McKinsey: Six common beliefs that create unnecessary risks

Management consultancy McKinsey & Co identifies and shares six risk management and cybersecurity misconceptions that pose threats to new businesses

“Every executive needs to be a student of crisis,” said Julia Houston, the Chief Strategy and Marketing Officer at Equifax, a company which fell victim to a 2017 data breach.

Drawn from experience, Houston’s sentiment serves as a warning to individuals and companies alike that aim to set up a new company (NewCo).

In a recent McKinsey Global Survey, eight in 10 CEOs cited new-business building as a top five priority, despite heightened economic volatility. The report also found that business leaders are building 50% more new businesses per year than they did two to five years ago.

The worldwide management consulting firm warns that, although some business builders are not convinced that risk management and cybersecurity should be early priorities, they should not be overlooked. A common challenge for smaller companies, McKinsey observes, is that leaders understand the importance of risk and cyber oversight but are uncertain about how to build and manage the required capabilities.

Here, we share six of McKinsey’s often-observed misconceptions when it comes to risk management and cybersecurity as well as the beliefs that reflect these perspectives, and what the implications are in practice.

Six common beliefs that create unnecessary risks to NewCos

1. “We definitely don’t need to be concerned about data privacy as we don’t have any customers yet”

According to McKinsey, if an executive team has decided to form a NewCo around a business concept, then the concept is probably mature enough to warrant investment in resources including talent, tech and processes. These are valuable assets that are susceptible to cyberattacks, the consultancy warns.

2. Establishing cybersecurity measures will delay the launch of a new business and make a business opportunity ‘lose its edge’

McKinsey says that adding risk management and cybersecurity will consume time, but not enough to derail wider plans, and that the effort made at the beginning prevents work later down the line. Conversely, it observes, NewCos that rush to launch without structured risk thinking may face more significant problems down the road, such as regulatory fines, data breaches, or lawsuits.

3. Spending on risk management and cybersecurity is not a guarantee of protection

The consultancy highlights the often apparent mismatch between cyber spending and cyber maturity among large corporations, but stresses that, at launch, there is a foundational level of risk management and cybersecurity that every company needs. While the basics are not difficult to implement, McKinsey acknowledges that they do require experience and expertise. The longer they go unaddressed within the product development life cycle, the harder and more expensive it becomes to incorporate them into the product over time.

4. Product leaders and CTOs have cybersecurity under control

McKinsey notes that product team leaders and team members have varying levels of knowledge, for example in relation to the latest data encryption standards or security operations centre monitoring solutions. Because cybersecurity is a vast discipline that requires specialised knowledge, the consultancy points out that even the most experienced professionals seek opinions and consultations from others when innovating new products and services, highlighting the common need for external expertise.

5. We don’t need risk management and cybersecurity because our parent company is a behemoth

McKinsey points out that parent company security teams often do not have the capacity to secure a NewCo. This may be because of tech stack mismatches or because the parent company’s security resources are already stretched, meaning it cannot pay a lot of attention to the NewCo when decisions need to be made.

6. We already have a tool, so we are covered for the main risks

With cybersecurity and risk management growing increasingly important as risks increase at an exponential rate, a tool alone is never sufficient in the eyes of McKinsey. It advises that a combination of process, people and technology is required. It also poses a question: even if you can buy the best tool on the market, will its utility reflect your needs? McKinsey has witnessed many NewCos that, after investing, do not have the capabilities to leverage more than 80% of the solution.


Cyber Magazine is a BizClik brand 
