McKinsey & Company
JUN 25, 2014 5:00am ET

Related Links

Conn. Attorney General Wants to Talk Privacy with Apple
September 17, 2014
Big Data Gets Bigger Footprint in Insurance
September 16, 2014
More Than 75 Percent of Mobile Apps Will Fail Basic Security Tests
September 16, 2014

Web Seminars

Why Data Virtualization Can Save the Data Warehouse
September 17, 2014
Essential Guide to Using Data Virtualization for Big Data Analytics
September 24, 2014

Why Senior Leaders Are the Front Line Against Cyberattacks


Why isn’t more being done to protect critical information assets? Senior executives understand that the global economy is still not sufficiently protected against cyberattacks, despite years of effort and annual spending of tens of billions of dollars. They understand that risk alone undermines trust and confidence in the digital economy, reducing its potential value by as much as $3 trillion by 2020. They understand most institutions have technology- and compliance-centric cybersecurity models that don’t scale, limit innovation, and provide insufficient protection. And they understand that institutions need to develop much more insight into the risks they face, implement differential protection for their most important assets, build security into broader IT environments, leverage analytics to assess emerging threats, improve incident response, and enlist frontline users as stewards of important information.

The importance of cybersecurity is no secret to anyone who’s opened a newspaper or attended a board meeting. So, senior executives may ask, what’s the holdup? The answer is simple: understanding the issue is quite different from effectively addressing it. A number of structural and organizational issues complicate the process of implementing business-driven, risk-management-oriented cybersecurity operating models, and only sustained support from senior management can ensure progress and ultimately mitigate the risk of cyberattacks.

Structural hurdles to addressing cybersecurity

There are a number of factors that make getting the right cybersecurity capabilities in place difficult for large institutions. First, competitive imperatives mean executives must accept a certain level of cyberattack risk. As a chief information-security officer (CISO) at an investment bank said, “If I did as thorough a security assessment as I would like before we nailed up a direct connection to a hedge fund, our prime-brokerage business would cease to exist.” What this means is that in order to protect themselves without limiting their ability to innovate, companies have to make sophisticated trade-offs between risks and customer expectations.

Second, the implications of cybersecurity are pervasive—and that alone impedes the adoption of risk-mitigation strategies. Cybersecurity touches every business process and function, not only in operations but also in customer care, marketing, product development, procurement, human resources, and public affairs. Just two examples: product-development decisions often increase the volume of sensitive customer data that is collected, while procurement decisions can create the risk that vendors will treat sensitive intellectual property with less care than required.

Get access to this article and thousands more...

All Information Management articles are archived after 7 days. REGISTER NOW for unlimited access to all recently archived articles, as well as thousands of searchable stories. Registered Members also gain access to:

  • Full access to including all searchable archived content
  • Exclusive E-Newsletters delivering the latest headlines to your inbox
  • Access to White Papers, Web Seminars, and Blog Discussions
  • Discounts to upcoming conferences & events
  • Uninterrupted access to all sponsored content, and MORE!

Already Registered?


Comments (1)
While I can partially empathize with the first two reasons, purely for the fact that there is always this sort of tight rope for any major business to walk; I see no reason to even buy three and four. Seriously? user behavior and security hard to quantify? Just get a couple of ethical hackers and you can quantify it down to a fairly good dollar amount of business and transactions lost. And any user should have no excuse to adapt to a better work culture which brings in more value and secures the business further. If they need to go through training, certifications or another round of security compliance, so be it. Data security is directly proportional to how market perception of a business is, and customer trust building.
Posted by Eamon W | Tuesday, July 22 2014 at 2:28PM ET
Add Your Comments:
You must be registered to post a comment.
Not Registered?
You must be registered to post a comment. Click here to register.
Already registered? Log in here
Please note you must now log in with your email address and password.
Login  |  My Account  |  White Papers  |  Web Seminars  |  Events |  Newsletters |  eBooks
Please note you must now log in with your email address and password.