The Security-Finance Disconnect That Costs More Than Breaches

Cyber threats are intensifying, and enterprise security budgets are growing in response. But the real pressure point lies in the increasingly critical relationship between cybersecurity and financial leadership.

CFOs are taking on more responsibility for enterprise risk and investment decisions, which puts new pressure on CISOs to justify security spending in terms that reflect business impact and financial return.

Although the two functions often share objectives, a fundamental disconnect still separates how they define success and communicate value.

Expel’s 2025 study, based on responses from 300 senior finance and security leaders, reveals that while collaboration is common, alignment often lacks depth. Ongoing misunderstandings continue to slow decision-making and prevent both sides from working toward unified outcomes.

The research makes clear that progress depends on redefining how value is measured and how priorities are set between teams.

Why It Matters: Cybersecurity helps protect operations and keeps the business running during disruptions. When CISOs and CFOs do not agree on how value is defined and measured, progress slows and risk becomes harder to manage. A stronger connection between these roles is necessary to maintain long-term resilience.

• Alignment Lacks Depth: While 88% of CISOs believe their priorities reflect business goals and 55% of CFOs see cybersecurity as important to the business, confidence fades beyond that point. Only 40% of finance leaders say they are very confident in security’s ability to align with business strategy or deliver cost-effective outcomes. This suggests that although intent is aligned, faith in execution remains limited.

• Metrics Do Not Translate: Security teams often report metrics like threat volumes, program maturity, and compliance readiness. While these are meaningful within the security function, they rarely support the kind of financial decision-making CFOs require. Instead, 54% of finance leaders want reports that tie directly to enterprise goals, and 50% are looking for investment efficiency. When only 15% of CISOs define financial loss as an unacceptable risk, it reinforces the view that security is a cost center rather than a driver of value.

• Collaboration Happens, But Rarely at the Right Level: A majority of leaders on both sides report regular collaboration, with 74% of CISOs and 68% of CFOs saying they engage early and often. Most of these interactions take place at the director level, which makes it harder to set shared direction. CISOs who work directly with CFOs report stronger alignment, with 63% saying finance is very aligned with their goals, compared to 46% overall. Still, only 24% of CISOs and 22% of CFOs say they collaborate consistently at the executive level, which limits the potential for lasting progress.

• Measurement Gaps Create Stalemates: 55% of CFOs cite high upfront or ongoing costs as a barrier to approving cybersecurity budgets. 47% say they lack clear return or risk quantification. On the other side, 56% of CISOs struggle with competing budget priorities and 49% say finance has a limited understanding of cyber risk. Both functions are trying to make decisions using different definitions of value.

• Security Needs a Business Frame: The report describes a way to close the gap by translating technical risk into financial terms and connecting investments more directly to resilience and continuity. CFOs say quantified risk reduction and clearer reporting would make it easier to support larger budgets, while CISOs need to keep the conversation grounded in business outcomes rather than security mechanics.

Go Deeper -> New research reveals the “language barrier” holding back cybersecurity investment – Expel