EXPEL BLOG

The quarterly meeting trap: why security and finance think they’re aligned (but aren’t)


· 4 MIN READ · SCOUT SCHOLES · JAN 22, 2026 · TAGS: leadership & management

Expel’s latest research, The CISO-CFO disconnect: Why security and finance struggle to align on security investment, is a survey of 300 senior-level security and financial professionals. To learn more, download the full report.


Here’s something that should worry every CISO: 74% of security leaders say they collaborate with finance early and often on cybersecurity matters. Finance agrees—68% say the same thing about working with security.

Sounds great, right? Except when you dig into what’s actually happening in these conversations, you find something troubling. Despite all this reported collaboration, finance leaders indicate notably lower confidence in security’s core business capabilities; only 52% are very confident that security can communicate business impact clearly. Just 48% are very confident security can protect the organization from major cyber events. And a mere 40% are very confident security can align with business strategy.

It’s what we call the collaboration paradox: teams meet regularly, claim to work together effectively, yet remain fundamentally frustrated with each other.

The problem? They’re meeting at the wrong level and discussing the wrong things.

 

Meeting quarterly isn’t the same as being aligned

Our recent research—a study of 300 executive leaders and decision-makers across cybersecurity and finance—reveals a structural problem that goes beyond communication style or personality conflicts.

Nearly half of finance leaders (49%) say they only meet with security leadership quarterly to discuss cybersecurity strategy or investment. Another 16% meet just annually. And most of those meetings aren’t even happening between C-suite peers.

Only 22% of finance leaders regularly engage with their CISO. The majority interact primarily (and only) with directors. On the flip side, just 24% of security leaders regularly collaborate with their CFO, while 41% work mainly with directors.

This matters more than you might think.

According to our research, 63% of security leaders who primarily interact with CFOs report having “very aligned” relationships with finance, compared to just 46% overall. Finance leaders who work directly with CISOs are 72% more likely to view cybersecurity as a core strategic driver for business planning, versus 55% overall.

Director-level coordination during budget cycles isn’t strategic alignment. It’s tactical negotiation.

 

What security reports vs. what finance actually needs

Let’s be real—the problem isn’t that security and finance don’t talk enough. But when they do talk, they’re operating in completely different frameworks (hence the resemblance to a negotiation, not alignment).

When we asked security leaders what metrics they report to finance or executive leadership, they cited: 

  • Business impact of actual security incidents 
  • Cost of control versus potential losses 
  • Security program maturity level 
  • Risk reduction score 

Finance leaders say those aren’t the metrics they need to make strategic decisions. In fact, program maturity level versus industry benchmarks is the second least popular metric among finance leaders.

So what does finance actually want to see? 

  • Strategic alignment with enterprise goals 
  • Investment efficiency measured as cost versus coverage
  • Potential financial loss avoided 
  • Audit readiness 
  • Time savings from less manual alert review 

We’re spending energy on reports our stakeholders don’t find valuable for decision-making. Instead of falling back on maturity metrics, leaders need to communicate in the language of risk. 

 

Finance isn’t saying security is too expensive (no, seriously)

When reviewing cybersecurity budget requests, finance leaders’ top concerns center on high costs (55%), inability to quantify return or risk (47%), insufficient visibility into performance (45%), and lack of clear business alignment (42%).

Notice that three of the top four concerns are about measurement and communication, not about the actual cost of security. Finance isn’t saying security is too expensive. They’re saying they can’t make informed decisions with the information they’re receiving.

When we asked what would make it easier for finance to justify increased security budgets, the most common responses were quantified risk reduction (40%), improved reporting and transparency (38%), and benchmarked security performance (35%).

These aren’t impossible demands. They’re reasonable requests for the kinds of data that finance teams use to evaluate every other business investment.

 

There’s still hope 

Despite the misalignments, there’s reason for optimism. When we asked finance leaders what would improve collaboration, more than half cited clearer business cases for security investments, and nearly as many said training or education to bridge knowledge gaps.

They’re not asking for the impossible. They’re asking for translation.

And the vast majority of both security and finance leaders expect cybersecurity budgets to increase over the next 12 months. The resources are there. The business case for security has never been stronger. What’s missing is the shared framework for making investment decisions.

 

Three things you can do this month

Push for C-suite engagement. Not annual budget reviews—regular strategic conversations with your CFO. Make it a standing monthly meeting focused on business context, not tactical spending discussions.

Translate your top three security initiatives into cost avoidance metrics. Take your major projects and work backward: if faster detection prevents X hours of downtime, and your organization’s revenue-per-hour is Y, that’s Z dollars of potential loss avoided. Finance understands this math.

Ask your CFO which three business metrics they care most about. Then map your security outcomes to those specific metrics. If they care about customer retention, show how your incident response capabilities protect customer trust. If they care about operational efficiency, show the time savings from automation.

The gap between security and finance isn’t about conflicting priorities. It’s about communication frameworks, measurement approaches, and organizational dynamics. These are structural problems, which means they have structural solutions.

The language barrier is fixable. It just requires both sides to commit to the work—and for security leaders to take the first step in meeting finance where they are.

Want the full picture? Download our complete research report with data from 300 executive leaders on how security and finance teams can bridge the alignment gap.