Beyond Cybersecurity. Kaplan James M.
Based on insights gleaned in the interviews, we identified more than 20 drivers of how the cybersecurity environment could evolve over the next five to seven years and synthesized those into two macro-level drivers: intensity of threat and quality of response. From there, we derived three future state scenarios: muddling into the future, digital backlash, and digital resilience. Based on input from the interviews and surveys, we estimated how each scenario would affect the adoption of a range of important technology innovations such as cloud computing, enterprise mobility, and the Internet of Things – and what impact this would have on value creation.
Again, based on the interviews and surveys, we highlighted the most important actions for each participant in the cybersecurity ecosystem, with a particular focus on the actions individual companies would have to take across all their business functions to protect themselves.
Once we defined the scenarios, assessed the economic impact, and identified the critical actions, we reviewed these interim findings with dozens of CIOs, CISOs, policymakers, and other relevant executives. These reviews took place at working sessions in Silicon Valley, Geneva, and Washington, D.C.; at executive roundtables convened by McKinsey; and at the World Economic Forum’s Annual Meeting of New Champions in Dalian, China.
We summarized our findings in a high-level report published on January 26, 2014[3] and discussed the results in a spirited private session with more than 80 senior executives and policymakers at the Forum’s meeting in Davos. There is already strong evidence that this effort is starting to achieve its objectives. CSO magazine explained that our estimate of a $3 trillion impact is “getting everyone’s attention because it looks not only at direct losses, but also at unrealized value creation as businesses and individuals avoid ‘digitization’ – or the adoption of technology.”[4]
Since presenting the findings, both McKinsey and the Forum have worked on what it will take to get to digital resilience. Based on its work supporting leading institutions in developing cybersecurity strategies and implementing cybersecurity programs, McKinsey has further validated and fleshed out the actions that individual institutions should take to protect themselves. Meanwhile, the Forum has conducted dozens of working sessions involving hundreds of companies to build support for collaboration among all participants in the ecosystem to get from cybersecurity to digital resilience in this world where $3 trillion is at stake.
Executive Summary
The theft of information assets and the intentional disruption of online processes are among the most important business risks facing major institutions. If companies, governments, and other organizations continue to address this issue in the way that they have, the risk of cyber-attacks could slow the pace of technology innovation with as much as $3 trillion in lost economic value in 2020.
Companies, with the support of a broader ecosystem, must instead build cybersecurity into their business and information technology (IT) processes in order to achieve digital resilience.
At its heart, this book addresses three questions:
1. What is the risk of cyber-attacks, and how could their impact evolve over the next few years?
2. How can companies achieve digital resilience and protect themselves from attacks while still creating value from technology investments and innovation?
3. What practical steps should business and public-sector leaders be taking to facilitate this progress toward digital resilience?
$3 TRILLION AT RISK
Companies are losing ground to cyber-attackers. Nearly 80 percent of technology executives said that they cannot keep up with attackers’ increasing sophistication and many said they are seeing attack strategies filter down from nation-states to a wide range of criminals and hacktivists, who have much more destructive ambitions.
Although companies are spending tens, and sometimes hundreds of millions of dollars protecting themselves, they lack the facts and processes to make effective decisions about cybersecurity. Of more than 60 institutions whose practices we surveyed in detail, a third had only a “nascent” level of cybersecurity maturity, while the next 60 percent were still “developing.” Very few were “mature” and not a single one was “robust.” Many institutions simply appear to be throwing money at the problem, but larger expenditures have not translated into greater maturity.
The controls required to protect against cyber-attacks are already having a negative impact on business. For example, security concerns are delaying the rollout of more advanced mobile functionality in companies by an average of six months, and are even more dramatically limiting the extent to which companies are using public cloud services. For nearly three quarters of companies, security controls reduce frontline productivity by slowing employees’ ability to share information, and even though direct cybersecurity spend is relatively small, the indirect costs can be substantial: some CIOs told us that security requirements drove as much as 20 to 30 percent of their overall activity.
The cybersecurity environment could evolve in many different ways over the next five to seven years. However, if attackers continue to increase their advantage over defenders, the result could be a cyber-backlash that decelerates digitization. In this scenario, a relatively small number of destructive attacks would reduce trust in the economy, causing governments to impose new regulations and institutions to slow the pace of technology innovation. The world would capture less of the $8 trillion to $18 trillion we predict can be generated by 2020 from technological innovations such as big data and mobility – the ultimate impact could be as much as $3 trillion in lost productivity and growth.
Companies, governments, and society at large must strive for digital resilience in order to realize the full potential value of innovation. This means cybersecurity must move up the corporate and political agenda.
The first section of this book deals with this issue. Chapter 1 demonstrates why concerns about cyber-attacks are already affecting companies’ ability to derive value from technology investments. Chapter 2 lays out the potential scenarios that describe how the cybersecurity environment could evolve over the next five to seven years and explains in more detail why we believe that $3 trillion is at risk.
DIGITAL RESILIENCE PROTECTS THE BUSINESS AND ENABLES INNOVATION
As recently as seven or eight years ago, cybersecurity was not a priority for many companies. Even large and sophisticated IT organizations spent relatively little protecting themselves from attack and had little insight into the business risks caused by technology vulnerabilities. What protections existed were focused on defending the perimeter of the corporate network, and IT security organizations’ role was to manage tools such as remote access and antivirus software. Managers and frontline employees faced few consequences for violating security policies, and insecure application code and infrastructure configurations were pervasive.
Since then, most technology executives tell us that they have made significant progress in establishing cybersecurity as a control function. There are now true cybersecurity organizations with significant budgets and headed by chief information security officers (CISOs). They have locked down desktops and laptops to prevent end users from unwittingly introducing vulnerabilities into the environment; they have introduced architecture standards; and they review processes to identify and remediate security flaws in new applications.
Establishing cybersecurity as a control function was a necessary step that dramatically reduced risk for a great many institutions, but it is less and less tenable as the threat of cyber-attacks continues to rise (Figure E.1). It places the responsibility for security
[3] World Economic Forum, in collaboration with McKinsey & Company, “Risk and Responsibility in a Hyperconnected World,” January 2014.
[4] Bragdon, Bob, “When Leadership Gets on Board,”