A security-first culture means conveying cybersecurity needs throughout the enterprise, but it isn’t easy to maintain. Communication can be hard no matter who you’re working with. For many IT teams, the profit-and-loss conversation doesn’t come naturally. But these teams need to communicate with executives in order to get the resources they need to protect the enterprise as a whole.

As a result, it’s critical for both IT teams and C-suite executives to cultivate a lingua franca — a shared operational language that establishes common ground to help executives and cybersecurity experts communicate about what security-first culture means. The challenges faced by financial firms offer an ideal language launchpad by calling out concrete connections between enterprise revenue and security risk. Here’s a script for how to encourage a security-first business by talking about money in a way that works.

‘Cyber Hygiene’ Isn’t What It Sounds Like 

‘Cyber hygiene’ remains a popular catchphrase across industries and enterprises looking to shore up information security (infosec). It makes sense, but it doesn’t tell the whole story. The idea that simple actions — such as deploying stronger passwords or tightening basic access controls — can improve infosec outcomes offers a straight line between existing processes and enhanced protection. This appeals to people, especially those running the business who haven’t fully embraced a security-first culture.

However, this cleanliness comparison only goes so far. Unlike biological systems, digital environments don’t naturally evolve to combat new threats. Instead, IT teams must create comprehensive cybersecurity cultures that combine new technologies and current staff training. Ideally, you’ll proactively correct for potential problems. The challenge? Communicating this need to the executives. 

Leveraging a Lingua Franca for Security-First Culture

For many executives, conversations around security culture are often problematic, especially if there’s no evidence of a recent breach. While IT teams are pitching spend for problems that haven’t happened yet in an effort to limit total costs, boardroom members prioritize the bottom line. Both sides become frustrated.

Thankfully, there’s a way to help companies become security-first businesses: speaking the language of money. 

While many C-suite players now recognize the need for security-first culture to effectively combat both existing and emerging threats, the Society for Human Resource Management notes that “money talks” when it comes to C-suite communication.

Making the Case

Three concepts from finance can help IT teams change the conversation around security-first culture:

1. Crisis of Confidence

Clients now prioritize security when dealing with digital banks. If financial data isn’t properly secured, consumer confidence — and corporate reputation — suffers. According to The Financial Brand, 54% of U.S. consumers cite increased risk as their top reason for not making the digital switch, and 78% will actively consider security when selecting their primary provider.

Put simply, improved security posture drives profit. Increased infosec spending drives greater consumer confidence and conversion.

2. Reduction of Revenue

Financial firms remain a top target for malicious actors. CIO Dive notes that in 2019, 62% of breached data came from financial services, while Security Boulevard reports that post-incident remediation took banks anywhere from 24 to 55 days.

In practice, this means the compromise of key systems or theft of critical financial assets forces firms to pivot from revenue generation to recovery and remediation. This, in turn, reduces profit. The absence of a cybersecurity culture creates the same disconnect, forcing companies to focus on repairing key systems rather than generating profit.

3. Failure of Function

Ransomware, malware and distributed denial of service attacks can take core financial systems offline, shutting down critical services. According to research firm McKinsey, general system faults and more specific issues such as authentication failures and declined transactions can cost firms more than $160 million each year. There’s also the problem of risk repetition. Organizations must not only find the root causes of a failure but ensure systems aren’t subject to the same problems again.

With C-suite executives increasingly cognizant of compliance and regulatory concerns, functional failures offer effective inroads for IT teams. Use basic language. Let them know that if systems go down due to a lack of security-first culture, costs rapidly increase.

Crafting Security-First Culture

Effective IT security now offers line-of-business benefits. It can be hard to explain that when security teams and executives don’t always speak the same language, especially when it comes to spending at scale.

By aligning cybersecurity issues with financial threat frameworks, however, it’s possible for enterprises to create a lingua franca for security. If you emphasize observable outcomes that provide actionable ways to define budget allotments and identify profit priorities, you can bridge that gap within your organization. 
