The McKinsey article “The risk-based approach to cybersecurity” caught my attention and is worth discussing. The risk-based approach that it advocates is based on strong principles and is not a novel concept. In fact, it closely resembles the strategy that Corix Partners has been creating and implementing with partners and clients for the past ten years.
However, I do not think it makes sense to reject maturity-based and risk-based approaches, nor does it actually aid in the advancement of the sector. Furthermore, it is just plain ridiculous to refer to maturity-based models as “a dog that had its day.” The quantification of maturity-based approaches as leading to over-engineering and over-spending by a factor of 3 compared to risk-based approaches is simply misleading (a footnote actually refers to the costs mentioned as “illustrative and extrapolated from real-world examples and estimates”). The assumption that risk-based approaches are somehow more advanced than maturity-based ones and represent an “evolution” of cyber security practices is highly disputable.