This interesting piece from McKinsey, “The risk-based approach to cybersecurity”, made me think and deserves some comments. The risk-based approach it promotes has solid foundations and is, in fact, nothing new. It echoes in many ways the model we at Corix Partners have been developing and delivering with clients and associates for the past 10 years.

But I don’t think it makes sense, or indeed helps the industry move forward, to set maturity-based approaches and risk-based approaches against each other. Characterizing maturity-based models as “a dog that had its day” is frankly excessive. The assumption that risk-based approaches are somehow more advanced than maturity-based ones and represent an “evolution” of cyber security practices is highly disputable, and the claim that maturity-based approaches lead to over-engineering and over-spending by a factor of 3 compared to risk-based approaches is simply misleading (a footnote actually describes the costs mentioned as “illustrative and extrapolated from real-world examples and estimates”).