EXPEL BLOG

New research reveals the “language barrier” holding back cybersecurity investment


· 4 MIN READ · GREG NOTCH · JAN 13, 2026

Security and finance leaders both say they’re aligned on cybersecurity priorities. However, our new research—The CISO-CFO Disconnect: Why security and finance struggle to align on security investment—reveals why budget and investment conversations often stall out. We surveyed 300 senior-level security and finance professionals to uncover where collaboration breaks down and what it takes to bridge the gap.

I’ve spent years working in security, and I’ve learned that protecting an organization isn’t just about managing risk—it’s about building relationships. One of the most critical relationships? The one between security and finance leadership.

Today, we’re releasing new research that reveals a fundamental problem: CISOs and CFOs think they’re aligned, but when you dig into the data, they’re often speaking completely different languages.

After reviewing hundreds of survey responses from security and finance leaders, three findings jumped out at me—not just because they confirm what I’ve suspected, but because they point to specific, fixable problems that are holding back cybersecurity programs across the industry.

Finding #1: We’re reporting metrics that finance doesn’t actually need

Here’s the disconnect that frustrated me most: Security leaders are diligently reporting on program maturity levels, while finance leaders rank maturity versus industry benchmarks as their second-least useful metric for understanding cybersecurity value.

Meanwhile, 54% of finance leaders say they actually need to see strategic alignment with enterprise goals, and 50% want investment efficiency metrics. But that’s not what we’re giving them.

This isn’t finance being difficult. It’s security failing to translate its outcomes into business value. Measuring security ROI is genuinely hard. But here’s the thing: finance teams work with uncertainty all the time. They understand models and ranges. What they don’t tolerate is hand-waving or security teams who can’t explain their assumptions.

Instead of falling back on maturity metrics, leaders need to communicate in the language of risk. The calculation starts with two inputs: the percentage likelihood that you’ll have a breach, and the cost of that breach. From there, you can state that an investment costing a given dollar amount will likely lower your likelihood of a breach by a given number of percentage points. With that information, finance can decide whether that trade is one the business is willing to take on.

That’s a conversation finance understands. And it’s the conversation we should be having.
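To make that calculation concrete, here is an added worked example (mine, not part of the Expel report or the post) that turns the likelihood-times-cost reasoning above into a small expected-loss model. Every input is a constructed assumption: the ransomware scenario, its 20% annual likelihood, the $1.5M–$4M cost range, and a hypothetical control costing $300k per year that removes 8 percentage points of likelihood. Costs are carried as a low/high range rather than a single number because, as the post notes, finance teams are comfortable with ranges but not with unexplained assumptions.

```python
"""Worked example: stating a security investment in the language of risk.

All figures below are constructed for illustration; they are not data from
the Expel report. The model is expected loss = annual likelihood x cost,
with cost carried as a low/high range so every assumption stays visible.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BreachScenario:
    name: str
    annual_probability: float   # likelihood the breach happens in a given year (0..1)
    cost_low: float             # low end of the estimated cost if it happens
    cost_high: float            # high end of the estimated cost if it happens

    def expected_annual_loss(self) -> tuple[float, float]:
        """Expected annual loss as a (low, high) range: likelihood times cost."""
        return (self.annual_probability * self.cost_low,
                self.annual_probability * self.cost_high)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float          # what the investment costs per year
    # Assumption: the control removes this many percentage points of annual
    # likelihood (absolute reduction, e.g. 0.08 takes 20% down to 12%).
    likelihood_reduction: float


def money(value: float) -> float:
    """Round a dollar figure to cents so results compare cleanly."""
    return round(value, 2)


def evaluate(scenario: BreachScenario, control: Control) -> dict:
    """Produce the figures a CFO-level business case needs, all as ranges."""
    p_before = scenario.annual_probability
    # A control cannot push likelihood below zero.
    p_after = max(0.0, p_before - control.likelihood_reduction)
    reduced = BreachScenario(scenario.name, p_after,
                             scenario.cost_low, scenario.cost_high)

    before = scenario.expected_annual_loss()
    after = reduced.expected_annual_loss()
    # Loss avoided per year is the drop in expected loss, low and high.
    avoided = tuple(b - a for b, a in zip(before, after))
    # Net benefit subtracts what the control itself costs.
    net = tuple(a - control.annual_cost for a in avoided)
    # Return on security investment: net benefit relative to cost.
    rosi = tuple(n / control.annual_cost for n in net)
    # Break-even: the breach cost at which the control exactly pays for itself.
    points_removed = p_before - p_after
    breakeven = (control.annual_cost / points_removed
                 if points_removed > 0 else float("inf"))

    return {
        "scenario": scenario.name,
        "control": control.name,
        "likelihood_before": round(p_before, 4),
        "likelihood_after": round(p_after, 4),
        "expected_loss_before": tuple(money(v) for v in before),
        "expected_loss_after": tuple(money(v) for v in after),
        "avoided_loss": tuple(money(v) for v in avoided),
        "net_benefit": tuple(money(v) for v in net),
        "rosi": tuple(round(r, 3) for r in rosi),
        "breakeven_breach_cost": money(breakeven),
    }


def business_case(result: dict) -> str:
    """One-paragraph summary in the terms finance uses (constructed wording)."""
    lo, hi = result["net_benefit"]
    return (f"{result['control']} against {result['scenario']}: likelihood "
            f"{result['likelihood_before']:.0%} -> {result['likelihood_after']:.0%}; "
            f"expected annual loss falls by ${result['avoided_loss'][0]:,.0f} to "
            f"${result['avoided_loss'][1]:,.0f}; net benefit ${lo:,.0f} to ${hi:,.0f} "
            f"per year; pays for itself if a breach would cost more than "
            f"${result['breakeven_breach_cost']:,.0f}.")


# Constructed sample inputs (hypothetical, not from the report).
RANSOMWARE = BreachScenario("ransomware outage", annual_probability=0.20,
                            cost_low=1_500_000, cost_high=4_000_000)
MDR_CONTROL = Control("managed detection and response", annual_cost=300_000,
                      likelihood_reduction=0.08)

if __name__ == "__main__":
    print(business_case(evaluate(RANSOMWARE, MDR_CONTROL)))
```

With these assumed numbers the case is negative at the low end of the cost range and barely positive at the high end, which is exactly the kind of result worth putting in front of a CFO: the argument then moves to whether the $1.5M–$4M cost range and the 8-point reduction are credible, not to whether security can explain itself. The break-even figure ($3.75M here) gives finance a single threshold to reason about: the control is worth funding if they believe a breach would cost more than that.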

Finding #2: Security leaders don’t define risk the way CFOs do

When we asked security leaders to define “unacceptable risk” for the board or CFO, financial loss came in dead last at just 15%. Legal/compliance risk and loss of customer trust topped the list at 24% each.

Think about that for a moment. We’re going to the CFO—the Chief Financial Officer—and we’re not leading with financial impact.

Is it any surprise that 38% of security leaders think CFOs perceive cybersecurity as merely a cost center rather than a strategic enabler?

The real issue isn’t that finance sees security as a cost center—at the end of the day, security is in many ways a cost center. The real issue is that too many security leaders haven’t learned to articulate value in terms finance understands. Security leaders should spend their time showing how that cost translates to business protection. Finance teams make cost-benefit decisions all day long. They’re not afraid of costs; they’re afraid of costs they can’t quantify or understand.

These days, security needs to think of risk in terms of business resilience. For a while, breach prevention was the goal. Now, everyone accepts that breaches are inevitable. The trick is determining how to keep the business going post-breach while the breach is being remediated. This shift changes the conversation with finance entirely. Instead of asking for budget to prevent all attacks—which is impossible—security has to ask for investments in resilience that have a clear ROI.

Finding #3: Director-level collaboration isn’t enough

Here’s a finding that should make every CISO rethink their calendar: Only 24% of security leaders regularly engage with CFOs. Most are talking to Directors of Finance instead.

The data shows exactly what this costs us. Security leaders who primarily interact with CFOs report 63% “very aligned” relationships with finance, compared to just 46% overall. That’s a 17-point difference—and it matters when you’re trying to secure budget.

Yet nearly half of finance leaders only meet with security leadership quarterly, and 16% meet just annually.

Cybersecurity is a team sport, and it’s a game of inches—not yards. The most successful security programs aren’t built by CISOs working in isolation or CFOs approving budgets without context. But we’re not going to get there through director-level coordination alone.

Be extremely crisp on the metrics that matter to the business. It’s about identifying the three to five business outcomes that actually matter to the organization—revenue protection, operational continuity, customer trust, etc.—and relentlessly connecting every security initiative back to those outcomes. If you can’t draw a clear line from a security investment to a business metric that matters, you probably shouldn’t be making that investment.

And here’s the thing: you need to be making that case directly to the CFO, not through intermediaries.

The language barrier is fixable

What gives me hope about this research is that both teams already know what needs to happen. When we asked finance leaders what would improve collaboration, 51% said clearer business cases for security investments, and 46% said training or education to bridge knowledge gaps.

They’re not asking for the impossible. They’re asking us to speak their language.

Cybersecurity needs to learn to speak in the language of the business. And finance is the lingua franca of the boardroom. Everyone needs to learn to speak in the terms that finance uses—impact to the bottom line, risk of business disruption, and so on.

The gap between security and finance isn’t about conflicting priorities. It’s about translation. And that’s something we can fix.

Download the full report to see all the data, including detailed frameworks for translating security metrics into financial terms, practical tips for improving CISO-CFO collaboration, and insights from 300 security and finance leaders about what’s really holding back cybersecurity investment.

Greg Notch serves as Chief Security Officer at Expel, where he brings over 25 years of cybersecurity and technology leadership to delivering secure, seamless outcomes for customers. Before joining Expel, Greg spent 15 years at the National Hockey League (NHL), where he played a transformative role in modernizing the league’s technology and security operations. Beyond his corporate roles, Greg’s a frequent speaker at security industry events, a guest on popular media and vendor podcasts, and contributes to leading security publications as a freelance writer.