McKinsey: Six common beliefs that create unnecessary risks

Six common beliefs that create unnecessary risks to NewCos. Credit: Tima Miroshnichenko
Management consultancy McKinsey & Co identifies and shares six risk management and cybersecurity misconceptions that pose threats to new businesses

“Every executive needs to be a student of crisis,” said Julia Houston, the Chief Strategy and Marketing Officer at Equifax, a company which fell victim to a 2017 data breach.

Houston speaks from experience, and her sentiment serves as a warning to individuals and companies alike that aim to set up a new company (NewCo).

In a recent McKinsey Global Survey, eight in 10 CEOs cited new-business building as a top five priority, despite heightened economic volatility. The report also found that business leaders are building 50% more new businesses per year than they did two to five years ago.


The worldwide management consulting firm warns that although some business builders are not convinced that risk management and cybersecurity should be early priorities, they should not be overlooked. A common challenge for smaller companies, McKinsey observes, is that leaders understand the importance of risk and cyber oversight but are uncertain about how to build and manage the required capabilities.

Here, we share six misconceptions about risk management and cybersecurity that McKinsey often observes, the beliefs that reflect them, and what the implications are in practice.

Six common beliefs that create unnecessary risks to NewCos

1. “We definitely don’t need to be concerned about data privacy as we don’t have any customers yet”

According to McKinsey, if an executive team has decided to form a NewCo around a business concept, then the concept is probably mature enough to warrant investment in resources including talent, tech and processes. These are valuable assets that are susceptible to cyberattacks, the consultancy warns.

2. Establishing cybersecurity measures will delay the launch of a new business and make a business opportunity ‘lose its edge’

McKinsey says that adding risk management and cybersecurity will consume time, but not enough to derail wider plans, and the effort made at the beginning prevents work later down the line. Conversely, it observes, NewCos that rush to launch without structured risk thinking may face more significant problems, such as regulatory fines, data breaches, or lawsuits, down the road.

3. Spending on risk management and cybersecurity is not a guarantee of protection

The consultancy highlights the often apparent mismatch between cyber spending and cyber maturity among large corporations, but stresses that, at launch, there is a foundational level of risk management and cybersecurity that every company needs. While the basics are not difficult to implement, McKinsey acknowledges that they do require experience and expertise. And the longer they go unaddressed within the product development life cycle, the harder and more expensive it becomes to incorporate them into the product.

4. Product leaders and CTOs have cybersecurity under control

McKinsey notes that product team leaders and team members have varying levels of knowledge, for example in relation to the latest data encryption standards or security operations centre monitoring solutions. Because cybersecurity is a vast discipline that requires specialised knowledge, the consultancy points out that even the most experienced professionals seek opinions and consultations from others when innovating new products and services, highlighting the common need for external expertise.

5. We don’t need risk management and cybersecurity because our parent company is a behemoth

McKinsey points out that parent company security teams often do not have the capacity to secure a NewCo. This may be because of tech stack mismatches or because the parent company’s security resources are already stretched, meaning it cannot pay a lot of attention to the NewCo when decisions need to be made.

6. We already have a tool, so we are covered for the main risks

With cybersecurity and risk management growing increasingly important as risks increase at an exponential rate, a tool alone is never sufficient in the eyes of McKinsey. It advises that a combination of process, people and technology is required. It also poses a question: even if you can buy the best tool on the market, will its utility reflect your needs? McKinsey has witnessed many NewCos that, after investing, do not have the capabilities to leverage more than 80% of the solution.

