Cybersecurity ROI: Attackers benefit from security & finance misalignment

By Ben Baker

March 13, 2026  •  6 minute read




This is the third and final blog in a multi-part series exploring key insights from our recent webinar A CISO’s guide to speaking CFO. Here are parts one and two of the series. The discussion, featuring security and finance leaders from Expel and SMBC, unpacked findings from our research surveying 300 CISOs and CFOs about the security-finance relationship.


TL;DR

  • The communication gap between finance and security isn’t just an internal problem—it can turn into a security risk
  • Expel’s 2026 Annual Threat Report and CISO-CFO disconnect report show how and why this is happening
  • The reports together tell a compelling story, but also provide support in fixing this gap


Security leaders and CFOs say they collaborate. They say they’re aligned. They say they meet regularly and share the same priorities.

So why are identity-based attacks still succeeding at scale—in most cases, because basic controls were never fully funded or deployed?

Two research reports published by Expel in early 2026 answer that question. Read separately, each is valuable. Read together, they expose something the industry has been reluctant to say plainly: the communication gap between security and finance isn’t a soft problem. It’s a security risk.


What nearly a million alerts reveal about preventable breaches

Expel’s 2026 Annual Threat Report draws on close to a million alerts triaged by our SOC across our entire customer base in 2025. The findings don’t point to a new generation of sophisticated threats. They point to the same exploitable gaps, successfully exploited again.

James Shank, Expel’s Director of Threat Operations, puts it plainly: the attacks succeeding today “aren’t new, they’re not novel, they’re not even terribly sophisticated or interesting. They’re just hitting the gaps where the technology hasn’t been deployed to solve the problem.”

68.6% of all incidents were identity-based—attackers using stolen credentials or hijacked authentication tokens to access accounts through legitimate means. Nearly half of those incidents (47.7%) resulted in successful account access. Not because defenders lacked the tools to stop them, but because controls like MFA weren’t fully deployed or properly configured.

Where those controls were enforced, they worked. More than half of credential-based identity attacks failed on contact with properly implemented security measures. The tools existed. The investment decisions to deploy them fully—and maintain them rigorously—often didn’t follow through. As Shank observes, “the security industry has responded to the specific threat already by positioning technology solutions targeting the exact elements that the attacks are using—but for whatever reason, the solutions are not in play in the environment that the attackers are hitting.”

Cloud infrastructure, while only 2.5% of incident volume, carries consequences that far outweigh its statistical share. A single cloud compromise—through misconfiguration, exposed secrets, or unpatched vulnerabilities—can cascade into organizational disruption at a scale that no other incident type can match so quickly.

The throughline across all three attack surfaces: the threat landscape isn’t primarily winning through innovation. It’s winning through persistence against known, underfunded gaps.


The investment gap behind the security gap

This is where another one of our reports becomes essential context.

The CISO-CFO disconnect study surveyed 300 executive leaders—136 security decision-makers and 164 finance leaders—about how the two functions collaborate on cybersecurity investment. On the surface, the results look encouraging. Nearly three-quarters of security leaders say they work with finance early and often. Most finance leaders report the same.

But beneath that surface, the confidence numbers tell a different story.

Only 52% of finance leaders say they’re very confident their security team can communicate business impact clearly. Just 40% are very confident security can align with business strategy. A mere 43% trust security to prioritize investments based on actual risk.

These aren’t abstract perception scores. They directly affect how budget requests get evaluated. When a CFO isn’t confident that a security team can connect its investment asks to business outcomes, those requests compete poorly against other organizational priorities—regardless of how real or urgent the underlying risks are.


The metrics no one aligned on

Part of the problem is structural. Security and finance aren’t just using different languages, they’re operating in entirely different measurement frameworks.

When security teams report to finance, they typically lead with security program maturity levels, number of threats blocked, and incident response metrics. When finance evaluates the ROI of security investments, they model cost avoidance, risk reduction, and business continuity impact. Only 15% of finance leaders say they rely on the security team’s own metrics when assessing ROI. Security program maturity—one of security’s most commonly reported measures—ranked near the bottom of what finance finds useful.

Meanwhile, finance leaders said the metrics they actually want are strategic alignment with enterprise goals, investment efficiency (cost versus coverage), and potential financial loss avoided. These aren’t exotic demands. They’re the same frameworks finance applies to every other capital investment decision. Security just isn’t consistently delivering them.


The level problem

There’s also an engagement gap that compounds the metrics gap. Most security-finance collaboration isn’t happening at the right organizational level.

Only 22% of finance leaders regularly engage with their CISO. Nearly half (49%) interact primarily with directors of cybersecurity. The security side mirrors this: just 24% of security leaders regularly collaborate with their CFO.

The data shows exactly why this matters. Security leaders who engage directly with CFOs report significantly higher alignment. 63% describe their finance relationship as “very aligned,” compared to 46% among those who work primarily with directors. Finance leaders who engage with CISOs are far more likely to view cybersecurity as a core strategic driver rather than a cost center.

Director-level coordination during budget cycles produces operational outcomes. C-suite engagement produces strategic alignment. These are not the same thing, and the difference shows up in how investment decisions get made.


Connecting the two reports: Why this matters right now

Read together, these two datasets describe a self-reinforcing problem.

Attacks succeed when foundational controls—MFA, configuration management, timely patching—aren’t fully deployed. Those controls aren’t fully deployed, in part, because security leaders struggle to make the case for sustained investment in the language finance actually uses to evaluate risk. Finance, operating with limited confidence in security’s ability to quantify impact and align with business strategy, allocates resources cautiously. The gaps persist. The attacks succeed.

This cycle isn’t broken by better threat detection alone. It’s broken when security leaders learn to translate operational risk into financial terms—and when organizations build the cross-functional relationships that make those conversations productive.


Frameworks for breaking the cycle

Both reports, taken together, point toward the same set of practical shifts.

  1. Ground investment conversations in financial exposure, not security metrics. The threat data provides the raw material: identity attacks dominate, endpoint techniques are well-documented, cloud misconfigurations carry outsized risk. Translate each category into expected financial impact—potential downtime cost, breach recovery expense, regulatory exposure—and show specifically how proposed investments reduce that number. This is the ROI language finance already uses.
  2. Report what finance evaluates, not what security produces. Stop leading budget conversations with maturity scores and detection counts. Lead with cost avoidance, potential financial loss prevented, and business continuity protected. The threat intelligence report gives concrete data points to build these estimates, including the financial value of faster detection and earlier intervention in the attack lifecycle.
  3. Elevate the relationship, not just the ask. Push for regular C-suite engagement beyond annual budget cycles. A standing monthly conversation between a CISO and a CFO—focused on business risk, not tactical spending—builds the trust and context that makes investment decisions more straightforward. The data on alignment outcomes at the C-suite level makes a compelling case for prioritizing this.
  4. Shift the narrative from prevention to resilience. Finance responds poorly to requests framed around preventing all attacks because sophisticated finance leaders know that’s not achievable. They respond well to resilience framing: how quickly can the organization detect, contain, and recover while keeping revenue-generating operations intact?
  5. Use external research to validate internal priorities. When a CISO cites internal risk assessments, a CFO may view that as advocacy. When a CISO presents findings from independent research across thousands of organizations, showing that identity controls are the most common point of failure and that early detection measurably reduces financial impact, that’s evidence-based decision-making.
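Steps 1 and 2 above amount to a small quantitative model: estimate the expected annual loss of each attack category, estimate how much a proposed control reduces it, and compare the loss avoided with the control’s cost. The following is an added example of that translation, not code from Expel or from the reports; every figure in it (attempt counts, success probabilities, per-incident losses, the MFA rollout cost and its 50% reduction) is a constructed placeholder that a real budget request would replace with the organization’s own numbers.

```python
"""Translate attack categories into financial exposure and a return on
security investment (ROSI) figure.

Added illustration; all inputs below are constructed, not measured.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    annual_attempts: float      # expected attack attempts per year (constructed)
    p_success: float            # probability an attempt becomes an incident
    loss_per_incident: float    # downtime + recovery + regulatory exposure, USD


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # scenario name -> fraction of successful incidents the control prevents;
    # scenarios not listed are unaffected (e.g. MFA does not fix a cloud misconfig)
    reductions: dict


def annual_loss_expectancy(s: RiskScenario) -> float:
    """Classic ALE: attempts x success probability x loss per incident."""
    return s.annual_attempts * s.p_success * s.loss_per_incident


def residual_loss(s: RiskScenario, c: Control) -> float:
    """ALE remaining after the control is deployed for this scenario."""
    return annual_loss_expectancy(s) * (1.0 - c.reductions.get(s.name, 0.0))


def loss_avoided(scenarios, c: Control) -> float:
    """Total expected annual loss the control removes across all scenarios."""
    return sum(annual_loss_expectancy(s) - residual_loss(s, c) for s in scenarios)


def rosi(scenarios, c: Control) -> float:
    """Return on security investment: (loss avoided - cost) / cost."""
    if c.annual_cost <= 0:
        raise ValueError("control cost must be positive to compute ROSI")
    return (loss_avoided(scenarios, c) - c.annual_cost) / c.annual_cost


def budget_summary(scenarios, c: Control) -> list:
    """Per-scenario rows in the terms finance evaluates: exposure before,
    exposure after, and loss avoided. Returned as data so it can be tabulated."""
    rows = []
    for s in scenarios:
        ale = annual_loss_expectancy(s)
        res = residual_loss(s, c)
        rows.append({"scenario": s.name, "ale": ale,
                     "residual": res, "avoided": ale - res})
    return rows


# Constructed scenarios. The shape mirrors the article's categories (identity
# attacks frequent, cloud compromises rare but costly); the numbers are made up.
SCENARIOS = [
    RiskScenario("identity", annual_attempts=20, p_success=0.5,
                 loss_per_incident=200_000.0),
    RiskScenario("cloud", annual_attempts=2, p_success=0.25,
                 loss_per_incident=1_500_000.0),
]

# Hypothetical proposal: finish the MFA rollout, cutting successful
# identity incidents in half; it does nothing for the cloud scenario.
MFA_ROLLOUT = Control("complete MFA rollout", annual_cost=300_000.0,
                      reductions={"identity": 0.5})


if __name__ == "__main__":
    for row in budget_summary(SCENARIOS, MFA_ROLLOUT):
        print(f"{row['scenario']:<10} exposure ${row['ale']:>12,.0f}"
              f"  after ${row['residual']:>12,.0f}"
              f"  avoided ${row['avoided']:>12,.0f}")
    print(f"ROSI for {MFA_ROLLOUT.name}: {rosi(SCENARIOS, MFA_ROLLOUT):.2f}x")
```

The point of separating `reductions` by scenario is honesty in the ask: a control that closes the identity gap leaves the cloud exposure untouched, and the summary shows that rather than hiding it behind a single aggregate. The same structure lets a CISO present two or three candidate controls side by side in cost-versus-coverage terms, which is the comparison finance leaders in the survey said they actually want.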


And when it comes to the fundamentals, Shank’s advice is direct: “focus on the fundamentals. And when you get the fundamentals done, start over and audit them again.” He’s seen it firsthand. “Very basic attacks succeeding across even some of the most sophisticated and the most enabled security teams.” The answer isn’t more sophisticated tooling. It’s discipline and consistency. As Shank puts it: “Stay vigilant…keep doing the things that you know are going to deliver value.”

The 2026 threat landscape isn’t primarily an adversary innovation story. It’s a prioritization story. The attacks that succeeded last year largely exploited known gaps in controls that organizations understood but hadn’t fully funded or maintained.

Fixing that requires more than better technology. It requires security leaders who can make the financial case for foundational investments—and finance leaders who have enough visibility into the threat environment to evaluate that case accurately.

The language barrier is real. But unlike most things in cybersecurity, it’s entirely fixable with the right frameworks, the right relationships, and the willingness to meet the other side where they are.

You can start now with the 2026 threat intelligence report (where you’ll also find James Shank’s full interview) and the CISO-CFO disconnect report.