A security-first culture means conveying cybersecurity needs throughout the enterprise, but it isn’t easy to maintain. Communication can be hard no matter who you’re working with. For many IT teams, the profit-and-loss conversation doesn’t come naturally. But these teams need to communicate with executives in order to get the resources they need to protect the enterprise as a whole.
As a result, it’s critical for both IT teams and C-suite executives to cultivate a lingua franca: a shared operational language that establishes common ground so executives and cybersecurity experts can talk about what a security-first culture means in practice. The challenges faced by financial firms are an ideal starting point for that language, because they make the connections between enterprise revenue and security risk concrete. Here’s a script for encouraging a security-first business by talking about money in a way that works.
‘Cyber Hygiene’ Isn’t What It Sounds Like
‘Cyber hygiene’ remains a popular catchphrase across industries and enterprises looking to shore up information security (infosec). It makes sense, but it doesn’t tell the whole story. The idea that simple actions, such as enforcing stronger password policies or tightening basic access controls, can improve infosec outcomes offers a straight line between existing processes and enhanced protection. This appeals to people, especially those running the business who haven’t fully embraced a security-first culture.
However, the cleanliness comparison only goes so far. Unlike biological immune systems, digital environments don’t evolve on their own to counter new threats; every adaptation is a deliberate decision someone has to make and fund. IT teams must therefore build comprehensive security cultures that combine new technologies with ongoing staff training and, ideally, correct for potential problems before they are exploited. The challenge is communicating this need to executives.
Leveraging a Lingua Franca for Security-First Culture
For many executives, conversations around security culture are difficult, especially when there is no recent breach to point to. IT teams are pitching spend on problems that haven’t happened yet, in an effort to limit total costs, while boardroom members are focused on the bottom line. Both sides become frustrated.
Thankfully, there’s a way to help companies become security-first businesses: speaking the language of money.
Many C-suite players now recognize the need for a security-first culture to combat both existing and emerging threats, and, as the Society for Human Resource Management notes, “money talks” when it comes to C-suite communication.
Making the Case
Three concepts from finance can help IT teams change the conversation around security-first culture:
1. Crisis of Confidence
Clients now prioritize security when dealing with digital banks. If financial data isn’t properly secured, consumer confidence — and corporate reputation — suffers. According to The Financial Brand, 54% of U.S. consumers cite increased risk as their top reason for not making the digital switch, and 78% will actively consider security when selecting their primary provider.
Put simply, improved security posture supports profit: infosec spending that visibly improves the protection of customer data drives consumer confidence and conversion.
2. Reduction of Revenue
Financial firms remain a top target for malicious actors. CIO Dive notes that in 2019, 62% of breached data came from financial services, while Security Boulevard reports that post-incident remediation took banks anywhere from 24 to 55 days.
In practice, this means that a compromise of key systems or theft of critical financial assets forces a firm to pivot from generating revenue to recovery and remediation, which in turn reduces profit. The absence of a security culture produces the same disconnect: the company ends up repairing key systems rather than generating profit.
3. Failure of Function
Ransomware, other malware and distributed denial of service attacks can take core financial systems offline, shutting down critical services. According to consulting firm McKinsey, general system faults and more specific issues such as authentication failures and declined transactions can cost firms more than $160 million each year. There is also the problem of recurrence: organizations must not only find the root cause of a failure but ensure their systems aren’t subject to the same problem again.
With C-suite executives increasingly aware of compliance and regulatory concerns, functional failures offer an effective inroad for IT teams. Use plain language: if systems go down because security was never built into how the business operates, costs rise quickly, and regulatory exposure rises with them.
Crafting Security-First Culture
Effective IT security now offers line-of-business benefits. It can be hard to explain that when security teams and executives don’t always speak the same language, especially when it comes to spending at scale.
By aligning cybersecurity issues with the financial risk frameworks executives already use, however, enterprises can create a lingua franca for security. Emphasize observable outcomes that give executives actionable ways to set budget allotments and identify profit priorities, and you can bridge that gap within your organization.