Has the maturity-based cybersecurity approach had its day? Uh, no.

Jordan M. Schroeder
4 min read · Dec 18, 2019
Maturing whiskey barrels

This McKinsey & Company report on cyberrisk maturity models is clickbait-y, tone-deaf, judgemental, and even a little elitist. And it looks like they know it. The irony is delicious.

Quantifying Risks is Better Than Maturity

They start off their position saying that the maturity approach “has had its day” and that organizations should move to a “risk-based” approach. What they mean, though, is a “risk-quantified” approach, but:

  1. They choose a broad term that connotes that a maturity approach is not risk-based, and
  2. They assume that everyone has the kind of data necessary to quantify risks.

So, they start off by claiming that they “know better” and have insight into a “golden path” (clickbait), which is actually a plain, vanilla path. And they misrepresent both their own position and the concept of a maturity approach.

The whole reason why organizations shifted to a maturity approach in the first place is that they did not have the data to quantify risks or mitigation effectiveness. Should organizations quantify risks if they can? Of course. I can’t imagine anyone suggesting otherwise.

But what does an organization do if it cannot? The McKinsey report helpfully offers a solution to this problem: use a maturity model (the very thing they just said has “had its day”) until your organization is ready. But they couch this in terms that suggest they believe all organizations should already be ready. I guess McKinsey only sees a certain kind of client. This comes off as tone-deaf, judgemental, and a little elitist, especially when they use the phrase “security schmecurity” to describe organizations in the initial stages of cyberrisk management (well, when you are writing a report condemning maturity, I guess you start to lose a mature perspective).

Tangentially, I could go on for quite a while (I’ve written papers on the topic) on the problems with trying to quantify all digital technology risks and how the results can provide false accuracy and false assurance because not everything can be legitimately quantified, but, that is a topic for another article (or a paper or two). Here is a hint to whet your appetite: the constant evolution of the technology stack within an organization (patches, updates, connections, new layers, new use cases, emerging use, etc.) means that historical data quickly loses its value in determining threat likelihood and impact. And by “quickly” I mean measured in weeks and months.

But let us get back to the report.

Improving Risk Controls Using Maturity

The report critiques maturity approaches by saying that organizations use this approach to blindly mature everything across the board, regardless of the effectiveness, impact, or cost of the activity. I have to grant them half a point on this one as I have seen some teams think they have to do this when they are first presented with the concept. But in practice, I have not seen this happen. At some point, even without the guidance below, someone asks what the cost/benefit ratio is and activities are adjusted.

Just as with all risk approaches, there needs to be a target state: an acceptable level of risk or maturity for a given control. Those levels should be devised in a risk-informed way. This one simple factor, added to maturity approaches, defeats the report’s entire critique on this point.

One wonders if the report writers have ever seen a risk maturity approach used in practice or if they are working from an academic rather than a practitioner’s perspective. If they thought this was a real issue, then McKinsey missed an opportunity to help lead better practice in this area when they failed to suggest how organizations can set an acceptable level of maturity. Instead, it looks like they were more focused on their bias towards a quantified approach (or, in their words, what “more sophisticated organizations do”) and, as a result, manufactured reasons to condemn alternate approaches.

Maturity is a Step in the Path

“[A maturity-based approach] can never be more than a proxy for actually measuring, managing, and reducing enterprise risk.” I completely agree (to a point: not all cyberrisk can be quantified cleanly). But what McKinsey completely misses in this report is that many organizations (or perhaps all the organizations that cannot afford McKinsey’s services to make them feel “sophisticated”) are unable to move beyond this stage. And because of this reality, McKinsey misses an opportunity to analyze why this is the case and how to empower organizations to be able to take the next steps.

This report is clickbait-y, tone-deaf, judgemental, and elitist. Most damningly, it is a distraction from the work that needs to be done in order for organizations to get to the state that the report writers value so highly.

Maturity approaches are a very useful step on the way to a quantified risk approach. Organizations grow beyond the utility of maturity approaches, to be sure, but the approach, as a concept, is a very important tool to help equip an organization to start bringing risks under control. If you strip out all the judgementalism and the distractions from the report, you will see that, in fact, McKinsey agrees with that conclusion.

So to McKinsey, I say: grow up, muck in, and start to actually help. Your “Mean Girls” impression is sooooo immature.

Jordan M. Schroeder

Managing CISO @ HEFESTIS, moderator of Security StackExchange, author of Advanced Persistent Training.