Let's use our imaginations for a few minutes.
Let's pretend that your leadership team is concerned about the financial fitness of your bank.
Whether it was identified internally, whether examiners told you, or whether it was your auditors that told you, doesn't really matter. But someone has come to the realization that if you don't change some of the things you're doing from a financial fitness standpoint, there are events that could happen, that would put your bank out of business.
Your board and your executive team decide it's time to make organizational changes on how you work with money, think about money, and monitor money. And they've asked you to establish a “culture of fiscal responsibility” from top to bottom.
What would you do?
Well, you'd probably talk to all your staff about why good financial health is important to your bank. Because if they can understand why it's important, they can get behind your efforts.
You'd probably educate them on good financial decision-making, so they can make decisions in the moment that support your “culture of fiscal responsibility”.
You'd probably ask them to help identify areas where you were wasting money or areas of risk from a financial standpoint. “Are there things we can do better?”
You'd make sure that you have an expert on your team pointing you in the right direction. Not only to help establish goals and set the direction but to make sure you're on track to get there. This would likely be a CFO or a fractional CFO.
You'd want to work with the CFO to identify key metrics to see how you're performing against your roadmap.
You would hold regular meetings to discuss how the bank is performing against the goals and metrics - you might do it weekly, but you'd certainly do it at least monthly.
You might even sit down and talk about potential events that could happen that might impact your financial fitness. Examples might be: “what if we unexpectedly had an expense that costs us a million dollars?” “what if we lost 25% of our annual revenue?”.
So, my question in all of this is: why do we treat cybersecurity any differently?
Cybersecurity is consistently in the top three risk categories in the community banking space and has been for half a decade.
Industry experts are saying it. Your examiners are saying it. Your auditors are saying it.
This is not only a key component for the future success of your bank but could potentially put you out of business.
If I were to take the examples from above, every one of them is applicable in building a cybersecurity culture.
Talk to your staff - explain why it's important.
Educate them on the threat threats and good cyber hygiene.
Ask them to be involved in the risk assessment process.
Find an independent and qualified expert to set the roadmap – either an in-house CISO or 3rd party relationship.
Establish a Key Risk Indicator (KRI) dashboard.
Hold monthly meetings with your CISO to discuss KRI metrics as well as other events that may have an effect on your goals.
Hold regular Incident Response tabletop tests, where you talk about potential events that would impact your bank from a cybersecurity standpoint.
So in closing, what's the one thing you can do to improve your cybersecurity program?
Treat it like any other major division of your bank: Make it Important.
Additional Resources:
5 Reasons Information Security is a Team Sport
https://www.bedelsecurity.com/blog/5-reasons-information-security-is-a-team-sport
What Does it Mean to Be a Good Partner?
https://www.bedelsecurity.com/blog/what-does-it-mean-to-be-a-good-partner
Culture of Security: Critical Conversations
https://www.bedelsecurity.com/blog/culture-of-security-critical-conversations
Change, Conflict and Culture
https://www.bedelsecurity.com/blog/change-conflict-and-culture
Two Essential Ingredients to Improve Your Information Security Program
https://www.bedelsecurity.com/blog/two-essential-ingredients-to-improve-your-information-security-program