A framework for improving cybersecurity discussions within organizations

This article offers a framework for improving the cybersecurity culture of a company. It introduces the idea of “trust gaps” to explain how communication about cybersecurity breaks down across a company’s hierarchy: the C-suite, the board of directors, the cybersecurity team, the marketing team, and so on. The relationships between each of these groups are examined in turn, identifying where and why miscommunication occurs. For example, the C-suite and the cybersecurity team should be continually evaluating the company’s assets and the corresponding cyber-risk. This is done by weighing the severity of the cyber-risk impact against the likelihood of its occurring. Severity takes into account what threat exists, what action could be taken against the asset, and what the cost of acting or not acting would be. Likelihood considers which entities might have reason to threaten the company, what attackers could gain by compromising the company’s assets, and how vulnerable those assets are. For the relationship between the company and the government, the article identifies a shifting landscape: the government is holding private companies to a higher standard, since attacks on private companies can have national-scale political impacts.

Keywords: trust gap, cybersecurity framework, organizational learning, cyber-risk impact
Jason Choi, Harrison Lung, James Kaplan
McKinsey & Company
Domains-Issue Area: 
Industry Focus: 
Information & Telecommunication
Internet & Cyberspace
United States
Case Studies