Organizational cyber maturity: A survey of industries

| Article

This article was a collaborative effort by Kevin Eiden, James Kaplan, Bartlomiej Kazimierski, Charlie Lewis, and Kevin Telford, representing views from McKinsey’s Risk & Resilience Practice.

The S-curves of cybersecurity: Toward digital resilience

Companies are moving to a cybersecurity stance based on risk reduction and resilience but still need underlying capabilities.

The seven action areas of digital resilience

Seven action areas can be mapped to industry standards, such as the Cybersecurity Framework of the National Institute for Standards and Technology.

The McKinsey survey on cybersecurity maturity levels

Most companies have yet to reach the advanced levels of cybersecurity management demanded by today’s business environment.

Cybersecurity levels by industry sector

Cybersecurity maturity varies within sectors more than it varies from sector to sector.

Relation between maturity in cybersecurity and profitability

More profitable companies build stronger cybersecurity capabilities.

Cybersecurity maturity and organizational size and ownership structure

Leading organizations—those with the highest average level of cybersecurity maturity—are mostly larger companies.

The distinctive capabilities of cybersecurity leaders

The survey probed companies for cybersecurity maturity for all the activities in each action area.

All organizations perform these activities well

All organizations perform certain cybersecurity activities well.

Most organizations find these activities challenging

All organizations find certain cybersecurity activities to be challenging.

Leaders outperform on these activities

Leaders outperform competitors on certain cybersecurity activities.

As they embrace a risk-based cybersecurity approach, leading organizations can become proactive. The survey also revealed that these organizations outperform in a number of other activities arising from the recognition of cyberrisk as a business risk. These include senior management making cyberrisk and cyber culture a part of business decision making, the use of tested cybersecurity scenarios in business-continuity planning and disaster recovery, taking a holistic approach to cybersecurity so that the supply chain as well as the organizational perimeter are covered, encryption protection for sensitive data at rest, and a deep understanding and use of threat intelligence.

Finally, the survey found that both leading organizations and aspiring leaders performed well on ten other technical and nontechnical activities, showing the overall trend toward risked-based security. These activities include the application of strong technical controls around mobile devices, the inclusion of business leaders as part of cyberrisk decision making, having segmented and more tightly secured networks to better protect sensitive information, and putting in place information and policies that enable mature cybersecurity.


The survey provides a measure of hard evidence to support the experiential knowledge of the most advanced cybersecurity professionals. The attackers have the edge right now, and while organizations have made some progress, most have a good deal to do to become resilient against existing cyberthreats and proactive on the rapidly changing threat landscape. Organizations have no time to lose in advancing toward holistic cyberresilience.

Explore a career with us