Next Gen Technology Transformation in Financial Services

April 2020
Next-gen Technology
transformation in
Financial Services
Introduction
Financial Services technology is currently in the midst of a profound transformation, as CIOs and their
teams prepare to embrace the next major phase of digital transformation. The challenge they face is
significant: in a competitive environment of rising cost pressures, where rapid action and response
is imperative, financial institutions must modernize their technology function to support expanded
digitization of both the front and back ends of their businesses.
Furthermore, the current COVID-19 situation is putting immense pressure on technology capabilities
(e.g., remote working, new cyber-security threats) and requires CIOs to anticipate and prepare for the
“next normal” (e.g., accelerated shift to digital channels).
Most major financial institutions are well aware of the imperative for action and have embarked on the
necessary transformation. However, it is early days—based on our experience, most are only at the
beginning of their journey. And in addition to the pressures mentioned above, many are facing challenges
in terms of funding, complexity, and talent availability.
This collection of articles—gathered from our recent publishing on the theme of financial services
technology—is intended to serve as a roadmap for executives tasked with ramping up technology
innovation, increasing tech productivity, and modernizing their platforms. The articles are organized
into three major themes:
1. Reimagine the role of technology to be a business and innovation partner
2. Reinvent technology delivery to drive a step change in productivity and speed
3. Future-proof the foundation by building flexible and secure platforms
The pace of change in financial services technology—as with technology more broadly—leaves very little
time for leaders to respond. Therefore, CIOs and other executives need to accelerate and scale their
Technology transformation. We hope this collection is helpful in framing and shaping this journey.
Vik Sohoni Xavier Lhuer Somesh Khanna

Senior Partner Partner Senior Partner
3
4
Index
Reimagine the role of technology to be a business and innovation partner
The CEO’s new technology agenda 7
The CIO challenge: modern business needs a new kind of leader 15
The platform play: how to operate like a Tech company 21
How mid-cap banks can solve the conundrum of scale in Technology 29
Transforming a bank by becoming digital to the core 35
After the first wave: How CIOs can weather the coronavirus crisis 39
Reinvent technology delivery to drive a step change in productivity and speed
Transforming bank’s IT productivity 45
An executive’s guide to software development 51
ING’s Agile transformation 57
Flip the ratio: taking IT from bottleneck to battle ready 63
Transforming IT infrastructure organizations using Agile 71
Future-proof the foundation by building flexible and secure platforms
Next-generation core banking platforms: a golden ticket? 77
Cutting through the noise: how banks can unlock the potential of APIs 83
Unlocking business acceleration in a hybrid cloud world 89
Designing a data transformation that delivers value right from the start 99
Cybersecurity: Linchpin of the digital enterprise 107
Cybersecurity tactics for the coronavirus pandemic 117
5
6
The CEO’s new technology agenda
By Klemens Hjartar, Krish Krishnakanthan, Pablo Prieto-Munoz, Gayatri Shenai, and Steve Van Kuiken
Technology performance has become critical to business success.

Here’s how a CEO can focus the technology function on a
company’s strategic priorities.
Reimagine the role of technology to be a business and innovation partner 7

We’ve seen numerous companies boost their is and how closely it is aligned with the business.
financial performance after their CEOs made it a We then lay out one CEO’s successful approach to
priority to strengthen the technology function and modernizing his company’s IT function. Together,
bring more technology capabilities closer to the these insights offer CEOs a guide to shaping a
business’s strategy and operations. Fulfilling this technology function that’s fit for the digital age.
mandate, however, can be a challenge. Most CEOs
already have a long slate of priorities, and relatively
few feel comfortable enough with technology to The modern IT function:
push for transformative changes in that functional
area. Even CEOs who are attuned to the threat of
Concepts to know, questions
digital disruption and are thinking about how their to ask
companies can create value with digital tend to Based on our extensive work with CEOs and top
discount the IT function’s importance. executives at large companies, three concepts
Nevertheless, it’s clear from our experience that define today’s most effective IT functions: a
CEOs can exert a uniquely constructive—and new role that calls for collaboration with the
valuable—influence on the IT function. CEOs can business on strategy and operations; an updated
do more than other executives to transform the IT resource model offering the talent, methods,
function’s role, resource model, and core systems, and tools to accelerate innovation; and a future-
and to bring about the cultural and organizational proof technology foundation of flexible, scalable
changes that such transformations involve. In systems that speed releases of IT products. To
the following section of this article, we lay out the help CEOs assess where their companies stand
ten questions that CEOs should ask their chief with respect to these three concepts, we’ve
information officers (CIOs) and management included ten key questions that CEOs can ask
teams to determine how capable their IT function (exhibit 1).
8 Reimagine the role of technology to be a business and innovation partner

Exhibit 1
Ten questions can help CEOs determine whether their companies’

IT functions possess the qualities that make IT effective
What the CEO should ask to

Modern IT function accelerate technology transformation
Role Collaboration with the business on shaping strategy 1. How are we making key technology
and streamlining operations decisions at all levels of the company?
— Alignment between IT and business 2. How do we track and maximize the

value produced by our major technology
— Targeted technology investments investments?
— Advocacy for end users 3. How often do our tech teams seek input
from users?
Resource Talent, methods, and tools to accelerate innovation 4. Have we placed high-caliber engineers in IT
model roles that contribute the most value to the
— Ample engineering talent company?
— Agile working methods 5. How many projects has IT shut down

because they weren’t providing value?
— Leading-edge tools
6. How long does it take for our company to
— Targeted vendor partnerships deploy new applications?
7. Which of our IT capabilities do vendors

provide, and why?
Technology Flexible, scalable systems that speed releases 8. How much custom development work goes
foundation of IT products into building new IT solutions?
— Modular architecture 9. What % of business decisions are we making

with help from AI?
— Enterprise-wide data and artificial
intelligence (AI) 10. For our developers, is cybersecurity a
hindrance?
— Integrated cybersecurity
Reimagine the role of technology to be a business and innovation partner y 9

A new role for IT: Collaboration with input from users?” If the answer isn’t “at every
the business on shaping strategy and step,” the tech function probably hasn’t adopted
design thinking.
streamlining operations
Many IT functions have trouble matching their
priorities with those of the business. The problem
An updated resource model for IT:
often starts at the top: CIOs aren’t included in
The talent, methods, and tools to
strategic discussions, where they can shape other
executives’ thinking on how the business can
accelerate innovation
best use technology. CEOs are ideally positioned In pursuit of cost savings, traditional IT functions
to correct this. At the successful companies we outsource much of their development and
know, CEOs have defined a strategic role for the engineering work and focus on vendor and project
technology function according to the following management. Modern IT functions, by contrast,
principles: value innovation more highly than cost savings,
and so they assemble top-notch workers and
Alignment between IT and the business.
equip them with sophisticated methods and tools,
We’re seeing companies make organizational
along with specialized vendor support. To build
changes specifically to promote seamless
a resource model that speeds innovation, CEOs
collaboration between the tech function and
should push for the inclusion of the following four
other units and functions. CEOs are adding CIOs
elements:
to their leadership teams and asking CIOs to
report directly to them.[1] Some companies form Ample engineering talent. To keep mission-
unified business and technology teams that each critical technologies ahead of the curve,
support one technology product (for customers or companies recruit skilled engineers and entice
employees) or one IT platform (a component, such them to stay with quality training and appealing
as a customer-relationship-management [CRM] incentives, including non-managerial career
system, that supports multiple functions). CEOs tracks where engineers can concentrate on
can test for these patterns by asking, “How are we technical work without sacrificing the chance
making key technology decisions at all levels of to earn manager-level salaries. To gauge the IT
the company?” They’ll want to hear that business function’s talent mix, CEOs should ask, “Have we
users and tech experts are working side by side. placed high-caliber engineers in enough IT roles
that contribute the most value to the company?” A
Targeted technology investments. Top
number less than 70 percent is a red flag.
economic performers are more likely than
other companies to develop new digital
businesses in addition to digitizing their core
business. Both activities require investments Successful companies run
in technology. However, the typical company’s on flexible, scalable software
wish list of technology investments exceeds its
foundations that let IT teams
technology budget. CEOs must therefore commit
their organizations to prioritizing high-value bring out products quickly and
investments. To reinforce this discipline, the efficiently—a valuable practice
CEO should start by asking: “How do we track for any business.
and maximize the value produced by our major
technology investments?” An effective approach
will involve not only measuring the payback from Agile working methods. Agile working methods
technology investments, but also reallocating produce good results quickly by having technology
capital frequently to promising opportunities— teams develop starter versions of new products,
another practice associated with strong economic share them with users, and make round after
performance. round of improvements that users want. CEOs
Advocacy for end users. Modern IT functions can test IT’s agility by asking, “How many projects
follow design-thinking practices, by which they has IT shut down because they weren’t providing
develop an in-depth understanding of users’ value?” If IT hasn’t shut down some projects, then
needs as the basis for new products and features. the function hasn’t truly embraced agile. That’s
Such practices should interest the CEO: McKinsey because agile practices call for ending projects
research shows that they’re correlated with strong as soon as it’s clear that they aren’t working out—
financial performance. CEOs can probe for them and for celebrating the discretion of the people
by asking, “How often do our tech teams seek involved.
1 McKinsey research shows that companies with the best-performing IT organizations are more likely to say that their CIOs are involved in
shaping overall business strategy.

Leading-edge tools. Modern IT functions create resources). Adding features is cumbersome,
software and artificial-intelligence (AI) tools that and the legacy systems cost a lot to maintain.
automate routine software development, testing, Successful companies run on flexible, scalable
and deployment tasks, thereby shortening time software foundations that let IT teams bring
to market for tech products. They gain more out products quickly and efficiently—a valuable
efficiency by shifting systems into the cloud. To practice for any business. With that practice in
assess their IT functions’ tools, CEOs can ask, mind, CEOs should insist that their companies’ IT
“How long does it take for our company to deploy foundations exhibit the following features:
new applications?” It should take only minutes, if
Modular architecture. “IT architecture”
infrastructure is being automatically configured in
describes a company’s assembly of IT systems.
the cloud.
Modern architectures consist mostly of compact,
Targeted vendor partnerships. Leading IT self-contained software components that are
functions build their expertise and capabilities linked with easy-to-configure APIs [application
in areas where they seek strategic advantages programming interfaces] and stored in the cloud.
and form outsourcing partnerships to obtain CEOs should make sure their companies have
capabilities that are nonstrategic (think versatile, innovation-friendly architectures by
“commodity” IT services) or too specialized asking, “How much custom development work
to recruit for. CEOs can investigate their IT goes into building new IT solutions?” A well-
partnership models by asking, “Which of our designed architecture lets IT teams build solutions
IT capabilities do vendors provide, and why?” by repurposing a lot of previously installed
Vendors should provide few if any strategic software and writing modest amounts of original
capabilities—and IT leaders should have a plan for code.
reducing vendors’ share of the work to administer
Enterprise-wide data and AI. Today’s analytics
or enhance those capabilities.
applications give users a detailed understanding
of business situations so they can make better
decisions. For example, think of segmenting
A future-proof technology customers into several dozen precisely defined
foundation: Flexible, scalable systems groups, rather than a few broad categories,
that speed releases of IT products and precision-marketing to these groups.
Many longstanding companies have a core of This approach works only if the company’s IT
aging enterprise-wide applications (enterprise- foundation provides decision makers with AI tools
resource-planning [ERP] systems and the like) that draw on data from across the business as
running on their own on-premises infrastructure well as from external sources. CEOs can test the
(hardware, such as servers, plus basic software penetration of data and AI capabilities by asking,

“What percentage of business decisions are we support value creation and operational efficiency.
making with help from AI?”
Developing this vision was a different effort from
Integrated cybersecurity. To streamline the company’s prior strategy-setting exercises.
cybersecurity work and make it more effective, Rather than creating a business strategy first and
modern IT functions follow two practices. They then developing a technology strategy to match,
apply lower or higher levels of protection to the leadership team planned a unified strategy
information assets based on their importance and covering business and technology priorities.
risk exposure, rather than protecting all assets
The new strategic vision helped the CEO and
equally. And they integrate security protections
the management team to recognize that the
with the software-development process, rather
company would need to transform its technology
than applying protections after development
function. The CEO and CIO turned their attention
concludes. CEOs should explore their companies’
to developing a plan for redirecting most of the
cybersecurity programs by asking, “For our
IT function’s efforts to delivering digital and
developers, is cybersecurity a hindrance?” If so, it
digitally-enabled products and services, as well
might be time to consider the practices described
as technology solutions, that would help the
above.
business to greatly lower its operating costs. As
part of the plan, the CEO and CIO chose to place
extra emphasis on change management. They
Transforming the technology understood how important it would be to reorient
function: One CEO’s approach the mind-sets of IT staff toward developing
IT products that would be intuitive to use and
The CEOs we work with agree that their
easy to adopt. Accordingly, they called for new
heightened efforts to guide the technology
investments in communication and skill building,
function have paid off, because so many of their
with a focus on agile, user-centered ways of
companies’ strategic priorities now depend on
working. To ensure that the IT function would
technology capabilities. CEOs can’t, and shouldn’t,
be well equipped to fulfill its new expectations,
take over the CIO’s job, but they can use their
the CEO and CIO also called for renewing the
unique influence to assist with the most valuable
company’s core IT systems and adding technology
aspects of a technology transformation. Setting
talent.
priorities is key: CEOs and their leadership
teams should focus the CEO’s efforts on tech-
transformation activities that the CEO is best
Elevating the CIO
positioned to lead—particularly, the organizational
changes required to promote better collaboration The CEO knew that the organization’s business
between IT and the business, and to deliver units and functions would achieve their strategic
innovative IT products. Here’s a look at how the goals only if they aligned their activities closely
newly appointed CEO of one healthcare company with those of the technology function. Tech
changed his approach to technology, in close would need to become their partner in pursuing
partnership with the CIO, to suit the organization’s innovations and seeking operational efficiencies.
strategic needs. The CEO resolved to strengthen the working
relationships between the company’s business
units and functions and the tech function, starting
Establishing a strategic role for the in the company’s uppermost ranks.
technology function The company’s previous CEO had established
The CEO knew well that technology was a leadership team consisting of the heads of
profoundly changing how his company carried out the company’s main business units, the head of
crucial activities such as drug discovery and drug human resources, and the head of supply-chain
development—and that his company’s strategic management. The new CEO added the CIO to this
direction didn’t properly reflect these trends (see leadership team and invited him to all leadership
sidebar, “A CEO’s technology education”). Working meetings. At those meetings, the CIO began
closely with the CIO and the other members of learning firsthand about the business’s aspirations
the company’s leadership team, he began by and framing how technology could support
developing a five-year vision for his company progress toward those aspirations.
that not only laid out a new strategy and business Joined by the CIO, the leadership team also
targets, but also redefined the IT function’s role became a forum for engaging the business in
in creating technology capabilities that would technology decisions and for explaining why

certain technology changes were necessary. Nevertheless, the CEO and CIO were determined
For example, after the IT department determined to try measuring the payoff from at least some
that productivity and collaboration would tech investments. In one instance, they focused
increase if the company consolidated its multiple on the technologies that would support a strategic
communication platforms, the IT leader explained goal of enabling patients to access and order
the opportunity to business leaders firsthand and the company’s products and services online. A
sought their support for pursuing it. Together, few quarters after setting that goal, executives
the leaders developed a plan for promoting the discovered that IT spending allocated to it fell
new communications platform and encouraging short of what would be needed to implement all
employees to use it. As a result, employees the business-process changes they’d outlined—
adopted the new communications platform and was much less than the planned IT spending in
more readily than they had adopted other new nonstrategic areas.
technology tools.
To accelerate improvements in key patient-
Another important change the CEO made was access processes such as tracking inventory
sharing the company’s technology plan with the and dispatching supplies, the team reallocated IT
board. He knew it was unusual for a board of investments toward changes to the patient-access
directors to sign on to a technology plan, but he platform and to underlying systems such as ERP.
also knew that the company’s technology plan They also set up key performance indicators
would have as much strategic importance as (KPIs) and objectives and key results (OKRs) to
the other plans that the board was accustomed measure how much business value resulted from
to considering. He also felt that making a investments in patient-access technologies.
commitment to the board would motivate him and
Once the team could gauge the value of tech
the leadership team to remain focused on the
features to improve patient access, they began to
technology transformation.
release additional investments only for features
that showed a positive return, rather than funding
them with an upfront, no-questions-asked budget
Rebalancing technology investments allocation. The new investment approach helped
and tracking their business value the company achieve a 28 percent increase in
Like many a CEO, the chief executive of the sales in less than a year and made the software-
healthcare company had risen as a leader partly development process more agile and patient-
because of his ability to deliver value, closely centric, leading to improved customer-satisfaction
monitoring the funds that were being disbursed scores and a 30-percent reduction in time to
and the cost savings and revenues associated with market.
those investments. He knew that the company’s
stepped-up technology program would pay off
only if leaders applied the same discipline to Building a world-class tech workforce
tracking its value. The CEO asked his CIO for help As the CEO, the CIO, and the leadership team
devising a system to link technology investments realigned the tech function with the company’s
to business value—both the value from selling other functions and raised its strategic
new tech-enabled products and services, and importance, the CEO realized that IT would need
the operational efficiencies from embedding a new resource model as well—a resource model
technologies into business processes. more like that of other functions, which recruited
Tracking investments in IT and the resulting and trained employees to support the business’s
returns proved to be more difficult than the CEO strategically significant capabilities. Traditionally,
expected. The costs of running core systems and the IT function had relied on external vendors to
developing new applications weren’t consistently perform software-development projects. IT staff
divided among business functions. That made largely oversaw those vendors and managed
it hard to determine which functions were the vendor-created technologies after they’d been
heaviest consumers of IT services and whether implemented. And the caliber of its in-house tech
investments were properly divided between talent wasn’t as high as it was for other functions.
technologies to sell and technologies to streamline The CEO made it one of his priorities to
operations. And when the IT function created new strengthen the tech function’s resource model
applications or features, business functions didn’t by assembling an in-house cohort of skilled
always record the revenues or cost savings that technology workers. He called for hiring dozens
resulted from their use. of proven engineers and experts in technology

disciplines, such as design and user-interface innovation, and reduced the costs of hiring,
(UI) and user-experience (UX) development, that onboarding, and training.
the company formerly obtained from vendors. He
The potential for technology to deliver winning
also approved investments in training and on-the-
business capabilities and change a company’s
job apprenticeships. Finally, the CEO saw to the
fortunes is simply too great for CEOs not to lead
creation of incentives that reflected the value of
technology’s integration with the wider business.
tech workers, along with career paths that would
CEOs who actively influence and shape their
supply them with interesting business problems to
companies’ technology functions can position
work on.
their companies for greater success in an economy
Today, the company’s IT workforce has a better where digital savvy is at a premium.
appreciation of the company’s strategic needs
and a stronger association with colleagues in other
business units and functions than vendors ever
About the author(s)
did. Continuity in staffing has been a major factor: Klemens Hjartar is a senior partner in McKinsey’s
tech specialists spend longer periods working with Copenhagen office; Krish Krishnakanthan is
the same business peers than vendor-provided a senior partner in the Stamford office; Pablo
staff, who were frequently reassigned to other Prieto-Muñoz is an associate partner in the New
accounts. Overall, improvements to the company’s York office, where Gayatri Shenai is a partner; and
tech workforce have increased collaboration Steve Van Kuiken is a senior partner in the
between the business and IT, supercharged New Jersey office.

The CIO challenge: modern
business needs a new kind of leader
By Anusha Dhasarathy, Isha Gill, and Naufal Khan
As technology becomes increasingly important, an organization’s

success depends on whether the CIO can move from being a
functional to a strategic business leader.

There’s no worse time than now to be an average 2. Reinvent technology delivery. IT needs to
CIO.” These words, uttered by an executive at a change how it functions by embracing agile;
recent conference, neatly capture the intense improving IT services with next-generation
pressure on CIOs. For years, executives have capabilities such as end-to-end automation,
stressed the need for CIOs to move beyond
platform as a service, and cloud; building
simply managing IT to leveraging technology to
create value for the business. This priority is now small teams around top engineers; and
a requirement. New technologies have been at developing flexible tech partnerships.
the center of trends—from mobile-first consumer
3. Future-proof the foundation. To keep pace
shopping preferences to the promise of artificial
intelligence in critical decision making—that with rapid technological advancements,
have reshaped the competitive landscape and organizations need to implement a flexible
disrupted business models. For this reason, architecture supported by modular platforms,
companies need to be tech forward: technology enable data ubiquity, and protect systems
needs to drive the business. through advanced cybersecurity.
Despite this pressing need, of the organizations
that have pursued digitization, 79 percent of them
are still in the early stages of their technology
transformation, according to McKinsey’s 2018 IT
Five traits of a transformative
strategy survey. Legitimate factors are delaying CIO
progress, from the scale of the change to the
mind-boggling complexity of legacy systems. We For IT to become a driver of value, the
believe, however, that one of the biggest issues is transformative CIO also needs a new set of skills
that many CIOs have not accepted the degree to and capabilities that embody a more expansive
which their role needs to expand beyond cost and role. In working on tech transformations with
performance responsibilities in order to transform hundreds of CIOs, we have identified five CIO traits
IT into a core driver of business value. that we believe are markers of success.
Three vectors of a holistic 1. Business leader

transformation To help technology generate business value, the
Before understanding the responsibilities of the transformative CIO has to understand business
new CIO, it’s important to understand the nature strategy. Findings from our 2018 IT strategy survey
of tech transformations themselves. In most reveal that companies with top IT organizations
cases we’ve observed, tech transformations are much more likely than others to have the CIO
are implemented as a set of disjointed initiatives very involved with shaping the business strategy
across IT. That leads promising developments and agenda, and strong performance on core IT
to stall out or underdeliver. We have found that tasks enables faster progress against a company’s
a tech transformation must be holistic to deliver digital goals. CIOs who can make this leap tend to
full business value. Creating powerful customer take the following actions.
experiences, for example, requires a data
Learn the business inside and out
architecture to track and make sense of customer
The scope of an IT transformation means that CIOs
behavior. Architecting modular platforms needs
must be prepared to interact with the business
revamped approaches to hiring in order to get top-
in different ways. We have found, for example,
flight engineers.
that the best CIOs go far beyond meeting with
This reality requires a CIO to first come to terms the C-suite or attending strategy meetings.
with the scope of the transformation itself. In our They invest time with functional and business-
experience, it’s been helpful to think about it along unit leaders and managers to gain an in-depth
three vectors: understanding of business realities on the ground
1. Reimagine the role of technology in and go out of their way to develop a nuanced
the organization. This vector includes and detailed understanding of customer issues.
establishing the role of technology as a CIOs do this by continually reviewing customer-
business and innovation partner to design a satisfaction reports, regularly monitoring
tech-forward business strategy (for example, customer-care calls, and participating in user
tech-enabled products and business forums to hear direct feedback.
models), integrate tech management across As one large financial institution set out to build
organizational silos, and deliver excellent user its digital products, the business and technology
experiences. teams jointly led user listening and feedback

panels early and often throughout the strategy discussion and process throughout the
development process. Both technology and organization. Driving a transformation around the
business leaders made it a priority to attend these three vectors we laid out earlier (reimagining the
panel discussions so that they could effectively role of technology, reinventing technology delivery,
guide their teams on developing products that and future-proofing the foundation) starts with a
would best address the needs of end customers. CIO mind-set that both acknowledges the need for
The CIO of a B2B technology-services company, transformative change and commits to a multiyear
meanwhile, meets customers on a regular basis to journey.
get firsthand feedback on both products and the
Partner with business leaders
customer’s experience of doing business with the
company. He uses these perspectives to inform his Generating support for a transformation among
technology decisions. business leaders across the organization requires
creating true partnering relationships with them
Take responsibility for initiatives that generate based on common goals, mutual responsibility,
revenue and accountability. According to a McKinsey
CIOs can further develop business acumen by survey on business technology, in fact, the
taking responsibility for initiatives that generate companies in which IT plays a partner role in digital
business impact, such as building an e-commerce initiatives are further along in both implementation
business, or by working with a business-unit and achieving business impact.
leader to launch a digital product and then
To kick-start the transformation journey, the
measure success by business-impact key
CIO of a transportation-and-logistics company
performance indicators (KPIs), not technology
made it her first priority to meet with every single
KPIs. Such efforts allow CIOs to build a deep
business leader to understand their goals and
understanding of the business implications of
issues and to set expectations on how they could
technology, such as customer abandonment
best work together, by clarifying, for example,
because of slow download times on a site or other
what the business side could expect to get from
poor user experiences.
IT in a consultant role versus IT as a service
As part of a digital transformation, for instance, provider or partner. This effort to understand what
the CIO at a large financial institution committed mattered to each leader established trust, and
to developing digital products to help the business from each of these discussions it became clear
scale its presence in a new market. While the that the business wanted a true partnership with
CIO already understood how to build systems to technology and understood what it meant. The CIO
support financial products, he and his team had further built on the relationship with the business
limited experience in creating new digital products by prioritizing initiatives in the tech transformation
to sell directly to consumers. So the team created that addressed business needs and working
a program built on rapid test-and-learn cycles to closely with business leaders to drive progress.
identify what mattered to customers and meet This active collaboration ensured that the products
those needs. Subordinating tech decisions to and services IT developed were adopted.
customer needs was crucial in allowing the CIO
Articulate the ‘why’
and his team to develop a digital offering that
succeeded where it mattered: with consumers. Gaining support for a transformation requires that
stakeholders understand that true change will
Get on boards come only from tackling all three transformation
Developing a deeper well of business knowledge vectors in a strategic, interlinked manner. That
often requires CIOs to extend their networks means not just explaining how this three-pronged
beyond the organization. One of the best ways to approach is better for IT but also clarifying
do that is by joining the board of another company. how it drives business goals and how it can be
A third of the boards of companies within the implemented. When considering a shift to cloud,
Fortune 500 today include a former CIO or CTO, for example, executives tend to understand it
and that number continues to increase.[1] first as a cost-saving opportunity. But in helping
executives understand the full range of cloud
benefits—improved speed to market, better
2. Change agent developer productivity, and improved resiliency
and disaster recovery—CIOs can help them see
A full technology transformation is not about
how the cloud can unlock new revenue models and
moving to the cloud or embracing new IT solutions.
services tied to business priorities.
It also involves infusing technology into every
1 “The digital CIO has arrived,” MIT Sloan CIO Symposium, 2016.

Have an integrated plan that highlights risks Reimagine how to attract tech stars
and dependencies beyond IT Companies can reap tremendous benefits
Large IT initiatives have always required detailed from outsourcing. In the oil and gas industry,
planning, but business-oriented CIOs ensure that for example, the outsourcing of application
transformation plans account for dependencies development grew 50 percent between 2014 and
outside of IT, such as marketing campaigns or legal 2018. But that needs to change, especially around
implications. They approach planning as a dynamic the most crucial capabilities. CIOs who want to
process rather than something static, which allows reinvent tech’s role need tech stars, particularly
transformation teams to better remove roadblocks the best engineers. By hiring the best tech people,
and to allocate people and spend when and we’ve seen companies reduce their technology
where they are needed. To actively manage this costs by as much as 30 percent while maintaining
process, such CIOs also put in place a “war room,” or improving their productivity.[2] CIOs need to
a dedicated team that ensures transformation move quickly. In just 18 months, one CIO at a
initiatives are delivering value by actively tracking transportation-and-logistics company radically
progress and helping to break through root-cause reshaped its talent profile. All the direct reports
issues. and approximately 50 percent of tech employees
were new, and 80 percent had transitioned to
This was the approach taken in a large global
different roles.
retailer’s digital and technology transformation.
The CIO set up a transformation war-room team The head of technology and analytics at a large
that worked jointly from the beginning with leaders retail organization set up a talent war room to
outside the IT function, including marketing, hire data scientists and engineers. As part of this
operations, sales, and e-commerce. Together, they effort, the war-room team revamped recruitment
created detailed work plans. This detailed early and onboarding processes by using different
planning revealed which systems needed to be talent sources, such as HackerRank and General
upgraded and when. The war-room team actively Assembly, and by updating candidate screenings
tracked progress and quickly escalated issues and interviews with appropriate assessments
for speedy resolution. The results were clear: a of technical and other skills, such as coding
fivefold jump in digital sales, and project delivery and collaboration. In addition, they led weekly
four times faster than projects of similar scope had check-ins to track the talent funnel and adjust the
previously taken. process as needed.
Build up internal talent
Getting good people doesn’t matter if you can’t
3. Talent scout keep them. Top CIOs, therefore, develop diverse
Nearly half of respondents to McKinsey’s 2018 career paths so that top talent can advance in their
IT strategy survey cite skill gaps on traditional own areas of strength—for example, by letting
teams as the top obstacle to a successful digital a top-notch software engineer advance while
transformation. So CIOs need to focus not just on continuing to code design software rather than
recruiting top people but also on retaining them. forcing her to manage others in order to succeed.
Two solutions have proven effective.
2 Klemens Hjartar, Peter Jacobs, Eric Lamarre, and Lars Vinter, “It’s time to reset the IT talent model: Foster an engineering culture of
smaller teams of better engineers to maximize productivity,” forthcoming in Sloan Management Review.

Retraining the existing tech workforce also needs efforts—hackathons, “dev days,” tech spotlights,
to be an important element of this platform. The brown-bag lunches—where product managers,
CIO of a large consumer company made digital developers, data engineers, and architects
and analytics upskilling one of the company’s key could meet on a weekly basis to share details
strategic priorities, launching an enterprise-wide about their projects and bring up ideas or issues
program, in tandem with HR’s learning team. The for discussion. The CIO attended and actively
program invested in an online learning portal to participated.
create personalized online learning experiences
Model and support true collaboration
based on an employee’s goals and learning needs.
These were supplemented by other programs, Promoting collaboration across technology teams
including in-person training, top management and between the business and technology is one
immersion sessions, and the cultivation of an of the most crucial prerequisites for a successful
in-house expert network that people could tap on transformation. Top-quartile IT organizations are
specific topics. more likely to have an integrated or fully digital
operating model, according to McKinsey’s 2018 IT
strategy survey.
4. Culture revolutionary In practice, CIOs can enable collaboration if they’re

willing to relinquish some control. One CIO at a
An effective talent strategy requires a culture that
financial-services firm realized that for his people
supports talent.
to increase their impact, they had to be more
Build a true engineering community closely tied to business teams. So he embedded
Pay matters, of course, but top people want to go them into cross-functional teams aligned around
where they’re valued. One way to create that kind specific products, relying on informal networks
of environment is to provide engineers with more of guilds and chapters to provide guidance and
autonomy by reducing the number of managers light oversight. The most effective CIOs ensure
and often-bureaucratic processes, such as this level of collaboration is the norm within IT
time-consuming reports and multiple rounds of itself as well. This is particularly important around
approval. cybersecurity. IT can radically reduce cycle times
and maintain effective security by incorporating
Creating ways for cohorts of similar skill sets to
security early into development and working
get together can be a powerful way to share best
closely with the cybersecurity team on an
practices and foster a sense of community. The
ongoing basis.
CIO of a software company established various
community-building and knowledge-sharing

5. Tech translator The CIO and his leadership team were involved
from the very beginning in determining the data
In the past, IT transformations have often proven and analytics capabilities needed to fulfill the
expensive, time consuming, and short on value, company’s business strategy. They performed
and this has made some companies leery of deep-dive technical assessments, system and
undertaking them again. To address this issue data-platform compatibility reviews, and tests
and build trust, the best CIOs play an active role of vendor capabilities. The CIO ran a pilot with
in educating leaders about technologies and their a business unit and operations team for three
applications for the business. months to determine whether the final vendor
Make the business implications of tech could deliver on its capabilities. At the end of
decisions clear the process, the business was able to make an
Many tech decisions don’t get sufficient business informed decision.
scrutiny beyond cost and high-level strategy These skills are the tools that enable a CIO’s
discussions. Transformative CIOs don’t settle for ability to transform IT. And in an increasingly tech-
that kind of interaction, articulating instead how a driven business landscape, they position CIOs as
proposed solution solves the underlying business legitimate contenders to lead businesses as well.
problem, what alternative approaches exist, and
the pros and cons of each. The CEO of a B2B
technology-services company found this level About the author(s)
of insight so important that he asked the CIO to Anusha Dhasarathy is a partner in McKinsey’s
present periodically to the board on technology- Chicago office, where Isha Gill is an associate
led business models. partner and Naufal Khan is a senior partner.
This role was particularly important when a retail
giant was looking to acquire an analytics company.

The platform play: how to operate
like a Tech company
By Oliver Bossert, and Driek Desmet
For tech to be a real driver of innovation and growth, IT needs

to reorganize itself around flexible and independent platforms.

The question is not how fast tech companies which consisted of more than 60 applications
will become car companies, but how fast we that previously had been managed independently
will become a tech company.” This is how the from each other. The top team decided to bring
board member of a global car company recently the 300-plus IT people working on development
articulated the central issue facing most and maintenance of payments together with
incumbents today: how to operate and innovate the corresponding people on the business side.
like a tech company. Under joint business/IT leadership, this entity was
empowered to move quickly on priority business
The tech giants of today have been some of the
initiatives, to modernize the IT structure, and to
most innovative companies in the past generation.
allocate the resources to make that happen.
A handful of industry leaders, such as Ping An and
BMW, are fast joining their ranks by reinventing The team shifted its working model and started
their core business around data and digital. running the payments platform as an internal
What distinguishes these tech companies is that business that served all the different parts of
their technology allows them to move faster, the bank (think payments as a service). This
more flexibly, and at greater scale than their approach made it clear where to focus specific
competitors. IT is not a cumbersome estate “that tech interventions: removal of nonstrategic IT
gets in the way,” but an enabler and driver of applications; modernization and accelerated
continuous innovation and adaptation. shift of the target applications into the cloud;
connectivity to enable swapping solutions in or
The reason this is a competitive advantage for
out easily; and, most important, a major step-up
tech companies is because their IT is organized
in feature/solution development for the internal
around a set of modular “platforms,” run by
business clients. This platform-based way of
accountable platform (or product) teams. Each
running the business was then progressively rolled
platform consists of a logical cluster of activities
out across the group. Prioritization is set by the
and associated technology that delivers on a
top team (because empowerment does not mean
specific business goal and can therefore be run
anarchy), and all IT interventions are run the same
as a business, or “as a service,” as technologists
way, to ensure consistency and replicability.
say. These platforms are each managed
individually, can be swapped in and out, and, when This is in stark contrast to the way large
“assembled,” form the backbone of a company’s organizations normally act. Just establishing a
technology capability. Just as important is that business unit to manage a new offering or running
the business and tech sides of the company work a typical large IT project generally becomes a
closely together and have the decision-making multiyear endeavor.
authority to move quickly.
This modular, platform-based IT setup of tech
companies is what enables them to accelerate A closer look at the platform-
and innovate. They can experiment, fail, learn, and based company
scale quickly: they can get products to market
Think of a platform not just as technology but as a
100 times faster than their more lumbering peers
service, or what Silicon Valley calls a “product.”
(think weeks instead of months). With this kind of
speed and flexibility, IT can and should become a Platforms focus on business solutions to serve
focus for innovation and growth at the executive clients (internal or external) and to supply other
committee and board level. With new technologies platforms. They operate as independent entities
and ways of working coming online, tech should be that bring together business, technology,
a competitive advantage, not a burden as it is in far governance, processes, and people management
too many companies today. and are empowered to move quickly. They are
run by a platform owner, who takes end-to-
end responsibility for providing the solution
What a platform-based and operating it like a service. Platform teams
are cross-functional, with business, IT, and
company looks like in practice anything else that is needed, such as analytics,
One of the global leading banks created about risk management, and so on. (Some companies
30 platforms. One such platform was payments, call this a “tribe.”) They work in an agile manner,

delivering the solution itself, enabling continuous business-led innovation, and developing and running
all necessary IT.
A platform-based company will have 20 to 40 platforms, each big enough to provide an important and
discrete service but small enough to be manageable. To simplify platform management, it helps to group
them into three broad areas: customer journeys, business capabilities, and core IT capabilities (Exhibit 1).
Exhibit 1
Platforms are grouped into three broad areas
Customer
Mission Customer-journey platforms (“journeys as a service”) proposition and
control experience platforms
built on reusable
Provides code (internal and
oversight, external)
coordi-nates,
allocates
resources,
sets
standards Business-solution
Business-capability platforms (“company as a service”) platforms, designed
to be modular and
run as a business
(internal and
external)
Core IT provisioning,
Core IT platforms (“IT for IT”) e.g., cloud, data,
automation (internal
and external)
For example, in personal banking, the customer-journey platforms cover the customer experiences
of searching, opening an account, getting a mortgage, and so on. The business-capability platforms
deliver the banking solutions, such as payments and credit analytics, and the support capabilities,
such as employee-pension management, visual dashboarding, and management information systems
(MIS). Finally, the core IT platforms provide the shared technology on which the journeys and business
capabilities run, such as the cloud platform, the data analytics environment, and the set of IT connectivity
solutions (Exhibit 2).

Exhibit 2
Retail and banking examples show the services offered on each platform
Retail example Banking example
Customer — In-store browsing and shopping for weekend — Searching

journey — Clicking and collecting — Account opening
examples
— Same-day home delivery — Transacting
— Subscribing — Buying house (from valuing house
to getting mortgage)
— ...
— ...
Business- “Retailer as a service” “Banking as a service”

capability — Store-and warehouse-inventory management — Payments
platforms
— Merchandising — Real estate valuation
(to enable
journeys) — ... — Credit underwriting
— ...
— Employee-pension management — Employee-pension management

— ... — ...
Core IT — In-store live video data-management platform — Omnichannel IT platform-development

platforms environment
— ...
— ...
— In-store face recognition — In-branch face recognition

— Cloud platform — Cloud platform
— Access and identify management — Access and identity management
— ... — ...
24 Reimagine the role of technology to be a business and innovation partner y

Mission Control to manage 3. Manage and coordinate programs that
cut across platforms. This function is
across platforms more critical than previously understood,
Platforms are distinct units, but their value is because working in a more agile and iterative
based on how effectively they work together. Most way means that many requirements and
companies overlook the criticality of making all IT dependencies, such as data access for
components work together seamlessly because a given business platform, for example,
their attention is focused on individual projects. become clear only as work progresses. This
While most organizations understand the need reality is the blind spot of program managers
to coordinate, the best ones develop a Mission and systems integrators because they
Control capability with the resources and authority understandably focus only on their own tightly
to lead and manage across platforms in three defined mandate and project. Mission Control
ways: acts as the design authority and oversight
team to drive consistency and critical path
delivery. Our research shows that not doing
1. Make strategic and allocation decisions. this severely slows down IT programs and
The best Mission Control teams take a “clean wastes 30 to 40 percent of IT project spend.
sheet” approach to allocation decisions
every year, prioritizing spend and effort
on those platforms that can best support How to take a platform
business goals and/or are in most urgent
technical need. This means much more radical approach
reallocations in budgeting and resourcing Becoming a platform-based company goes
across platforms (and business units) than the a step further than what most think of as
typical 5 to 10 percent increase or decrease traditionally transforming IT. It is a fundamental
that dominates allocation decisions at many organizational and operational change to create an
companies. Mission Control needs to work IT environment that runs as a set of platforms. As
directly with the executive committee to with any major transformation, it requires strong
secure resources and make these difficult CEO leadership, quality teams, strong project
trade-offs, while diving deep enough into management and communication, as well as value
the IT to manage critical path dependencies assurance. We’ve found that the following four
(cloud migration may require application actions have an outsize importance to successful
rationalization first). In one case, the executive completion of the shift to platform-based IT:
committee reduced the IT budget for one
business unit by a third to prioritize platforms
1. 1. Assess the fitness of the platform
in the other two business units, based on
the understanding that the following year’s portfolio. Business and IT should together
allocation would be a clean sheet again. quickly cluster the company’s activities and
associated IT into a set of 20 to 40 platforms
that cover customer journeys, business
2. Set and enforce standards for speed and capabilities, and core IT. This does not have
interoperability. The team establishes to be definitive, just a useful starting point.
business standards, such as how teams Then conduct a fitness check on each
work together in an agile way. It also sets platform: “fit” platforms are in good shape
technology standards, such as platform and only need investment to innovate and
and application interfaces for seamless capture more value; “healthy” platforms work
connectivity, the way code is written now but need modernization to prepare for
and logged in service libraries to ensure future requirements; and “sick” platforms
easy access, and what IT tools should be are no match for what competitors can do.
used for agile team management. Clear They need a complete overhaul. DBS, one
standards empower teams because they no of Asia’s leading banking groups, used a
longer have to worry about redoing work, similar approach and communicated the
miscommunication, or wasted effort in assessment to the whole market at the end
creating applications that won’t work well of 2017. Visualizing the fitness of all platforms
with other applications. Mission Control has is powerful because it enables an executive
the authority to enforce the use of standards team to have the right debate on tough trade-
by, for example, not releasing any budget for offs and priorities and to then assertively
project elements that deviate from them. reallocate resources (Exhibit 3).

Exhibit 3
Companies need to perform a fitness assessment of their platforms
Fit: invest Healthy: modernize Sick: renew/replace
Fitness (from) Target 3 years out (to)
1 1
Customer-
journey
platforms
2
Business-
capability 3
platforms 4
4
5
Core IT
platforms
1 2 3 4 5
Journeys New Journeys New business- Works still under Major shift to core
re-architected added capability platforms way in some; some IT provisioning
for versality added removed platforms and third-
party platforms

2. Set up the initial platform teams and • Technical members, who manage all
Mission Control. A successful transformation the IT applications associated with the
is about putting the right people in place at platform and take full responsibility for
this stage. Establish teams for two to three modernization, renewal, ongoing feature
priority platforms. Typically, a platform team development, and day-to-day operations
will start with 20 to 30 people, which can
• People with necessary functional skills,
then quickly ramp up to hundreds. It includes
from analytics to finance. In parallel,
specific roles:
start building out Mission Control with
• Platform leader—either a business eight to ten of your very best finance, IT
or IT executive, or sometimes both as architecture, and program-management
coleaders; a platform leader should be people. They need to constitute the most
able to act like a real “product owner,” a influential team working directly with the
mini-business CEO with an IT engineering CIO, sometimes even reporting directly to
mind the CEO. Mission Control needs to have
decision rights (or at least veto rights)
• Business members, who share
on all IT spend and all platform budget
responsibility with the technical team
requests.
for all the design and the ongoing
management as a business

3. Transform platform by platform. analytics and data platforms (or starting
The transformation approach should to build them).
progress platform by platform, focusing
• Writing (or rewriting) code as self-
on top priorities. Platform teams take full
contained blocks or modules that can
responsibility for their work. They move
be easily swapped out and replaced
quickly, using agile to carry out fast iterations
wherever possible. Extensive use of
of discrete pieces of work. With guidance
APIs can help to provide the necessary
from Mission Control and following prescribed
flexibility to existing code.
standards, they are spared traditional
alignment meetings, formal approvals, and
other dependencies that slow everything 4. Manage through the executive committee.
down and create unnecessary complexity. While Mission Control plans and tackles
Platform teams generally focus on a few core the platform transformations day to day,
activities: allocating resources (the best people and the
total IT budget) away from less productive
• Converting platform capabilities to
platforms to those that are more productive
serve customers and other platforms.
and critical, the executive committee enforces
Affecting this shift requires a complete
the big decisions, sets a high business bar
focus on the user experience through
for transformation goals, and mediates all
design thinking and digitization/
group-level issues. For example, during
automation, and on interoperability by
the transition, Mission Control may decide
putting in place application programming
to deprioritize a platform but be overruled
interfaces (APIs) based on established
by management on the business side. This
standards and by creating service
is when the executive committee needs to
catalogs.
intervene.
• Evaluating and managing existing and
Becoming a platform-based company is ultimately
necessary applications. This means
a question of mind-set. It requires both the
decommissioning old and infrequently
determination to stay the course and the flexibility
used applications; updating, renewing, or
to change and adjust based on what platform
replacing core applications; and building
teams learn. By committing to this approach,
value-added features outside of old
IT can stop slowing down change and start
applications. This is often where most
accelerating it.
of the work is needed. In conjunction
with this effort is an acceleration into the
public/private cloud. About the author(s)
• Injecting data analytics into all Oliver Bossert is a senior knowledge expert in
possible activities of the platform. This McKinsey’s Frankfurt office, and Driek Desmet is
means piloting and scaling use cases a director emeritus in the London office.
and explicitly accessing the company’s

How mid-cap banks can solve the
conundrum of scale in Technology
By Vishal Dalal, Paul Hyde, Tolga Oguz, and Vik Sohoni
Almost everyone agrees that scale is the name of the game in

banking technology. If that’s true, is there a way for smaller banks
to compete?

Scale in tech spending is projected by many to across all size categories. The cost of technology
become a major differentiator in US banking over will continue to fall, potentially becoming more
the next decade. But thus far investors have not accessible. Many segments are more sensitive to
unequivocally signaled their agreement with this relationship than to technology (e.g., commercial
notion. So, smaller banks face a conundrum about lending, advisory wealth management, or new
when and how much to invest in building their mortgages originated via realtors). Even in
own technology. If they outsource, they will be treasury management, which is often highly
relying heavily on vendors who by definition will tech-enabled, relationships are a crucial part of
not offer differentiating solutions—which defeats the sales approach. And there is more evidence
the original purpose. M&A is another option, but against the primacy of scale: many smaller fintechs
getting to a perceived threshold size may be out are growing rapidly, demonstrating that success
of reach for many small banks, and mergers alone in certain verticals is not scale dependent (e.g.,
cannot cover for poor technology, and may even unsecured or point-of-sale lending). Finally,
create more tech issues. some Wall Street analysts complain that returns
on digital investment have been low and opaque
Given this challenge, mid-cap banks need to make
(while risks have been high).
strategic choices about where and how to play,
and use new talent, operating models, and tools to So, thus far, many smaller banks are not being
overcome their lack of scale in technology. This is penalized by the stock market or by customers,
no easy task, but many Asian banks, and some US creating a real conundrum around when and how
and UK fintechs, are showing that it is possible. It much to invest.
will take urgent action for US mid-caps to follow
But anxiety is growing in the mid-cap space,
these examples, however.
along with a sense that scale could make a real
For US mid-cap banks ($10 billion to $100 billion in difference to smaller institutions in at least three
assets, or $500 million to $5 billion in revenue), the areas.
new age of banking technology is a clear strategic
First, retail deposits could become a key
threat. Like larger banks, mid-caps spend 6 to 8
battleground. While generally among the more
percent of revenue on technology. But given their
“sticky” banking businesses—US banking
size, that’s at most a few hundreds of millions of
consumers keep a vast majority of deposits
dollars, compared to billions for the larger banks.
at far lower rates than they might receive by
Meanwhile, the scale of tech spending is being
switching—the “glue” that keeps customers
widely commented on as a future differentiator.
loyal to their deposit bank shows early signs of
This is creating a sense that outsized investment
weakening. For examples: more than half of US
will confer unassailable competitive advantage
deposit consumers now use their mobile phones
and market value gains, and leave behind banks
to access their deposit accounts at least every
that do not or cannot invest at comparable scale.
three months; experience-based attackers like
Already, for some mid-cap banks, entire areas BankMobile and Chime have reportedly gathered
of banking—such as consumer payments (e.g., millions of customers; and transactions and traffic
credit cards, peer to peer, instant pay), mortgage in branches are dropping at 5 to 10 percent per
origination and servicing, and online deposit year, in line with broader retail trends in the US.
gathering—are becoming inaccessible. The For small banks that rely heavily on retail deposits
advanced capabilities that power these services to fund commercial lending activity, a movement
(e.g., the latest mobile-first capabilities, cloud- by customers toward more digitally sophisticated
based services, or cutting-edge marketing players could be a major disruption they will
analytics tools) are beyond their reach. As a struggle to counter.
result, these banks are increasingly reliant on
The second area where scale could begin to create
commoditized vendors (often of variable quality)
real separation between banks is the broader
or are late joiners to industry consortiums like
payments space, which is witnessing tremendous
Zelle. And as the best engineers, analysts, and
technology-enabled change (e.g., peer-to-peer
product owners are being recruited by larger
payments, faster payments, merchant acquiring
institutions that can offer rich career paths,
for mobile players, point-of-sale terminal
exciting technology, and high salaries, mid-cap
sophistication). It is true that smaller banks
banks struggle to build the talent bench that might
do not really play a big role in this space; but if
prevent a strategic spiral downward.
payments are used to disintermediate the deposit
The wrinkle, however, is that the market has not relationship (or even treasury management
yet actually signaled unequivocally that bigger is relationships), it could lead to serious disruption.
better. For example, many mergers over the past
Third, across the board, the use of data and
decade have not moved returns to shareholders
analytics is a key battleground, though its reliance
significantly. Pure financial performance has
on pure technology is lower than some might
not demonstrated bigger is better—21 of the top
expect. Still, the skills to host and analyze the
25 highest price-to-book value US banks were
massive amounts of data created by consumers
mid-caps as of June 2019. Between 2013 and
interacting digitally in every aspect of their
2018, mid-caps had the highest return on assets
lives are aggregating to the largest financial
and revenue growth, and the best efficiency ratio

institutions. As well, the largest technology on”—maintenance-level work. Or while the CEO
companies are demonstrating they prefer to wants to build analytics and digital marketing and
partner with large financial institutions for cloud skills, most of the projects involve coding
products that plug into their ecosystem. languages from the 1980s or commoditized skills.
Or while the CIO wants to build a talent bench
for the future, the most sophisticated work is
What should mid-cap banks do? outsourced, and the bank’s employees focus on
We suggest there are four interrelated moves that commoditized work.
mid-caps can make to lessen the increasingly
Clarifying the business strategy and ensuring the
disruptive impact of scale:
IT project portfolio and workforce reflects this
1. Clarify what is truly strategically important prioritization is an indispensable first step.
and focus investments on those areas only.
Use this clarity to build a compelling vision for
new talent. 2. Modernizing the delivery
2. Modernize the “delivery infrastructure” in a infrastructure in a targeted way
targeted way; for example, by leveraging new Mid-cap banks’ IT groups often focus their
cloud- based cores for select parts of the development work on customizing vendor
business that will need to move rapidly, and platforms (creating more maintenance work
by building other modern tools to enable rapid for themselves over time). With what capacity
speed to market. they have left, they build new features that try to
3. Dramatically upgrade the technology group’s catch up with what larger banks can achieve by
talent and skills, practices, and counseling deploying their large workforces. And typically,
ability, with the aim of reducing costs by as mid-caps don’t leverage their smaller size to
much as 30 percent. become more nimble—their IT projects move no
faster than those at more complex institutions.
4. Build an operating model that is far more
technology enabled and collaborative. In technology as in nature, being large and fast is
best . . . large and slow can work . . . small and slow
is a pathway to extinction. To be competitive, mid-
1. Clarify what is truly strategically cap banks need to be nimble. But even the best
important intentions cannot overcome Jurassic tools and
infrastructure. Legacy core banking systems slow
Some bank CEOs have asked their teams a very
down time to market for new products, the lack
powerful question: “Does our IT project portfolio
of microservices and APIs, the missing DevOps
reflect the focus of our strategy?” The answer is
tools, the reliance on non-cloud-enabled data and
quite consistently “no.” IT project portfolios can be
analytical packages, and the lack of “agile-scrum”
visualized by duration, strategic business focus,
ways of working—all conspire to hamstring efforts
impact, budget commitment, and resourcing/
to be nimble. And all need to be modernized.
skill level. These visualizations often show that
while mid-cap banks may say that “commercial The technology is now available to help scale-
lending and retail deposits are where we make constrained mid-cap banks to compete. For
money,” their IT projects are geared toward retail example, our analysis suggests that new (albeit
lending and payments; that while the CEO wants to less proven) cloud-based core banking systems
focus on high-impact strategic work, the projects could lead to significant improvements in
are actually geared toward “keeping the lights efficiency over legacy core systems (Exhibit 1).

Exhibit 1
Next-gen cloud-based core banking systems could lead to significant

improvements in efficiency over legacy core systems
FTE days
Time to deliver functionality Time to deliver functionality on

on typical legacy core system typical next-gen core system
Simple functionality 40-100 0-10

(e.g, address change
from mobile app)
Medium complexity 50-150 0-10

functionality
(add family member as
a joint account instantly
from any device)
Complex functionality 200-400+ 10-30

(suspend a card and receive new
card instantly on mobile wallet)
32 Reimagine the role of technology to be a business and innovation partner y

However, given budget constraints as well as 3. Dramatically upgrade the
safety concerns (legacy systems are often very
technology group’s talent, practices,
stable), mid-cap banks need to be careful about
what parts of their delivery infrastructure they and counseling ability
modernize, and how they do it. There have been Moves 2 and 3 are interdependent. It is impossible
several cautionary tales globally of banks investing to upgrade a delivery infrastructure without the
hundreds of millions of dollars in the move to right engineers and tech leaders to manage that
new core systems, and the resulting customer modernization. But those engineers are unlikely
disruption. Smarter ways of leveraging new cores to join the bank unless there is a compelling value
are emerging that may bring down costs and risks proposition and development environment to
significantly, and the first proofs of concept are attract them.
now underway in Europe and the US. In a similar
Breaking this chicken-and-egg cycle requires
way, new approaches in other parts of the delivery
small but meaningful steps. Some banks are
chain (e.g., web services in the existing core to
setting up new business capabilities (e.g., digital
speed up predictable and frequently demanded
deposit attacker, new treasury management
services; automated testing) can make the
lab) using new technologies, in cities with talent
development environment far faster.
bases, to attract talent to the bank and build a
sophisticated and more modern culture. They

are rotating current employees with potential What success could look like
into these new groups to build the expertise. In
At least one Asian bank built on a digital-native
parallel, they are leveraging the deep expertise
stack has a technology cost per customer of
and knowledge of current employees to modernize
$1 compared to the average of $30 to $50
legacy systems as well.
for US banks. On its own, this efficiency is not
Other banks are experimenting with the new game-changing, as total IT expense is only 6 to
technologies while modernizing their legacy 8 percent on average of a bank’s revenue. But
systems. Importantly, experiments all have ROI the capabilities it confers can be disruptive in
targets attached to them. capturing market share; for example, by facilitating
value-creating M&A by enabling rapid onboarding
Finally, nearly all the banks we have seen embark
of new customers (one Asian player that owns a
on this journey are setting an aspirational
payments company was able to onboard 25 million
technology vision, articulating how it will support
customers in one quarter, a population the size of
their strategy, and developing a fit-for-purpose
Texas’); or by increasing flexibility and innovation.
employee strategy.
For example, a digital bank in the UK can provide
And most importantly, they are breaking down the a replacement debit card in 45 seconds directly
walls between business and technology, and the to a customer’s mobile app—exactly the kind of
C-suite is role-modeling the change in mindsets “delightful” moment that will foster loyalty and
and behaviors. generate share gains in a competitive market. It is
not overstating the case to say that for some mid-
cap banks, offering these kinds of experiences to
4. Build a new operating model with retail deposit or treasury management customers
the business could mean the difference between extinction and
According to our analysis, some engineers can success in the next decade. And if they are going
be as much as eight times more productive to begin the transformation, the time is now.
than the lowest performers in their group. But
highly productive individuals do not always make About the author(s)
for productive teams. A talent reset has to be
accompanied by an operating model redesign in Vishal Dalal is a partner in McKinsey’s Sydney
which silos and individuals come together to work office, Paul Hyde and Tolga Oguz are senior
on their teams’ mission. Many larger banks are partners in the New York office, and Vik Sohoni is
already seeing success with this “mission-based”
a senior partner in the Chicago office.
operating model—with some calling the resulting
model a digital factory with very different way
of working and interacting with the rest of the
company.

Transforming a bank by becoming
digital to the core
By David Gledhill, and Vinayak HV
Understanding what it takes to act like a tech company requires

a few key breakthroughs, as this interview with the CIO for DBS
Bank highlights.

The digital transformation of any enterprise is a These last two points were just as important as the
herculean task requiring a willingness to embrace first one. If you focus purely on digital and forget
cultural change, the ability to immerse the entire the organizational change you have to make, you
organization in the customer journey, and a total won’t get very far.
commitment to digitize to the core. DBS Bank
Chief Information Officer David Gledhill shares
his insights on DBS’s digital transformation with Digital to the core
McKinsey’s Vinayak HV, a partner in the Singapore Digital to the core means you have to have a
office. rock-solid foundation of core systems that you’re
going to build on. In fact, we spent the first five
years of our transformation putting in place
DBS’s digital transformation common platforms that are strategic across all of
When we were thinking about the digital our locations. Once you do that, you can start to
transformation of DBS, we saw three key elements think about how you really start to accelerate and
as vitally important. One is how we digitized to become nimble, accelerate speed to market, and
the core. We saw many companies put on digital increase your cadence.
lipstick, some kind of front-end system, and a
And we said to ourselves, “If we want to be digital
fancy website.
to the core and act like a technology company, it’s
The second was: how do we embed ourselves in best we learn from the technology greats, figure
the customer journey and push customer-journey out how they do it and see if we can’t bring in some
thinking throughout the organization? The third of those things internally.”
was changing the culture of the company to make
So we started to learn how the best technology
it feel and operate like a 22,000-person start-up.
organizations operate, how they build technology,

and how they move quickly. We learned a few we did in India. We were trying to figure out how
things along the way. The first thing is that most to scale our presence in India, where we had very
of these technology companies started much like few branches. So how do you attack a market of
where we are today. They had big systems. They a billion people? We came up with a mobile-only
were hard to shift, and they went through this offering.
whole transformation agenda, and along the way,
Now first of all, we had no clue how it was going
built a load of tools that we thought we could also
to work. I understand how to create a mortgage
use. So if they’d done it, we could do it.
product and sell it, and I know how to build
We also learned about their culture and which systems for it. But how do you build a mobile-only
cultural elements we could take on board and bank in India and attract customers at scale? No
shift. So it wasn’t just sharing the latest business idea.
article. It was really going into how these
So we had to learn as we go, which means we had
companies are engineered.
to iterate very fast. We were actually pushing out
releases weekly into the app store.
Our rallying call: Becoming the “D” So, test and learn, test and learn, test and learn
in GANDALF was the only way we could get into a brand-new
The first letters of Google, Amazon, Netflix, Apple, market with a product that we had simply no idea
LinkedIn, and Facebook together spell GANALF. how it was going to operate when we launched it.
That was missing a D, and we, as DBS, fortunately
have a D. So, our mission became how to become
the D in GANDALF.
A scorecard for the mission
Transformation could consume every hour of every
Now that might sound a little cheesy, but in actual employee in the company for the next five years.
fact, it was an amazing rallying call to our people. Obviously, we wouldn’t make any money and that
It had a bigger impact on our technology people wouldn’t be a good outcome.
and many other people in the organization than
anything else we’ve done, because it started So you have to balance it. And the way we balance
to make them think about what was possible. It it is through group scorecards, which really drive
got them to think, “We’re not acting like another everything we do and clearly indicate to people
bank, and here’s how we really start to transform the amount of time we expect them to spend on
ourselves like a technology company.” certain areas.
We came up with five key elements that had to The top part of the scorecard is all financial
change. One was to shift from individual projects metrics, customer metrics, shareholder value-
that need approvals, subcommittees, and things add, and revenue generation. The middle part
like that, to giving the freedom to a group of people is where the core of the digital transformation
to operate like a platform. comes in, and we ascribe 20 percent of the value
of the scorecard to this, which is then used to
Then you fund the platform, look at what outcomes drive compensation for the company. Below
that platform can give, and set it free. With that, that we have the strategic initiatives we need to
you can really start to practice agile at scale. get done, and that’s another 40 percent. So big
Third, you have to really think about organizational transformations like automated lending into India
constructs: How does DevOps work? How do you or how to transform future-ready employees, go in
build infrastructure engineering? How do you build that box.
business-ops teams, and how do they interact? We obsess over those scorecards and critique
You then have to think about how you engineer each other’s scorecards. It’s a collective and
the technology and how you build for modern collaborative thing to come up with each person’s
systems that are scalable, elastic, and made for scorecard and the weightings of those. Once that’s
experimentation. set for the year, it’s very clear what everyone’s
mission is.
Finally, how do you automate everything from
testing through deployment to increase cadence?
So those five elements became the mission that
Advice for others on this journey
we’re on and the delivery pipeline that we started I’d say you really need to boil down the essence of
to build. what your mission is and what the problem is that
you’re trying to solve.
Once you’re clear on that, the rest starts to
Our outcomes become very easy. And I would not necessarily
The outcomes of our transformation are speed focus on the pet projects. Focus instead on what
to market, scalability, experimentation, and all gets the business moving, what gets speed
of those things that you see in these technology to market faster, what gets journey thinking
companies. embedded in the organization, those sorts
One successful example would be a bank offering of things.

If you can crystallize that down to a message that The other learning for us, and perhaps the
everybody can grasp on a single page, then you thing that was most difficult, was that we had
have something very powerful that you can start to learn how to learn. What I mean by that is, we
to push on. When we looked at customer service, understand banking, and we understand credit
for example, we came up with RED: Respectful, and market risk and how to build great mortgage
Easy to deal with, Dependable. It was very clear, systems. But when you get into this new digital
something people could act on, and that drove space of experimenting with ecosystems, with
massive change through the organization. When start-ups, with launching a brand-new product
we thought about how we wanted the business to that nobody’s ever tried in a new market, you get
digitize, we came up with a very simple framework lots of things wrong.
of Acquire, Transact, Engage—customers Acquire
That was hard for us to accept, actually. So you’d
digitally, Transact digitally, Engage digitally—and
have these meetings and people would ask, “How
drove metrics around that.
could we possibly not have known that?” Well, it’s
Without those clear missions, we’d have had an experiment. Of course, we don’t know.
people going in all sorts of different directions.
So this learning that it’s okay to experiment, that
many of the experiments we try will fail, and for
Lessons learned everybody to accept that and actually treasure it
was a very difficult change to make.
We learned you have to embed this thinking into
the management fabric of the company. If you just
say you want customer journeys, that’s not going About the author(s)
to drive results. If you embed that into the KPIs and
scorecards that everybody’s measured by—and David Gledhill is the Chief Information Officer
make sure it’s continually reinforced from the for DBS Bank. This interview was conducted
CEO and the leadership team down—then you get by Vinayak HV, a senior partner in McKinsey’s
results and can shift and move. Singapore office.

After the first wave: How CIOs
can weather the coronavirus crisis
By Sven Blumberg, Peter Peters, and Christian Stüer
Chief information officers must act swiftly to manage IT through

the pandemic in a pragmatic way.

“The new normal is not clear yet, but we need to start moving toward it.”
The implications and repercussions of the COVID-19 crisis are far from certain. But as the quote above
suggests, technology leaders are now starting to think about how to get past the first wave of crisis
management.
This humanitarian crisis is still unfolding: quarantines, lockdowns, and harrowing images of hospitals
straining under the weight of sick patients all underscore the devastating human effects of the
pandemic. The economic picture for many countries is dire. As we wrote recently, COVID-19 is a crisis
that requires companies to address lives and livelihoods. CIOs have a critical role to play because social
distancing and the lockdown of economies require technology not just to maintain business activities but
also to lead businesses.
CIOs must still focus on emergency measures and navigating through the chaos of the first wave of this
crisis. But the economic implications require CIOs to start thinking ahead as well and to position their
organizations and businesses to weather the downturn.
CIOs are already balancing important priorities across horizons. Polls we conducted during two recent
webinars with more than 150 IT leaders highlighted their top concerns: putting in place collaboration
tools and operating norms for working from home at scale, a near-term priority, and the increased strain
on financials, a medium- and longer-term consideration (Exhibit 1).
Exhibit 1
High demand for collaborative tools and operating norms and increased strain
on company financials are the top concerns for chief information officers.
Top technology concerns for organizations,1%
32 12 12 5
High demand for Increased Increased strain Immediate boost

collaborative tools, cybersecurity on infrastructure in online traffic
guides, training, and threats
operating norms
22 12 4
Increased strain New tech-enabled Reinvestments

on company financials business models in critical areas
1 Question: Which of these are key concerns for you and your organization? Percentage of 161 participants attending 2 McKinsey webinars.
Source: McKinsey webinar, March 20 and 26, 2020, “The CIO moment: Leadership through the first wave of the coronavirus crisis”

Given the gloomy economic outlook, CIOs may be tempted to take a radical slash-and-burn approach in
an attempt to shore up IT. That would be a mistake. While containing costs must be a crucial element of
the second-wave response, CIOs have an opportunity to accelerate programs and push priorities that
can help position the business to succeed when the downturn ends. There’s no point in winning
the battle but losing the war.
As CIOs begin to shift their focus toward the next wave of the crisis, they should concentrate
on three dimensions (Exhibit 2):
• Stabilize emergency measures.
• Scale down in the interim.
• Pivot to new areas of focus.
Exhibit 2
Chief information officers in the next phase will need to take swift actions
along three dimensions
9 actions to weather the crisis
A. Strengthen remote-working capabilities

Stabilize B. Improve cybersecurity
emergency
measures C. Adjust ways of working for agile teams
D. Prepare for a breakdown of parts of the vendor ecosystem
E. Address immediate IT-cost pressures l. Portfolio

Scale down
prioritization
in the interim F. Creatively redeploy IT workforce
Pivot to new G. Optimize online channels

areas of focus H. Enable new interactions and services for customers
These moves will require a corresponding reprioritization of the project portfolio.
Stabilize emergency measures

We expect that the emergency measures taken as an immediate response to the COVID-19 lockdown will be sustained as long
as the crisis continues. CIOs should prioritize four areas on this front.
Strengthen remote-working capabilities

Companies moved at mind-boggling speed to support remote work. It’s now important to revisit those emergency measures
to understand what must be updated, changed, or replaced to deal with issues that continue to hurt productivity.
First, organizations must review their ad hoc vendor-selection procedures in light of the alternatives in the market, increase
network capacity, implement scalable support processes, and tighten controls that can secure and deploy temporary
solutions at scale.

Second, CIOs will need to address the needs of remote environments amplify any previous lack of
special user groups, such as contact centers, clarity in roles, responsibilities, and objectives.
users of critical systems, and employees of finance
Yet there are some companies that have tran-
functions, to ensure that they can continue to
sitioned their digital units almost seamlessly to
operate in an effective way remotely. For contact
remote settings, where individual team members
centers, this may mean changing the routing of
feel that they are working more productively than
calls to a dedicated COVID-19 subteam to adjust
before. One tech company, for example, has fos-
for changes in questions from customers. Users of
tered an outcome-driven culture that empowers
critical systems may need to build up redundancy
teams to undertake their work outside traditional
in their remote-working setups. One energy com-
working hours. In weekly review meetings, they are
pany can now run an entire trading floor from the
still held accountable for getting things done.
homes of employees, though with limited access to
information and slower decision support. When we looked more closely at companies that
have moved beyond shifting employees to work
Finally, hardware supply-chain interruptions have
from home during the first wave of the crisis, we
already proved to be a significant challenge as
found four differentiating factors: they changed
peaks in short-term demand for devices and IT
the structure of teams to create smaller agile ones
hardware confront a breakdown of international
of around five people, strengthened direction
logistics. It might be an option, if not a necessity,
setting through leadership, emphasized cultural
to reprioritize demands by their importance—for
elements and delegated decisions, with clear
example, prioritizing critical “tier 0” users, such as
accountability, to individual team members, and
traders in banks or board members; reducing ser-
expanded the use of technology that promotes
vices; determining which of them can be migrated
effective collaboration.
to the cloud; and using alternative purchasing
channels and geographies.
Prepare for a potential breakdown
Improve cybersecurity of parts of vendor ecosystems
In general, social engineering and insufficient se- IT-outsourcing and offshoring vendors, as well
curity measures for remote work are the two main as shared-service centers, may well shut down
cybersecurity risks that organizations face during at times. To address that risk, CIOs are strongly ad-
this time of crisis. vised to make their vendor dependencies and in-
dividual situations transparent—both their location
In recent weeks, we have seen an increase in and the fallback options. Mitigation efforts should
COVID-19–focused social-engineering cyberat- be prepared not only with existing vendors but
tacks, which have exploited the current confusion also with alternative sources in different regions. A
and decreased the effectiveness of the “human McKinsey survey found that some global capability
firewall” (for instance, the verification of uncertain- centers already launching mitigation measures
ties with colleagues sitting nearby). CIOs, working report that “full” (more than 80 percent) produc-
with their chief information-security officers must tion capacity can be maintained for an average of
shore up their cyber protocols to deal with com- 40 days during the crisis.
promised credentials and data, as well as intellec-
tual-property theft, fraud, and other crimes.
Scale down in the interim
To address these problems, technology lead- Meanwhile, CIOs must address the immediate
ers should continue to focus on people-based pressures on IT costs and creatively redeploy the
initiatives that heighten the awareness of risk. The IT workforce.
initiatives may include placing messages on lock
screens or pop-up windows and creating secure,
dedicated, quick, and effective two-way commu-
Address immediate IT cost pressures
With revenues and margins for many businesses
nication channels to the security team. To support
plummeting during the crisis, cost pressures on
these solutions, organizations need to beef up key
IT will increase. In addition, emergency decisions
processes, such as IT capacity to help employees
to manage the initial crisis response might have
install and set up security tools, not to mention
increased costs—both operational and capital
implementing at scale security technologies such
expenditures. Technology and IT departments will
as multifactor authentication-and-control mech-
be asked to find short-term cost-reduction op-
anisms that provide remote access to on-premise
portunities to mitigate those effects. CIOs should
applications (for instance, teller interfaces).
therefore consider some guiding principles:
Adopt new best practices for agile • Be aggressive in IT cost reductions not only
to free up capital but also to invest in capabil-
ways of working ities for the “new normal” (more remote work,
Co-location is an important factor for agile ways of
more online interaction, and more automa-
working to be productive. Remote work obviously
tion). We have found that IT costs can typically
introduces real challenges, such as disrupting a
be reduced by up to 30 percent quickly.
team’s continuous alignment, limiting interactions,
and complicating agile ceremonies—all of which • Fully exploit areas of flexibility to address
threaten to drive productivity down. Furthermore, cost pressures quickly before cutting into

capabilities that might affect the future busi- We believe this kind of thoughtful and creative
ness. In practice, this means deferring nones- redeployment helps organizations cope with the
sential projects and investments that can be crisis, strengthens the sense of contribution and
reversed, before considering more permanent purpose among employees, and keeps them en-
and potentially damaging changes. gaged during a period of remote work.
• Quickly build a task force to establish the
baseline and full potential of cost-reduction Pivot to new areas of focus
measures that then can be deployed in line Looking ahead, CIOs must also bolster the online
with the developing business situation. Addi- channels of their organizations and support new
tionally, define thresholds when cost-reduc- interactions and services for customers.
tion measures affect business operations and
align on them with stakeholders. Bolster online channels
With people forced to work at home and to mini-
Creatively redeploy the IT workforce mize visits to brick-and-mortar stores, online sales
Disruptive changes in customer behavior and and service channels are experiencing a massive
emergency responses have dramatically shifted spike in traffic—in China, we have recently seen
workloads within organizations. Many on-site increases of 200 to 300 percent. In the medium
operations have been drastically reduced and term, the traffic baseline for online behavior will
long-term software-transformation efforts probably rise as a result. For now, organizations
paused, but call centers and online channels still must act to optimize and bolster their existing
must be scaled up rapidly to meet demand. These online channels to improve customer interactions
realities must guide CIOs when they redeploy their and solidify retention.
people—which includes reevaluating the role of
The management of traffic spikes is the most
outsourcing partners. Other examples include
pressing matter for online channels. Mildly invasive
back-filling for colleagues most affected by the
short-term measures might include expanding
crisis (for instance, those who must take care of
hardware capacity, decreasing or redistributing
small children or affected family members) and
loads (for instance, by running promotions during
filling roles left open by external workers affected
off-peak hours), technical optimization (such as
by the crisis.
horizontally scaling the caching layer), or rerouting
In the past week, we have also seen many highly of traffic to scalable cloud solutions.
inspiring examples of companies repurposing
their capabilities to help society cope with the Support new interactions and
crisis. Tech companies have partnered with the
World Health Organization, pooling tech talent to
services for customers
Some companies have responded quickly to the
work on projects tackling challenges caused by
new digital customer behavior by establishing new
COVID-19. Another recent example: SAP set up
products, such as mortgage deferrals and cri-
a team of 40 developers and created an emer-
sis-related insurance, or shifting customer interac-
gency web application in 24 hours for the German
tions to online channels. A government in Western
Federal Foreign Office to manage the repatriation
Europe, for example, embarked on an “express
of citizens abroad after the legacy system became
digitization” of quarantine-compensation claims to
overloaded.
deal with a more than 100-fold increase in volume.

Sometimes this effort is about taking loads from vendors?” “In what way does the project address
call centers, but more often it addresses real new new business priorities?” “Does the project as-
business opportunities. To engage with consum- sume functioning supply chains?”
ers, for example, retailers in China increasingly
With a clear crisis checklist in place, CIOs and
gave products at-home themes in WeChat.
their teams can objectively continue, stop, defer,
Technology departments must anticipate and or ramp down projects to maintain focus on what
prepare to offer more of these kinds of digital ser- really matters. As the crisis continues to unfold
vices, products, and channels. The key to reaching and CIOs develop greater clarity about what the
customers will be creating suitable access inter- next normal will look like, they will need to adjust
faces between internal IT systems and external their criteria.
social platforms and accelerating the integration
CIOs are already under a lot of pressure. After the
of new vendors and distributors.
first shock and successful response, however,
CIOs must now manage multiple planning horizons
Portfolio prioritization in parallel to handle the current crisis, prepare for
Given the enormous pressures CIOs are facing, the the downturn, and ultimately position the business
entire project portfolio must come under scruti- for success when the recovery comes.
ny to measure the tangible impact it can deliver
and how it fits in with the new priorities. One CIO, About the author(s)
for example, said that he has already committed Sven Blumberg is a senior partner and Peter
himself to continuing only projects that are already Peters is a partner in McKinsey’s Düsseldorf
nearly complete, reshaping or reducing in scope office. Christian Stüer is a partner in the Abu
other projects, and applying a much more rigor- Dhabi office.
ous process to the selection and advancement of
projects. The authors wish to thank Raphael Bick, Andrea
We believe that CIOs should apply a crisis checklist Del Miglio, Philipp Khuc Trong, Sebastian Peick,
to review portfolio projects systematically against Gérard Richter, and Simon Sester for their
key criteria, including these: “Are we still able to contributions to this article.
deliver, either internally or with potentially affected

Transforming banks’
IT productivity
By Kumar Kanagasabai, Phil Tuddenham, Irina Shigina, and Tomas Thiré
Banks need highly efficient IT delivery models to meet the

challenges of digital disruption and control costs.
Reinvent technology delivery to drive a step change in productivity and speed 45

Bank CIOs are facing a perfect storm. IT demands are escalating while pressures to keep costs down are
intensifying, as banks cope with generally meager returns on equity. We believe that CIOs must look for
ways to control costs through productivity gains in order to make room in their budgets for investments
in critical tech-enabled changes and be true partners to the bank’s business side.
Historically, banks have offset some IT cost increases with productivity gains. A McKinsey Digital 20/20
survey of global banks showed that IT costs rose from 16.5 percent of expenses in 2014 to 18.5 percent
in 2017. While run spending remained largely flat, change spending increased roughly 40 percent in
the same period (Exhibit 1). But going forward we expect CIOs will need to improve productivity efforts
considerably, aiming for structural productivity gains of 25 to 40 percent over the next five years just to
keep costs flat (Exhibit 2).
Exhibit 1
Banks’ IT costs are rising, driven largely by IT change spending
Application maintenance
Data center
End-user services
Network services
Total IT run
Application development
IT run spend (2011=100%)1, % of expenses

140%
120% +22%
+2%
100%
-5%
80% -16%
IT spend1, % of operating expenses -21%
60%
2011 2012 2013 2014 2015 2016 2017
25
20
+2pp
15
IT change spend (2011=100%)1, % of expenses

0
2011 12 13 14 15 16 2017 160%
140%
+36%
120%
100%
2011 2012 2013 2014 2015 2016 2017
1 N=8 Global Banks for 2011-17

Source: McKinsey Digital 20/20 Survey
46 Reinvent technology delivery to drive a step change in productivity and speed

Exhibit 2
Banks will need to achieve 25-40% in structural productivity gains to create capacity for
new demand
IT cost evolution over next 5 years,
Indexed to 100
125-140
25-40 25-40
100 100
33
50 Change
67
50 Run
Typical Net new New skills Data and Security Future Producti- Future
cost base demand analytics and cost vity gain cost after
20181 resilence before producti-
prouctivity vity gain
gain
1 Based on Digital 2020 benchmarking of Financial sector firms, 2017

Source: McKinsey Digital 20/20 Survey
Fortunately, CIOs have many ways to improve productivity. Our experience working with banks in the last
five years suggests the full set of levers can lead to 20 to 30 percent in productivity gains (Exhibit 3). The
investment required would be about 1 to 1.5 times run-rate savings, with 5 to 10 percent run-rate savings
achievable within the first year. A well-planned rollout could break even within two years.

Exhibit 3
The full range of levers can deliver 25-40% in productivity gains, which can be reinvested
in new demand
Hypothetical example; IT cost indexed to 100=baseline IT run cost, 150=baseline IT total cost
150 4-8
6-9
3-4
7-9
25-40% lower
6-10 total IT cost
Change 50
9-13
6-10
90-112
100 = IT run 6-8
costs 2-3
25-40% lower
Application opera- 11-14 31
IT run cost
tions and license 38
27
X86 and mainframe 39
25
Helpdesk and EUC 9

7
Network and 14
telephony 12
Base- A B C D E F G H I De- Future

line IT Infra Cloud Main- Agile Engi- Demand Vendor dupli- IT cost
Appli- Labor
cost auto- frame, neering reduc- optimi- cation
cation optimi-
mation EUC talent tion zation
rational- zation
and and and
ization
DevOps network culture
opti-
miza-
tion
Structural levers Rapid payback levers
Three rapid payback levers

1. Demand reduction. For most banks, a comprehensive review of IT expenditures can reduce
demand significantly and deliver 5 to 10 percent savings within six to 12 months. Examples include
prioritizing projects that are directly linked to the bank’s strategic goals (for example, next-
generation payments strategies), reducing service levels to match real demand, reducing non-
value-adding service levels, shifting workloads away from peak times, capping usage, purging
historic data, matching the number of licenses to the number of users, and capping end-user usage.
2. Vendor optimization. Banks can reduce third-party expenditures by working more efficiently with
vendors (for example, standardizing laptop images), moving vendors to alternative pricing models
(for example, fixed- or performance-based pricing where appropriate), renegotiating prices (for
example, estimating “clean-sheet” costs), and consolidating relationships. These efforts typically
deliver 5 to 10 percent savings within six to 12 months.
3. Labor optimization. Replace simple labor models, such as wholesale outsourcing, with a strategic
mix of insourcing, outsourcing, offshoring, and strategic partnerships that balance costs with
responsiveness, controllability, and agility. For example, many institutions are restricting the usage
of temp labor to only those roles which are truly scarce or flex capacity, which can save up to 20
percent of temp labor costs.

Six longer-term structural levers more productive than novices. However, many
institutions routinely source large teams of
1. Cloud. Transitioning to public cloud can
offshore novices, leading to lower costs but
improve efficiency 30 to 40 percent
very low productivity. Leading banks are
compared to traditional hosting for some
insourcing roles that can provide competitive
workloads. In particular, labor savings can
advantage and increasing the share of expert
reach up to 90 percent, and banks can
engineers (relative to novices) to improve
reduce non-labor costs by eliminating
productivity.
data-center related spending (e.g., housing,
networking assets) and through better 5. Application rationalization. Banks can
utilization management (e.g., shutting down optimize and modernize their application
development/test servers). Cloud also landscapes by increasing cloud-based
enables other transformation levers, such as functionality and SaaS, microservices and
infrastructure automation. highly configurable API-based architectures.
A systematic, top-down, simplification
2. Infrastructure automation and DevOps
program can reduce applications by 30
at scale. It’s possible to automate 30 to
to 40 percent and the cost of ownership
35 percent of activities across the IT value
of applications by 15 to 20 percent. One
chain—particularly provisioning, testing,
European bank managed to reduce its
deployment, patching, and support. One
total IT costs by 8 to 10 percent per year by
large traditional European bank reduced
rationalizing its application landscape.
its IT infrastructure team by 45 percent in 9
months by moving to standardized, automated 6. Mainframe, end-user computing, and
infrastructure products that development network optimization. By optimizing core
teams could use without manual intervention. infrastructure components banks can build a
solid foundation for the other transformation
3. Agile. Agile ways of working allow CIOs to
levers and reduce their run costs. Mainframes
rapidly take ideas to market, speeding up the
can be managed by offloading applications
release of new functionality from quarterly
or transactions, using a shared mainframe
or monthly to several times per week. Agile
environment, or smoothing peaks—which
improves application development and
together can reduce costs by 20 to 30
maintenance efficiency by 20 to 30 percent,
percent. Helpdesk and end-user computing
which banks can capture either as savings or
costs can be reduced by automating common
as freed up capacity.
requests (e.g., password resets), harmonizing
4. Engineering talent and culture. Experienced device specifications, and through systematic
software engineers are an order of magnitude root-cause analysis of the most common

issues—which can reduce costs 20 to 30 • How should I get started on these initiatives
percent. Network costs can be reduced in a way that balances the benefits, risks, and
through software-defined networking that execution challenges?
responds to demand fluctuations rather than
Digital disruption continues to change the banking
provisioning fixed capacity.
landscape and put pressure on the traditional
Done right, the new IT function will have banking model; meanwhile, growth is becoming
a structurally lower cost base, improved more difficult for banks as the global economy
customer-oriented mindsets and capabilities, appears to slow. To thrive in this environment,
and significantly improved speed and quality of banks must build highly efficient IT delivery
delivery. It will also be better equipped to deliver models. The eventual winners will be those
future platform needs such as APIs and customer that use these productivity gains to create the
authentication, as well as business enablement necessary “headroom” in their budgets to invest
needs such as digital services, AI, and so on. in critical tech-enabled changes, thus ensuring
they are a true partner to the business in an
As they begin this transformation journey,
increasingly dynamic environment.
forward-thinking CIOs are asking themselves
three questions:
• How much headroom in the IT budget do I About the author(s)
need in order to deliver new value-adding
capabilities? Kumar Kanagasabai is a partner and Tomas
Thiré is an associate partner in McKinsey’s
• How do I sequence the IT productivity
transformation in a way that is self-funding New York office, Phil Tuddenham is a partner and
or close to self-funding? Irina Shigina is an engagement manager in the
London office.

An executive’s guide to software
development
By Chandra Gnanasambandam, Martin Harrysson, Rahul Mangla, and Shivam Srivastava
This essential capability is a blind spot for many nontech leaders.

In his 2013 message to GE shareholders, CEO • Vulnerability to tech-based disruption.
Jeffrey R. Immelt wrote, “We believe that every Increasingly, business models are being
industrial company will become a software disrupted through tech-driven innovation—just
company.” Last year, he doubled down, moving ask Uber’s competitors in the taxi business.
GE’s corporate headquarters from Fairfield, • Subpar user experience and churn. With
Connecticut, to Boston, in large part to lure world- the pervasive availability and use of high-
class software engineers in the area. quality applications on mobile platforms, the
GE is not alone in upping its bet on software- customer’s expectations have been reset. It’s
driven innovation. Today, a Tesla car has more hard to imagine a successful business without
lines of code than macOS or the Windows Vista a strong online and mobile presence.
operating system. However, the fact is that many • Higher costs and lower margins. Beyond
companies that have made their fortunes outside customer experience and differentiation,
of high tech—in medical devices, retail, and other software is pivotal in helping optimize
analog industries—have been slow to catch operations and rein in costs. Global freight
on to this game-changing shift in what drives companies like FedEx extensively use
sustainable innovation, the shift from creating technology to optimize supply-chain
physical goods and experiences to smart software operations.
development.
Fortunately, leaders in all industries can learn from
Despite the mission-critical nature of software, the last two decades of software innovation and
it gets surprisingly little attention in the C-suite. adopt the processes, tools, and organizational
Even those who have built decent software- structures that have proved to be most effective.
development capabilities often have done so on
To make software an advantage, executives need
the cheap; software executives are rarely given a
to be fluent in leading software-development
seat at the table of top management, and software
practices and carefully determine how software is
strategy is often determined three to five layers
integrated into the organization. Most important
down the hierarchy. Companies pay a steep price
for executives to get right from the start, however,
for dismissing software’s importance. These
is making software development a strategic
include the following:
priority, not an afterthought.

Understand leading software-development capabilities
The innovations behind software are just as critical as the software itself. Executives don’t need to
code (their developers may insist they don’t!), but must understand leading development practices to
determine the right approach for the company. According to McKinsey’s software-maturity diagnostic
framework, 15 practices across five stages define the software-development life cycle, and world-class
companies typically excel in a majority of these areas (exhibit 1).
Exhibit 1
Fifteen parctices help define a world class software-development organization
Setup decisions that guide the stratefic Product-management practices

road map to aid in product conceptualization
and design
1. Cloud-migration path
4. Product-management
2. Platform choice
excellence
3. Microservices/
5. Human-centric design
container
architecture
Product-delivery practices Product-development practices to

to ensure quality delivery build and test quality solutions
10. Analytics and 6. DevOps (CI/CD1)
use of telemetry
7. Test automation and TDD2
11. A/B testing
8. API3-based architecture
12. Community-driven development
9. Productivity and quality
Enablers
Enabling elements to plan and operate

13. Portfolio management
and product economics
14. Talent and governance
15. Product security and risk
management
1 Continous integration/continuous deployment

2 Test-driven development
3 Application programming interface

Setup decisions business savvy; this is in contrast to the
on-premise world, when product managers
The strategic choices about how software is
were tech-savvy businesspeople.
set up—where it is hosted and the underlying
architecture—are one-time decisions with long- • Human-centric design. Design thinking has
term implications. Such decisions should be taken center stage in building products that
made with the same degree of rigor as any capital users love and admire. First, product design
investment that is expensive and difficult to is shaped by insights from user research,
unwind. customer-journey analysis, and storyboarding.
The design concepts are then constantly
• Cloud-migration path. With cloud
iterated upon with customers. Finally, design
technologies more pervasive than ever,
execution is made central to the development
organizations not already in the cloud need to
process, with user-experience designers
chart a path to get there. One course is fast
included as a core part of the development
and direct: companies can create an extensible
team.
architecture that uses the on-premise code
base as the core, with cloud-based applications
developed from scratch. This approach is Product-development practices
ideal to achieve a shorter time to market.
Alternatively, a clean-sheet approach is better As software delivery has moved from multiyear
if the company plans to make the cloud the releases to daily updates, software-development
primary medium of delivery and the customer practices have evolved to focus on building high-
use case for cloud solutions differs significantly quality software at an increasingly fast pace.
from the on-premise offering. • DevOps. DevOps is the next frontier in
• Platform choice. Coupled with the selection the evolution toward increasingly agile
of a cloud migration path is the adoption of a development methodologies. In a DevOps
cloud platform. There are a variety of choices model, engineers have extensive operational
available that range from virtual private cloud responsibilities to enable the release of
environments to platform-as-a-service production code. Companies need to master
offered by established cloud players such as five core-competence areas to achieve DevOps
Amazon Web Services and Microsoft Azure. at scale. These are continuous integration
Four key factors drive the platform choice: and delivery, automated testing, self-
commercial terms, such as the up-front cost service access to infrastructure, automated
of onboarding, recurring expenses, and performance management, and infrastructure
contract flexibility; ease of use, including the that can scale automatically.
ability to onboard quickly and support ongoing • Test automation and test-driven
management; platform features, such as development. By automating testing and
data complexity, compliance flexibility, and integrating it into the development process,
platform architecture; and data-sovereignty teams create high-quality code that meets
considerations based on where data reside. business requirements and can be deployed
• Microservices/container architecture. It is quickly. In test-driven development, test
imperative to maintain a clear architectural cases that describe user requirements are
road map across the portfolio of products. written first and are then applied immediately
Successful organizations use data to select to test new code. For high-value test cases,
containers among open-source, cloud platform, particularly all regressions tests, tests are
and internal options (for example, J2EE app automated to ensure the quality of code in
server). important areas.
• Architecture based on application
programming interfaces (APIs). Historically,
Product-management practices companies have suffered from building and
Effective product management is vital in the maintaining “spaghetti code,” which is as
software-development life cycle. The function messy and difficult to manage as overcooked
(and demands from product managers) have angel-hair pasta. An effective API-based
dramatically evolved in the cloud and mobile era. architecture solves this problem and instead
provides an extensible framework of building
• Product-management excellence. Expect
blocks that can be used to compose powerful
product managers to act as the CEO of the
applications. Like Legos, such blocks are easy
products they manage, meaning that they
to separate, update, and then replace. Effective
own both the six-month feature road map and
API management extends beyond the initial
the three-year strategic plan. To meet this
design and covers life-cycle management
task, most leading software companies now
and tracking, which is addressed by emerging
require that product managers have both deep
providers such as Apigee and MuleSoft.
technical expertise and business acumen. For
the cloud era, world-class product managers
tend to be deeply technical people who are

Productivity and quality lines of code than Windows, but with a
fraction of Microsoft’s software-development
Once thought impossible, measuring software-
capabilities. How did Tesla achieve this without
development productivity is becoming
an army of engineers and three decades of
mainstream, with “complexity points” being one of
experience? Through the extensive use of
the emerging standards for evaluating software
available and mature open-source software.
productivity and quality. Robust measurement also
Companies are now assembling capabilities
enables better forecasting of the effort required
through available libraries rather than writing
for new projects. An analysis of more than 1,600
code from scratch.
software teams shows that top-performing teams
significantly outperform in all aspects of software
development. Top teams beat others to market Enablers
with fewer people and defects.
To tie it all together, organizations require a set
of enabling functions and practices that, while
Product-delivery practices nontechnical in nature, are imperative to building
effective software.
Cloud-based development has also enabled a
more mature set of product-delivery practices that • Portfolio management and product
allow companies to gather more data than ever economics. As the volume of software
before, engage users on live experiments, and assets and capabilities explodes, there’s an
leverage the open-source community for faster ever-increasing need for better portfolio
development. management. There are five classic elements
of portfolio management that should now be
• Analytics and telemetry. Cloud-based
applied to software: market attractiveness,
delivery generates real-time data with deep
strategic positioning, investment analysis, risk
granularity across the product portfolio,
assessment, and investment allocation.
enabling a variety of uses. For example, a
rich data set allows product managers to • Talent and governance. Organizational
make fact-based decisions on features structure and governance have evolved
and capabilities. Performance data can be alongside technology in recent years. Most
analyzed to estimate usage trends and predict software-development teams are now
periods of high activity and stress on the structured in “pods” that bring together user
system. Additionally, data-driven insights can experience, product management, DevOps,
help identify sales opportunities that can be quality, analytics, and security resources. At
delivered to the customer in real time. Finally, the same time, governance now distributes
anonymized data from multiple users can also decision rights across the pod, with the
be used to create industry benchmarks that product manager acting as the CEO of the
would be invaluable to customers. product.
• A/B testing. The capability to test different • Product security and risk management.
variants of functionality in real time with end To build a secure product, security and risk-
users is now mainstream with cloud-enabled management thinking must be incorporated
software. Leading companies integrate across the product-development life cycle.
A/B testing practices into the software- This implies that security transcends secure-
development life cycle to ensure that coding practices. It includes involving a
development teams get feedback from users security champion in the DevOps team
early in the development process. from inception, building a secure customer
experience, and investing in tools and
• Community-driven development. Tesla
hackathons to identify security issues early in
has created a software platform with more
the development cycle.

Summary industry or category leadership must be a great
software company at its heart. Leaders of these
The trends are clear. Over the last 20 years, the
firms need to have a secure understanding of how
number of top-100 product and service companies
software development works and how to create an
that are software dependent has doubled to nearly
enabling organization around it.
40 percent. Revenues from digitized products
and channels are expected to exceed 40 percent It’s not too late to get up to speed on software,
in industries such as insurance, retailing, and but time is running short. The arrival of cloud
logistics. technologies and the fast-cresting Internet
But the message here is not just that software of Things wave are two unstoppable forces
matters or that it is increasingly found in things promoting digital capabilities. Competitors that
where software never existed before. All have already made the digital transformation
executives worth their salt already understand are busy at work building tough-to-overcome
this in their daily lives, every time they drive their competitive advantages. The next move is up
computer-controlled, high-performance sports to you.
sedans or take a fitness-tracking wearable on
a run.
About the author(s)
The point is that the C-suite has to take a more Chandra Gnanasambandam is a senior partner
active role in how software is developed and in McKinsey’s Silicon Valley office, where Martin
make investments to build world-class software- Harrysson and Rahul Mangla are partners, and
development practices in their organizations. Shivam Srivastava is an associate partner.
A modern company with any intentions toward

ING’s Agile transformation
By Peter Jacobs, Bart Schlatmann, and Deepak Mahadevan
Two senior executives from the global bank describe their

recent journey.

Established businesses around the world and was rapidly changing in response to new digital
across a range of sectors are striving to emulate distribution channels, and customer expectations
the speed, dynamism, and customer centricity were being shaped by digital leaders in other
of digital players. In the summer of 2015, the industries, not just banking. We needed to stop
Dutch banking group ING embarked on such a thinking traditionally about product marketing and
journey, shifting its traditional organization to start understanding customer journeys in this new
an “agile” model inspired by companies such as omnichannel environment. It’s imperative for us to
Google, Netflix, and Spotify. Comprising about provide a seamless and consistently high-quality
350 nine-person “squads” in 13 so-called tribes, service so that customers can start their journey
the new approach at ING has already improved through one channel and continue it through
time to market, boosted employee engagement, another—for example, going to a branch in person
and increased productivity. In this interview with for investment advice and then calling or going
McKinsey’s Deepak Mahadevan, ING Netherlands online to make an actual investment. An agile way
chief information officer Peter Jacobs and Bart of working was the necessary means to deliver
Schlatmann, who, until recently, was the chief that strategy.
operating officer of ING Netherlands, explain
why the bank needed to change, how it manages
without the old reporting lines, and how it The Quarterly: How do you define agility?
measures the impact of its efforts. Bart Schlatmann: Agility is about flexibility and
the ability of an organization to rapidly adapt and
steer itself in a new direction. It’s about minimizing
The Quarterly: What prompted ING to introduce handovers and bureaucracy, and empowering
this new way of working? people. The aim is to build stronger, more rounded
Bart Schlatmann: We have been on a professionals out of all our people. Being agile
transformation journey for around ten years now, is not just about changing the IT department
but there can be no let up. Transformation is not or any other function on its own. The key has
just moving an organization from A to B, because been adhering to the “end-to-end principle” and
once you hit B, you need to move to C, and when working in multidisciplinary teams, or squads, that
you arrive at C, you probably have to start thinking comprise a mix of marketing specialists, product
about D. and commercial specialists, user-experience
designers, data analysts, and IT engineers—all
In our case, when we introduced an agile way of focused on solving the client’s needs and united by
working in June 2015, there was no particular a common definition of success. This model [see
financial imperative, since the company was exhibit 1] was inspired by what we saw at various
performing well, and interest rates were still at technology companies, which we then adapted to
a decent level. Customer behavior, however, our own business.

Exhibit 1
ING’s new agile organizational model has no fixed structure – it constantly evolves
Product owner Chapter lead
Tribe
Squad Squad Squad Squad Tribe lead Agile coach
Chapter
Chapter
Tribe Squad Chapter
(Collection of squads with (basic of new agile organization) (develops expertise and
interconnected missions) knowledge across squads)
— Includes on average 150 people — Includes no more than 9 people; Chapter lead
— Empowers tribe lead to establish is self-steering and autonomus — Is responsible for one chapter
priorities, allocate budgets, and form — Comprises representatives of diffrent — Represents heirarchy for
interface with other tribes to ensure functions working in single location squad members (re: personal
knowedge/insights are shared
— Has end-to-end responsibility for development, coaching,
acheiveing client-related objectie staffing, and performance
Agile coach
— Can change functional composition as management)
— Coaches individuals and squads to mission evolves
create high-performing teams
— Is dismantled as son as mission is
executed
Product owner (squad member, not its

leader)
— Is responsible for coordinating squad
activities
— Manages backlog, to-do lists, and
priority setting
Source: ING

The Quarterly: What were the most important to embrace agility through daily team stand-ups
elements of the transformation? and other tactics. Functions such as legal, finance,
and operational risk are not part of a squad per se,
Peter Jacobs: Looking back, I think there were
as they need to be independent, but a squad can
four big pillars. Number one was the agile way
call on them to help out and give objective advice.
of working itself. Today, our IT and commercial
colleagues sit together in the same buildings, It took about eight or nine months from the
divided into squads, constantly testing what they moment we had written the strategy and vision, in
might offer our customers, in an environment late 2014, to the point where the new organization
where there are no managers controlling the and way of working had been implemented across
handovers and slowing down collaboration. the entire headquarters. It started with painting
the vision and getting inspiration from different
Number two is having the appropriate
tech leaders. We spent two months and five board
organizational structure and clarity around
off-sites developing the target organization with
the new roles and governance. As long as you
its new “nervous system.” In parallel, we set up
continue to have different departments, steering
five or six pilot squads and used the lessons to
committees, project managers, and project
adapt the setup, working environment, and overall
directors, you will continue to have silos—and that
design. After that, we were able to concentrate on
hinders agility.
implementation—selecting and getting the right
The third big component is our approach to people on board and revamping the offices, for
DevOps[1] and continuous delivery in IT. Our example.
aspiration is to go live with new software releases
on a much more frequent basis—every two weeks
rather than having five to six “big launches” a year The Quarterly: Was agility within IT a prerequisite
as we did in the past. The integration of product for broader organizational change?
development and IT operations has enabled us
Peter Jacobs: Agility within IT is not a prerequisite
to develop innovative new product features and
for a broader transformation, but it certainly
position ourselves as the number-one mobile bank
helps. At ING, we introduced a more agile way of
in the Netherlands.
working within IT a few years ago, but it was not
Finally, there is our new people model. In the old organization-wide agility as we understand it
organization, a manager’s status and salary were today, because it did not involve the business. You
based on the size of the projects he or she was can certainly start in IT and gradually move to the
responsible for and on the number of employees business side, the advantage of this being that the
on his or her team. In an agile performance- IT teams can test and develop the concept before
management model, there are no projects as such; the company rolls it out more widely. But I think
what matters is how people deal with knowledge. you could equally start with one value stream, let’s
A big part of the transformation has been about say mortgages, and roll it out simultaneously in the
ensuring there is a good mix between different business and in IT. Either model can work.
layers of knowledge and expertise.
What you can’t do—and that is what I see many
people do in other companies—is start to cherry
pick from the different building blocks. For
The Quarterly: What was the scope of this
example, some people formally embrace the agile
transformation? Where did you start, and how long
way of working but do not let go of their existing
did it take?
organizational structure and governance. That
Bart Schlatmann: Our initial focus was on the defeats the whole purpose and only creates more
3,500 staff members at group headquarters. frustration.
We started with these teams—comprising
previous departments such as marketing, product
management, channel management, and IT The Quarterly: How important was it to try
development—because we believed we had to to change the ING culture as part of this
start at the core and that this would set a good transformation?
example for the rest of the organization.
Bart Schlatmann: Culture is perhaps the most
We originally left out the support functions—such important element of this sort of change effort. It
as HR, finance, and risk—the branches, the call is not something, though, that can be addressed in
centers, operations, and IT infrastructure when a program on its own. We have spent an enormous
shifting to tribes and squads. But it doesn’t mean amount of energy and leadership time trying
they are not agile; they adopt agility in a different to role model the sort of behavior—ownership,
way. For example, we introduced self-steering empowerment, customer centricity—that is
teams in operations and call centers based on appropriate in an agile culture. Culture needs to be
what we saw working at the shoe-retailer Zappos. reflected and rooted in anything and everything
These teams take more responsibility than they that we undertake as an organization and as
used to and have less oversight from management individuals.
than previously. Meanwhile, we have been
For instance, one important initiative has been
encouraging the sales force and branch network
1 The integration of product development with IT operations.

a new three-week onboarding program, also ourselves where we could learn about being a
inspired by Zappos, that involves every employee best-in-class technology company. The answer
spending at least one full week at the new was not other banks, but real tech firms.
Customer Loyalty Team operations call center
If you ask talented young people to name their
taking customer calls. As they move around the
dream company from an employment perspective,
key areas of the bank, new employees quickly
they’ll almost always cite the likes of Facebook,
establish their own informal networks and gain a
Google, Netflix, Spotify, and Uber. The interesting
deeper understanding of the business.
thing is that none of these companies operate in
We have also adopted the peer-to-peer hiring the same industry or share a common purpose.
approach used by Google. For example, my One is a media company, another is search-
colleagues on the board selected the 14 people engine based, and another one is in the transport
who report to me. All I have is a right of veto if they business. What they all have in common is a
choose someone I really can’t cope with. After particular way of working and a distinctive people
thousands of hires made by teams using this culture. They work in small teams that are united
approach at every level in the organization, I have in a common purpose, follow an agile “manifesto,”
never heard of a single veto being exercised—a interact closely with customers, and are constantly
sure sign that the system is working well. It’s able to reshape what they are working on.
interesting to note, too, that teams are now better
Spotify, for example, was an inspiration on how to
diversified by gender, character, and skill set than
get people to collaborate and work across silos—
they were previously. We definitely have a more
silos still being a huge obstacle in most traditional
balanced organization.
companies. We went to visit them in Sweden a
A lot is also down to the new way we communicate few times so as to better understand their model,
and to the new office configuration: we invested and what started as a one-way exchange has now
in tearing down walls in buildings to create more become a two-way exchange. They now come to
open spaces and to allow more informal interaction us to discuss their growth challenges and, with it,
between employees. We have a very small number topics like recruitment and remuneration.
of formal meetings; most are informal. The whole
atmosphere of the organization is much more that
of a tech campus than an old-style traditional bank The Quarterly: Without traditional reporting
where people were locked away behind closed lines, what’s the glue that holds the organization
doors. together?
Bart Schlatmann: Our new way of working starts
with the squad. One of the first things each squad
The Quarterly: Was a traditional IT culture an
has to do is write down the purpose of what it is
impediment to the transformation?
working on. The second thing is to agree on a way
Peter Jacobs: In IT, one of the big changes was of measuring the impact it has on clients. It also
to bring back an engineering culture, so there’s decides on how to manage its daily activities.
now the sense that it’s good to be an engineer
Squads are part of tribes, which have additional
and to make code. Somehow over the years,
mechanisms such as scrums, portfolio wall
success in IT had become a question of being a
planning, and daily stand-ups to ensure that
good manager and orchestrating others to write
product owners are aligned and that there is
code. When we visited a Google IO conference
a real sense of belonging. Another important
in California, we were utterly amazed by what we
feature is the QBR [quarterly business review],
saw and heard: young people talking animatedly
an idea we borrowed from Google and Netflix.
about technology and excitedly discussing the
During this exercise, each tribe writes down what
possibilities of Android, Google Maps, and the like.
it achieved over the last quarter and its biggest
They were proud of their engineering skills and
learning, celebrating both successes and failures
achievements. We asked ourselves, “Why don’t
and articulating what it aims to achieve over the
we have this kind of engineering culture at ING?
next quarter—and, in that context, which other
Why is it that large enterprises in Holland and
tribe or squad it will need to link up with. The QBR
Western Europe typically just coordinate IT rather
documents are available openly for all tribes: we
than being truly inspired by it?” We consciously
stimulate them to offer input and feedback, and
encouraged people to go back to writing code—
this is shared transparently across the bank. So
I did it myself—and have made it clear that
far, we have done four QBRs and, while we are
engineering skills and IT craftsmanship are what
improving, we still have to make them work better.
drive a successful career at ING.
In the beginning, I think the regulators were at
times worried that agile meant freedom and chaos;
The Quarterly: Can you say more about the that’s absolutely not the case. Everything we do is
companies that inspired you? managed on a daily basis and transparent on walls
around our offices.
Peter Jacobs: We came to the realization that,
ultimately, we are a technology company operating
in the financial-services business. So we asked

The Quarterly: Can traditional companies with The Quarterly: Do you see any risks in this agile
legacy IT systems really embrace the sort of agile model?
transformation ING has been through?
Peter Jacobs: I see two main risks. First, agility in
Peter Jacobs: I believe that any way of working is our case has been extremely focused on getting
independent of what technology you apply. I see software to production and on making sure that
no reason why an agile way of working would be people respond to the new version of what they
affected by the age of your technology or the size get. If you are not careful, all innovations end up
of your organization. Google and ING show that being incremental. You therefore have to organize
this has nothing to do with size, or even the state yourself for a more disruptive type of innovation—
of your technology. Leadership and determination and you can’t always expect it to come out of an
are the keys to making it happen. individual team.
Second, our agile way of working gives product
The Quarterly: Are some people better suited to owners a lot of autonomy to collect feedback from
agile operating approaches than others? end users and improve the product with each
new release. There is a risk that people will go in
Bart Schlatmann: Selecting the right people is different directions if you don’t align squads, say,
crucial. I still remember January of 2015 when we every quarter or six months. You have to organize
announced that all employees at headquarters in such a way that teams are aligned and mindful of
were put on “mobility,” effectively meaning they the company’s strategic priorities.
were without a job. We requested everyone to
reapply for a position in the new organization.
This selection process was intense, with a The Quarterly: What advice would you give
higher weighting for culture and mind-sets than leaders of other companies contemplating a
knowledge or experience. We chose each of similar approach?
the 2,500 employees in our organization as it is
Bart Schlatmann: Any organization can become
today—and nearly 40 percent are in a different
agile, but agility is not a purpose in itself; it’s the
position to the job they were in previously. Of
means to a broader purpose. The first question
course, we lost a lot of people who had good
you have to ask yourself is, “Why agile? What’s
knowledge but lacked the right mind-set; but
the broader purpose?” Make sure there is a clear
knowledge can be easily regained if people have
and compelling reason that everyone recognizes,
the intrinsic capability.
because you have to go all in—backed up by
Peter Jacobs: We noticed that age was not such the entire leadership team—to make such a
an important differentiator. In fact, many whom transformation a success. The second question
you may have expected to be the “old guards” is, “What are you willing to give up?” It requires
adapted even more quickly and more readily than sacrifices and a willingness to give up fundamental
the younger generation. It’s important to keep an parts of your current way of working—starting
open mind. with the leaders. We gave up traditional hierarchy,
formal meetings, overengineering, detailed
planning, and excessive “input steering” in
The Quarterly: How would you quantify the impact exchange for empowered teams, informal
of what has been done in the past 15 months? networks, and “output steering.” You need to
Bart Schlatmann: Our objectives were to look beyond your own industry and allow yourself
be quicker to market, increase employee to make mistakes and learn. The prize will be an
engagement, reduce impediments and handovers, organization ready to face any challenge.
and, most important, improve client experience.
We are progressing well on each of these. In
addition, we are doing software releases on a About the author(s)
two- to three-week basis rather than five to six
Peter Jacobs is the chief information officer of ING
times a year, and our customer-satisfaction and
Netherlands; Bart Schlatmann, who left ING in
employee-engagement scores are up multiple
January 2017 after 22 years with the group, is the
points. We are also working with INSEAD, the
former chief operating officer of ING Netherlands.
international business school, to measure some
This interview was conducted in October 2016
of these metrics as a neutral outsider.
by Deepak Mahadevan, a partner in McKinsey’s
Brussels office.

Flip the ratio: taking IT from
bottleneck to battle ready
By Nagendra Bommadevara, Steve Jansen, Lauren Klak, and Maneesh Subherwal
A new way to focus on outcomes and results can free IT

organizations to spend more time on business priorities.

What if an investor managed your IT? One thing it would likely hit on quickly is an important detail: for
many companies, a larger proportion of the IT organization is focused on support and administrative
work that’s often manual and inefficient—testing, deployment, maintenance, code fixes, and so on.
At two financial services organizations we analyzed, a stunning 90 percent of the IT organization
was focused on these kinds of tasks. That left just 10 percent of technologists’ capacity for business
priorities and market-differentiating work (Exhibit 1).
Exhibit 1
Too little of IT’s resources go to business– differentiating activities
Business-oriented software development

— ~30% of IT organization is developers
Other software development
— <30% development on truly market-differentiating
business features
— >70% development on repeat/non-value -add work
(e.g., lack of application programming interfaces)
Support for software development

Business-oriented
Significant support for developers to get code into
software development
production (e.g., testers, deployment specialists)
Administrative IT
Administrative and maintenance
— Application maintenance
— IT infrastructure
All other IT
What business What IT provides

wants from IT
This state of affairs partly explains why IT is often viewed as a cost center and a bottleneck by the
business. It also highlights one of the reasons that incumbents are struggling to keep up with tech
companies. With just 10 percent of IT allocated to generating new business value, incumbents are not
battle ready when it comes to contending with nimble tech players.
As any investor would tell you, place your resource bets where you believe there is value. For IT, that
means flipping the ratio, so that the great majority of IT resources are working on products that build
value for the business. As simple as that may sound, few IT organizations have been able to do it. Some
companies have managed to pull it off, however, by following a specific recipe that allows them to work
better and smarter. Typical payback in making this shift—freeing as much as 30 to 40 percent of IT labor
costs—occurs within 18 to 24 months. Flipping the ratio can improve time to market and quality. The
framework also allows organizations to quickly evaluate the business value of new technologies (cloud,
microservices, automation, AI) and then rapidly scale adoption.
How to escape the trap

IT leaders have been trying to increase the productivity of their teams, and many have made good
progress. But too often, cloud and other solutions languish in proof-of-concept stages with little funding
and, in many situations, no business case. Meanwhile, the day-to-day pressure of running an IT shop—
improving service levels while lowering costs for existing systems—continues.
To flip the ratio, four things need to happen.

1. Extend agile to back-end IT
One of the main reasons back-end systems demand so many resources is that they do not take
advantage of agile ways of working that have become second nature to most software developers. Either
back-end teams confuse “doing” agile rather than actually “being” agile, running waterfall projects using
the scrum method but not working in small teams rapidly iterating on small chunks of code, or agile
doesn’t even make it to the back-end teams. Even application maintenance and IT infrastructure can
benefit from agile principles, which is significant, since these areas often make up 40 to 60 percent of
the IT organization. By introducing true agile methods—small, cross-functional teams or squads working
in rapid iterations—to relevant enterprise IT work, companies can radically reduce the resources needed
to support those systems while substantially improving service quality and the potential for automation.
One midsize US-based financial services company discovered just how much value using agile for back-
end IT functions could be realized. At first, application-maintenance and IT-infrastructure functions—
about 40 percent of the organization—did not use agile. Making matters worse, most of the demand on
this group was reactive, handling incidents—data fixes and batch updates, for example—that required
handoffs across multiple product teams and caused frequent interruptions, significantly reducing
productivity.
The company decided to move to an agile operating model. It started by rigorously quantifying demand
to improve transparency and looking at products based on how they fit into the end-to-end value chain,
which allowed the company to better understand the dependencies across multiple products.
With better insight into demand, the company created small, self-sufficient teams to not just meet
demand but figure out how to reduce it. By better understanding business needs, teams eliminated
some demand by providing self-service options. Cross-functional teams had the people needed to not
only identify the root cause of incidents but correct them immediately. They also focused on preventive
maintenance and predictive monitoring to address issues before they became significant problems
(Exhibit 2).
Exhibit 2
An agile operating model can reduce IT administration
Headcount focused on administrative IT
30%
30%
Application operations
Infrastructure
Starting point 6 months 18 months

(interim state)
— Well-defined, business oriented — Root-cause elimination of

services with high visibility into recurring incidents
coming demand — Self-service for most common
— Small, self-sufficient teams with requests
end-to-end ownership for each — Proactive monitoring, predictive
service being provided maintenance, and self-healing
— OKR1-based self-governance of solutions for next level of
each team for improvements improvements
1 Objectives and key results

Within six months, the company had reduced application operations spend by more than 30 percent
and improved system stability (reduced incident volume and elimination of false alerts) by more than 20
percent. Further, the company was on track to reduce capacity dedicated to administrative IT by another
20 to 30 percent and improve system stability by 30 to 50 percent over the following six months.
2. Measure the things that create value

You are what you measure. That old adage still applies, and it is one of the keys to improving how IT
works. IT collects an overwhelming volume of data and metrics but often struggles to use them to drive
business value. For example, the common metrics of product-delivery time and budget incentivize teams
to release products quickly and under budget. There’s nothing wrong with that, of course, except that it
can mask a very real issue: a product could perform well against these metrics but still be a bad product
that demands lots of time to fix its defects or maintain it.
IT leaders need instead to measure the performance and health of the organization based on the desired
outcomes. In the case of the financial services company’s application-operations team, elimination of
reactive demand was the desired outcome, and percentage of false alerts was a key metric. The best
metrics not only show progress but also are specific and useful enough to be tracked every day, easy
to measure, and highlight what changes are needed. YouTube, for example, realized that the amount of
time people viewed a video (viewed hours) was the most important determinant of increasing revenue, so
it focused all activities on improving that metric.[1] The right metrics can also be measured at the squad,
tribe, and organizational level, which allows for higher levels of self-governance through objectives and
key results (OKRs) while providing the transparency that leadership needs (Exhibit 3).[2]
Exhibit 3
Use the right metrics to measure what matters
Key question(s) being addressed Likely top-level metric(s)
Business Are the stories/features being worked on by Percentage and volume of stories/features that
relevance IT considered “business relevant” or “market are considered “market differentiating” by the
differentiating”? business
Flexibility How flexible is IT in changing directions with Percentage and volume of stories that can be
changes in the market/business needs? deployed into production standalone
Technology How much technology debt (currency, defects, etc.) Indexed technolgoy debt of the applications
debt can be a business risk or preclude IT from working underlying a service/product, e.g.,
on business-relevant stories/features?
• Currency of the technology stack
• Defect backlog
Customer How satisfied are the business users/owners with One-click surveys to the business users/
satisfaction the stories/features being delivered? owners after deploying story/feature
Team-member How excited are the team members (employees Anonymized pulse survey conducted at the
engagement or contractors) to be part of the team? team level
1 John Doerr, Measure What Matters: How Google, Bono, and the Gates Foundation Rock the World with OKRs, New York: Portfolio/Penguin, 2018.
2 For a good introduction to OKRs, see John Doerr, Measure What Matters: How Google, Bono, and the Gates Foundation Rock the World with OKRs, New York:
Portfolio/Penguin, 2018.
3. Harness market dynamics to develop ‘IT for IT’ solutions and drive
their adoption
There are typically multiple improvement opportunities that cut across many teams or products in IT—
for example, a platform for the creation of application programming interfaces (APIs). These “IT for IT”
solutions can help teams work more efficiently and effectively by standardizing processes and making
code easy to reuse, for example. However, one of the big issues contributing to IT administrative bloat is
that these sorts of IT-for-IT solutions often end up languishing unused. Not only are resources tied up in
developing them, but further work is often needed because they don’t work as expected.
At one insurance company, this became a glaring issue. The API enablement team had done what it
was asked to do: establish an API platform to let developers build new APIs more efficiently. Yet after
investing in the platform, fewer than 100 APIs had been created on it, and worse, fewer than ten of
those had been referenced more than five times—and this was in an organization of 500 developers.
Why weren’t they using the platform? It turned out that it was just too difficult to use. Developers had to
submit a manual request, which took a week to fulfill, so they found it easier to just write new code.
A better solution relies more on market-demand mechanisms. Agile teams create demand for tools and
solutions they need to help hit their OKRs. As developers spot these needs, they propose a solution
(such as developing a platform for API development or a portal for developers to find existing code) to
meet the demand, which is quickly reviewed and funded (or rejected) by an oversight team. If approved,
an enablement team is formed, made up of people with the right skills. IT organizations provide
incentives for enablement teams to form, such as bonuses and recognition. The key difference, however,
is that enablement teams have specific OKRs for not just delivering the product but showing that it works
and is adopted. Developed tools and solutions need to solve the problem, be easy to use, and easily
deployed (Exhibit 4).
Exhibit 4
Enablement teams can be set up to design and drive the adoption of solutions common to
multiple agile squads
Typical goals for an
enablement team Illustrative example: API enablement team
— Lay out the strategy,

Rational for setting up the API team
design, and impact of the
technology innovation
APIs (and their reuse) free up developer capacity to focus more on new, market-
diffrentiating features; in addition, reuse reduces the potential for rework
— Create guardrails and tool
kits (“backpack”) needed by
the other IT teams to adopt
the technolgoy Elements of API solution Evangelism with other teams
— Act as evangelists, 1. Self-service platform to 1. “Dojo” sessions with teams to learn and
promoting the solutions to create APIs launch
other teams
2. Portal to search for existing APIs 2. Community channels for cross-learning
— Self-govern the enablement and celebrating success
team through OKRs
3. Connecting with other enablement
focused on adoption of the
technology teams (e.g., APIs in cloud)
Metrics for measuring success and driving OKRs
1. Number of (static) references per API
We have found that a venture-capital (VC) funding model, in which IT leadership acts as the venture
capitalist, works well to fund IT-for-IT solutions. In this system, anyone in the IT organization can submit
an idea for creating a new enablement team; if an idea is deemed attractive, IT leadership provides seed
funding and sets OKRs. Quarterly assessments show progress, and leadership decides whether to
allocate another round of funding to that enablement team and what OKRs to pursue next (Exhibit 5).

Exhibit 5
A VC-style funding mechanism ensures that enablement teams’ OKRs are aligned
with the goal – to flip the ratio
New-investment
prioritization forum
Funding to
build v2
Yes
Articulate Develop Executive Release v2 Scale

product pilot and get develop- product
vision support ment
Yes Yes
Approval to Evaluate
conduct pilot delivered
impact
New-investment Steering committee/

prioritization forum product executive
In this model, the company’s executive committee acts as investors in a VC fund, so IT leadership goes
to them annually (or more often, depending on the need) to demonstrate impact from the enablement
teams and request VC funds for the next year. The effect is to force the teams in the tribe to behave like
start-ups, moving quickly to demonstrate the value of their work.
4. Stay focused on driving the program

As in any transformation, time is the enemy. After an initial set of wins, progress often bogs down
because teams run into problems, issues become more complex, or leadership simply loses interest.
Without firm leadership and guidance, the full value potential of the resource allocation isn’t met, or—
worse—the organization slides back to the old way of working. But too much leadership control stifles
enthusiasm and the sense of autonomy that’s necessary for teams to be successful.
We have found that a thoughtful and disciplined quarterly IT review (QIR) process can be helpful (Exhibit
6). Similar to the quarterly business review (QBR) at most highly mature, agile organizations, the QIR
process allows IT leaders to take stock of the progress, resolve issues, reallocate budgets as needed,
and provide guidance on the next quarter’s priorities for pushing forward to flip the ratio. For their part,
each agile squad/tribe assesses its progress on its top-level metrics, sets aspirational OKRs for the next
quarter, and submits them to their peers and leadership for review.

Exhibit 6
A quarterly IT review governs the journey to flip the ratio
Start of next
Start of quarter End of quarter (6 weeks) quarter
IT leadership 1 1 2 3 4 5 6
team (ITLT) 7 Program
Regular review
processes leadership
meeting
4 Q&A sessions
Product/ 3 5
service
leadership 2 Pre-QIR Write QIR Review QIR 6 Marketplace
session
1 ITLT, with support from the executive committee, sets 4 Q&A sessions with ITLT are set up to provide tribe
the “enablement” budget on a yearly basis and adapts leads the opportunity to receive extra guidance on
quarterly within the QIR their objectives, road map, or impediments
2 ITLT sets the “what needs to be accomplished next 5 Tribe leaders read and comment on the QIR memo
quarter” by providing tribe leads with priorities drafts of other tribe leaders
3 Tribes leads draft and publish a 5-10 page QIR memo, 6 A 1-day QIR marketplace event resolves dependencies
which includes a retrospective of last quarter as well as and finalizes QIR memos
the OKRs for the next quarter
7 A joint meeting with ITLT and tribe leaders resolves

constraints/dependencies and validates that the
current budget (resource) level is adequate

To be sure, flipping the ratio is not easy. But if IT About the author(s)
organizations want to help build business value,
they can only do so if their resources are allocated Nagendra Bommadevara is a partner in
to value-creating activities. McKinsey’s New York office, Steve Jansen is
an expert associate partner in the Charlotte
office, Lauren Klak is an associate partner in the
Cleveland office; and Maneesh Subherwal is an
alumnus of the New Jersey office.

Transforming IT infrastructure
organizations using Agile
By Santiago Comella-Dorda, Peter Dean, Vito Di Leo, Nick McNamara, and Pankaj Sachdeva
Traditional ways of managing IT infrastructure can impede the

fast-paced delivery of digital solutions. Agile methods can be used
to boost efficiency, speed, and quality.

Many companies have accelerated application similar principles and tailored to their needs,
development by adopting agile principles and can help modernize their IT infrastructure
modern software-engineering best practices, organizations while improving performance
such as automated testing. Yet it remains significantly. At a large provider of software
uncommon to apply these methods and tools to and services, the infrastructure staff of several
IT infrastructure and operations, even though thousand people managed a global footprint
doing so presents opportunities to increase capable of handling millions of active users and
productivity and the pace at which digital thousands of log-ins a second. The processes that
products and services are brought to market. the company had used to provide infrastructure
The typical IT infrastructure organization services had grown more complex and labor
continues to emphasize stability over speed. intensive as the company grew, so it could take
Requests for infrastructure services still often months to bring new products and features to
go through an assembly line-style process market.
involving many handoffs, long delays, and frequent
When the company’s IT infrastructure leaders
misunderstandings.
modeled the effects of applying agile methods
Traditional IT infrastructure processes made sense to their organization, they saw an opportunity to
in the past. But now that the latest technology improve productivity by 20 to 25 percent in 12 to
advances have eliminated the need for manual 18 months. Given the scale of the infrastructure
configuration work and consumers expect to group, the leadership team chose to roll out
interact with companies digitally, it has become agile ways of working over that span of time
essential for companies to modernize their IT iteratively, launching about 150 agile teams to
infrastructure organizations, thereby accelerating bring new methods and technologies to the entire
IT deployments and shortening time to market company. The leadership had teams focus first
for technology projects. Four shifts can enable on improving the infrastructure department’s
IT infrastructure organizations to operate in a internal operations by simplifying and automating
more agile and efficient manner. The first of these processes and then on developing self-service
shifts involves managing infrastructure much as tools and application programming interfaces
application developers manage code, by using (APIs) that could be used more broadly.
software to configure environments in a swift,
A European financial-services company with a
reliable way. The other three are organizational:
far smaller IT infrastructure organization also
forming cross-functional teams (or “squads”)
recognized that traditional processes for building
of well-rounded infrastructure engineers that
and managing infrastructure were slowing the
work using agile methods, simplifying processes
release of digital products and services, as well
for delivering infrastructure service offerings,
as the adoption of more efficient, sophisticated
and improving how infrastructure teams and
application-development practices and tools. This
development teams work together.
company too set out to introduce agile methods
Using an agile transformation to modernize an and to implement highly automated infrastructure
IT infrastructure organization isn’t easy, but it is service offerings within its organization. However,
worthwhile. In our experience, agile approaches its approach was to roll out a new agile operating
can enable IT infrastructure groups to boost model to its entire infrastructure organization at
their productivity by 25 to 30 percent in six to once instead of iteratively, as the software-and-
18 months, depending on the size of the services company did. The company also chose
organization. The gains can increase further as to focus from the start on building an operating
automated solutions are built and fully adopted. model and tools that would empower developers
Additional benefits often include improved to manage the operations of their applications
infrastructure service delivery and shortened directly.
time to market for digital products and features.
Another business—a large US-based financial-
In this article, we explore how infrastructure
services company—also adopted an agile
organizations can modernize themselves using
approach in its 250-person IT infrastructure &
agile methods, starting with a glimpse of what
operations group. Like the European financial-
the shift looked like at three companies. We also
services company, it rolled out a new agile
provide a look at the four shifts described above,
operating model to its entire infrastructure
along with practical recommendations for how to
organization at once. However, the company chose
get the transition under way.
to focus initially on improving its processes. In six
months, it completed a transformation that cut
IT costs by more than 35 percent and doubled
Three transitions to agile overall productivity. With the new operating
IT infrastructure model in place, the company now plans to focus
Three companies demonstrate how unique on automating up to 80 percent of its operations
approaches to agile transformation, based on work.

• fdfsafsadfsfdaf
Principles for agile transformation

Despite the differences between their transformation approaches, these companies followed many
of the same principles. In the sections below, we’ll explore those principles in four areas: technology,
organization and talent, processes, and collaboration with developers (exhibit 1).
Exhibit 1
A modern agile IT infrastructure organization relies on well-rounded engineers to work
closely with developers and deliver solutions efficiently, making extensive use of automation
Traditional organization Agile organization
Technology • Highly customized infrastructure, • Standardized infrastructure service
provisioned on request offerings with largely automated delivery
• Significant manual effort required from • Self-service tools let application developers
infrastructure teams configure and control infrastructure on their
own, with appropriate guardrails
Organization • Technology-or function-specific teams • Integrated, cross-functional teams (or squads)

and talent • Staff with highly specialized skill sets build well-defined infrastructure service offerings
focused on operations and administration • Infrastructure engineers with sophisticated
development skills
Processes • Rigidly sequenced processes, with many • Squads responsible for end-to-end delivery
handoffs among groups of specialists of service offerings
• Repetitive tasks (such as deployment and • Processes in which repetitive work is
incident resolution) performed manually automated and stream lined
Collaboration • Infrastructure requests submitted as ‘tickets’ • Application-development and operations

with • Relationship and service managers deal responsibilities become more integrated
application primarily with application developers on • Self-service tools let developers handle
development behalf of the infrastructure function more operations directly
• Developers not accountable for application
code after it is put into production
Technology: Defining infrastructure with software

One reason traditional infrastructure organizations operate slowly is that their technology systems
require teams to configure infrastructure manually for each new application. To bring agility to the
infrastructure function, companies can not only eliminate manual work by building automated systems
that allow infrastructure to be defined by software but also provide “guardrails” that enable application-
development teams to manage more of their own operations safely. And while it’s possible to build
such systems with existing infrastructure, automation becomes easier as a company moves more of its
infrastructure onto modern platforms, especially cloud platforms offering a wide array of enabling tools
and technologies.
At the software-and-services company, even though the infrastructure team had standardized much of
the hardware and virtualization architecture, it still spent a lot of time creating custom virtual-machine
and operating-system configurations for product-development teams. Solution engineers reviewed the
needs of each application with its developers and then set up the necessary environments, which often
involved performing many steps manually.
As part of the company’s agile transformation, agile infrastructure teams implemented automated
solutions to streamline the provisioning and configuration of servers. One agile team built and
maintained a centralized platform that automated the provisioning of servers and could be accessed
through self-service tools. Other agile infrastructure teams, each aligned with specific software-as-a-
service (SaaS) products, automated the configuration of those servers for the products they supported,
using a configuration-management tool to define the servers’ configurations entirely in code. This
change reduced build times for environments from several months to about ten minutes. After

these solutions were implemented, whenever a defined and prioritized the backlog of activities
cluster of servers had to be updated or expanded, that their squads would work on. Infrastructure
teams could make the necessary changes rapidly, squads focused on developing highly automated
with minimal manual effort and risk of error. foundational infrastructure solutions (such as
server provisioning) that other teams could use to
The European financial-services company
set up, manage, and decommission infrastructure.
chose to automate its IT infrastructure offerings
Product squads were aligned closely with specific
using similar technologies. As part of a broad
SaaS product-development teams and worked to
push to adopt DevOps principles, it also sought
engineer and automate hosting and operations
to empower application developers to manage
for their applications, leveraging services from
their own operations as much as possible. IT
infrastructure squads when available.
infrastructure squads built automated, self-service
infrastructure solutions for application developers
and taught them how to use those solutions. Processes: Simplifying and
Developers could then, for instance, produce
code to tell the system how to configure or update
integrating activities to minimize
servers given the unique requirements of their delays
applications. The traditional IT infrastructure organization’s
functionally oriented structure imposes a
particular working style—specialized resources
Organization and talent: Building complete tasks in a prescribed order, with many
cross-functional teams handoffs between groups. This working style
At traditional companies, infrastructure causes innumerable delays: every time a request
organizations have long been structured around is passed to a new group, it goes to the bottom of
teams with narrowly defined responsibilities that group’s task list, where it might languish for
for specific technical functions (for example, days. Frequently, tasks are sent back to previous
managing relational databases or operating groups for clarification, increasing wait times even
systems) or stages of the plan-build-run IT further.
service life cycle. Neither this structure nor Companies can eliminate many of these delays
the specialization it promotes is conducive to by creating small cross-functional teams as
efficiency or agility, because multiple teams must described in the previous section. Such teams
typically work on each service request. To become can minimize or even eliminate process handoffs
more agile, infrastructure organizations can by managing the end-to-end delivery of specific
organize their staffs into small cross-functional service offerings. They should be empowered not
teams focused on providing well-defined services. only to deliver service offerings but also to improve
They can also develop modern workforces of well- their delivery by streamlining processes and
rounded engineers who can learn new skills rapidly engineering fully automated solutions.
and work across multiple functional domains to
carry out the end-to-end delivery of infrastructure The processes of the software-and-services
services, as we describe below. company’s infrastructure group had become
increasingly complex as the company grew and
CIOs and technology leaders should bear in mind added new customer-facing products. That led
that engineers in agile infrastructure organizations to the use of project coordinators to help push
typically need more diverse skill sets than service requests through the organization. After
application developers do. For infrastructure, that the company grouped its infrastructure engineers
makes agile transformations more challenging. into agile squads, however, the waiting periods
The infrastructure organization at the European that had previously followed handoffs among
financial-services company found some of the functional groups vanished. That change alone
well-rounded infrastructure engineers it needed halved the amount of time required to provide
by carefully screening existing employees. many core service offerings. The company’s
The most capable ones were offered roles on squads also redesigned common processes to
infrastructure squads charged with building the simplify workflows or eliminate unnecessary steps,
highly automated self-service solutions described such as certain approvals. The number of steps
above. in virtual-server provisioning, for example, was
At the software-and-services company, the cut by more than two-thirds, and the remaining
leaders of the infrastructure group chose to steps were then largely automated through better
organize their staff into skill-focused “chapters” engineering.
to help with capability building, professional By contrast, the US-based financial services
development, and standard setting. Chapter company mentioned earlier took a different
leaders determined which new skill sets their approach to compensate for the limited
areas needed and were asked to develop training development skills of its infrastructure
or hiring plans to meet those needs. For working organization. First, it set up cross-functional
purposes, the company organized everyone squads to simplify processes without automation.
from those chapters into two types of cross- The resulting productivity gains bought employees
functional agile squads led by product owners who enough time to learn more advanced engineering

skills. Then they began planning the development under way quickly.) This can be effective as part
of automated capabilities to address common of a broader effort to transform a company with
requests. agile methods, or as an effort that is solely focused
on the IT infrastructure group. Either way, the key
steps in structuring an agile transformation of an
Collaboration with application IT infrastructure function are as follows.
development: Fostering 1. Create a vision for the new infrastructure
understanding and accountability organization, particularly how the organization
Traditional infrastructure organizations should operate and how quickly it should evolve.
have minimal interaction with application- Several key questions will help IT and business
development teams. Collaboration between leaders to define their vision for the organization.
the two camps is normally limited to the initial What infrastructure service offerings should the
setting up of systems for new applications and organization provide to application developers
the resolution of critical incidents. As a result, and business users? Establishing a catalog of
typical infrastructure engineers know too little infrastructure service offerings helps companies
about each of the applications they support to to design and define the scope of agile teams and
help improve the stability of those applications. to decide which of them should own the tasks of
Moreover, developers lack the awareness of delivering and improving those services.
operational issues they would need to engineer
robust, easy-to-support applications. Modern How should the infrastructure organization
agile organizations, by contrast, make a point collaborate with application developers and how
of increasing the level of collaboration between should the interaction model evolve over time?
their application-development and infrastructure Teams that are closely aligned with application-
functions. development teams can be beneficial if the
infrastructure organization has responsibilities
The European financial-service company related to operating applications (for example,
described earlier exemplifies one collaboration deploying code).
style: making developers accountable for
operating their applications. Involving developers How quickly should the organization push to
in the incident-response and postoutage follow-up engineer automated solutions and adopt cloud
processes for their applications makes them more technologies? The structures, processes, and
aware of issues in their application code. Involving skills of agile teams that focus on operations
developers in operations also encourages them to can be very different from those that focus on
write code easy to manage and support—they can engineering infrastructure offerings.
be awakened in the middle of the night if incidents How will infrastructure leaders and business
occur. executives gauge the efficacy of the
transformation? Going into an agile transformation
The large software-and-services company
of the infrastructure organization, business and IT
demonstrates a contrasting approach. Its
leaders should set clear objectives for improving
infrastructure organization continued to support
performance and value creation, so that they
operations for application-development
can track progress and results with well-defined
teams but found a new way of doing so: closely
measurements.
aligning agile product squads and application-
development teams. The alignment greatly 2. Segment and prioritize opportunities with
increased coordination and collaboration. Many respect to the potential to create value for the
of the product squads were co-located, at least in organization. It is important to assess demand
part, with the application-development teams they for infrastructure by developing a data-driven
partnered with. Core members of each product understanding of past consumption patterns and
squad would attend some of the agile ceremonies projected future needs. Knowing how much work
of the application-development teams. In addition, is involved in delivering specific infrastructure
the close alignment helped infrastructure offerings helps with organizing the work into
engineers to gain familiarity with the applications scopes appropriate for an agile team. If, for
they managed, so they had a stronger attachment instance, demand for storage-related work calls
to the success of those applications, which could for a workforce of 24 people—too many for a single
now be better monitored and supported. team—the effort might be divided among two
teams: one focused on block storage and another
on file storage services.
An approach to transforming
Analyzing demand can also help with identifying
infrastructure using agile the greatest opportunities for improving
In our experience, the challenges of modernizing efficiency and with prioritizing the rollout of teams
IT infrastructure using agile can be overcome accordingly. For example, a company can realize a
using a structured approach to designing, great deal of value in a transformation by assigning
launching, monitoring, and enabling agile teams. the first agile infrastructure teams to handle and
(At larger organizations, applying that kind of improve frequently performed labor-intensive
approach in waves can help the transformation get services.

3. Design each agile infrastructure team to agile coach attended key ceremonies during the
match the focus of each team with the working first several sprints of the team to make sure it was
methods it will use. Teams focused on developing stable.
automated infrastructure service offerings tend
5. Focus on the sustainability of the
to be relatively small—typically with eight to 12
transformation. Soon after agile infrastructure
people. They usually find that they work best using
teams have been launched, governance bodies
the scrum methodology, developing solutions in
(such as a committee composed of senior IT
two- to three-week development sprints. Teams
leaders) will probably be needed to ensure that the
focused mainly on operations (such as level-one
teams are advancing toward their goals, refreshing
support teams) might benefit from longer rosters
their objectives as the organization’s priorities
of up to a couple of dozen people. These teams
change, and improving their use of agile practices.
often use the kanban or scrumban methodologies,
In addition, many infrastructure organizations
which are more appropriate for managing a
quickly discover a range of opportunities to build
continuous flow of unplanned or event-driven
on the agile transformation’s initial improvements.
work.
These include revising career models to support
Over the long term, it is often preferable to have new agile roles, adopting more flexible budgeting
the same infrastructure team own both the processes, and making strategic planning more
planned development work and the unplanned agile.
operational work for a specific offering. This
Addressing these improvement opportunities
approach encourages teams to identify
will take time, but senior IT infrastructure leaders
operational issues and fix them. However, at the
can handle the work by using the same methods
beginning of an agile transformation, separating
their newly launched teams do. They can organize
out unplanned operational work can help newly
themselves as a team, create a backlog of
established infrastructure teams to focus on
opportunities, determine priorities, assign owners,
engineering highly automated solutions.
and carry out the work in sprints.
4. Create a structured process for rolling out
Legacy IT infrastructure processes common
agile infrastructure teams. The process should
at companies that weren’t “born digital” can
give all the people involved enough time to prepare
impede the rapid delivery of new digital products
for the launch of their teams. Our experience
and features. Agile methods can speed up the
shows that it is critical to provide time and
process significantly, and the benefits often start
guidance to train team members, develop a strong
to materialize within the first six months of an
team charter, align key stakeholders, and build out
agile transformation. A modern IT infrastructure
an initial backlog.
organization that collaborates closely with
At the software-and-services company, for developers and uses automation to accelerate
example, before each agile squad launched, its configuration and maintenance can greatly boost
product owner and scrum master received two its own performance, along with that of the wider
days of role training on how to perform their company. For incumbents facing the threat of
new roles. They then completed a six-week disruption from digital challengers, this can
self-organized program, facilitated by agile help make the difference between success and
coaches, in which they designed their teams’ obsolescence.
vision, scope, objectives, performance metrics,
minimum viable product for improving delivery, and
composition. Product owners also had to identify About the author(s)
their key stakeholders up front and to review Santiago Comella-Dorda is a partner in
their plans with them and with the sponsors of McKinsey’s Boston office, Peter Dean is a expert
the transformation so that everyone was aligned. AP, digital in the San Francisco office, Vito Di Leo
Once the product owner and scrum master had is expert AP in the Zurich office, Nick McNamara
finished these steps, the agile coach would lead is an associate partner in the Chicago office, and
the full team through a one-week “sprint zero,” Pankaj Sachdeva is a partner in the Philadelphia
when it received training on agile and built out an office.
initial backlog of work. After the sprint zero, the

Next-generation core banking
platforms: A golden ticket?
By Xavier Lhuer, Phil Tuddenham, Sandhosh Kumar, and Brian Ledbetter
Incumbent banks are concerned about the limitations of their core

architecture platforms. Newly available tools make the challenge
less daunting.
Future-proof the foundation by building flexible and secure platforms 77

Competition in the banking industry is intensifying. Time to market. Being able to launch products
Neo-banks are winning market share and serving quickly is a critical competitive differentiator
customers at around one third of the cost of in the current crowded marketplace. However,
traditional banks. Fintechs are targeting lucrative faster product delivery is restrained by
niches in the value chain. Big tech players, with monolithic architectures (leading to multiple
their large customer bases, pose a real threat interdependencies and bottlenecks), poorly
and a few incumbents are investing heavily in documented legacy code (causing over-reliance
innovation, putting laggards in the shade. on a small number of subject matter experts), and
manual delivery processes.
Attackers are growing their businesses and
attracting customers with the help of modern core Personalization. Customers increasingly expect
technology architecture, which enables them to a personalized experience. But banks often store
innovate faster and operate more efficiently. Not data in multiple product-aligned core systems,
surprisingly, incumbent banks are increasingly which inhibits catering to individual needs.
concerned about the limitations of their own core For instance, one major bank had to invest in a
architectures and their relatively slow pace of major two-year program just to offer customers
change. As a result, some 70 percent of banks are a combined view of savings accounts and
reviewing their core banking platforms, according investment products.
to a McKinsey survey of 37 banking executives in
Ecosystems. Partnerships are becoming critical
May 2019.
to creating the products and services of the future.
We see four key areas in which legacy platforms Yet current architectures lack the connectivity to
inhibit performance: third parties that would enable innovation (e.g.,
property related services for mortgage buyers).
Cost. Cost is more important than ever given low
industry return on equity (ROE). Yet technical The good news for incumbents is that the tools
debt in legacy systems consumes large chunks of are at hand to address these challenges. In
IT spend—one mid-sized bank spent two-thirds particular, a new generation of cloud-native core
of its digitization budget on this alone. Clunky banking platforms is emerging, including Mambu,
legacy systems are associated with manual 10X, Thought Machine, and FinXact, alongside
software delivery (manual regression testing and offerings from the traditional core platform
deployment) and low straight-through-processing vendors. These promise to help banks radically
rates (accumulated layers of complexity leading to modernize and bring the possibility of benefits
fragmented and manual operational processes), including (Exhibit 1):
which conspire to keep costs higher than
necessary.
78 Future-proof the foundation by building flexible and secure platforms

Exhibit 1
Bank anatomy based on a next-generation core banking platform
Built by bank Services built leveraging third-party services
d-party providers
Thir
Call KYC Differentiators enabled by next-gen core
ch center Cre
Bran dit banking service providers
Ris
p p
ap kto
l km
AM
ne Hyper-parameterized product ranges enabling
s
L
De
an a
faster time to market and ultra-personalization
na
Ch
app e
Fra
bil
Ge
ge
Mo
ud
ct
men
er Real-time data analytics enabled by a single
u
Transaction
al l
monitering
Prod
source of truth for customer and transaction

Reporting
edger
Modern
t
Reg.
data
core
E c o sy
Acco
nts Cloud-native architecture resulting in lower run
Card
or at
untin
a
C
ec
u sto m er d cost, automation, and resilience
me
st e
g
k
ay
P
m
an
Lo
erb
C Micro-services and APIs to enable faster

an
m aunsto m eernt
Int
s
B. agem -
er l integration and increase re-use
I. Int iona
Ide na
t of capabilities
man ntity ng
agem keti
en t CRM Mar
Thir Third-party ecosystems to leverage best
d-party providers of breed solutions with ease of switching in the
future
Source: McKinsey analysis
Reduced IT costs. Banks can cut spending through higher developer productivity and removal of
technical debt. They can achieve further efficiencies by leveraging cloud-based services (which enable
them to deploy new products and scale infrastructure quickly) and by using development tools that
support automation (DevSecOps).
Accelerated time to market. Banks can more easily and speedily develop new products and services,
aided by hyper-parameterized configuration capabilities. Higher levels of standardization make it
simpler to leverage modern tools such as automated testing and therefore to implement more frequent
deployment cycles.
Data and a customer-centric proposition. Data capabilities are set to become a critical differentiator.
Modern platforms support integrated data sets and a single source of truth. These in turn create the
ability, in real time, to offer personalized experiences and run advanced analytics for sharper decision-
making (e.g., for front-line staff).
The ability to scale through partnerships and innovate. New platforms enable rapid scaling and
less expensive development of ecosystems and ancillary services. Integration is easier with modular
architectures and communication via APIs.
Given these benefits, it’s not surprising that more than 65 percent of the banks we surveyed are
exploring the potential of next-generation platforms. Indeed, around the world, several have announced
partnerships and are on the way to realizing significant benefits.
As attackers and some incumbents move forward, banking leaders remaining on the sidelines have three
practical options (Exhibit 2)

Exhibit 2
Banks have three options to replacing the core
Low
Replaced
Medium
Preserved High
2: Journey-led progressive
1: Big-bang replacement of core modernization 3: Greenfield tech stack
User
interface
Integration
Core
systems
Description — “Big bang” approach with — Top customer journeys — Greenfield tech stack leveraging
monolithic system upgrades reinvented end-to-end through cloud-native architecture (e.g.,
every few years zero-based design hyper-parametrized, real time,
— Selected systems upgraded — New business logic built modular, API first)
or replaced according to iteratively as modular — New customer onboarded
architecture roadmap (through microservices (and selectively on the new platform; existing
“buy” or “build” approach) “hollowed out” from existing customers migrated (e.g.,
systems) with shared utilities cancel and re-enroll, recreate
accounts)
What — Current core is dated or out of — Current core has support and is — Risk appetite and budget to
bank support and there is an urgent usable for the next 5 to 10 years experiment with a technology
needs to need to replace — Lower appetite for risk of data hedge
migration required than for big- — Speed of product innovation
believe
bang or greenfield option over risk of data migration
— Highly complex product setup challenge for legacy customers
or legacy customers making
migration a challenge
Risk profile
Speed
Investment $100 million to $500 million+ $50 million to $200 million $50 million to $100 million
Note: Based on flash survey conducted in 2019 during a banking conference with over 100 banks
Source: McKinsey analysis; annual reports

Full replacement of the core with a new Most advanced banks start with the most critical
tech stack. Banks often pursue this course of customer journeys and a “strangler pattern”—
action when they urgently need to replace their hollowing out frequently-used functionalities
core platforms because of obsolescence or and rebuilding them as microservices. Still, while
regulatory imperatives. However, it can be risky. the approach is lower risk than the first option,
It requires extensive data migration and the transition timelines are generally slow and banks
benefits are typically only realized when the final may not achieve the desired levels of efficiency
customer is migrated and the legacy systems and time-to-market.
are decommissioned. Banks generally choose a
A greenfield banking proposition built on a new
traditional platform as the replacement, reflecting
tech stack. CXOs focused on staying ahead of the
concerns that next-generation platforms are not
curve often pick the greenfield option because it
yet fully proven or focused on a subset of products
enables them to launch new offerings and deliver
and features.
value quickly. It is often considered less expensive
Progressive modernization. Most banks have than the other options and safer because the
pursued this strategy. It comprises retaining the existing customer base is not exposed until the
legacy platform but progressively minimizing proposition and technology are proven. With many
it as they build a modern architecture around banks exploring next-gen core platforms, this
it. It is often seen as a safe option if the current option arguably provides the best way to elicit the
architecture is viable for the next five to ten years. most value.

A few institutions are also exploring the possibility which technology leaders will put clear blue water
of migrating a large incumbent customer base between themselves and the competition. The
using a “reverse takeover” approach. bottom line? CXOs need a clear strategy to avoid
being left behind.
In terms of budget, the majority have earmarked
$10 million or more over the coming year (sufficient
for experimentation), with around 20 percent
planning to invest $20 to $40 million, according to About the author(s)
our survey. Xavier Lhuer a partner in McKinsey’s New York
The platform decisions leaders make now will set office, Phil Tuddenham is a partner in the London
their direction of travel for the next five years or office, where Sandhosh Kumar is an associate
more. They need to think carefully about their next partner, and Brian Ledbetter is a senior partner.
move. Still, there is scant opportunity for delay.
The industry is approaching an inflection point, at

Cutting through the noise: How
banks can unlock the potential
of APIs
By Harald Kube, Timo Mauerhoefer, and Nik Tavakoli
API-driven products and services represent both a competitive

threat to incumbent banks and a significant opportunity.

Application programming interfaces (APIs) McKinsey estimates that the value at stake across
are shortcuts that make it easier for software global banking is significant — approximately
developers to build new applications. In the 50 percent of revenues or 65 percent of profits
banking context, however, they are something (the money banks make from distribution rather
more. APIs enable easy access to banking than manufacturing) over the coming decade. On
services, products, and data. This transforms them that basis, efforts to date represent the tip of the
into keys, capable of unlocking a range of business iceberg.
opportunities. Add the impact of regulation and
they change again, becoming agents of disruption
with transformative potential. Three basic models, but no
APIs are in effect multipurpose tools, enabling big bang
compliance with open banking regulation such as
Europe’s Payment Services Directive 2 (PSD2), As API-driven financial services expand, individual
access to ecosystems of related businesses, institutions are developing applications based
and simplification of legacy IT systems. They on their own priorities. These are aligned with
represent a significant opportunity to innovate, three generic API models, which most banks
work more efficiently, and develop new products apply in combination. One is focused on internal
and services. processes, systems, services, and data and
two are external-facing and oriented either to
When it comes to API implementation, progress commercial partners or the general public.
is patchy. Many banks have taken initial steps,
and have seen positive returns in terms of Each model is associated with a distinct set of
technology development, customer engagement, business priorities. Internal APIs are designed
and business expansion. In China, for example, primarily to streamline software development
various ecosystem models are bringing together and simplify systems and operational processes.
fintechs, companies, banks, and other financial These currently represent the vast majority
services providers to buy and sell products, of use cases. Partner APIs, meanwhile, allow
share technology, and expand their networks. external firms to access data that can enhance
Banks in Europe and the US are also starting products and services or create new ones. Finally,
to get involved, often working with, or investing public APIs open up bank data, products, and
in, fintechs to create new revenue streams and services to communities of developers, with
more tailored customer experiences. Some have the aim of encouraging rapid development and
launched aggregator apps, bringing together commercialization. One example of this kind of
account information from a number of institutions, innovation is integration of a credit application on
or have created online marketplaces in which a real-estate website.
partners can pick and choose products and For now, most banks are focused on internal API
services, sometimes to integrate into their own development. A McKinsey survey conducted in late
platforms. 2018 shows that more than 91 percent of APIs are
Still, while some banks are ahead of the curve, internal (Exhibit 1). Just 7 percent are partner APIs
the majority have work to do. Most are in the (mostly arising from regulation such as PSD2).
development phase, and few fully understand how Partners are mainly fintechs and customers. Less
a data-driven business model will work for them. than 2 percent are public.

Exhibit 1
Most banks focus on internal APIs to cut costs and boost efficiency
Overview of different API types
Share of For which partners do you

API type Attributes total APIs provide services via APIs?
Public/open Innovation through 2% Share of responses, multiple

engaging developer selection possible
APIs used by external
community
developers to build innovative New players 33%
apps and products Extended market reach (e.g., fintechs)
P ub li c
Customers (e.g., 28%
Partner/B2B Reduce partnering 7%
Internal large corporates)
costs
APIs used by business
Pa r t n er
partners, including suppliers, API monetization Incumbent partners 17%
providers, resellers, and others, (e.g., insurers)
Enhanced security
for tighter partner integration
Internal Cost reduction 91% Government 17%
APIs used by developers Operational efficiency

Other 6%
within enterprise
Enhanced security
Source: McKinsey Global API Banking Survey
Where they are building external models, many banks are providing banking-as-a-service to fintechs,
aiming to use existing assets to construct new products and services. Another powerful use case is to
integrate offerings into customer IT platforms. One large European bank, for example, is developing a
“treasury cockpit,” which can be integrated with customer systems to enhance transparency and enable
faster interactions.
While the majority of APIs by number are internally focused, most banks have some kind of outward-
looking program. According to a McKinsey survey and publicly available data, some 65 percent of the
40 European institutions among the 100 leading global banks (ranked by balance-sheet assets) have
a developer portal to share APIs externally. On a global level, 47 percent of the top 100 do the same
thing. Regulation is often a primary driver, but equally banks are seeking to innovate where they see an
opportunity.
Where banks have externally facing portals, some 43 percent of APIs are focused on complying with
PSD2. These may, for example, offer access to account data or enable third-party payments. The rest
relate to functions outside PSD2 requirements, including services such as branch/ATM finders, account
opening and closing, FX, and loan applications (Exhibit 2). In fact, some 57 percent of external APIs are
not required under PSD2 compliance.

Exhibit 2
Banks are increasingly implementing APIs in areas other than regulatory compliance
APIs offered by the top 1001 global banks by function, in % of total number of APIs released externally
57% of APIs relate to functions

43% of APIs relate to PSD2 outside of PSD2 requirements,
requirements, including: including:
57%
Account data (e.g., Banking services (e.g., branch of
transaction histories) ATM finder)
Payments (i.e, enabling 43% Deposit (e.g., opening and
transactions via third-party closing deposit accounts)
applications)
FX (e.g., query for current FX
spot rate)
Loans (e.g., credit application
programming interfaces)
1 Measured by balance-sheet assets

Source: Publicly available API developer portals of top 100 global banks
Banks’ willingness to innovate beyond regulation is usually a reflection of strategic objectives.

Respondents to our survey say their most important rationale for API investment is reduction of IT
complexity. Next come revenues and cost cutting, followed by regulatory requirements and to enable
partners. Of course, API development also represents an opportunity to boost fee income, a welcome
benefit in a low-interest-rate environment.
Despite this wide range of motivations, the API “revolution” is still in its infancy. One reason is that many
banks suffer from a strategic deficit. Executives understand the principles, but are unsure of how they
create a material impact on the bottom line. As a result, there is little sign of a “big bang” in API-based
propositions.
What does it take to unlock the potential?

Based on our work with financial institutions and insights from our survey, McKinsey has developed a
standardized framework for building a cutting-edge API capability. The framework comprises four key
elements: strategy, operating model, technology, and people (Exhibit 3).

Exhibit 3
What it takes to become an API leader
Key elements of an API program
Operating model
Establish a central integration team to gain momentum; over time the
team might disperse across the organization
Technology People
API strategy
Establish a single API Build API
platform and clear Set a clear strategy for capabilities
standards (e.g., API internal and external APIs internally and
taxonomy) to ensure based on business value establish a strong
re-usability and scalability creation (e.g., monetization culture focusing on
across the organization potential) and establish an exposing services
API-first model and data
Source: McKinsey analysis
One core underlying principle is that API development must be business-value focused. This means
for external APIs, banks need a well-thought-through API monetization model, potentially including a
combination of schemes such as freemium and pay-per-use. Internal APIs should add value through
factors such as costs savings, speedier time to market, and increased quality of products and services.
From an operating model perspective, there are two basic steps, starting with a centralized model and
progressively moving to a decentralized approach. Centralized models, with a single team developing
APIs, can create critical mass and act as a focal point for learning. A decentralized version, meanwhile,
suits more mature scenarios. It most often comprises agile teams working across the business. Funding
strategy may echo this approach, with funding initially provided centrally but later shared between
teams.
From a technology perspective, it makes sense to build a central API management platform, which can
act as a single source of truth for developers. A single platform is also an antidote to duplication and
supports the use of monitoring tools. In addition, principles of recycling should apply. APIs should be
designed to be reusable, and over time should become first choice for delivering new business features.

Equally, in a dynamic marketplace, banks should significant opportunity. Most management teams
aim to develop API capabilities quickly and to understand the potential and are starting to roll
focus on continuing to innovate, even as they out projects to streamline internal processes
reach maturity. and reach out to third parties. Some are already
realizing significant benefits. Still, as digitization
Finally, talent is crucial. Banks need to recruit the
accelerates, the competitive temperature is
best people and hold onto them. This is a sure
rising. Banks that have made a slow start need
route to competitive advantage. A related point
to accelerate and focus more intently on turning
is the necessity of senior level buy-in. The most
innovation into real impact on the bottom line.
successful API initiatives are supported by senior
management, in most cases directly by CXOs— More information on our API transformation
ensuring a strong focus on business value. Still, approach, case examples, and the API survey
senior executives may require education on the results can be requested via Global-API-Survey@
relevance and potential of APIs—it makes sense mckinsey.com.
to develop ways of talking about APIs that are
not too technical. Once engaged, leaders should
adopt an API-first mentality, so that every product
About the author(s)
initiative is gauged in terms of its API potential. Harald Kube is a partner in McKinsey’s Frankfurt
Incentivization schemes should also reflect this office, where Timo Mauerhoefer is an associate
priority. partner, and Nik Tavakoli is a fellow senior
associate in the Cologne office.
API-driven products and services represent both
a competitive threat to incumbent banks and a

Unlocking business acceleration
in a hybrid cloud world
By Arul Elumalai, and Roger Roberts
Companies that have moved operations to the cloud still aren’t

achieving the desired operational agility. A renewed focus on
people, processes, and policies can unlock the cloud’s full potential.

Digital technologies continue to transform every facet of business. Across industries, CEOs have a
consistent top priority—harness technology to jump-start growth, speed time to market, and foster
innovation. Several factors are ratcheting up pressure: investors are valuing top-line revenue growth;
rising customer expectations for simple cross-channel experiences are compelling companies to
systematically tear down silos; and an organization’s ability to respond to market shifts is becoming a
core differentiator. Meanwhile, digital leaders across sectors have changed the competitive landscape
by demonstrating that agility and velocity can beat scale.
Senior technology leaders are feeling this pressure. In recent McKinsey research, when chief information
officers (CIOs) or equivalent tech leaders were asked about their CEO’s top priorities (see sidebar, “About
the research”), 71 percent pointed to agility in reacting to changing customer needs and faster time to
market, while 88 percent of respondents cited revenue acceleration (Exhibit 1).
Exhibit 1
To stay relevant and ahead of the competition, CEOs across industries

are prioritizing growth and speed of innovation over cost
“What would you say are the top 3 priorities for your CEO?”
Chief information officers who mentioned this as a top 3 CEO priority, %
CEO priorities
Revenue acceleration 88
Improved agility and faster time to market 71
Cost reduction 47
Better management of regulatory and 29
compliance risks
Increased customer satisfaction 29
Other (e.g., brand reputation, other financial 41
goals, strategic initiatives)
Source: McKinsey expert interviews (N=52)
These priorities are playing out across every industry, with huge implications for business models.
• • A clothing company, for example, traditionally had several weeks between the introduction of a
new product line in stores and when competitors could get their cheaper versions to market. That
cushion has dropped significantly thanks to digital channels: the company indicates that it now has
just 48 hours to launch a new design and gain buyers through digital, direct-to-consumer routes,
and rapid (sometimes same-day) delivery.
• • A digital-media company regularly saw spikes in viewership upon releasing new content, so its need
to ramp up infrastructure in order to accommodate increases in demand has suddenly become
critical to satisfy its subscribers.
• • In financial services, a line-of-business leader at a large retail bank cited tremendous pressure to
shorten product-development cycles. The industry’s average product release time has ranged from
nine to 24 months—a glacial pace compared with that of fintech companies, which can deploy code
daily and run dozens of A/B tests a month.
The common thread running through these examples is the ongoing, urgent need to gain market
advantage through business acceleration.

Role of digital and the ever-increasing reliance on
technology leaders
IT strategy has long been part of business strategy, but C-suite executives (CxOs) are increasingly
seeking a larger impact from investments in digital technologies. Digital innovation has become central
to the full range of business transformation initiatives and is no longer just one category among many.
Since technology is integral to a company’s performance and competitiveness, identifying prudent
investments in IT modernization becomes even more critical. CEOs recognize the importance of getting
it right: good choices establish a favorable course, and the business soars; however, poor choices will
siphon away much-needed organizational energy and resources and undermine competitiveness.
The task of translating ambitious tech-driven strategies into accelerated performance falls to CIOs and
chief technology officers (CTOs). Nearly 60 percent of CIOs indicated that their CEO depends on them to
achieve the organization’s top three business priorities (Exhibit 2).
Exhibit 2
IT leaders clearly realize CxOs’ dependence on them to deliver on growth

priorities and agility expectations
“Which of the top 3 CxO priorities depend on you?”
CIOs who indicated that at least 2 of CxOs’ top 3 priorities depend on them, %
59
35
6
0
None One Two Three
As a CTO at a large US insurance company points out, “I think all CEO priorities depend on the office
of the CTO. It is all about bringing products to market faster. We have to innovate on new policies and
change our business model rapidly.” And the CIO of a retailer indicates that the IT team is mutually
accountable with the chief marketing officer (CMO) to achieve the growth objective: “The CIO and CMO
will have to work together. We have common metrics to track. If a campaign fails, both of us are on the
hook. So to say that the CMO is dependent on me to deliver the objectives is an understatement. It’s our
joint responsibility.”
The IT infrastructure modernization imperative

To meet CxO and board expectations, IT modernization is critical. According to our research, CIOs
believe that the organization cannot capture agility benefits by simply shifting applications to cloud
platforms. Instead, they recognize the need to reassess the infrastructure stack and the way it works.
Emphasizing agility while managing cost and risk

When asked about the principal benefits of infrastructure modernization, CIOs prioritize increased
agility and better quality of service to customers. They are also looking to reduce costs and improve their
security posture (Exhibit 3).

Exhibit 3
CIOs believe that business benefits cannot be achieved by lifting and shifting
applications and need to rethink the infrastructure stack
CIO reasons for pursuing infrastructure modernization
100 points allocated across
Agility and time to market 28
Quality of services or reliability 27
Cost efficiency 20
Security and risk reduction 19
Other (e.g., employee satisfaction, 6

talent retention)
Source: McKinsey exppert interviews (N=52)
CIOs see the cloud as a predominant enabler of IT architecture and its modernization. They are
increasingly migrating workloads and redirecting a greater share of their infrastructure spending to
the cloud. The companies we surveyed currently have around 50 percent of all workloads running on
public- and private-cloud platforms. By 2022, that share is projected to rise to 75 percent, with roughly
two-thirds of that workload housed in shared public platforms within data centers built out by the major
cloud-service providers (Exhibit 4).
Exhibit 4
CIOs see cloud as crucial to modernizing technology and are increasingly migrating
workloads to cloud
PPrivate
rivate cloud
cloud
PPublic
ublic cloud
cloud
X % of respondents On premmise
On premise
Workloads distribution 16
in 2019 vs. in 2022 6 28
47
% of workloads 63
12
≥2x 18 25 10
26 78
60
52 22
Increase 35
25 15
in cloud
workloads
23
within
49 15 21
3 years 33
25 9
13 58
<2x 10 38 55
76
66
28
29
14
2019 2022 2019 2022
<35 ≥35
% of workloads currently in cloud

While this migration represents a dramatic technology overhaul, astute tech executives also view it as
a trigger to reevaluate how the IT function works. One large retail chain’s CIO notes, “I need a forcing
device to jolt my organization out of its old ways of working. I see cloud as that catalyst. Our current tools
enable the old ways, not the new. Until we implement the tools and data, we can’t reap the full benefits.”
Identifying key challenges

Thus far, modernization efforts have largely failed to generate the expected benefits. Despite migrating
a portion of workloads to the cloud, around 80 percent of CIOs report that they have not attained the
level of agility and business benefits that they sought through modernization. Further analysis indicates
that companies are falling short of their IT agility expectations, regardless of their level of cloud migration
(Exhibit 5). Even organizations that have transitioned the majority of workloads to the cloud remain within
the same range of IT agility as their slower-moving counterparts.
Exhibit 5
Analysis indicates that companies are falling short of their IT agility expectations,
irrespective of migration level to cloud
Companies with interviewed CIO, bubble size based on revenue
IT agility index1 (archieved)
% of workloads in public-and private-cloud platforms

1 Parameters used to calculate IT agility score are the following, self-reported and rated on a scale of 0 to 10; speed of application and feature development, maturity of
IT operation, and agile application-development capabilities
Our research found that CIOs face several entrenched challenges when pursuing IT modernization:
survey respondents indicated talent gaps were their top barrier, followed by security and compliance
requirements (Exhibit 6).
Exhibit 6
CIOs’ inability to deliver on agility objectives is due to valid constraints and challenges
Top challenges CIOs are facing in infrastructure modernization
CIOs who indicated this as a challenge, %
Talent gaps (including technical and
managerial talent) 58
Security requirements and compliance

52
constraints
Change management and
implementation complications 33
Gaps in executives’ understnading of
cloud capabilites and value at stake 32
CIOs’ progress in hindered
Complexity of current enviroment 28 by these challenges and
resulting compromises. In
High or unforseen costs 25 most cases, modernization
efforts run out of steam and
Operating-model transformation CIOs stop pursuing the next
19
complications set of progress objectives

The CIO of an automaker reflects on the struggle of hiring candidates with the requisite cloud expertise:
“Finding someone with skills similar to engineers who are attracted by large cloud providers and
software as a service (SaaS) companies is too difficult.”
Notably, 28 percent of respondents cited the complexity of their current environment. The technology
leader in financial services notes, “We were surprised by the hidden complexity, dependencies and
hard-coding of legacy applications, and slow migration speed.” Thus, it becomes critical for many
applications to refactor for modern architecture. This approach—characterized by microservices and
containerization—enables companies to balance the projected cost to run against cost to modernize,
focus on the pace of innovation and enhancements, and improve responsiveness to fast-changing needs
and dynamic markets. We have seen CEOs seek this guidance from their IT leaders and teams.
Managing trade-offs on the IT modernization journey

The inability of CIOs to achieve greater agility is in part due to valid constraints (such as gaps in skills and
training), but our research finds that avoidable compromises also hinder progress. Few organizations
have the luxury of starting with a clean-sheet approach to IT infrastructure, and so CIOs are making
trade-offs in the name of balancing the ideal with the practical. Our analysis identified five common
compromises that IT leaders feel they are frequently forced into and that negatively affect agility
(Exhibit 7). Furthermore, some CIOs debate whether such compromises are valid or not. Some say these
responses reflect real constraints, while others say that adopting new technology and operating-model
innovations can easily address these constraints—hence, these are not trade-offs at all.
Exhibit 7
Some cases of compromise prove to be avoidable, according to CIOs’ assessments
Real trade-off Contrived

Trading... In favor of... Interviewees’ assessment of the compromises
% of CIOs
Control and security

Developer agility 69 31
governance
Single-cloud-vendor Leverage in vendor contract

economies of scale and negotiation and avoiding 83 17
talent focus concerns of lock-in
Best-of-breed toolchain Standardization and

choices best suited for familiarity of a single 77 23
each environment tool set
Customer or employee
Security lockdown 50 50
experiences
In-house talent Immediate outsourced

81 19
development talent
While a majority of CIOs indicate that they are living with these suboptimal choices, deeper analysis of
companies that have successfully navigated these trade-offs highlights best practices to avoid these
compromises and, in turn, increase business agility.
Giving up developer agility for the sake of control and governance. One of the top benefits of
transitioning operations from legacy infrastructure to cloud-native solutions is the speed at which
developers can work. However, 69 percent of organizations indicate that implementing stringent
security guidelines and code review processes can slow developers significantly. According to the chief
information security officer of a multinational cloud-based solutions provider, “In the old world, when a
developer checks in bad code, I can find it and control the blast radius. But in cloud, it happens too fast—
I still have those codes go through manual reviews and sign-offs.” Some leaders have found a way to
work around this compromise through the following approaches:

• Acquiring and upgrading talent. Leading concerns of vendor lock-in with public-cloud
companies hire developers with security providers by betting on a single vendor. This is
architecture expertise and entrust them to not a new concept for us. However, some of our
design secure architectures from a project’s stakeholders take a different view. They hear
inception. about outages and want us to source from two
or more providers.” Help is coming in the form
• Provisioning process improvements.
of emerging solutions that work across cloud-
DevOps engineers use application
service-provider platforms, enabling enterprises
programming interfaces (APIs) for
to avoid this compromise. In the meantime, leaders
environment creation, which include functions
are working around vendor lock-in through the
that specify secure configuration.
following methods:
• Changing development processes. By
• Abstracting infrastructure. Seasoned
bringing security teams more deeply into
architects are choosing technologies such
agile development and DevOps processes,
as containerization to abstract infrastructure
companies have avoided the added
and to enable portability across disparate
complexity of cross-team coordination and
environments.
alignment across development and security
teams. • Minimizing dependencies on infrastructure
or platforms as a service (IaaS or PaaS).
• Investing in toolchain and technology.
Developers at leading companies build
CIOs are integrating the right set of DevOps
applications that are not tied to platforms
toolchains that can automate security
by avoiding using proprietary cloud services
policies.
offered in the PaaS layer. And in cases that
• Automating code reviews. Security-code necessitate dependencies, developing
scanners are used to conduct automated modular code enables services to be easily
code reviews for common vulnerability. swapped out when companies move from one
cloud provider to another.
• Automating test suites for code elevation.
Development teams are investing in test- • Safeguarding contracts. Companies
driven development, and test suites are concerned about future price increases from
foundational to automate the elevation of cloud providers draft and negotiate contracts
code from development to test, sandbox, and that both set boundaries and offer downside
production environments. protection from escalation of costs.
• Implementing developer self-service. • Educating executives and the board on
Standardizing the service catalog for vendor strategy. CIOs and CTOs who prefer
infrastructure, implementing cost guardrails, using a single cloud provider are making
and enabling self-service can speed the effort to educate board members and
infrastructure procurement approval collaborate with them to come up with
processes for developers. solutions for vendor lock-in or service
disruptions.
Forgoing single-vendor benefits in the name of
avoiding vendor lock-in. Companies can realize Missing out on the benefits of best-of-breed
economies of scale and build deeper expertise tool kits for the sake of standardization and
(especially given the cited talent shortages) if familiarity. Toolchains optimized for different
they use fewer vendors or deploy technology to environments— and those with which developers
allow them to scale across multiple vendors with and operators are most familiar—help boost
common controls. For 83 percent of CIOs, the productivity. In our research, 77 percent of CIOs
potential loss of flexibility from vendor lock-in expressed concern over having to standardize
can loom large, forcing them to choose multiple a lowest-common-denominator solution.
vendors and thereby split their focus, divide Consequently, this trade-off means accepting
their talent to learn and work on different vendor reduced functionality and fit for the work at
solutions, and reduce their speed of execution. hand. Modern developers need to be free to
The CIO of a North American retailer notes that choose combinations of languages, libraries, and
when it comes to picking public-cloud providers frameworks that enable accelerated delivery.
to migrate applications, “This is a true debate. Leading companies are working around this trade-
Without multiple vendors, you run into technical off in the following ways:
and financial lock-in.”
• Adopting open, vendor-agnostic solutions.
CIOs can also accelerate application development Emerging cross-platform open-architecture
by using native services offered by providers. and open-source solutions provide coverage
However, in some cases developers are being for hybrid and multicloud environments.
discouraged from creating new dependencies on
• Continuously upskilling talent. IT
native services because of concerns that it will be
organizations are adopting best-of-breed
harder to move away from the platform if needs
tools and investing in upskilling for developers
evolve in the future. As a CIO for a professional
and operators on multiple solutions.
services company explains, “We don’t see

Trading customer and employee experience in the cloud operations talent and developers
for the sake of security. Providing reliable who bring modern full-stack skills and
“anytime-anywhere access” of applications to mindsets. These workers represent a truly
users (developers or agile teams in marketing, for strategic resource, assuring that any cloud
example) allows organizations to rapidly innovate, modernization effort accounts for skill
respond to customer needs, and scale up tests building—even if organizations need a boost
and experiments. It also enables employees to from contractors to get rolling quickly.
be more productive and complete tasks from
• Building capabilities with external
anywhere. In our research, we observed leaders
help. Companies are bringing in external
pursuing the following strategies to improve
expertise for skill building (such as agile team
customer experience without compromising
facilitators, DevOps coaches, and analytics
security:
and data science practitioners) to augment
• Adopting a DevSecOps approach. IT in-house talent.
organizations are pursuing a DevSecOps
• Offering employee-education programs.
style of management for high-velocity code
Companies are providing their employees
and model-development pipelines. Doing
with tuition and external-training expenses
so not only combines the security and
for selected continuing education, such as AI
DevOps functions—it also blurs lines across
and machine-learning programs, accelerated
formerly distinct roles in “waterfall” software
software engineering reskilling programs, and
development life cycles, simplifying the end-
DevOps training.
to-end application development and delivery
process. • Partnering with technology vendors. IT
collaborates with vendors such as cloud
• Adding layers of security. Leaders are
service providers and other partners to gain
implementing multiple layers of security,
expertise and educate in-house talent.
especially for identity and access
management. They are using multifactor • Freeing up capacity to invest in new skills.
authentication and refreshing end-point Automating routine monitoring, reporting, and
security for applications that are accessed troubleshooting tasks can create capacity for
remotely or use mobile devices. operators to develop new skills and take on
additional responsibilities.
• Investing in data security. IT organizations
are investing to not only secure their data,
the perimeter, and applications, but also to
encrypt at-rest and in-motion data. Unlocking the full range of
• Remediating applications. Companies business benefits through an
are remediating applications opened up for
external access to employees and end users.
operating-model transformation
Technology leaders can avoid making these
• Assessing security automatically and trade-offs by harnessing the right combination of
more frequently. Leaders have increased IT solutions in their hybrid environment—ranging
the frequency of application scanning and from on-premise platforms, edge nodes, and cloud
penetration testing (against apps and source services. But no matter how powerful, technology
code). on its own is insufficient to achieve acceleration.
• Ensuring application version compliance. So CIOs must transform their operating model
Automating patch scheduling for external- to see material benefits, including shorter time
facing apps ensures compliance with the to value, improved business agility, and reduced
latest, most secure versions. business risk. Business acceleration is best
achieved by extending IT modernization efforts to
Delaying talent development and upskilling
encompass far-reaching changes in the operating
and augmenting talent with contractors. A
model along three dimensions: people, processes,
shortfall of tech talent is a recurring challenge for
and policies.
CIOs. Companies often feel they face two options:
develop in-house capabilities slowly or rely on
external vendors to get initiatives done quickly.
People
Despite the best intentions to build capabilities,
IT teams often compromise by outsourcing Many enterprises have IT workforces with
projects to contractors or partners to patch specialized skill sets and knowledge developed
holes in their talent pipelines. The challenge is over years (for example, about custom legacy
that a short-term solution often leads to long- systems and platform configurations). But
term dependence—without a parallel focus on this expertise is increasingly outdated—even
promoting skills transfer, retraining current staff, if the knowledge of a business or functional
and systematically backfilling contractors. Leading domain is not. In such cases, organizations
companies tackle this issue in several ways: must make significant investments to retrain,
upskill, or reskill their employees. In addition,
• Hiring new talent. IT functions are investing

the IT function typically covers a range of roles: As such, companies can struggle to maintain
networking engineers, capacity planners, system consistency across existing environments and
administrators and operators, data storage and extend established policies to new environments.
security specialists, analysts, developers, quality- Slow response times to evolving internal rules and
assurance engineers, database administrators, external regulations result in increased business
data architects, and many more. risk. Furthermore, many of these policies were
developed for older IT paradigms, serving to
We see an opportunity for organizations to
reinforce legacy ways of working and hindering
radically simplify their IT team structures.
agility and speed.
Specifically, they can consolidate positions to a
smaller set of critical roles that bring together Leading organizations are characterized by
skills formerly divided across jobs. These roles will policies that engage technology for automatic
move from structured tasks (likely to be replaced distribution of change as well as for monitoring
by increasingly powerful IT-management tools) and enforcement. Standard policies across hybrid
toward more fulfilling ones (adapted to a world environments (for example, on-premise and cloud)
of increasing automation). Instead of supplying lead to better compliance at lower cost. These
more resources or convening cumbersome companies can quickly respond to and mitigate
investigations over a system instability, the best emerging business risks by consistently pushing
companies will develop the talent to address root policy changes out across their hybrid operating
problems (for example, going under the hood environments.
and changing how code consumes infrastructure
An IT modernization journey will vary, depending
resources).
on an organization’s starting point and its
aspirations for agility. Companies may seek to shift
Processes the bulk of their operations into hybrid or public-
cloud operating environments, move discrete
Many organizations depend on ad hoc manual
parts of their application portfolio, or eliminate
operations and adopt a reactive stance, building
particular legacy infrastructure platforms. Some
excess capacity to provide reliability. Design
prefer building applications based on their skills
decisions are marked by a lack of transparency
and competitive context over buying them, while
and coordination across different functions in
others are highly selective in their build strategies
IT, resulting in more expensive custom solutions
and focus on integrating third-party SaaS
that still underperform. And when incidents arise,
solutions. Additional factors include a company’s
they are often funneled to technology silos. These
industry, level of maturity, tolerance for risk, and
functions either are slow to respond or depend
organizational readiness for pursuing agility.
on orchestrating numerous internal and vendor
resources to manage escalated incidents and Overall, we see tremendous opportunities to
resolve problems. accelerate progress on business agility—if
organizations are ready to take the right steps
The ideal organization does little to no
across all these elements to transform the way
infrastructure planning and instead uses a
they work.
DevOps approach and self-service to expedite the
development and implementation of solutions. In
other words, rather than estimating demand and
planning for worst-case scenarios, a company Central questions for IT leaders
can simply be agile in ramping up resources as to consider as they plan their
needed. The IT function focuses on customer-
centric journeys rather than product- or service- journey
centered processes. After setting a course, IT Chief information officers can overcome the
automation delivers the necessary service levels perceived trade-offs in modernization efforts and
to optimize the user experience despite changing maximize the business acceleration from these
conditions and surprises. For example, self-driving investments. No matter where they start, a few
cars hold the potential to automate travel on even primary issues must be addressed. To set the
chaotic roads; however, no “IT drivers” are ready best path forward, IT leaders should consider five
to take their hands off the wheel just yet. So the central questions:
tremendous potential of process automation must
be designed to complement judgment and the 1. Do we have the right talent
uniquely human capabilities needed to assure to support the technology
reliability, scalability, and security. transformation and needed
operating-model shifts?
Policies Exemplary organizations view IT as a business-
Typical organizations have policies for a wide acceleration partner that proactively identifies
range of issues—such as security, information opportunities—such as those from digital,
access, and data management. These are data-driven decision making, and AI—to
often manually enforced, increasing the cost encourage growth. These IT functions have
of compliance and reducing effectiveness. shifted skill profiles: from project managers to

product managers, from operations engineers 4. How are we building security
to automation engineers. They have upskilled
by design?
developers with security expertise and recruited
cloud architects, security engineers, and full-stack Leading IT organizations have integrated security
engineers. More advanced organizations have into every aspect of planning, building, and
in-house DevOps or site reliability engineer (SRE) operating. They have managed to incorporate
talent. Organizations are beginning to add data secure thinking and design earlier in the process
scientists and AI or machine-learning specialists and automated security enforcement based on
to integrate more data-driven intelligence into IT policy. DevSecOps and API-based security are
operations. core enablers in such organizations. This effort
starts with hiring developers with knowledge of
security architecture. In the implementation phase,
2. Have we implemented the right developers create modular security components
that can be easily reused, thereby eliminating the
metrics tied to business strategy need for separate design and implementation.
so that IT can prioritize business During the review phase, automatic code scanners
building over just keeping the are used for code reviews to detect vulnerabilities.
lights on? In the testing phase, security tests are automated
and integrated into the functional testing process.
IT organizations with an effective talent engine Last, during the deployment phase, APIs for
have successfully created performance metrics environment creation include functions to enforce
and commitments aligned with business targets secure configurations. By taking this approach,
rather than technical objectives. Objectives leading organizations have accelerated—rather
and key results (objectives and key results) than slowed—developer agility and innovation.
methodology has proven effective in conjunction In parallel, they have also created delightful
with agile teams, and these metrics need to be customer and employee experiences.
leading indicators that link to the key objectives
of modernization. Organizations are increasingly
using metrics such as APIs published, test scripts 5. What architectural approaches
created, and configuration scripts automated
as metrics to improve automation. They are are we implementing to dramatically
also implementing metrics to track how much accelerate time-to-release features?
time is spent by individuals in building new Approaches that increase flexibility, abstract
features as opposed to routine monitoring and the infrastructure, and let organizations focus
troubleshooting tasks. on applications in line with business use cases
are the hallmarks of leading IT organizations.
They have adopted containerized and serverless
3. Are we automating IT to architectures and built applications dependent
the fullest? on open standards. When using proprietary
Leaders that have achieved agility differ platforms, decisions are based on the clear time-
dramatically from laggards in their rate of to-market advantage and technical superiority.
automation. The most successful companies are Fast-moving IT organizations have heavily invested
increasingly adopting DevOps or SREs as part in API-based approaches and meticulously plan
of their operations approach. As a foundation, for code reuse. They also have a clear migration
companies are implementing test-driven path in mind should a superior platform emerge.
development and aiming to achieve full automation We see exciting innovations coming faster
of unit and integration tests. They are also and faster from technology providers. These
baking in standardized configurations as part of innovations hold the potential to overcome the
deployment automation. They are then providing compromises and constraints that have held back
the setup of develop-and-test environments to enterprise IT. The pace by which organizations can
developers through self-service mechanisms, accelerate business change through these cloud
eliminating wait times and enabling “one-click” platform capabilities will be set by the pace at
deployments. Application performance tracking which they can change the way they work.
and troubleshooting are supported by heavily
instrumented code and telemetry. Furthermore,
these organizations are incorporating automation About the author(s)
into service-request management and incidence Arul Elumalai is an alumnus and Roger Roberts is
response. They are also beginning to use machine a partner in McKinsey’s Silicon Valley office.
learning and data to inform and accelerate
decision making, ultimately leading with policy- The authors wish to thank Arif Cam, Lisa Donchak,
based operations and control. Jordan Rohrlich, and Chaitali Thakur for their
contributions to this article.

Designing a data transformation
that delivers value right from
the start
By Chiara Brocchi, Davide Grande, Kayvaun Rowshankish, Tamim Saleh, and Allen Weinberg
While most companies understand the importance of analytics,

fewer than 20 percent have maximized the potential and
implemented AA at scale.

The CEOs of most financial institutions have their data transformation and ensure disciplined
had data on their agenda for at least a decade. data governance.
However, the explosion in data availability over
Successful data transformations can yield
the past few years—coupled with the dramatic
enormous benefits. One US bank expects to
fall in storage and processing costs and an
see more than $400 million in savings from
increasing regulatory focus on data quality,
rationalizing its IT data assets and $2 billion in
policy, governance, models, aggregation, metrics,
gains from additional revenues, lower capital
reporting, and monitoring—has prompted a
requirements, and operational efficiencies.
change in focus. Most financial institutions
Another institution expects to grow its bottom line
are now engaged in transformation programs
by 25 percent in target segments and products
designed to reshape their business models by
thanks to data-driven business initiatives. Yet
harnessing the immense potential of data.
many other organizations are struggling to capture
Leading financial institutions that once used real value from their data programs, with some
descriptive analytics to inform decisionmaking are seeing scant returns from investments totaling
now embedding analytics in products, processes, hundreds of millions of dollars.
services, and multiple front-line activities. And
A 2016 global McKinsey survey found that a
where they once built relational data warehouses
number of common obstacles are holding financial
to store structured data from specific sources,
institutions back: a lack of front-office controls
they are now operating data lakes with large-scale
that leads to poor data input and limited validation;
distributed file systems that capture, store, and
inefficient data architecture with multiple legacy
instantly update structured and unstructured data
IT systems; a lack of business support for the value
from a vast range of sources to support faster
of a data transformation; and a lack of attention
and easier data access. At the same time, they are
at executive level that prevents the organization
taking advantage of cloud technology to make
committing itself fully (Exhibit 1). To tackle these
their business more agile and innovative, and their
obstacles, smart institutions follow a systematic
operations leaner and more efficient. Many have
five-step process to data transformation.
set up a new unit under a chief data officer to run

Exhibit 1
Here are typical challenges in data transformations at banks

Challenges faced in improving data quality at the enterprise level, ranked by perceived importance,
number of respondents ranking the challenge in 1st or 2nd place (n = 43)
Biggest challenges
Lack of front-office controls (eg, poor quality of data entry at system 13

of origin with no/limited validation)
Inefficient data architecture (eg, multiple data warehouses with no

12
common data model, legacy systems, complex lineage)
Lack of business buy-in for value of data transformation 12
Data doesn’t get enough board and senior management attention

12
(eg, seen as an IT issue, not considered a business asset)
Lack of central direction in driving transformation (eg, disparate

10
business-unit-led efforts)
Ineffective governance model (eg, unclear ownership of data, weak or

9
unenforced policies)
Insufficient funding/resource allocation for enterprise-level data

8
transformation program
Data transformation is driven primarily by regulatory compliance needs;

6
no focus on data quality
Manual effort required for reconciliation and remediation of

4
data-quality issues
1. Define a clear data strategy

Obvious though this step may seem, only about 30 percent of the banks in our survey had a data strategy
in place. Others had embarked on ambitious programs to develop a new enterprise data warehouse or
data lake without an explicit data strategy, with predictably disappointing results. Any successful data
transformation begins by setting a clear ambition for the value it expects to create.
In setting this ambition, institutions should take note of the scale of improvement other organizations
have achieved. In our experience, most of the value of a data transformation flows from improved
regulatory compliance, lower costs, and higher revenues. Reducing the time it takes to respond to data
requests from the supervisor can generate cost savings in the order of 30 to 40 percent, for instance.
Organizations that simplify their data architecture, minimize data fragmentation, and decommission
redundant systems can reduce their IT costs and investments by 20 to 30 percent. Banks that have
captured benefits across risk, costs, and revenues have been able to boost their bottom line by 15 to 20
percent. However, the greatest value is unlocked when a bank uses its data transformation to transform
its entire business model and become a data-driven digital bank.
Actions: Define the guiding vision for your data transformation journey; design a strategy to transform
the organization; establish clear and measurable milestones

2. Translate the data strategy into tangible use cases
Identifying use cases that create value for the business is key to getting everyone in the organization
aligned behind and committed to the transformation journey. This process typically comprises four
steps.
In the first step, the institution breaks down its data strategy into the main goals it wants to achieve, both
as a whole and within individual functions and businesses.
Next it draws up a shortlist of use cases with the greatest potential for impact, ensures they are aligned
with broader corporate strategy, and assesses their feasibility in terms of commercial, risk, operational
efficiency, and financial control. These use cases can range from innovations such as new reporting
services to more basic data opportunities, like the successful effort by one European bank to fix quality
issues with pricing data for customer campaigns, which boosted revenues by 5 percent.
Third, the institution prioritizes the use cases, taking into account the scale of impact they could
achieve, the maturity of any technical solutions they rely on, the availability of the data needed, and the
organization’s capabilities. It then launches pilots of the top-priority use cases to generate quick wins,
drive change, and provide input into the creation of a comprehensive business case to support the
overall data transformation. This business case includes the investments that will be needed for data
technologies, infrastructure, and governance.
The final step is to mobilize data capabilities and implement the operating model and data architecture
to deploy the use cases through agile sprints, facilitate scaling up, and deliver tangible business value at
each step (Exhibit 2). At one large European bank, this exercise identified almost $1 billion in expected
bottom-line impact.
Exhibit 2
Banks can deliver end-to-end use cases at speed via agile sprints
Core principles Approach Q1 Q2
End-to-end
Next product
delivery of End-to
customer and to buy
internal use cases end use
case
Churn analytics
Jointly owned Regulatory reporting

by IT and the
business
Financial reporting
Vertically
integrated agile
teams extract, Foundations
structure, and
surface data
Data
architecture
Deliver minimum
viable products, Data
making data and governance
fields available
only when needed

Actions: Select a range of use cases and prioritize and analytics—has inspired many organizations to
them in line with your goals; use top-priority use delegate their infrastructure management to third
cases to boost internal capabilities and start laying parties and use the resulting savings to reinvest in
solid data foundations. higher-value initiatives.
Consider ANZ’s recently announced partnership
with Data Republic to create secure data-sharing
3. Design innovative data architecture environments to accelerate innovation. The bank’s
to support the use cases CDO, Emma Grey, noted that “Through the cloud-
Leading organizations radically remodel their based platform we will now be able to access
data architecture to meet the needs of different trusted experts and other partners to develop
functions and users and enable the business useful insights for our customers in hours rather
to pursue data-monetization opportunities. than months.”
Many institutions are creating data lakes: large,
Actions: Define the technical support needed for
inexpensive repositories that keep data in its raw
your roadmap of use cases; design a modular,
and granular state to enable fast and easy storage
open data architecture that makes it easy to add
and access by multiple users, with no need for
new components later.
pre-processing or formatting. One bank with data
fragmented across more than 600 IT systems
managed to consolidate more than half of this data
into a new data lake, capturing enormous gains
4. Set up robust data governance to
in the speed and efficiency of data access and ensure data quality
storage. Similarly, Goldman Sachs has reportedly The common belief that problems with data quality
consolidated 13 petabytes of data into a single usually stem from technology issues is mistaken.
data lake that will enable it to develop entirely new When one bank diagnosed its data quality, it found
data-science capabilities. that only about 20 to 30 percent of issues were
attributable to systems faults. The rest stemmed
Choosing an appropriate approach to data
from human error, such as creating multiple
ingestion is essential if institutions are to avoid
different versions of the same data.
creating a “data swamp”: dumping raw data into
data lakes without appropriate ownership or a Robust data governance is essential in improving
clear view of business needs, and then having data quality. Some successful financial institutions
to undertake costly data-cleaning processes. have adopted a federal-style framework in which
By contrast, successful banks build into their data is grouped into 40 to 50 “data domains,”
architecture a data-governance system with a data such as demographic data or pricing data.
dictionary and a full list of metadata. They ingest The ownership of each domain is assigned
into their lakes only the data needed for specific to a business unit or function that knows the
use cases, and clean it only if the business case data, possesses the levers to manage it, and
proves positive, thereby ensuring that investments is accountable for data quality, with metadata
are always linked to value creation and deliver management (such as mapping data lineage)
impact throughout the data transformation. typically carried out by “data stewards.” A
central unit, typically led by a chief data officer,
However, data lakes are not a replacement for
is responsible for setting up common data-
traditional technologies such as data warehouses,
management policies, processes, and tools across
which will still be required to support tasks such
domains. It also monitors data quality, ensures
as financial and regulatory reporting. And data-
regulatory compliance (and in some cases data
visualization tools, data marts, and other analytic
security), supports data remediation, and provides
methods and techniques will also be needed to
services for the business in areas such as data
support the business in extracting actionable
reporting, access, and analytics.
insights from data. Legacy and new technologies
will coexist side by side serving different purposes. Best-in-class institutions develop their own tools
to widen data access and support self-service
The benefits of new use-based data architecture
data sourcing, like the search tool one bank
include a 360-degree view of consumers; faster
created to provide users with key information
and more efficient data access; synchronous data
about the definition, owner, lineage, quality,
exchange via APIs with suppliers, retailers, and
and golden source of any given piece of data
customers; and dramatic cost savings as the price
(Exhibit 3). Organizations with readily accessible
per unit of storage (down from $10 per gigabyte in
information and reliable data quality can deliver
2000 to just 3 cents by 2015) continues to fall.
solutions much more quickly and with greater
In addition, the vast range of services offered by precision. They can also create enormous
the hundreds of cloud and specialist providers— efficiencies along the whole data lifecycle
including IaaS (infrastructure as a service), GPU from sourcing and extraction to aggregation,
(graphics-processing unit) services for heavy-duty reconciliation, and controls, yielding cost savings
computation, and the extension of PaaS (platform that can run as high as 30 to 40 percent.
as a service) computing into data management

Exhibit 3
A custom-designed search tool provides users with key information on data elements
Definition of
Basic
A the term being
definition
searched
Details of the data

Data
B owner and history
owner
of ownership
Navigation of the
Data data tree to trace
C lineage the search term’s
components
Indicator of
Data
D quality: red,
quality
amber, or green
Golden Good-quality
E
source source of the data
Actions: Assess data quality; establish robust data governance with clear accountability for data quality;
provide self-service tools to facilitate data access across the whole organization.
5. Mobilize the organization to deliver value

Successful data transformations happen when a company follows an approach driven by use cases,
promotes new ways of working, and mobilizes its whole organization from the beginning. Adopting a use-
case-driven approach means developing target data architecture and data governance only when it is
needed for a specific use case. One European bank implemented this approach in three steps (Exhibit 4):

Exhibit 4
Data governance is rolled out domain by domain
Cluster data Implement data governance

Plan the rollout of data domains in waves
into domains in each data domain
Systems Data Key

of records domains Rollout plan by data domain Area activities
Year 1 Year 2 Year 3 Data Data domain
manage- definition
Pilots 2nd wave 4th wave ment Identification of
common data
Collateral data Accounts Business elements
Customer banking
Customer data Product catalog Mapping of
data
General tables Securities data lineage
Employees Insurance Population
Q1 Private banking of data dictionary
Mortgage
&
Consumer Choice of “golden
Q2
lending sources”
Consumer Definition
deposits of security
requirements
Collateral 1st wave 3rd wave 5th wave Data Assessment

data quality of current data
Risk Commercial Other data quality
management lending domains
Definition of KQls2
MIS 1 data Commercial
Design of data-
Q3 Finance data real estate
quality controls
& Regulatory Leasing
Number Number of Q4 reporting Treasury
of systems domains
Operational management Data Definition of
~1 ,400 50-100
risk Capital markets technology tools required for
and tools implementation
1 Management information system

2 Key quality indicators
First, it identified the data it needed for key use cases and prioritized those data domains that included it.
Typically, 20 percent of data enables 80 percent of use cases. Second, the bank developed a rollout plan
for implementing data architecture and governance in three to four data domains per quarter.
Third, the bank set up a cross-functional team for each data domain, comprising data stewards,
metadata experts, data-quality experts, data architects, data engineers, and platform engineers. Before
data was ingested into the data lake, these teams worked to identify key data elements, select golden
sources, assess data quality, carry out data cleansing, populate the data dictionary, and map data
lineage. Each team worked in agile sprints in a startup-like environment for three to four months.
A central team took care of value assurance and defined common standards, tools, and policies.
This approach delivered numerous benefits for the bank, including rapid implementation, capability
building, and the creation of tangible business value at every stage in the journey. During any
transformation, calling out and celebrating such achievements is critical. As the CDO of JPMorgan
Chase, Rob Casper, observed, “The thing that achieves buy-in and builds momentum better than
anything is success . . . trying to deliver in small chunks incrementally and giving people a taste of that
success [is] a very powerful motivator.”
More broadly, senior executives need to champion their data transformation to encourage widespread
buy-in, as well as role-modeling the cultural and mindset changes they wish to see. Formal governance
and performance-management systems, mechanisms, and incentives will need to be rethought to

support new ways of working. At the same time, most organizations will need to develop new capabilities;
only 20 percent of the banks we surveyed believe they already have adequate capabilities in place. Given
the scarcity of external talent, in particular for key roles such as business translators, organizations will
need to provide on-the-job training for employees involved in the transformation, and complement this
effort with a data and analytics academy to build deep expertise in specialist roles (Exhibit 5).
Exhibit 5
Banks need new roles to compete effectively in a data-driven market
Data-
Senior Head of data Data-quality
Translator Data scientist Data owner technology
executive governance manager
manager
Digital culture
Design and Design and Design and Fundamentals Fundamentals Fundamentals Fundamentals
agile thinking agile thinking agile thinking of data of data of data quality of data- tech-
management governance nology tools
Use-case Source of value Source of value Data culture Data Data Data
reflections management management management
Best practices Best practices Data quality Data-quality Data modeling

in data in testing and tools
engineering piloting
Best practices Technical Data design

in data leadership
management program
Best practices Data science Data- software

in data ecosystem
modeling
Technical Advanced
leadership analytics
program
“Train the
trainer”
approach
Actions: Adopt a use-case approach to the whole journey; establish central governance to ensure cross-
functional working, the use of standard methods, and clear role definition; build new data capabilities
through hiring and in-house training.
In the past few years data has been established as a fundamental source of business value. Every
financial institution now competes in a world characterized by enormous data sets, stringent regulation,
and frequent business disruptions as innovative ecosystems emerge to break down the barriers between
and across industries. In this context, a data transformation is a means not only to achieve short-term
results, but also to embed data in the organization for long-term success.
About the author(s)

Chiara Brocchi is an alumnus of McKinsey’s Milan office, where Davide Grande is a partner. Kayvaun
Rowshankish is a partner and Allen Weinberg is a senior partner, both in the New York office. Tamim
Saleh is a senior partner in the London office.

Cybersecurity: Linchpin of the
digital enterprise
By James Kaplan, Wolf Richter, and David Ware
As companies digitize businesses and automate operations,

cyberrisks proliferate; here is how the cybersecurity organization
can support a secure digital agenda.

Two consistent and related themes in enterprise technology have emerged in recent years, both
involving rapid and dramatic change. One is the rise of the digital enterprise across sectors and
internationally. The second is the need for IT to react quickly and develop innovations aggressively to
meet the enterprise’s digital aspirations.
Exhibit 1 presents a “digitization index”—the results of research on the progress of enterprise digitization
within companies, encompassing sectors, assets, and operations.
Exhibit 1
Across sectors, companies are digitizing, with profound implications for

cybersecurity functions
Low digitization High digitization

Digitization levels
Asset Usage Labor
Digital
Overall Digital Digital- Transac- Interac- Business Market spend on Digital Digitization
Sector digitization spend asset stock tions tions processes making workers capital of work
Media
Professional
services
Finance and
insurance
Wholesale trade
Personal and
local services
Government
Transportation
and warehousing
Healthcare
Entertainment
and recreation
Source: Appbrain; Blue Wolf; ContactBabel; eMarketer; Gartner; IDC; LiveChat; US Bureau of Economic Analysis; US Bureau of Labor Statistics; US
Census Bureau; Global Payments Map by McKinsey; McKinsey Social Technology Survey; McKinsey analysis; McKinsey Global Institute analysis
As IT organizations seek to digitize, however, many face significant cybersecurity challenges. At

company after company, fundamental tensions arise between the business’s need to digitize and the
cybersecurity team’s responsibility to protect the organization, its employees, and its customers within
existing cyber operating models and practices.
If cybersecurity teams are to avoid becoming barriers to digitization and instead become its enablers,
they must transform their capabilities along three dimensions. They must improve risk management,
applying quantitative risk analytics. They must build cybersecurity directly into businesses’ value
chains. And they must support the next generation of enterprise-technology platforms, which include
innovations like agile development, robotics, and cloud-based operating models.

Cybersecurity’s role in What does that mean? They have consolidated
cybersecurity-related activities into one or a few
digitization organizations. They have tried to identify risks and
Every aspect of the digital enterprise has compare them to enterprise-wide risk appetites to
important cybersecurity implications. Here understand gaps and make better decisions about
are just a few examples. As companies seek to closing them. They have created enterprise-wide
create more digital customer experiences, they policies and supported them with standards. They
need to determine how to align their teams that have established governance as a counterweight
manage fraud prevention, security, and product to the tendency of development teams to prioritize
development so they can design controls, such as time to market and cost over risk and security.
authentication, and create experiences that are They have built security service offerings that
both convenient and secure. As companies adopt require development teams to create a ticket
massive data analytics, they must determine how requesting service from a central group before
to identify risks created by data sets that integrate they can get a vulnerability scan or a penetration
many types of incredibly sensitive customer test.
information. They must also incorporate security All these actions have proven absolutely
controls into analytics solutions that may not use necessary to the security of an organization.
a formal software-development methodology. Without them, cybersecurity breaches occur
As companies apply robotic process automation more frequently—and often, with more severe
(RPA), they must manage bot credentials consequences. The needed actions, however, exist
effectively and make sure that “boundary cases”— in tension with the emerging digital-enterprise
cases with unexpected or unusual factors, or model—the outcome of an end-to-end digital
inputs that are outside normal limits—do not transformation—from the customer interface
introduce security risks. through the back-office processes. As companies
Likewise, as companies build application seek to use public cloud services, they often find
programming interfaces (APIs) for external that security is the “long pole in the tent”—the
customers, they must determine how to identify most intractable part of the problem of standing
vulnerabilities created by interactions between applications on public cloud infrastructure.
many APIs and services, and they must build and At one financial institution, development teams
enforce standards for appropriate developer were frustrated with the long period needed by the
access.[1] They must continue to maintain rigor security team to validate and approve incremental
in application security as they transition from items in their cloud service provider’s catalog for
waterfall to agile application development. production usage. Developers at other companies
have puzzled over the fact that they can spin
up a server in minutes but must wait weeks
Challenges with existing for the vulnerability scan required to promote
cybersecurity models their application to production. IT organizations
everywhere are finding that existing security
At most companies, chief information officers models do not run at “cloud speed” and do not
(CIOs), chief information-security officers provide enough specialized support to developers
(CISOs), and their teams have sought to establish on issues like analytics, RPA, and APIs (Exhibit 2).
cybersecurity as an enterprise-grade service.
1 An API is software that allows applications to communicate with each other, sharing information for a purpose.

Exhibit 2
Current cybersecurity operating models do not operate at ‘cloud speed’
Architecture Architecture Stage gates

and design Implementation Designing secure architecture
must receive
security sign-off requires special knowledge
Secure code review, test design,
Security review and implementation require
required specially trained developers not
Security review available to many teams
required Cloud environments must be
configured to security standards
Cloud and instrumented with monitoring
Deployment deployment Code review before deployment into production
cycle
Separate security Security review

testing required required
Testing
Activities
Architecture and
design Implementation Code review Testing Deployment
Analyze resource Instantiate Review code Develop test cases Instantiate cloud
availability from cloud development and infrastructure
Conduct automated Do continuous testing
service provider testing environments
code scanning Establish cloud
Fix bugs and errors;
Analyze capacity Begin solution services
Accept code into code make changes
requirements implementation
base Deploy production
Do regression testing
Develop initial solution application
design
Do final testing
Design interfaces
The misalignment between development and cybersecurity teams leads to missed business
opportunities, as new capabilities are delayed in reaching the market. In some cases, the pressure to
close the gap has caused increased vulnerability, as development teams bend rules to work around
security policies and standards.
Cybersecurity for the digital enterprise

In response to aggressive digitization, some of the world’s most sophisticated cybersecurity functions
are starting to transform their capabilities along the three dimensions we described: using quantitative
risk analytics for decision making, building cybersecurity into the business value chain, and enabling the
new technology operating platforms that combine many innovations. These innovations include agile
approaches, robotics, cloud, and DevOps (the combination of software development and IT operations
to shorten development times and deliver new features, fixes, and updates aligned with the business).
Using quantitative risk analytics for decision making

At the core of cybersecurity are decisions about which information risks to accept and how to mitigate
them. Traditionally, CISOs and their business partners have made cyberrisk-management decisions

using a combination of experience, intuition, judgment, and qualitative analysis. In today’s digital
enterprises, however, the number of assets and processes to protect, and the decreasing practicality
and efficacy of one-size-fits-all protections, have dramatically reduced the applicability of traditional
decision-making processes and heuristics.
In response, companies are starting to strengthen their business and technology environments with
quantitative risk analytics so they can make better, fact-based decisions. This has many aspects. It
includes sophisticated employee and contractor segmentation as well as behavioral analysis to identify
signs of possible insider threats, such as suspicious patterns of email activity. It also includes risk-based
authentication that considers metadata—such as user location and recent access activity—to determine
whether to grant access to critical systems. Ultimately, companies will start to use management
dashboards that tie together business assets, threat intelligence, vulnerabilities, and potential mitigation
to help senior executives make the best cybersecurity investments. They will be able to focus those
investments on areas of the business that will yield the most protection with the least disruption
and cost.
Building cybersecurity into the business value chain

No institution is an island when it comes to cybersecurity. Every company of any complexity exchanges
sensitive data and interconnects networks with customers, suppliers, and other business partners. As
a result, cybersecurity-related questions of trust and the burden of mitigating protections have become
central to value chains in many sectors. For example, CISOs for pharmacy benefit managers and health
insurers are having to spend significant time figuring out how to protect their customers’ data and
then explaining it to those customers. Likewise, cybersecurity is absolutely critical to how companies
make decisions about procuring group health or business insurance, prime brokerage, and many other
services. It is the single most important factor companies consider when purchasing Internet of Things
(IoT) products (Exhibit 3).
Exhibit 3
Priority requirements have changed for acquiring Internet of Things products:
Cybersecurity has moved to the top
Top 5 priorities when buying IOT products,1
number of survey responses
312
290
251
235
206
Strong Reliability Compatibility Compatibility Ease of use

cyber- with existing with installed by end user
security enterprise production
software hardware
1
IoT = Internet of Things. Besides basic functionality.
Source: McKinsey 2019 IOT Pulse Survey of more than 1,400 IOT practitioners (from middle managers to C-suite) who are executing IOT at scale
(beyond pilots).
Composition was 61% from US, 20% from China, and 19% from Germany, with organizations of $50 million to more than $10 billion in revenue. This
question on loT-product purchases received 1,161 responses.

Leading companies are starting to build • Treat cybersecurity as a core feature of
cybersecurity into their customer relationships, product design. For instance, a hospital
production processes, and supplier interactions. network would have to integrate a new
Some of their tactics include the following: operating-room device into its broader
security environment. Exhibit 4 presents an
• Use design thinking to build secure and
example of how security is embedded in a
convenient online customer experiences.
product-development process.
For example, one bank allowed customers to
customize their security controls, choosing • Take a seamless view across traditional
simpler passwords if they agreed to two-factor information security and operational
authorization. technology security to eliminate
vulnerabilities. One autoparts supplier found
• Educate customers about how to interact in
that the system holding the master version
a safe and secure way. One bank has a senior
of some of its firmware could serve as an
executive whose job it is to travel the world and
attack vector to the fuel-injection systems it
teach high-net-worth customers and family
manufactured. With that knowledge, it was
offices how to prevent their accounts from
able to put additional protections in place.
being compromised.
Pharma companies have found that an end-to-
• Analyze security surveys to understand what end view of information protection across their
enterprise customers expect and create supply chains was needed to address certain
knowledge bases so that sales teams can key vulnerabilities (Exhibit 5).
respond to customer security inquiries during
• Use threat intelligence to interrogate supplier
negotiations with minimum friction. For
technology networks externally and assess
instance, one software-as-a-service (SaaS)
risk of compromise.
provider found that its customers insisted
on having particularly strong data-loss-
prevention (DLP) provisions.

Exhibit 4
How to embed security into a product-development process
From treating security and privacy as after- ...to incorporating them by designing and
thoughts… building an agile security-and-privacy model
Developers are unclear Product owners don’t Prioritize security and Make product owners
when security and consider security and privacy tasks according aware of need to
privacy requirements privacy tasks during to product risk level prioritize security and
are mandatory sprint planning privacy tasks and be
accountable for their
Requirements inclusion in releases
Design
Unclear how to handle Chief information- Security and privacy Add capacity through
distribution of tasks security and privacy champions (tech CISPOs, who clarify
within development officers (CISPOs) have leads) assist teams in security and privacy
team limited capacity to distributing tasks requirements with
support development Development champions and product
teams owners
No unified real-time standardized monitoring Product-assessment dashboards give developers

of state of security and privacy tasks real-time views of security and privacy within
products
Testing
Security and privacy Teams unclear how Launch delays Simplified

needs are often dealt often to engage CISPOs eliminated as security predeployment
with before deployment, and privacy tasks are activities with CISPOs
causing launch delays Deployment executed across life only for releases
cycles meeting risk criteria
Unclear accountability Lack of integration in Define and Integrate and automate

for security and privacy security and privacy communicate roles and security- and privacy-
in product teams tool sets introduces Throughout responsibilities during related testing and
complexity process agile ceremonies tracking tools

Exhibit 5
An end-to-end view of information across the pharma supply chain in needed

to address vulnerabilities
Product flow Dynamic, cloud-based

Data flow network optimization
Suppliers Bulk manufacturing Finishing and Smart-warehouse Customers

packaging distribution center
Advanced business capability Resulting cyber risks
Suppliers Finishing and packaging Overarching technologies

Predictive supplier risk protection Fully integrated and automated Machine-learning forecasting
production and integrated production
Risk of exposed vendor details planning
and trade secrets Attack on process, leading to
shutdowns or errors Inaccurate business decisions
and bad-actor access
Bulk manufacturing Transition from closed to open
systems prompts new security
Yield optimization through Real-time monitoring
risks
advanced analytics and digitized Unauthorized monitoring of
operations Customers processes and leakage of
No-touch order management business decisions
Hacking of legacy equipment
Unauthorized changes in safety Leak of customer data, leading
to loss of customer trust and
or compliance regulations
competitive data
Loss of intellectual property and
competitive advantage
Done in concert, these actions yield benefits. They enhance customer trust, accelerating their adoption
of digital channels. They reduce the risk of customers or employees trying to circumvent security
controls. They reduce friction and delays as suppliers and customers negotiate liability and responsibility
for information risks. They build security intrinsically into customer-facing and operational processes,
reducing the “deadweight loss” associated with security protections.
Enabling an agile, cloud-based operating platform enhanced

by DevOps
Many companies seem to be trying to change everything about IT operations. They are replacing
traditional software-development processes with agile methodologies. They are repatriating
engineering talent from vendors and giving developers self-service access to infrastructure. Some are
getting rid of their data centers altogether as they leverage cloud services. All of this is being done to
make technology fast and scalable enough to support an enterprise’s digital aspirations. In turn, putting
a modern technology model in place requires a far more flexible, responsive, and agile cybersecurity
operating model. Key tenets of this model include the following:
• Move from ticket-based interfaces to APIs for security services. This requires automating every
possible interaction and integrating cybersecurity into the software-development tool chain. That
will allow development teams to perform vulnerability scans, adjust DLP rules, set up application
security, and connect to identify and gain access to management services via APIs (Exhibit 6).

• Organize security teams into agile scrum or scrumban teams that manage developer-recognizable
services, such as identity and access management (IAM) or DLP. Also, recruiting development-team
leaders to serve as product owners for security services can help, just as business managers are
product owners for customer journeys and customer-oriented services.
• Tightly integrate security into enterprise end-user services, so that employees and contractors can
easily obtain productivity and collaboration tools via an intuitive, Amazon-like portal.
• Build a cloud-native security model that ensures developers can access cloud services instantly and
seamlessly within certain guardrails.
• Collaborate with infrastructure and architecture teams to build required security services into
standardized solutions for massive analytics and RPA.
• Shift the talent model to incorporate those with “e-shaped” skills—cybersecurity professionals
with several areas of deep knowledge, such as in integrative problem solving, automation, and
development—as well as security technologies.
Exhibit 6
Automation, orchestration technology, and application programming interfaces can

eliminate manual security processes and interactions
Automation opportunities in a notionally secure DevOps model
Architecture Implementation Code review Testing Deployment

and design
App application API-configurable APIs for Automated code Automated and Fully configured,
programming application- configuration review systems configurable production-
interfaces (APIs) level controls and debugging modified to search security test ready application
designed into new (eg., test for application- cases added to possible via API
applications instrumentation) specific threat nightly testing calls alone
added during scenarios regime
implementation
phase
Process APIs New application Configurable Configurable Nightly testing Predeployment

level API security tests automated code results collected security-review
options added added to nightly reviews added and curated process replaced
to deployment testing regime to precommit/ for individual by automated
configuration preacceptance developers/teams tests and
process process for newly via configurable configuration
written code test-management checks
system
Infrastructure API for Configuration Automated Cloud Security tools

APIs deployment and options for code scanning environments and configuration
instantiation instantiation implemented for regularly tested options applied
processes of automated, deployed web for security via API to new
rearchitected to project-specific applications to via automated environments at
accommodate development maintain quality vulnerability deployment time
new applications environment and code integrity assessment and
made available identification tools
Security-trained developers and engineers enable automation and orchestration

throughout cloud-development, -deployment, and -operations phases

Taken together, these actions will eliminate value chains, and enable operating platforms
roadblocks to building digital-technology that encompass the latest innovations. These
operating models and platforms. Perhaps more actions will require significant adaptation from
importantly, they can ensure that new digital cybersecurity organizations. Many of these
platforms are inherently secure, allowing their organizations are still in the early stages of this
adoption to reduce risk for the enterprise as journey. As they continue, they will become more
a whole (see sidebar, “How a large biopharma and more capable of protecting the companies
company built cybersecurity capabilities to enable while supporting the innovative goals of the
a digital enterprise”). business and IT teams.
With digitization, analytics, RPA, agile, DevOps,
and cloud, it is clear that enterprise IT is evolving
rapidly and in exciting and value-creating ways. About the author(s)
This evolution naturally creates tension with James Kaplan is a partner in McKinsey’s
existing cybersecurity operating models. For New York office, Wolf Richter is a partner in
organizations to overcome the tension, they the Berlin office, and David Ware is a partner
will need to apply quantitative risk analytics in the Washington DC office.
for decision making, create secure business

Cybersecurity tactics for the
coronavirus pandemic
By Jim Boehm, James Kaplan, Marc Sorel, Nathan Sportsman, and Trevor Steen
The pandemic has made it harder for companies to maintain

security and business continuity. But new tactics can help
cybersecurity leaders to safeguard their organizations.

The COVID-19 pandemic has presented chief that knowledge to shape more extensive
information security officers (CISOs) and their implementation plans. Cybersecurity teams
teams with two immediate priorities. One is can also benefit from using MFA technologies,
securing work-from-home arrangements on an such as the application gateways offered
unprecedented scale now that organizations have by several cloud providers, that are already
told employees to stop traveling and gathering, integrated with existing processes.
and government officials in many places have
• Install compensating controls for facility-
advised or ordered their people to stay home
based applications migrated to remote
as much as possible. The other is maintaining
access. Some applications, such as bank-
the confidentiality, integrity, and availability of
teller interfaces and cell-center wikis, are
consumer-facing network traffic as volumes
available only to users working onsite at
spike—partly as a result of the additional time
their organizations’ facilities. To make such
people are spending at home.
facility-based applications available to remote
Recent discussions with cybersecurity leaders workers, companies must protect those apps
suggest that certain actions are especially helpful with special controls. For example, companies
to fulfill these two priorities. In this article, we might require employees to activate VPNs and
set out the technology modifications, employee- use MFA to reach what would otherwise be
engagement approaches, and process changes facility-based assets while permitting them to
that cybersecurity leaders have found effective. use MFA alone when accessing other parts of
the corporate environment.
• Account for shadow IT. At many companies,
Securing work-from-home employees use so-called shadow IT systems,
arrangements at scale which they set up and administer without
formal approval or support from the IT
The rapid, widespread adoption of work-from-
department. Extended work-from-home
home tools has put considerable strain on security
operations will expose such systems because
teams, which must safeguard these tools without
business processes that depend on shadow IT
making it hard or impossible for employees to
in the office will break down once employees
work. Conversations with CISOs in Asia, Europe,
find themselves unable to access those
and North America about how they are securing
resources. IT and security teams should be
these new work-at-home arrangements highlight
prepared to transition, support, and protect
the changes these executives are making in three
business-critical shadow assets. They should
areas: technology, people, and processes.
also keep an eye out for new shadow-IT
systems that employees use or create to
Technology: Make sure required ease working from home, to compensate for
in-office capabilities they can’t access, or to
controls are in place
get around obstacles.
As companies roll out the technologies that enable
employees to work from home and maintain • Quicken device virtualization. Cloud-based
business continuity, cybersecurity teams can take virtualized desktop solutions can make it
these actions to mitigate cybersecurity risks: easier for staff to work from home because
many of them can be implemented more
• Accelerate patching for critical systems.
quickly than on-premises solutions. Bear in
Shortening patch cycles for systems, such
mind that the new solutions will need strong
as virtual private networks (VPNs), end-
authentication protocols—for example, a
point protection, and cloud interfaces, that
complex password, combined with a second
are essential for remote working will help
authentication factor.
companies eliminate vulnerabilities soon after
their discovery. Patches that protect remote
infrastructure deserve particular attention. People: Help employees understand
• Scale up multifactor authentication. the risks
Employees working remotely should be Even with stronger technology controls,
required to use multifactor authentication employees working from home must still exercise
(MFA) to access networks and critical good judgment to maintain information security.
applications. Scaling up MFA can be The added stress many people feel can make
challenging: the protection it will add calls for a them more prone to social-engineering attacks.
surge in short-term capacity. Several practices Some employees may notice that their behavior
make the rollout of MFA more manageable. isn’t monitored as it is in the office and therefore
One is to prioritize users who have elevated choose to engage in practices that open them to
privileges (such as domain and sys admins, other threats, such as visiting malicious websites
and application developers) and work with that office networks block. Building a “human
critical systems (for instance, money transfers). firewall” will help ensure that employees who work
Targeting those users in pilot rollouts of from home do their part to keep the enterprise
modest scale will allow cybersecurity secure.
teams to learn from the experience and use

• Communicate creatively. A high volume phishing), and smishing (text phishing)
of crisis-related communications can easily campaigns have surged. Security teams must
drown out warnings of cybersecurity risks. prepare employees to avoid being tricked.
Security teams will need to use a mix of These teams should not only notify users
approaches to get their messages across. that attackers will exploit their fear, stress,
These might include setting up two-way and uncertainty but also consider shifting to
communication channels that let users post crisis-specific testing themes for phishing,
and review questions, report incidents in vishing, and smishing campaigns.
real time, and share best practices; posting
• Identify and monitor high-risk user groups.
announcements to pop-up or universal-lock
Some users, such as those working with
screens; and encouraging the innovative
personally identifiable information or other
use of existing communication tools
confidential data, pose more risk than others.
that compensate for the loss of informal
High-risk users should be identified and
interactions in hallways, break rooms, and
monitored for behavior (such as unusual
other office settings.
bandwidth patterns or bulk downloads of
• Focus on what to do rather than what not enterprise data) that can indicate security
to do. Telling employees not to use tools (such breaches.
as consumer web services) they believe they
need to do their jobs is counterproductive.
Instead, security teams must explain the Processes: Promote resilience
benefits, such as security and productivity, of Few business processes are designed to support
using approved messaging, file-transfer, and extensive work from home, so most lack the right
document-management tools to do their jobs. embedded controls. For example, an employee
To further encourage safe behavior, security who has never done high-risk remote work and
teams can promote the use of approved hasn’t set up a VPN might find it impossible to
devices—for example, by providing stipends do so because of the in-person VPN-initiation
to purchase approved hardware and software. requirements. In such cases, complementary
security-control processes can mitigate risks.
• Increase awareness of social engineering.
Such security processes include these:
COVID-19–themed phishing, vishing (voice

• Supporting secure remote-working tools. pathways are interrupted because people are
Security and IT help desks should add working from home.
capacity while exceptionally large numbers
• Confirm the security of third parties. Nearly
of employees are installing and setting up
every organization uses contractors and off-
basic security tools, such as VPNs and MFA.
site vendors, and most integrate IT systems
It might be practical to deploy security-
and share data with both contract and
team members temporarily at call centers to
noncontract third parties, such as tax or law-
provide added frontline support.
enforcement authorities. When organizations
• Testing and adjusting IR and BC/DR assess which controls must be extended to
capabilities. Even with increased traffic, employees to secure new work-from-home
validating remote communications and protocols, they should do the same for third-
collaboration tools allows companies to party users and connections, who are likely to
support incident-response (IR) and business- be managing similar shifts in their operations
continuity (BC)/disaster-recovery (DR) and security protocols. For example, ask
plans. But companies might have to adjust providers whether they have conducted any
their plans to cover scenarios relevant to the remote IR or BC/DR tabletop drills and, if they
current crisis. To find weak points in your have, ask them to share the results. Should
plans, conduct a short IR or BC/DR tabletop any third parties fail to demonstrate adequate
exercise with no one in the office. security controls and procedures, consider
limiting or even suspending their connectivity
• Securing physical documents. In the office,
until they remediate their weaknesses.
employees often have ready access to digital
document-sharing mechanisms, as well • Sustain good procurement practices.
as shredders and secure disposal bins for Fast-track procurement intended to close
printed materials. At home, where employees key security gaps related to work-from-home
might lack the same resources, sensitive arrangements should follow standard due-
information can end up in the trash. Set norms diligence processes. The need for certain
for the retention and destruction of physical security and IT tools may seem urgent, but
copies, even if that means waiting until the poor vendor selection or hasty deployment
organization resumes business as usual. could do more harm than good.
• Expand monitoring. Widening the scope
of organization-wide monitoring activities,
particularly for data and end points, is Even with stronger technology
important for two reasons. First, cyberattacks controls, employees working
have proliferated. Second, basic boundary-
protection mechanisms, such as proxies, web from home must still exercise
gateways, or network intrusion-detection good judgment to maintain
systems (IDS) or intrusion-prevention systems
(IPS), won’t secure users working from home, information security.
off the enterprise network, and not connected
to a VPN. Depending on the security stack,
organizations that do not require the use of a Supporting high levels of
VPN or require it only to access a limited set consumer-facing network traffic
of resources may go largely unprotected. To
Levels of online activity that challenge the
expand monitoring, security teams should
confidentiality, integrity, and availability (CIA)
update security-information-and-event-
of network traffic are accelerating. Whether
management (SIEM) systems with new
your organization provides connectivity, serves
rule sets and discovered hashes for novel
consumers, or supports transactions, securing
malware. They should also increase staffing
the CIA of network activity should be a top priority
in the security operations center (SOC) to
for any executive team that wants to protect
help compensate for the loss of network-
consumers from cyberbreaches during this period
based security capabilities, such as end-
of heightened vulnerability. Much as organizations
point protections of noncompany assets. If
are stepping up internal protections for enterprise
network-based security capabilities are found
networks, security teams in organizations that
to be degraded, teams should expand their IR
manage consumer-facing networks and the
and BC/DR plans accordingly.
associated technologies will need to scale up their
• Clarify incident-response protocols. technological capabilities and amend processes
When cybersecurity incidents take place, quickly.
SOC teams must know how to report
them. Cybersecurity leaders should build
redundancy options into response protocols Technology: Ensure sufficient
so that responses don’t stall if decision capacity
makers can’t be reached or normal escalation Companies that make it possible for employees

to work from home must enable higher online suspected malware or low-value security
network-traffic and transaction volumes by putting agents or even recommend the removal
in place technical building blocks such as a web- of features (such as noncritical functions
application firewall, secure-sockets-layer (SSL) or graphics on customer portals) that hog
certification, network monitoring, antidistributed network capacity.
denial of service, and fraud analytics. As web-
facing traffic grows, organizations should take
additional actions to minimize cyberrisks: Processes: Integrate and standardize
• Enhance web-facing threat-intelligence
security activities
monitoring. To anticipate threats and take Customers, employees, and vendors all play some
preventive measures, security teams must part in maintaining the confidentiality, integrity,
understand how heightened consumer traffic and availability of web-facing networks. Several
changes the threat environment for web- steps can help organizations to ensure that the
facing enterprise activities. For example, activities of these stakeholders are consistent and
to find out if attackers are becoming more well integrated:
interested in an organization’s web-facing • Integrate fraud-prevention capabilities
technologies, organizations can conduct with the SOC. Organizations that support
increased passive domain-name scans to the execution of financial transactions should
test for new malicious signatures tailored to consider integrating their existing fraud
the enterprise domain or for the number of analytics with SOC workflows to accelerate
adversarial scans targeting the enterprise the inspection and remediation of fraudulent
network, among other threats. transactions.
• Improve capacity management. • Account for increased costs. Many SOC
Overextended web-facing technologies tools and managed-security-service
are harder to monitor and more susceptible providers base charges for monitoring on
to attacks. Security teams can monitor the usage—for example, the volume of log records
performance of applications to identify analyzed. As usage increases with expanded

network traffic, organizations with usage- About the author(s)
based fee arrangements will need to account
Jim Boehm is a partner in McKinsey’s Washington,
for any corresponding increase in costs.
DC, office; James Kaplan is a partner in the New
• Help consumers solve CIA problems York office; and Marc Sorel is a partner in the
themselves. For media providers, enabling Boston office. Nathan Sportsman is the founder
customers to access content without and CEO of Praetorian, where Trevor Steen is a
interruption is essential, but increased usage senior security engineer.
levels can jeopardize availability. Companies
may wish to offer guides to show users how to
The authors wish to thank Wolf Richter and Mahir
mitigate access problems, particularly during
Nayfeh for their contributions to this article.
periods of peak use.
Securing remote-working arrangements and
McKinsey and Praetorian have entered into a
sustaining the CIA of customer-facing networks
strategic alliance to help clients solve complex
are essential to ensure the continuity of operations
cybersecurity challenges and secure innovation.
during this disruptive time. The actions we
As a part of this alliance, McKinsey is a minority
describe in this article, while not comprehensive,
investor in Praetorian.
have helped many organizations to overcome the
security difficulties they face and maintain their
standing with customers and other stakeholders.

Technology leaders in North America Banking & Securities
Aamer Baig, Senior Partner

aamer_baig@mckinsey.com
Daniel Brosseau, Partner

daniel_brosseau@mckinsey.com
Nagendra Bommadevara, Partner

nagendra_bommadevara@mckinsey.com
Ondrej Dusek, Partner

ondrej_dusek@mckinsey.com
Danny Kalmar, Partner

danny_kalmar@mckinsey.com
Kumar Kanagasabai, Partner

kumar_kanagasabai@mckinsey.com
James Kaplan, Partner

james_kaplan@mckinsey.com
Somesh Khanna, Senior Partner

somesh_khanna@mckinsey.com
Eric Lamarre, Senior Partner

eric_lamarre@mckinsey.com
Ling Lau, Partner

ling_lau@mckinsey.com
Xavier Lhuer, Partner

xavier_lhuer@mckinsey.com
Jorge Machado, Partner

jorge_machado@mckinsey.com
Mark Mintz, Partner

mark_mintz@mckinsey.com
Srini Ramadath, Partner

srinivas_ramadath@mckinsey.com
Vik Sohoni, Senior Partner

vik_sohoni@mckinsey.com
Belkis Vasquez-McCall, Partner

belkis_vasquez-mccall@mckinsey.com
123
April 2020
Copyright © McKinsey & Company
Designed by VG&M
www.mckinsey.com
@McKinsey
@McKinsey

Next Gen Technology Transformation in Financial Services

Uploaded by

Copyright:

Available Formats

Next Gen Technology Transformation in Financial Services

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Next Gen Technology Transformation in Financial Services

Uploaded by

Copyright:

Available Formats

April 2020

1. Reimagine the role of technology to be a business and innovation partner

2. Reinvent technology delivery to drive a step change in productivity and speed

3. Future-proof the foundation by building flexible and secure platforms

Vik Sohoni Xavier Lhuer Somesh Khanna

Reimagine the role of technology to be a business and innovation partner

The CEO’s new technology agenda 7

The CIO challenge: modern business needs a new kind of leader 15

The platform play: how to operate like a Tech company 21

How mid-cap banks can solve the conundrum of scale in Technology 29

Transforming a bank by becoming digital to the core 35

Reinvent technology delivery to drive a step change in productivity and speed

Transforming bank’s IT productivity 45

An executive’s guide to software development 51

ING’s Agile transformation 57

Flip the ratio: taking IT from bottleneck to battle ready 63

Transforming IT infrastructure organizations using Agile 71

Future-proof the foundation by building flexible and secure platforms

Next-generation core banking platforms: a golden ticket? 77

Unlocking business acceleration in a hybrid cloud world 89

Cybersecurity: Linchpin of the digital enterprise 107

Cybersecurity tactics for the coronavirus pandemic 117

Technology performance has become critical to business success.

Reimagine the role of technology to be a business and innovation partner 7

8 Reimagine the role of technology to be a business and innovation partner

Ten questions can help CEOs determine whether their companies’

What the CEO should ask to

— Alignment between IT and business 2. How do we track and maximize the

— Agile working methods 5. How many projects has IT shut down

7. Which of our IT capabilities do vendors

— Modular architecture 9. What % of business decisions are we making

Reimagine the role of technology to be a business and innovation partner y 9

10 Reimagine the role of technology to be a business and innovation partner

Reimagine the role of technology to be a business and innovation partner 11

12 Reimagine the role of technology to be a business and innovation partner

Reimagine the role of technology to be a business and innovation partner 13

14 Reimagine the role of technology to be a business and innovation partner

As technology becomes increasingly important, an organization’s

Reimagine the role of technology to be a business and innovation partner 15

Three vectors of a holistic 1. Business leader

16 Reimagine the role of technology to be a business and innovation partner

Reimagine the role of technology to be a business and innovation partner 17

18 Reimagine the role of technology to be a business and innovation partner

4. Culture revolutionary In practice, CIOs can enable collaboration if they’re

Reimagine the role of technology to be a business and innovation partner 19

20 Reimagine the role of technology to be a business and innovation partner

For tech to be a real driver of innovation and growth, IT needs

Reimagine the role of technology to be a business and innovation partner 21

22 Reimagine the role of technology to be a business and innovation partner

Platforms are grouped into three broad areas

Reimagine the role of technology to be a business and innovation partner 23

Retail example Banking example

Customer — In-store browsing and shopping for weekend — Searching

Business- “Retailer as a service” “Banking as a service”

— Employee-pension management — Employee-pension management

Core IT — In-store live video data-management platform — Omnichannel IT platform-development

— In-store face recognition — In-branch face recognition

24 Reimagine the role of technology to be a business and innovation partner y

Reimagine the role of technology to be a business and innovation partner 25

Companies need to perform a fitness assessment of their platforms