensure that the consumers, or supports transactions, securing activities of these stakeholders are consistent and the CIA of network activity should be a top priority well integrated: for any executive team that wants to protect — Integrate fraud-prevention capabilities consumers from cyberbreaches during this period with the SOC. Organizations that support of heightened vulnerability. Much as organizations the execution of financial transactions should are stepping up internal protections for enterprise consider integrating their existing fraud networks, security teams in organizations that analytics with SOC workflows to accelerate manage consumer-facing networks and the the inspection and remediation of fraudulent associated technologies will need to scale up their transactions. technological capabilities and amend processes quickly. — Account for increased costs. Many SOC tools and managed-security-service providers Technology: Ensure sufficient capacity base charges for monitoring on usage – for Companies that make it possible for employees example, the volume of log records analyzed. to work from home must enable higher online As usage increases with expanded network networktraffic and transaction volumes by putting traffic, organizations with usage-based fee in place technical building blocks such as a web- arrangements will need to account for any application firewall, secure-sockets-layer (SSL) corresponding increase in costs. certification, network monitoring, anti-distributed denial of service, and fraud analytics. As web- — Help consumers solve CIA problems facing traffic grows, organizations should take themselves. For media providers, enabling additional actions to minimize cyberrisks: customers to access content without interruption is essential, but increased usage — Enhance web-facing threat-intelligence levels can jeopardize availability. Companies monitoring. To anticipate threats and take may wish to offer guides to show users how to preventive measures, security teams must mitigate access problems, particularly during understand how heightened consumer traffic periods of peak use. changes the threat environment for web-facing

148 Cybersecurity tactics for the coronavirus pandemic Securing remote-working arrangements and describe in this article, while not comprehensive, sustaining the CIA of customer-facing networks have helped many organizations to overcome the are essential to ensure the continuity of operations security difficulties they face and maintain their during this disruptive time. The actions we standing with customers and other stakeholders.

Jim Boehm is a partner in McKinsey’s Washington, DC, office. James Kaplan is a partner in the New York office, and Marc Sorel is a partner in the Boston office. Nathan Sportsman is the founder and CEO of Praetorian, where Trevor Steen is a senior security engineer. The authors wish to thank Wolf Richter and Mahir Nayfeh for their contributions to this article. McKinsey and Praetorian have entered into a strategic alliance to help clients solve complex cybersecurity challenges and secure innovation. As a part of this alliance, McKinsey is a minority investor in Praetorian.

Cybersecurity tactics for the coronavirus pandemic 149 Contacts

Asia Middle East Aman Dhingra, Associate Partner Ayman Al Issa, Senior Expert [email protected] [email protected]

Juan Hincapie, Expert Associate Partner Mahir Nayfeh, Partner [email protected] [email protected]

Patrick Nagel, Expert Associate Partner North America [email protected] Bharath Aiyer, Expert Associate Partner Europe [email protected] Vito Di Leo, Expert Associate Partner Venky Anant, Partner [email protected] [email protected]

Peter Merrath, Senior Solution Leader Tucker Bailey, Partner and Associate Partner [email protected] [email protected] Jim Boehm, Partner Thomas Poppensieker, Senior Partner [email protected] [email protected] Kevin Buehler, Senior Partner Wolf Richter, Partner [email protected] [email protected] Rich Isenberg, Partner Gundbert Scherf, Partner [email protected] [email protected] Piotr Kaminski, Senior Partner Latin America [email protected]

Julen Baztarrica, Partner James Kaplan, Partner [email protected] [email protected]

Cristian Berner, Partner Merlina Manocaran, Partner [email protected] [email protected]

Elias Goraieb, Partner Marc Sorel, Partner [email protected] [email protected]

Beltran Simo, Partner David Ware, Partner [email protected] [email protected]

150