McKinsey has been recognized as a Leader in cybersecurity consulting services, the highest designation possible, in The Forrester Wave™: Cybersecurity Consulting Services, Q2 2024 report.
Forrester evaluated 15 providers on 24 criteria. McKinsey received the highest score possible on 11 of these, including Cybersecurity strategy and vision delivery, and Customer retention and satisfaction.
“Deep technology expertise matters most right now in this market,” according to the Forrester report, and our firm also ranked among the highest in the Use of emerging technologies in client delivery criterion.
We recently caught up with Ida Kristensen, the McKinsey senior partner who leads our cybersecurity team and co-leads the Risk & Resilience Practice, to learn more about the work they do.
What does this Forrester ranking of a ‘Leader’ in cybersecurity consulting services mean for you?
We are incredibly proud of receiving this external recognition; for us, this is something to celebrate. It acknowledges what we have been hearing from our clients: that they value our unique ability to combine their strategic agenda—of their board, CEO, and executive management team—with our deep technical expertise.
It wasn't always like this. The chief information security officer (CISO) within organizations used to be quite isolated. Management would say, “Thank you for doing your thing. We don't fully understand what you're doing, but good luck with it.”
Now cybersecurity has become such a strategic imperative for institutions that all parties—from the CEO to the front lines—need to both inform and understand the strategy. It influences all aspects of a business: designing new products and services, upgrading technologies, managing supply chains and customers, and it’s a critical aspect of organizational transformations. Cybersecurity has become a business enabler, rather than a roadblock.
Tell us more about McKinsey’s team
In the past five years, our practice has undertaken some 570 projects across industries. We've tripled the size of our team to more than 240 cyber experts, many of whom are veterans from U.S. military and intelligence operations, and from the leadership and frontlines of cybersecurity organizations.
One thing that is unique from our usual practice is that our experts work across sectors, since cybersecurity isn’t industry specific. For example, they can credibly say to an industrial, tech or CPG client: “We should look at this new approach the financial services industry has been taking.” This makes them even better prepared to serve our clients.
What work are you particularly proud of?
We've served a number of clients who’ve experienced a very severe cyber-attack. We helped them restore operations, get back up on their feet, minimize the cost and implications from the attack, and used the opportunity to help them build greater resilience to move forward. And as terrible as it is, these crises can be a defining, learning moment.
A second example at a micro level: we often conduct war games and tabletop exercises where there's this moment of revelation. We recently did a three-hour ransomware exercise with a leader of a tech company. It was very fast paced and pulses were racing. As we were debriefing, the CEO said, “If this was real, I would now hand in my resignation because we were clearly not prepared for that.” He walked away knowing they would have to take a different approach. It was a small exercise, but the impact was profound, which makes me very proud.
How is gen AI impacting cybersecurity?
It adds to the sophistication of the attacks. The ability to impersonate others, for example in creating very real videos, is leading to breaches of security.
And the sophistication of phishing attempts has gone up wildly. The latest research shows that malicious phishing emails have increased 1,265% since the launch of ChatGPT at the end of 2022. Adversaries are now using gen AI to write emails that are much better. Companies are experiencing thousands of attacks on a daily basis. In the past, it was just like throwing spaghetti against the wall—trying a lot of different attacks to see which ones would go through. Now with gen AI, the attackers have an ability to learn as they go, seeing which ones are more effective, and updating the strategy in real time. Even if the volume doesn't go up, the success rate does.
On the flip side, this same aspect of gen AI is helping companies learn in real-time which defenses and detections work best, so they can isolate attacks more quickly. Companies are using gen AI to fight gen AI, if you will.
Cyber risks are constantly changing. What makes you optimistic looking forward?
We have evolved as a society to recognize this is a common problem. Significant resources from both public and private sectors are being invested, and different groups are collaborating to solve it. Governments are taking an active role and setting guidelines to protect security, privacy, and safety.
One of the interesting things is the human element. Ninety percent of all cyber-attacks start with a phishing attempt. Despite this being a very technical topic, a huge part of the defense is educating human beings. We've all obviously had the joys of the phishing exercises.
But these things matter, right? If we educate everyone who has contact with this, it makes a big difference in all of us just getting wiser.