Back to Spotlight

We all know that some companies and industries are more mature than others in their cybersecurity. McKinsey has conducted a survey that sought to find evidence for different maturity levels across industries and the underlying reasons. The report also investigates correlation between companies’ cybersecurity maturity and their profitability.



  • McKinsey argues that most companies have not yet reached sufficient levels of cybersecurity maturity. The report finds that 10% of companies have reached advanced cybersecurity maturity levels, 20% of companies have reached somewhat mature foundations, and 70% of companies have yet to advance in their maturity
  • Analysing different industries, McKinsey finds that banking, consumer-facing, and healthcare companies are the most advanced in their cybersecurity maturity, whereas Technology, Media, and Telecommunications companies seem to lag behind.



  • The reasons behind higher levels of cybersecurity maturity are regulators, consumer expectations, and competitive pressures.
  • Another interesting finding of the report is that companies with higher cybersecurity maturity tend to be more profitable. Although such correlation does not imply causation (that is, companies aren’t necessarily more profitable because they are more cyber-mature), it does suggest that companies rarely do everything right except cybersecurity.
  • The report further describes cybersecurity activities that most organisations struggle with, and those activities that most organisations do well.


Why does this matter for businesses?

  • The report closes a gap in our current understanding of cybersecurity maturity across industries.
  • It also suggests that the most profitable companies in their industries have stronger cybersecurity capabilities. Although this does not prove causation, it does suggest that the most successful companies tend to pay attention to building cybersecurity capabilities.
  • Lastly, the report provides seven action areas that helps organisations improve their cybersecurity maturity.


View the full article here