EXPEL BLOG

Cybersecurity ROI: why security leaders report what finance doesn’t want to see


· 5 MIN READ · BEN BAKER · FEB 6, 2026 · TAGS: leadership & management / Resource / Webinar

TL;DR 

  • This is the first in a multi-part series exploring key insights from our recent webinar, “A CISO’s guide to speaking CFO.”
  • The discussion, featuring a panel of Expel and non-Expel security and finance leaders, unpacked findings from our research surveying 300 security and finance leaders about working dynamics.
  • Throughout this series, we’ll examine the gaps, the language barriers, and most importantly, the practical solutions that can bridge them.

 

Security teams think they’re communicating progress. Finance teams aren’t getting the information they need to make decisions—especially when it comes to understanding cybersecurity ROI.

According to recent research we conducted surveying 300 security and finance leaders, most organizations report having good collaboration between their security and finance teams. But scratch beneath the surface, and you’ll find a troubling disconnect: Security leaders are reporting metrics that finance leaders don’t find useful, and sometimes actively dismiss.

The most striking example? Program maturity versus industry benchmarks—a metric security teams frequently report—ranked as the second least useful metric among finance leaders surveyed.

“There’s a language difference,” said Greg Notch, Chief Security Officer at Expel, during our recent webinar on the CISO-CFO relationship. “The way that security people, particularly ones with technical backgrounds, talk about problems and talk about solutions to problems looks very different than the way a finance person will talk about those things.”

 

Why maturity scores don’t demonstrate cybersecurity ROI

Security professionals understand why program maturity matters. Moving from “ad hoc” to “managed” to “optimized” represents real progress in how an organization handles threats. Industry frameworks like NIST CSF and CIS Controls provide structured paths for improving security capabilities, making maturity assessments valuable internal benchmarks.

But here’s the problem: Maturity scores don’t answer the questions finance leaders actually need answered.

When a CFO reviews budget requests, they’re making risk management decisions across the entire business, according to Notch. According to Raconteur, two-thirds of CFOs surveyed don’t fully understand the CISO role and struggle to see tangible return on cyber investment, which makes the translation challenge even more critical.

“CFOs are making risk management decisions all day long across the entire business,” Notch explained. “How much insurance should we buy? What’s my regulatory financial risk in this other environment? They’re making these risk calculus decisions in all different domains.”

Security needs to fit into that framework—not expect finance to learn an entirely new one.

 

What finance actually wants to see

Instead of maturity benchmarks, finance executives are looking for reporting that weighs the costs and coverage of security programs. They want to understand the cybersecurity ROI—what they’re getting for their investment.

During the webinar, Notch offered a formula that translates security work into finance’s language: “This is how much money I spend to deflect this amount of risk off the balance sheet.”

It mirrors how finance thinks about any other form of insurance or risk mitigation. What’s the premium? What’s the coverage? What’s the deductible? Security programs, in many respects, function as an insurance policy—and they should be discussed in similar terms.

Patrick Brodie, Executive Director and Head of Information Security Operations at Sumitomo Mitsui Banking Corporation (SMBC), emphasized the importance of understanding the business cycle. “You have to know your business. You can’t just plan things in a vacuum,” he said. “Understanding how they’re going about their budget planning process—I think that’s really key. And you should be able to tie your new investments to specific programs.”

Converting threats into estimated financial losses helps security leaders speak the board’s language, creating a shared framework for discussing acceptable risk levels and control priorities.

 

The operational metrics trap: when security metrics miss ROI

Security teams often report metrics they use to operate their function—mean time to respond, vulnerability counts, phishing test results. These metrics matter for running a security program, but they rarely translate to business impact in ways finance can act on.

“Cybersecurity kind of got stuck there,” Notch said. “Taking metrics that they should be using to operate their function and drive efficiency and quality of their function, and exposing it to people like, ‘Look, I’m doing stuff right. And, look, we’re making things better.’ But that often doesn’t align with where the business is.”

What the business needs to know: Are you going to let us go faster to ship a new product? What needs to be true for this to survive regulatory scrutiny? What are you doing to make sure our people can use AI safely?

These are business alignment questions. Everything else—the controls, the frameworks, the maturity levels—is an implementation detail.

Pierre Noel, Field CISO EMEA at Expel, pointed out that even well-known security standards focus on maturity rather than impact. “If you look at different standards, the well-known cybersecurity standards…they all speak about maturity. They don’t speak in terms of impact,” he said. “So there is almost a systemic disconnect, again, in the language and in representation of priorities.”

 

How to demonstrate cybersecurity ROI to finance leaders

The solution isn’t to stop tracking operational metrics—security teams need those to do their jobs effectively. The solution is to create a translation layer between what you measure internally and what you report externally.

Here’s how to start:

  1. Lead with business outcomes, not technical achievements

Instead of reporting blocked intrusion attempts, translate this into business impact, such as the percentage reduction in estimated financial risk due to mitigation efforts.

  2. Connect security investments to business initiatives

Brodie emphasized tying security work to specific business programs. “If there’s a new customer-facing application, and you’ve got something in your IAM program, you want to be able to tie it to that business initiative.”

  3. Quantify cybersecurity ROI in financial terms

Work to express likelihood and impact in dollar amounts. If you can’t provide precise figures, provide ranges. The goal is helping non-technical executives comprehend what cybersecurity risk means in broader financial and business terms.

  4. Use their risk management framework

According to PwC, only 47% of CISOs are involved in strategic planning with CFOs on cyber investments. Get involved earlier in the planning cycle, and learn how finance evaluates other forms of risk across the organization.

  5. Make it a two-way conversation

It’s not just about security learning finance’s language. Noel strongly advocated for bringing finance leaders into tabletop exercises so they can experience the stress and time pressure of security incidents firsthand.

“When you put them in front of an incident, and they realize that to solve that incident has nothing to do with technology, but you’ve got to make some quick decisions, and there is a financial impact—now they realize the seriousness and they are more keen to listen to us,” Noel explained.
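To make step 3 and Notch’s “how much money I spend to deflect this amount of risk” formula concrete, here is a worked example. It is added here as illustration and is not code from Expel, the webinar, or the research report. Every scenario name, probability range, dollar figure, and the hypothetical control (a 60% cut to phishing likelihood for a $120,000 annual spend) is constructed for the example, not taken from survey data. It samples likelihood and impact from ranges, which is exactly what the post recommends when precise figures are unavailable, and reports expected annual loss before and after a control, the percentage reduction in estimated financial risk (step 1), and risk deflected per dollar spent.

```python
"""Added example: expressing cyber risk as dollar ranges (not from the original post)."""
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskScenario:
    """One loss scenario with likelihood and impact given as ranges.

    Ranges follow the post's advice: when you cannot give a precise figure,
    give bounds. All values used below are constructed for illustration.
    """
    name: str
    likelihood_low: float   # annual probability the event occurs (lower bound)
    likelihood_high: float  # annual probability the event occurs (upper bound)
    impact_low: float       # loss per occurrence in dollars (lower bound)
    impact_high: float      # loss per occurrence in dollars (upper bound)


def simulate_annual_loss(scenarios, trials=20_000, seed=7):
    """Monte Carlo: for each simulated year, sample each scenario's likelihood
    and impact from its ranges and return the list of total annual losses."""
    rng = random.Random(seed)  # fixed seed so the report is reproducible
    totals = []
    for _ in range(trials):
        year_loss = 0.0
        for s in scenarios:
            p = rng.uniform(s.likelihood_low, s.likelihood_high)
            if rng.random() < p:  # the event happens in this simulated year
                year_loss += rng.uniform(s.impact_low, s.impact_high)
        totals.append(year_loss)
    return totals


def summarize(losses):
    """Mean plus median and 90th percentile: the range finance asked for."""
    ordered = sorted(losses)
    n = len(ordered)

    def percentile(q):
        return ordered[min(n - 1, int(q * n))]

    return {"mean": statistics.fmean(ordered),
            "p50": percentile(0.50),
            "p90": percentile(0.90)}


def apply_control(scenario, likelihood_reduction=0.0, impact_reduction=0.0):
    """Model a control as a fractional cut to likelihood and/or impact.
    A hypothetical simplification: real controls rarely act uniformly."""
    keep_l = 1.0 - likelihood_reduction
    keep_i = 1.0 - impact_reduction
    return replace(scenario,
                   likelihood_low=scenario.likelihood_low * keep_l,
                   likelihood_high=scenario.likelihood_high * keep_l,
                   impact_low=scenario.impact_low * keep_i,
                   impact_high=scenario.impact_high * keep_i)


def roi_report(before, after, annual_control_cost, trials=20_000, seed=7):
    """Translate 'before' vs 'after' scenario sets into finance terms:
    expected loss reduction (%) and risk deflected per dollar of spend."""
    b = summarize(simulate_annual_loss(before, trials, seed))
    a = summarize(simulate_annual_loss(after, trials, seed))
    deflected = b["mean"] - a["mean"]
    return {
        "expected_loss_before": b,
        "expected_loss_after": a,
        "risk_reduction_pct": 100.0 * deflected / b["mean"] if b["mean"] else 0.0,
        "annual_control_cost": annual_control_cost,
        "risk_deflected_per_dollar": deflected / annual_control_cost,
    }


# Constructed sample scenarios (hypothetical figures, not survey data).
SAMPLE_SCENARIOS = [
    RiskScenario("ransomware on file servers", 0.05, 0.15, 500_000, 3_000_000),
    RiskScenario("credential phishing leading to BEC", 0.20, 0.40, 50_000, 400_000),
]

if __name__ == "__main__":
    # Hypothetical control: phishing-resistant MFA cuts phishing likelihood by 60%.
    hardened = [SAMPLE_SCENARIOS[0],
                apply_control(SAMPLE_SCENARIOS[1], likelihood_reduction=0.6)]
    report = roi_report(SAMPLE_SCENARIOS, hardened, annual_control_cost=120_000)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The report deliberately carries a median and a 90th percentile alongside the mean: a CFO who buys insurance already thinks in terms of expected cost versus tail exposure, so presenting security spend the same way (this premium buys this reduction in expected and worst-case loss) puts the request in the framework finance already uses rather than asking them to learn maturity tiers.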

 

The cost of misalignment

When security and finance can’t communicate effectively, the consequences extend beyond budget frustration. Organizations may underfund critical security initiatives because leaders can’t articulate their value. Or they may overfund flashy but less effective controls because they sound more impressive than the boring fundamentals.

Our research found that CISOs who engage directly with CFOs—rather than only with directors of finance—report 63% higher alignment versus the overall average of 46%. The C-suite gap matters.

“You have to learn to speak the language of the people at the table,” Notch said. “You have to understand what they care about and align what you care about to what they care about.”

The metrics gap isn’t insurmountable. It just requires security leaders to step outside their technical comfort zone and learn how the business actually makes decisions—then translate their work into that context.

Your maturity score might be climbing. But if finance can’t see how that reduces business risk or enables business outcomes, you’re reporting to an empty room.

 

Want to dive deeper into building better security-finance relationships? Watch the full webinar or download our complete research report. In our next post, we’ll explore why good security is boring—and why that’s actually your best investment argument.