A security-first culture means conveying cybersecurity needs throughout the enterprise, but it isn’t easy to maintain. Communication can be hard no matter who you’re working with. For many IT teams, the profit-and-loss conversation doesn’t come naturally. But these teams need to communicate with executives in order to get the resources they need to protect the enterprise as a whole.

As a result, it’s critical for both IT teams and C-suite executives to cultivate a lingua franca — a shared operational language that establishes common ground to help executives and cybersecurity experts communicate about what security-first culture means. The challenges faced by financial firms offer an ideal language launchpad by calling out concrete connections between enterprise revenue and security risk. Here’s a script for how to encourage a security-first business by talking about money in a way that works.

‘Cyber Hygiene’ Isn’t What It Sounds Like

‘Cyber hygiene’ remains a popular catchphrase across industries and enterprises looking to shore up information security (infosec). It makes sense, but it doesn’t tell the whole story. The idea that simple actions — such as deploying more defensible passwords or tightening basic access controls — can improve infosec outcomes offers a straight line between existing processes and enhanced protection. This appeals to people, especially those running the business who haven’t fully embraced a security-first culture.

However, this cleanliness comparison only goes so far. Unlike biological systems, digital environments don’t naturally evolve to combat new threats. Instead, IT teams must create comprehensive cybersecurity cultures that combine new technologies and current staff training. Ideally, you’ll proactively correct for potential problems. The challenge? Communicating this need to the executives.

Leveraging a Lingua Franca for Security-First Culture

For many executives, conversations around security culture are often problematic, especially if there’s no evidence of a recent breach. While IT teams are pitching spend for problems that haven’t happened yet in an effort to limit total costs, boardroom members prioritize the bottom line. Both sides become frustrated.

Thankfully, there’s a way to help companies become security-first businesses: speaking the language of money.

While many C-suite players now recognize the need for security-first culture to effectively combat both existing and emerging threats, the Society for Human Resource Management notes that “money talks” when it comes to C-suite communication.

Making the Case

Three concepts from finance can help IT teams change the conversation around security-first culture:

1. Crisis of Confidence

Clients now prioritize security when dealing with digital banks. If financial data isn’t properly secured, consumer confidence — and corporate reputation — suffers. According to The Financial Brand, 54% of U.S. consumers cite increased risk as their top reason for not making the digital switch, and 78% will actively consider security when selecting their primary provider.

Put simply, improved security posture drives profit. Increased infosec spending drives greater consumer confidence and conversion.

2. Reduction of Revenue

Financial firms remain a top target for malicious actors. CIO Dive notes that in 2019, 62% of breached data came from financial services, while Security Boulevard reports that post-incident remediation took banks anywhere from 24 to 55 days.

In practice, this means the compromise of key systems or theft of critical financial assets forces firms to pivot from revenue generation to recovery and remediation. This, in turn, reduces profit. The absence of a cybersecurity culture creates the same disconnect, forcing companies to focus on repairing key systems rather than generating profit.

3. Failure of Function

Ransomware, malware and distributed denial of service attacks can take core financial systems offline, shutting down critical services. According to research firm McKinsey, general system faults and more specific issues such as authentication failures and declined transactions can cost firms more than $160 million each year. There’s also the problem of risk repetition. Organizations must not only find the root causes of a failure but ensure systems aren’t subject to the same problems again.

With C-suite executives increasingly cognizant of compliance and regulatory concerns, functional failures offer effective inroads for IT teams. Use basic language. Let them know that if systems go down due to a lack of security-first culture, costs rapidly increase.

Crafting Security-First Culture

Effective IT security now offers line-of-business benefits. It can be hard to explain that when security teams and executives don’t always speak the same language, especially when it comes to spending at scale.

By aligning cybersecurity issues with financial threat frameworks, however, it’s possible for enterprises to create a lingua franca for security. If you emphasize observable outcomes that provide actionable ways to define budget allotments and identify profit priorities, you can bridge that gap within your organization.
