A security-first culture means conveying cybersecurity needs throughout the enterprise, but it isn’t easy to maintain. Communication can be hard no matter who you’re working with. For many IT teams, the profit-and-loss conversation doesn’t come naturally. But these teams need to communicate with executives in order to get the resources they need to protect the enterprise as a whole.

As a result, it’s critical for both IT teams and C-suite executives to cultivate a lingua franca — a shared operational language that establishes common ground to help executives and cybersecurity experts communicate about what security-first culture means. The challenges faced by financial firms offer an ideal language launchpad by calling out concrete connections between enterprise revenue and security risk. Here’s a script for how to encourage a security-first business by talking about money in a way that works.

‘Cyber Hygiene’ Isn’t What It Sounds Like 

‘Cyber hygiene’ remains a popular catchphrase across industries and enterprises looking to shore up information security (infosec). It makes sense, but it doesn’t tell the whole story. The idea that simple actions — such as deploying more defensible passwords or tightening basic access controls — can improve infosec outcomes offers a straight line between existing processes and enhanced protection. This appeals to people, especially those running the business who haven’t fully embraced a security-first culture. 

However, this cleanliness comparison only goes so far. Unlike biological systems, digital environments don’t naturally evolve to combat new threats. Instead, IT teams must create comprehensive cybersecurity cultures that combine new technologies and current staff training. Ideally, you’ll proactively correct for potential problems. The challenge? Communicating this need to the executives. 

Leveraging a Lingua Franca for Security-First Culture

For many executives, conversations around security culture are often problematic, especially if there’s no evidence of a recent breach. While IT teams are pitching spend for problems that haven’t happened yet in an effort to limit total costs, boardroom members prioritize the bottom line. Both sides become frustrated.

Thankfully, there’s a way to help companies become security-first businesses: speaking the language of money. 

While many C-suite players now recognize the need for security-first culture to effectively combat both existing and emerging threats, the Society for Human Resource Management notes that “money talks” when it comes to C-suite communication.

Making the Case

Three concepts from finance can help IT teams change the conversation around security-first culture:

1. Crisis of Confidence

Clients now prioritize security when dealing with digital banks. If financial data isn’t properly secured, consumer confidence — and corporate reputation — suffers. According to The Financial Brand, 54% of U.S. consumers cite increased risk as their top reason for not making the digital switch, and 78% will actively consider security when selecting their primary provider.

Put simply, improved security posture drives profit. Increased infosec spending drives greater consumer confidence and conversion.

2. Reduction of Revenue

Financial firms remain a top target for malicious actors. CIO Dive notes that in 2019, 62% of breached data came from financial services, while Security Boulevard reports that post-incident remediation took banks anywhere from 24 to 55 days.

In practice, this means the compromise of key systems or theft of critical financial assets forces firms to pivot from revenue generation to recovery and remediation. This, in turn, reduces profit. An absent cybersecurity culture creates the same disconnect, forcing companies to focus on repairing key systems rather than generating profit.

3. Failure of Function

Ransomware, malware and distributed denial of service attacks can take core financial systems offline, shutting down critical services. According to research firm McKinsey, general system faults and more specific issues such as authentication failures and declined transactions can cost firms more than $160 million each year. There’s also the problem of risk repetition. Organizations must not only find the root causes of a failure but ensure systems aren’t subject to the same problems again.

With C-suite executives increasingly cognizant of compliance and regulatory concerns, functional failures offer effective inroads for IT teams. Use basic language. Let them know that if systems go down due to a lack of security-first culture, costs rapidly increase.

Crafting Security-First Culture

Effective IT security now offers line-of-business benefits. It can be hard to explain that when security teams and executives don’t always speak the same language, especially when it comes to spending at scale.

By aligning cybersecurity issues with financial threat frameworks, however, it’s possible for enterprises to create a lingua franca for security. If you emphasize observable outcomes that provide actionable ways to define budget allotments and identify profit priorities, you can bridge that gap within your organization. 
