On May 5, 2022, presenters Justin Greis, Charlie Lewis, and Jeffrey Caso gave the lecture “The Future of Cyber Security”. The lecture covered trends and insights shaping the future of cyber security and was moderated by Dr. Angie Raymond.
View the slides from this seminar.
Below you will find the Q&A from the seminar:
 Where does Cyber Security fit into the broader Cyber Defense program?
 How do you plan for disruption and practice from scratch in this continuing uphill battle environment against bad actors?
 Do you think the trend towards consolidation is saturating the need for innovation?
Although it is true that McKinsey’s research shows a slowdown in new cyber company formation in favor of M&A/consolidation (starting in about 2017), the relentless pace at which attackers continue to innovate means that new attack methodologies and vectors require defenders to innovate their capabilities even more so [and hopefully at a faster rate than the attackers]. According to the poll conducted during this presentation, a majority of respondents believed that attackers were outpacing defenders.
 Is there a trend towards shared Security Operations Center (SOC) services or is software getting advanced enough to act as a SOC for Small and Medium-Sized Businesses (SMBs)?
The answer is probably a combination of both! As a result of the cyber talent shortage and increased attacks moving down-market, SMB and midmarket companies – which in many cases don’t even have a formal cybersecurity program – are beginning to look to lower-priced, more scalable security services (e.g., MDR) to provide 24/7 security operations. At the same time, visibility tooling such as that provided by public cloud providers and SaaS applications, combined with more intelligence-native security tooling (e.g., endpoint, anti-phishing), gives smaller companies more accessible security operations tooling. This is especially true when SMBs are cloud-native from day one; it’s far easier to be secure from the get-go with advanced cloud-native tooling than to retrofit legacy infrastructure.
 What industries are most “at-risk” currently, in terms of cybersecurity?
We’ve seen an increase in attacks on critical infrastructure (e.g., Energy, Healthcare, Government), which has been in the media as a result of recent regulation (e.g., the Executive Order on cyber) identifying it as requiring additional attention (see here for the 16 critical infrastructure sectors). Another interesting lens for answering this question is to look at novel attacks, such as the SolarWinds attack with SUNBURST malware, which used the software industry as an entry point into other companies and verticals. The push towards a software bill of materials (SBOM) is one step towards re-thinking inherent software supply chain risk and how all industries are working to address this risk. We believe we will see more of these types of regulatory requirements emerge in the future.
 Do you see Governance, Risk and Compliance (GRC) becoming more integrated with cyber?
Absolutely! However, the degree to which it does will likely vary by company and by how integrated vs. siloed their second line of defense is across functions. GRC has many different purposes and objectives, and as a result crosses over many teams. GRC as a platform and tool is also integrating into cyber in new ways and often automates manual processes and allows the security organization to scale. Additionally, many organizations are shifting towards a risk-based view of security, which requires deep integration with the GRC function to understand business risks and how to measure them in terms of cyber risks.
 How is the market for cybersecurity insurance evolving in response to this dynamic environment?
Cyber insurance in many ways is still an emerging market. Offerings from the big insurance providers often carry some minimum coverage that organizations find “no-regrets” to have on their policy; however, the coverage is often not enough to shift how organizations think about response to major incidents. For smaller companies, the partnerships that insurance companies provide with forensics and breach response firms can be very helpful. Given the evolving nature of cyber insurance, it is critical to understand your unique cyber risk and focus on preparation, response, and recovery – it is not possible to “transfer” (i.e., shift the accountability for) 100% of your cyber risk in today’s world.
 When thinking of building a career in cloud & cyber security – do you believe it is essential to learn to code? If so which languages do you recommend?
There are so many different roles in cloud and cyber security. While understanding how to code is important for certain roles and activities, it is not necessary for other roles (like cyber risk, crisis response, strategy, etc.). What is most important is to understand the technology and how security can best support the business across all key security domains. Of course, there is always merit in understanding how the technology works, so it is helpful if you do decide to learn it. And never forget: to stay relevant in technology, one must constantly learn new things – from new methods, trends and strategies to coding, automation, and tooling!
Justin Greis is a Partner in McKinsey & Company’s Chicago office. He is a leader of McKinsey Digital and the Risk & Resilience Practices, with a focus on cybersecurity, cloud, technology strategy, and digital transformation. Justin designs, builds, and activates secure and trusted digital transformations to help organizations accelerate their mission and protect their purpose. Justin brings a wealth of experience across a wide variety of industries. In addition to his work with McKinsey, Justin serves as a professor at the Kelley School of Business, Indiana University, where he teaches IT governance, risk, and controls in the MSIS and MBA programs. He has won numerous awards for his real-world curriculum and innovative teaching methods. Justin holds a Bachelor of Science and a Master of Business Administration in accounting and information systems from the Kelley School of Business, Indiana University, and holds the following professional certifications: CDPSE, CGEIT, CIPP/US, CISA, CISM, CISSP, CRISC, GIAC/GSEC, ITIL, PMP, and TOGAF.
Charlie Lewis is a Cyber Expert Associate Partner who seeks to protect the world’s best-known brands through cybersecurity, focusing on human digital risk and cyber talent to value. Prior to joining McKinsey, Charlie served over 13 years in the U.S. Army in a variety of roles, including time with the 101st Airborne Division and as an Assistant Professor of American Politics at the United States Military Academy. He finished his career focused on cyber curriculum and scenario development and as the second in command of a 5,000-person communications and cyber operations training organization. Charlie currently serves in the U.S. Army Reserve as a Professor of American Politics and Academy Liaison for the United States Military Academy. He holds an M.P.P. from Harvard University’s Kennedy School and a B.S. in Geography and Systems Engineering from the United States Military Academy.
Jeffrey Caso is a Cyber Expert Associate Partner who focuses on market growth strategy and is passionate about bringing to market next-generation cybersecurity offerings and moonshots. He serves clients on digital risk and technology strategy with an emphasis on business-building in cybersecurity, working with enterprises, investors, and many of the top cybersecurity providers. Jeffrey has published on cyberwarfare, privacy regulation, and the COVID-19 impact on cyber markets, and is an active speaker at roundtables and conferences. He holds a BSFS from the Georgetown University School of Foreign Service and lives in Washington, DC.
For further information on the webinar please contact Professor Jun Yang, Director of the Institute for Corporate Governance at email@example.com.