Brian Blakley is the chief information security officer at Bellini Capital, a Tampa, Florida-based venture capital and private equity firm. Views are the author’s own.
As a chief information security officer inside an investment firm, I sit closer to the financial side of conversations than most people in my role.
The CFO’s seat is firmly established at the senior management table. With CISOs, that’s not a given. They’re often pulled in late — after decisions are made or once something has already gone sideways. Even when both leaders are in the room, they’re not always solving the same problem.
The interaction is typically situational and transactional — more reactive than intentional. It surfaces in moments of friction, not as a steady partnership. Both are managing enterprise risk, but not in the same language. That disconnect isn’t just operational. It’s a balance sheet problem.
When alignment does happen, it’s usually under pressure. Something goes wrong — a ransomware attack, a failed audit, a board-level escalation.
Suddenly, the conversation shifts from technical detail to business reality: what the revenue impact is, how long systems will be down and what the cost will ultimately be.
Decisions made in the middle of a crisis are rarely optimal. They’re reactive, expensive and constrained by whatever options remain. Yet that is still when most organizations finally try to connect finance and cybersecurity.
The core problem
CFOs and CISOs are highly capable. That’s not the issue. The disconnect is simpler and more persistent than most want to admit: they are managing the same enterprise risk through entirely different lenses.
CISOs think in terms of threats, vulnerabilities and controls. CFOs think in terms of capital allocation, financial performance and enterprise value. The risk under discussion is the same; the vocabulary is not.
It is common for a CISO to present technically accurate risk data that is not actionable to the finance function — not because it isn’t important, but because it isn’t translated into business impact.
Without that translation layer, the conversation defaults to metrics that feel meaningful but rarely drive decisions: vulnerabilities patched, systems compliant and threats detected. They are operationally useful, but financially incomplete.
Compliance doesn’t close the gap either. It creates a baseline, not protection — and certainly not resilience. Too often, there is an assumption that compliant means secure, and secure means resilient. Those assumptions break quickly when mapped to actual financial exposure.
Closing the gap
The shift required is simple: stop asking technical questions first and start asking business ones. Which parts of the business generate revenue, and what happens if they stop? What are the most likely scenarios that could materially hurt us, and what would they cost? How fast can we recover where it matters most, and what does that downtime translate to in financial terms?
The same applies to how organizations invest and validate risk decisions. Are they investing in the right places or just spending? What assumptions about security have never actually been tested? And when something goes wrong, how does it ultimately surface in areas such as financial reporting, disclosure, regulation and investor confidence?
When the CFO–CISO relationship works, neither side becomes the other. Instead, risk is translated into shared terms both can act on.
The CISO’s role is not just to manage threats, but to translate them into business consequences. The CFO’s role is not just to manage cost, but to understand where cyber risk can materially affect the business.
Closing the gap requires better translation, better questions and a shared view of risk.
In practice, that means cyber risk is framed in terms of operational disruption and financial exposure, not control gaps; scenarios are prioritized by business impact, not technical severity; and trade-offs are made explicitly and together, rather than in separate security and finance silos.
Success is measured in outcomes: reduced business disruption, not more tools or more controls.
That is when cybersecurity stops being treated as cost and starts functioning as part of financial strategy.