Dive Brief:

• CFOs and chief information security officers are significantly misaligned when it comes to cybersecurity investment goals and priorities, a survey by cybersecurity firm Expel found.
• The breakdown revolves around metric and decision-making mismatches, according to the report released this month. Security leaders typically make decisions based on industry best practices, compliance requirements and ease of integration, while finance chiefs zero in on areas such as cost avoidance and risk reduction.
• “Rather than doubling down on metrics that their counterparts don’t value or can’t understand, CISOs and CFOs can both benefit from educating their counterparts,” the report said. “By bridging the knowledge gap, finance and security leaders work toward better alignment, clearer communication, and more strategic cybersecurity investments.”

Dive Insight:

The findings come as escalating threats are heightening pressure on organizations to make strategic cybersecurity investments, Expel said.

Cyberattacks are expected to surge this year as criminals continue exploring ways to capitalize on advancements in artificial intelligence.

“Now, new AI-driven threat vectors stand to increase the scope, frequency and cost of data breaches,” global information services firm Experian said in its 2026 data breach forecast report.

As cyber threats become more sophisticated and the financial impact of breaches rises, CFOs are taking a more proactive role in cybersecurity strategy and investment decisions, Jack McCullough, president and founder of the CFO Leadership Council, said in a recent blog post. 

“This extends beyond just approving budgets — it involves understanding the business continuity implications and ensuring the organization is adequately protected,” he said. “Success depends on collaborating with CISOs and IT leaders to translate technical risks into business language for boards and investors, maintaining transparency about vulnerabilities and incident response capabilities, and being agile in responding to emerging threats.”

Security and finance leaders report excellent collaboration, with 74% and 68%, respectively, saying they work together early and often, according to Expel’s report. Yet the research exposed disconnects.

Security leaders said they encounter obstacles including limited understanding of cybersecurity risk when trying to obtain funding from finance. Finance leaders, meanwhile, indicated they want specific, measurable data before approving cybersecurity investments, with 40% saying that quantified risk reduction would make it easier to justify a spending hike.

More than four in 10 finance executives said better translation of technical risk into financial terms would help improve collaboration between the two teams.

To get on the same page, the teams have to learn to speak the same language, according to Expel.

“This may require security leaders to translate metrics into measurements that resonate with finance leaders,” the report said. “For example, ‘ease of integration’ might turn into a time- or cost-based metric while ‘meeting compliance requirements’ might translate into avoiding fines.”

The report was based on a survey of 136 cybersecurity leaders and 164 finance executives, Expel said.