For years, the cybersecurity industry has lamented the "gap" between technical teams and the C-suite. A new report from Expel, titled "THE CISO-CFO DISCONNECT: Why security and finance struggle to align on cyber investment," provides a data-driven examination of this relationship.
While both sides report high levels of "surface" agreement, the data reveal a profound confidence gap that threatens the efficacy of cyber investments. The research has implications for key stakeholders in the enterprise ecosystem.
On the surface, things look good: 88% of security leaders believe their priorities match business goals, and 55% of finance leaders view cybersecurity as a core strategic driver. However, the conviction is shallow. Only 35% of finance leaders are "very aligned" with security's priorities, compared to 46% of security leaders who feel very aligned with finance.
What this means for CISOs
For CISOs, the report is a wake-up call regarding their perceived business acumen. While security leaders feel they are working hard to protect the organization, finance remains skeptical of their execution.
- The translation gap: Only 52% of finance leaders are "very confident" that their security team can communicate business impact clearly.
- Prioritization doubts: Just 43% of finance leaders feel very confident that security can prioritize investments based on actual risk.
- Strategy versus operations: Only 40% express full confidence in security's ability to align with business strategy.
CISO takeaway: As Greg Notch, Chief Security Officer at Expel, notes, you must be "extremely crisp" on metrics that matter to the business, such as revenue protection and operational continuity. If you cannot draw a clear line from an investment to a business outcome, you risk losing your seat at the table.
What this means for CFOs
Chief Financial Officers are increasingly taking responsibility for enterprise risk management and cyber insurance, yet they feel they are operating with incomplete data.
- Efficiency concerns: Only 46% of finance leaders are very confident that security can deliver cost-efficient solutions.
- Perception of value: CFOs are split, with 38% viewing cybersecurity as a strategic enabler, while another 38% still view it as a cost center.
CFO takeaway: The solution lies in deeper education. CFOs who view security as a "strategic enabler" report significantly higher confidence (54%) in their alignment with security priorities than those who view it as a "cost center" (38%).
"I wrote my book Fire Doesn’t Innovate based in large part on the working relationship I had with my CFO when I was CISO at PEMCO Insurance in Seattle. He taught me that cybersecurity is a business problem, not a technical problem," said Kip Boyle, vCISO, Cyber Risk Opportunities LLC. "Once I understood that, everything changed. You can approach cybersecurity like any other business risk: something you can manage without being an expert. CFOs likely have more skills that apply to cybersecurity than they realize. The disconnect isn't about technical knowledge; it's about recognizing cyber as a material risk that belongs in the same conversation as revenue protection and operational continuity."
"Much of the analysis around the CFO-CISO relationship closely mirrors the work I've done on the General Counsel (GC)–CISO relationship," said Shawn Tuma, Partner, Cyber | Data | Artificial Intelligence Practice Group, at Spencer Fane LLP. "In both cases, surface alignment is common—everyone agrees cybersecurity matters—but real alignment breaks down when leaders haven't aligned on how risk is evaluated, prioritized, and governed as a business decision. Those disconnects are rarely confined to just two roles; the CFO-CISO dynamic often reflects broader governance and leadership challenges across the organization."
Tuma authored The GC-CISO Connection book and has a podcast by the same name.
He continued, "When senior leadership doesn't share a common, risk-based framework for decision-making, organizations end up either spending heavily without meaningfully reducing risk or accepting risk without fully understanding it. That's not a security failure, it's a leadership and governance issue. In my experience, CISOs who recognize this dynamic are far better positioned to engage effectively with senior leadership by framing cybersecurity in business and risk terms, rather than in the technical minutiae of ones and zeros."
What this means for CEOs and COOs
As the managers of both roles, CEOs and COOs must recognize that cybersecurity is a "team sport."
- The CEO optimism bias: 49% of security leaders believe CEOs see them as strategic enablers, but that perception drops significantly when looking at the Board of Directors (31%) and Business Unit (BU) leaders (27%).
- The organizational friction: 36% of BU leaders view cybersecurity as a cost center, and 35% see it as a mere operational necessity.
Leadership takeaway: High-performing teams bridge these gaps through intentional collaboration. CEOs must move beyond siloed budget approvals and foster an environment where security and finance share a common risk-based language.
"At PEMCO, my CFO and I discovered that the NIST Cybersecurity Framework gave us a shared language," Boyle said. "It's designed to address cyber risk as a business problem, not just a technical issue. It requires a top-down approach led by executive leadership to ensure all aspects (people, processes, management, and technology) are considered and implemented. That's the 'team sport' model in practice: the framework forces security and finance to work from the same playbook instead of talking past each other."
Implications for the enterprise
The "disconnect" isn't just an interpersonal issue; it's a systemic risk.
- Investment uncertainty: 60% of security leaders are not fully confident that their organization's investments align with actual business risk exposure.
- Measurement immaturity: While 71% of security leaders think they are mature in measuring business impact, only 56% of finance leaders agree. This misalignment leads to wasted spend and unmitigated vulnerabilities.
"When security is done right, it doesn't slow the business down—it gives leadership the confidence to move faster. And to do that, you have to be able to connect with your CFO and COO through stories. Dashboards full of red, yellow, and green don't help a CFO," said Krista Arndt, Associate CISO at St. Luke's University Health Network. "Show me the probability of business interruption, the financial exposure, and how fast we can recover. Remember, at minimum, every security investment should answer one question: what business risk am I reducing, and by how much? And for the vendors who fail to articulate value in a way that a CISO can defend... if you can't help a CISO explain your product in CFO language, you're not selling security—you're selling noise."
Implications for cybersecurity vendors
Vendors competing for budget must shift their sales strategy to address this CISO-CFO dynamic.
- Sell outcomes, not features: If a vendor cannot help a CISO explain how a product protects revenue or ensures operational continuity, the CFO is likely to view it as "tool sprawl" rather than a strategic investment.
- Empower the CISO as a business leader: Tools that offer clear, business-centric reporting and risk-quantification features will win out over those that focus solely on technical indicators of compromise.
We asked some experts from the cybersecurity vendor community their thoughts on the CFO-CISO relationship topic.
Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, said:
- "This only further underscores the critical importance of establishing cyber risk committees with active participation from peer C-executives."
- "The cadence of the risk committee opens the door to enabling the business leaders to inform risk trade-offs, and to get involved personally in investment and risk acceptance decisions, further grounding business impacts to risks, whether treated or accepted."
- "Quarterly Business Reviews (QBRs) should not be the first time peer executives are briefed on program metrics, business impacts, and risk exposure lacking coverage."
- "I challenge CISOs to approach business leaders answering three questions—and to focus less on what they're telling them. Help their peer executives understand 'what do I need to know,' probably more importantly 'why do I care,' and have a clear ask addressing 'what do you need from me.'"
- "The alignment challenge many CISOs struggle with is helping peer executives understand the interdependent nature of the many controls we need for program outcomes. Helping address the honest question of 'how much is enough' requires the consensus of the risk committee—not the conviction of the CISO's expertise."
Shane Barney, CISO at Keeper Security, said:
"CISOs are being forced to get disciplined about where security dollars actually move the needle. That means prioritizing solutions that demonstrably reduce breach likelihood, shorten recovery time, or eliminate operational drag. If you can't explain in plain terms how a security investment saves money or avoids loss, finance will rightly question why it matters."
Agnidipta Sarkar, Chief Evangelist at ColorTokens, said:
- "This report validates what I have been evangelizing: security without business alignment is just technical theater. For the sake of collaboration, CISOs and CFOs need to agree to measure two parameters together. The first is the percentage of the business the CISO must invest to remain 'unaffected' when cyberattacks occur, and the second is the amount of dollars in material impact the CFO must tolerate should a cyberattack occur. While cybersecurity organizations sell 'features,' CISOs must remain focused on delivering strategic business outcomes that CFOs recognize as investments, not expenses. CISOs need not become financial experts, and neither do CFOs need to be cyber experts, but a heady mix of respect for each other helps the collaboration magic happen."
- "The Expel data proves what we've long known: the organizations that survive the next decade won't be those with the strongest firewalls, but those with the strongest CISO-CFO partnerships. We need future organizations to have breach-ready CISOs who understand the value of being prepared to keep the relevant parts of the organization 'unaffected,' and we need breach-ready CFOs who can determine and ensure that the right investments keep the material impact under control."
Rich Seiersen, Chief Risk Technology Officer at Qualys, said:
- "A major wildcard organizations must think about is the possibility of a systemic cyber event—a cloud outage, widespread supply-chain compromise, or high-impact ransomware wave that hits many insureds at the same time. An event like this could push the market into a sharper hardening cycle. Still, it's imperative to recognize that insurance pricing is shaped just as much by macroeconomic factors, such as interest rates, capital flows, and reinsurance pricing, as it is by cyber-specific incidents. Losses matter, but wider financial conditions often dominate the cycle."
- "This environment also influences how CISOs should think about cyber insurance as part of a coordinated risk-management strategy. Increasingly, CISOs are partnering with CFOs to treat cyber insurance not as a compliance checkbox but as one component of a broader risk-financing portfolio. With many organizations undergoing rapid digital and AI-driven transformation, this may be a perfect time to reassess the balance between risk transfer (insurance) and risk reduction (controls)."
- "There is meaningful opportunity here for forward-looking companies:
  - Firms with strong security postures can often secure more favorable coverage and larger limits without dramatically increasing cost.
  - Brokers and underwriters are actively looking for ways to differentiate good risks from poor ones, and software platforms that provide clearer visibility into controls and exposure can help insurers deploy capital more efficiently without damaging their loss ratios.
  - For buyers, this creates room to increase coverage economically during a softening cycle, while simultaneously improving resilience."
Gareth Lindahl-Wise, CISO at Ontinue, said:
- "Many CISOs are being asked to participate in more strategic business activities, which for many can be a steep and intensive learning curve. In reality, many of the existing responsibilities of a CISO are insufficiently optimized to a point where they don't require constant attention. A CISO must work at these to create the space to take on additional responsibilities."
- "For many years, CISOs have sat on issues which they either think won't get resolved or that management doesn't want to hear about. Personal accountability should drive those situations into the open, to the benefit of all in the end. The trick, of course, is navigating the potential political minefield to do that in the best way."