Critical resilience: Adapting infrastructure to repel cyberthreats

Abstract: 

This article by the consulting firm McKinsey and Company, which provides consulting services in the area of travel, logistics, and transport infrastructure, offers practical advice on how infrastructure owners can bolster the cybersecurity of their organizations. It begins by noting that the reasons leaders within the infrastructure sector do not place enough emphasis on establishing cybersecurity defenses include the misconceptions that the technology underlying physical infrastructure fundamentally differs from that of other industries, and that advanced knowledge of the particular kinds of cybersecurity needed to protect infrastructure is necessary to build an effective defense. The article dispels these myths and describes some basic principles that should guide the establishment of cyberdefenses for infrastructure organizations. These are (1) that past vulnerabilities frequently persist rather than become obsolete as technology changes, (2) that one must presuppose that a cyberattack will take place in order to adequately prepare for it, and (3) that cybersecurity must be integrated across the whole system, not just parts of it, to be effective. Based on these principles, the article outlines the following three concrete steps to help infrastructure owners begin to improve the cybersecurity of their organizations, so as to be adequately prepared for the imminent digital threats of the future:
(1) Recruit new talent, specifically by pooling resources for cybersecurity expertise among many infrastructure organizations local to an area, since the availability of expertise is limited and funds may be scarce.
(2) Establish a specific emergency response team for cyberattacks, which must undergo regular training to ensure preparedness and be composed of individuals experienced in the general operation of the infrastructure in addition to focused cybersecurity experts.
(3) Execute a plan for changing the organizational culture around cybersecurity, specifically by using the concept of cyber war gaming (already commonly used in the corporate world) to visualize exactly what a cyberattack would look like, as well as by integrating cybersecurity into the performance measures used to evaluate both individuals and teams.

Author: 

James Kaplan, Chris Toomey, Adam Tyra

Year: 

2019

Domain: 

Dimension: 

Region: 

Country: 

United States

Data Type: 

Keywords: