A security-first culture means conveying cybersecurity needs throughout the enterprise, but it isn’t easy to maintain. Communication can be hard no matter who you’re working with. For many IT teams, the profit-and-loss conversation doesn’t come naturally. But these teams need to communicate with executives in order to get the resources they need to protect the enterprise as a whole.

As a result, it’s critical for both IT teams and C-suite executives to cultivate a lingua franca — a shared operational language that establishes common ground to help executives and cybersecurity experts communicate about what security-first culture means. The challenges faced by financial firms offer an ideal language launchpad by calling out concrete connections between enterprise revenue and security risk. Here’s a script for how to encourage a security-first business by talking about money in a way that works.

‘Cyber Hygiene’ Isn’t What It Sounds Like 

‘Cyber hygiene’ remains a popular catchphrase across industries and enterprises looking to shore up information security (infosec). It makes sense, but it doesn’t tell the whole story. The idea that simple actions — such as deploying more defensible passwords or tightening basic access controls — can improve infosec outcomes offers a straight line between existing processes and enhanced protection. This appeals to people, especially those running the business who haven’t fully embraced a security-first culture. 

However, this cleanliness comparison only goes so far. Unlike biological systems, digital environments don’t naturally evolve to combat new threats. Instead, IT teams must create comprehensive cybersecurity cultures that combine new technologies and current staff training. Ideally, you’ll proactively correct for potential problems. The challenge? Communicating this need to the executives. 

Leveraging a Lingua Franca for Security-First Culture

For many executives, conversations around security culture are often problematic, especially if there’s no evidence of a recent breach. While IT teams are pitching spend for problems that haven’t happened yet in an effort to limit total costs, boardroom members prioritize the bottom line. Both sides become frustrated.

Thankfully, there’s a way to help companies become security-first businesses: speaking the language of money. 

While many C-suite players now recognize the need for security-first culture to effectively combat both existing and emerging threats, the Society for Human Resource Management notes that “money talks” when it comes to C-suite communication.

Making the Case

Three concepts from finance can help IT teams change the conversation around security-first culture:

1. Crisis of Confidence

Clients now prioritize security when dealing with digital banks. If financial data isn’t properly secured, consumer confidence — and corporate reputation — suffers. According to The Financial Brand, 54% of U.S. consumers cite increased risk as their top reason for not making the digital switch, and 78% will actively consider security when selecting their primary provider.

Put simply, improved security posture drives profit. Increased infosec spending drives greater consumer confidence and conversion.

2. Reduction of Revenue

Financial firms remain a top target for malicious actors. CIO Dive notes that in 2019, 62% of breached data came from financial services, while Security Boulevard reports that post-incident remediation took banks anywhere from 24 to 55 days.

In practice, this means the compromise of key systems or theft of critical financial assets forces firms to pivot from revenue generation to recovery and remediation. This, in turn, reduces profit. The absence of a cybersecurity culture creates the same disconnect, forcing companies to focus on repairing key systems rather than generating profit.

3. Failure of Function

Ransomware, malware and distributed denial-of-service attacks can take core financial systems offline, shutting down critical services. According to research firm McKinsey, general system faults and more specific issues such as authentication failures and declined transactions can cost firms more than $160 million each year. There’s also the problem of risk repetition: organizations must not only find the root causes of a failure but also ensure systems aren’t subject to the same problems again.

With C-suite executives increasingly cognizant of compliance and regulatory concerns, functional failures offer effective inroads for IT teams. Use basic language. Let them know that if systems go down due to a lack of security-first culture, costs rapidly increase.

Crafting Security-First Culture

Effective IT security now offers line-of-business benefits. It can be hard to explain that when security teams and executives don’t always speak the same language, especially when it comes to spending at scale.

By aligning cybersecurity issues with financial threat frameworks, however, it’s possible for enterprises to create a lingua franca for security. If you emphasize observable outcomes that provide actionable ways to define budget allotments and identify profit priorities, you can bridge that gap within your organization. 
