A culture of security is one of the most important things that you can have in your bank or credit union. It will make it easier to mature your cybersecurity program and will make it more effective and efficient.
There are several key pieces of a culture of security in your organization, but one of the areas I want to focus on today is communication.
Communication among the various stakeholders is critically important in having a culture of security in the organization. Maybe one of the most important channels is the communication between your technical staff and your management team.
When I talk about technical staff, I mean your Information Technology team, your Information Security team, your Information Security Officer (or CISO), and other vendors/partners that may be involved in filling some of those roles. When I talk about the management team, I'm talking about your business unit leaders, your C-Suite (CEO, CFO, COO, etc.), and your board of directors.
The challenge with good communication between those two groups is that oftentimes they're speaking different languages, and that can be very frustrating. So today's blog post covers five tips for your management team to successfully communicate with your technical team.
This is the follow-up to last week’s article, so go check it out: 5 Tips for Technical People to Successfully Communicate with Management.
Tip #1: Assume the Best of Your People
You need to understand that most technical people in community banks and credit unions are absolutely dedicated to their organization. And oftentimes they feel like they have the weight of the world on their shoulders. Sometimes it means that they make decisions based on that mindset.
I can promise you that, 99% of the time, if these people are doing something that seems completely irrational to you, it's done with the best of intentions. Keeping that in mind during communication will make it easier to understand them.
Tip #2: Establish a Healthy Culture
This is going to feel a little like circular logic, but a good culture needs communication and communication needs good culture. Management has to set that tone. Here’s what I’m talking about:
- Build a cohesive team based on trust,
- Make it okay for your team to not have all the answers,
- Establish accountability, and
- Set clear common objectives (that trump personal pet projects).
Tip #3: Have a Clear, Consistent Risk Appetite
You have to understand that perfection does not equal excellence. You also can't have conflicting goals when it comes to risk and spending. What I'm trying to say is that the less risk you're okay with, the more money you're typically going to spend.
You, as a leader, need to communicate to your technical team what an acceptable loss looks like; is it $50,000 or is it $500,000? It's tough for them to make decisions and row in the same direction if they don't know.
Tip #4: Tech Experience on Your Board
We're seeing more and more community banks do this in an effort to bridge the technology/security gap. While it doesn't solve every problem, having that person on your board that your technical team can relate to can help open up those communication channels and heighten your awareness at the management level.
Just be sure to communicate to that techie board member where the boundary lies between board-level responsibilities and what starts to be micro-managing.
Tip #5: Take an Interest
It's really hard to have good communication with your technical team if they feel like you just don't care what they're working on.
You need to ask questions and be interested in what they are doing. Technology is forever embedded in banking, so treat it with the importance it deserves.
One way we've found to improve this is by establishing a really good key risk indicator dashboard. The one we implement in the banks that we work with allows anyone to look at the dashboard and ask contextual questions about what's going on in the program. If you haven't done so, I'd suggest implementing something like this in your organization. (Or send me an email if you’d like to see a sample – chris@bedelsecurity.com.)
Closing
Communication is so important to information security programs, but it's not easy to do. Hopefully, you found these five tips to be helpful in strengthening your culture of security.
Shoot us an email at support@bedelsecurity.com with any questions you have.
Or if you'd like one of our experienced vCISOs to take a look at your cybersecurity program with actionable recommendations, check out our CISO Assessment Page.
Additional Resources:
5 Tips for Technical People to Successfully Communicate with Management
https://www.bedelsecurity.com/blog/5-tips-for-technical-people-to-successfully-communicate-with-management
Culture of Security: Critical Conversations
https://www.bedelsecurity.com/blog/culture-of-security-critical-conversations
5 Reasons Information Security is a Team Sport
https://www.bedelsecurity.com/blog/5-reasons-information-security-is-a-team-sport
Culture Counts
https://www.bedelsecurity.com/blog/culture-counts