8 Ways to Create a Sustainable Security Culture in Banking or Any Industry

“Cybercrime is the greatest threat to every company in the world,” says Ginny Rometty, IBM’s chairman, president and CEO. She is right. A cyberattack occurs every 39 seconds, according to a recent University of Maryland study. Your leadership may not be deep in the security trenches like you are, yet leadership is critical in helping your bank implement a successful cybersecurity strategy.

The financial sector saw 148 data breaches in 2017, with 92 percent of threats coming from external sources. There’s no question that security threats put your organization and your customers’ sensitive information at constant risk, potentially costing you in customer loss, diminished trust in your brand, regulatory fines, class action lawsuits, and even jail time.

Protecting sensitive and regulated information should be an executive leadership priority for banks, and it is for security-minded executives. Yet, in banking, IT security is often put into the “IT corner.” Getting your executives to invest in cybersecurity requires an understanding of risk and the likelihood of being ill-prepared. Often, two dynamics are at play: executives don’t understand and technologists are not good communicators.

Instilling a culture of security starts with information governance 

Here are eight ways this can be done:

• Establish a Task Force. It doesn’t all have to fall on your shoulders. Establish a security task force: a cross-functional team of key stakeholders that include legal, compliance, security, IT and operations. This team will assist and advise executive management in ensuring the security needs of the entire organization are being met.
• Executive Sponsorship. Critical to the success of the task force is the buy-in from executives and/or board, however, as we mentioned, this can be the most difficult step. The key to gaining buy-in is communicating the program’s benefits that will specifically address the executive’s unique pain points and build the risk case. Business leaders and board members are typically focused on the costs, overall impact a security breach has on the bottom line. When you communicate the value, avoid using technical terms, industry acronyms, and IT-related impacts. Instead, translate your IT outage into dollars and cents. For example, 120 minutes of server downtime should be translated into two hours x 25 employees x $20.00/hour = $1,000 in lost productivity. Practice converting all of your technical impacts into business and financial impacts and you will start speaking the language of your executive team.
• Structure and Fresh Thinking. With executive sponsorship secured, the team must analyze the current infrastructure, policies, and processes. This includes evaluating systems, how they are used in day-to-day operations, and employee attitudes toward security and compliance in the current environment. The people part of the equation is essential to enabling long-term transformation. Consider bringing in external security expertise: the introduction of new thinking and ideas will lead to companywide behavioral changes that can refresh and renew the culture. In addition, outside consultants can be effective in breaking barriers with your executive leadership that can be difficult for internal employees.
• Incentives. A key part of gaining companywide adoption for any new program is to help employees understand what’s in it for them. By understanding what incentivizes people and tying those incentives to employees’ active participation in new processes, such as security protocols, you can significantly improve the adoption and pace at which new standards are embraced.
• Change Management. The task force must communicate the fundamental legal and regulatory drivers behind the proposed security changes and ensure the company understands just how important these factors are to the organization’s overall success and business continuity.
• Training. Leveraging executive sponsors can be particularly helpful in ensuring that training is mandatory for everyone in the organization—a key factor in maintaining long-term change. Outside advisors, including Redhawk Network Security, can be useful at this stage, as they help internal teams outline the critical security vulnerabilities and necessary components of the program, develop audience-specific training materials, identify what users will need to be trained on, and determine what the depth of that training should be.
• Mobile Workforce. The expansion of the Internet of Things (IoT), mobile devices, and text messages has greatly increased the number of challenges that impact compliance and security. For example, the data on a custodian’s personal mobile phone, including text messages, is not only vulnerable to a possible data breach, but it might be in scope in almost any investigation or litigation. Companies that are proactive about their mobile workforce and maintain up-to-date and enforceable policies, will find it easier to navigate compliance and security issues.
• Enforcement. Maintaining change and enforcing adoption of new processes is critical to shaping a culture of security that grows and strengthens over time. There are a handful of approaches and technologies that enable compliance monitoring, and they work by flagging violations of new protocols and enabling stakeholders to take remedial action.

While your executives’ priorities are likely increasing revenue, reducing costs, and improving efficiencies, of course they want to secure data. They will need your help in our dynamic, high-threat security environment. No bank, or any other organization, wants to suffer a data breach, including the cost of one, which is now averaging $1,027,053, according to Ponemon Institute.

This edited article was originally published in Western Banker’s July/August 2018 issue. View article.