Finance and Security Chiefs at Odds Over Priorities, Survey Reveals
This analysis is based on a report originally published by CFO.com.
While cybersecurity is universally acknowledged as a critical business concern, a deep-seated misalignment persists between finance executives and their security counterparts over how to prioritize, fund, and measure it, according to a new industry survey.
The study, conducted by managed detection and response provider Expel, surveyed 300 leaders from large organizations (5,000+ employees). Surface-level consensus exists: 87% of finance leaders and 84% of security leaders believe the other department is at least somewhat aligned with their priorities. Collaboration also appears strong, with majorities reporting they work together “early and often.”
However, a significant perception gap emerges upon closer inspection. Nearly half (46%) of security leaders feel their finance colleagues are “very” aligned with their priorities, but only 35% of finance leaders reciprocate that view. This divergence points to underlying friction in one of modern corporate management's most crucial relationships.
The Measurement Mismatch
A core disconnect lies in evaluating cybersecurity's business impact. While 71% of security leaders rated their organization’s ability to measure this impact as mature, just 56% of finance leaders agreed. Furthermore, three in five security leaders admitted lacking full confidence that their cybersecurity investments match the organization's actual risk exposure.
“Finance decision-makers generally view cybersecurity as strategically important,” Expel noted, with 85% calling it a key planning component. Yet, this strategic recognition isn't translating into operational harmony.
Speaking Different Languages
The reporting disconnect exacerbates the problem. Security teams typically report on incident business impact and program maturity levels. Finance teams, however, seek data on cost, coverage, and tangible return on investment. Expel found that “program maturity level vs. industry benchmarks” is the second least-valued metric among finance executives surveyed.
“Security leaders continue to grapple with familiar funding challenges, while finance teams contend with persistent cost and ROI concerns,” the report stated. This is reflected in budgeting: only 38% of finance leaders feel fully aligned with security on risk tolerance and budget expectations.
Expert Commentary
CFO Dive gathered reactions from industry observers:
“This isn't about blame; it's a classic translation problem,” said Michael R. Chen, a risk management consultant and former CISO. “Security speaks in terms of threats and resilience, while Finance speaks in terms of value and liability. Boards need to mandate a common risk-and-value framework.”
“The 35% alignment figure from finance is alarming but predictable,” argued Sarah J. Feldstein, a vocal commentator on tech governance. “For years, security has operated as a black box, demanding funds while often failing to articulate business value in terms CFOs understand. Until security leaders can directly link controls to revenue protection or cost avoidance, they'll keep hitting a budget wall.”
“The survey underscores the need for integrated planning from the start,” added David Park, a financial analyst specializing in tech. “When security is woven into business case development for new initiatives, rather than being a downstream cost, alignment improves dramatically.”
“We're seeing more joint workshops between our finance and security teams,” shared Anya Sharma, a Fortune 500 CFO who requested anonymity for her company. “It's slow, but building that shared vocabulary on risk quantification is the only way forward.”