Dive Brief:
- Most organizations still treat cybersecurity as an information technology concern, giving little weight to finance and other considerations, according to a recent study commissioned by cybersecurity firm Qualys.
- Less than a quarter (22%) of companies include finance teams in their cybersecurity risk discussions, according to the research. While 49% of respondents said their organizations have established formal cybersecurity risk programs, only 30% reported that such programs are prioritized based on business objectives.
- “Security programs that fail to align with operational, financial, and regulatory stakes are simply ineffective,” Mayuresh Ektare, vice president of product management at Qualys, said in a blog post on the research.
Dive Insight:
Nearly three-quarters (71%) of organizations believe their cyber risk levels are rising or holding steady, suggesting that many security investments are failing to move the needle, according to the blog post. Qualys found that just 14% of organizations use a cyber-risk approach that ties integrated risk scenarios to financial measurements.
“[I]t’s clear that throwing more money at tools or talent won’t move the needle unless the organization has a risk-centric operating model that prioritizes business context, continuously assesses controls, and communicates risk in business terms,” Ektare said.
The FBI’s Internet Crime Complaint Center received 859,532 complaints of suspected internet crime in 2024, with reported losses exceeding $16 billion, a 33% increase over the prior year, according to a report released in April.
“Cybersecurity is not just an IT problem or a crisis scenario from a playbook, but a persistent and growing business concern with real financial implications, including the potential costs of incident response, legal liabilities, reputational damage, and loss of revenue from lack of consumer trust,” Ernst & Young cybersecurity consultants Tunde Lawson and Jaime Kipnes wrote in an April article on the topic.
Mitigating cyber risks and incorporating them into the organization’s long-term financial strategy is a mission shared by multiple people in the C-suite, including the CFO, who is “uniquely positioned to quantify these risks and estimate the cost of an incident,” the authors said.
Working in concert with the chief information security officer, the CFO can “better understand the probability and exposure to risk, set metrics on spending and ROI and communicate recommendations for prioritizing cybersecurity spending,” they wrote.