In this episode, we’re joined by Charlie Lewis, a partner at McKinsey & Company who leads its cyber practice across North America and Europe. Charlie advises organizations on reducing cyber and technology risk in an increasingly complex threat environment. And yes, he’s also Jenny’s brother, so expect a little sibling energy in today’s conversation.
Before McKinsey, Charlie spent more than 13 years in the US Army and continues to serve in the Army Reserves as an assistant professor at the United States Military Academy. He brings a unique blend of military, academic, and private-sector experience to today’s cyber challenges.
What does your day-to-day look like?
I like to explain what I do using the story of an ice cream sandwich.
If you think about an ice cream sandwich, it’s made of fairly simple parts: a chocolate wafer, ice cream, and a wrapper. On the surface, that’s all you need. But what I actually spend my time worrying about is whether all of those parts show up when you need them.
I worked with a client whose wafer supplier was hit by ransomware. Suddenly, they had to think about business continuity, vendor risk, and supply chain resilience just to keep ice cream sandwiches on shelves. It sounds funny, but it’s a real example of how cyber risk shows up in everyday business.
Day to day, I’m on the phone with large financial institutions, utilities across the US and Europe, and life sciences companies, helping them think about their most critical technology risks. That can mean foundational issues like IT asset management and identity and access management, emerging areas like quantum security and agentic AI, or broader ecosystem questions like third- and nth-party risk.
What excites me is that the work feels societal. In the Army, the mission was narrow and targeted. Now, it’s about helping reduce risk across systems we all rely on. Breaches will happen, but how do we do a better job of making society more secure in a world that depends so heavily on digital platforms?
Do you see overlap between the cyber threats you saw in the Army and what businesses face today?
It’s honestly frightening how much overlap there is.
In some ways, I think it’s worse in the private sector. The military operates with a clear battlefield and an offensive mindset. In the private sector, what we protect matters to everyone—healthcare, food supply, energy, financial systems, data.
We’ve seen this with Colonial Pipeline, with JBS and meat prices, and even with companies like Hasbro being targeted. It’s not just nation-state actors anymore. It’s criminals who now have scale, access, and the ability to disrupt entire industries remotely. They don’t need to steal something physically—they can shut down operations and extract millions of dollars from anywhere in the world.
And it’s happening every single day.
Have you seen an increase in cyberattacks tied to global events? What should we be watching for?
I wouldn’t say there’s been a dramatic increase yet, but I do think it’s about to happen.
Geopolitical cyber activity has been consistent for years, whether in utilities or telecom, or in conflicts involving Ukraine, Russia, or the Middle East. What’s really changing the game now is the use of agents in cyberattacks.
Researchers and, increasingly, attackers are using agents to identify vulnerabilities, determine attack paths, and execute attacks much faster. Often, these are old-school techniques, like SQL injection, but delivered through a novel attack path. Because the agents can adapt and move quickly, traditional alerting and web application firewall rules often miss them.
This means vulnerabilities that used to be considered low risk are suddenly much more serious. At RSA, I mentioned an overly verbose endpoint vulnerability, and a CISO (chief information security officer) literally left the room to call his team and make sure they didn’t have it exposed. That’s the shift we’re seeing.
Organizations now have to fight speed with speed. Detect, contain, respond, and recover faster than ever before.
If you could give business owners three cybersecurity priorities for the coming year, what would they be?
First, continue to focus on the fundamentals. You need to know where your assets are, where your data lives, and what your critical applications are. You can’t restore your business if you don’t know what you’re restoring. Identity and access management remains foundational, as does strong third- and nth-party risk management.
Second, start building agentic workflows now, especially in the security operations center. Organizations should seriously consider making their first agentic use case a SOC (security operations center) use case. There’s cost efficiency in automating tier-one triage and response, but more importantly, you’ll soon need agents to fight agents. In three to six months, many organizations will be targeted this way.
Finally, teams need to keep learning. Security leaders and practitioners should understand how agents are built, how governance changes with AI, and how to integrate AI risk into existing compliance and security programs.
And through all of this, it’s important to remain human. Pressure on security teams and business owners is only going to grow. Leadership, context, and empathy still matter, especially as the world fills up with more automation and more robots.
This conversation has been edited for clarity and length. Thank you, Charlie Lewis, for sharing your insights.