Security budgets are under more scrutiny than ever. While cybersecurity remains a board-level priority, the pressure to “do more with less” is intensifying, especially for CFOs balancing cost discipline with strategic investment.

On average, cybersecurity budgets grew just 4% in 2025, down from 8% the year before, a reflection of growing economic uncertainty and shifting C-suite priorities.

At the same time, AI is reshaping enterprise strategy, but not without concern. About three-quarters of finance leaders believe AI introduces security and privacy risks that could threaten their organization’s financial health. That risk-aversion could stall innovation, even as many CFOs view AI as a key driver of transformation in the years ahead.

Here is the opportunity: CFOs and chief information security officers have more in common than they think. Both are stewards of enterprise risk. Both are accountable to the board. And both are under mounting pressure to quantify results. When they align, cybersecurity evolves from a cost center into a competitive advantage, a lever for resilience, efficiency and performance.

CFO-CISO collaboration gap

Despite sharing responsibility for enterprise risk, CFOs and CISOs often do not collaborate effectively due to differences in language, metrics and perceived value.

Viewing cybersecurity as an ongoing cost only is not strategic. This is especially true when security investments are framed without clear ties to business outcomes or operational impact. Without quantifiable metrics that translate risk into financial terms — like how each dollar spent reduces business disruption, improves uptime, or avoids regulatory and reputational costs — CFOs are left with little to justify increased or sustained spend.

CISOs must move beyond technical jargon and translate cyber risk into metrics that matter to the CFO. At the same time, CFOs must also evolve to see cybersecurity as more than protection; it is resilience.

A useful shift is to evaluate cybersecurity investments through a “value per dollar” lens — how much risk is being mitigated relative to what’s being spent. This allows finance leaders to compare security decisions with other business initiatives using familiar ROI frameworks.

Many Fortune 500 organizations are already treating security as a strategic advantage and backing it with data their CFO can take to the board. By managing residual risk to a mature level and showing an impressive value-per-dollar ratio, they have shown how cybersecurity investments can yield measurable business outcomes.

A 5-step playbook for CFO–CISO alignment

The following are five keys for improving CFO-CISO partnerships: 

1. Speak a common language. CISOs must translate cybersecurity into financial terms (cost per incident, risk reduction ROI, and operational impact) while CFOs should understand that not all security value is immediate or visible.
2. Define shared KPIs. Metrics like “mean time to respond,” “cost per threat mitigated,” or “coverage of critical assets” create accountability and alignment across both teams.
3. Prioritize consolidation projects. Work together to identify overlapping tools and vendor sprawl. Consolidation can free up budget and improve visibility, a win for both finance and security.
4. Quantify residual risk. Frame cybersecurity investments in terms of how much risk they reduce relative to board-approved thresholds. This helps justify spending with measurable impact.
5. Plan for the long game. Do not just budget for compliance. Invest in capabilities, like automation and AI, that scale with the business and reduce long-term costs.

CFO-CISO alignment should be seen as a competitive advantage. As financial pressure and cyber risk rise in parallel, organizations must treat cybersecurity as a strategic investment, not just an ongoing cost. The path forward is clear: partner, translate risk into value, and invest in cybersecurity that delivers measurable dividends.