Finance and security leaders are at odds over cyber priorities, and it’s harming enterprises

Poor relations between the departments can be solved by CISOs talking in a language CFOs understand


Finance leaders have a poor opinion of the performance of CISOs, believing that they can't always communicate clearly and aren't fully aligned with business needs.

A new survey of 300 CISOs, directors of cybersecurity, CFOs, and finance leaders by threat-hunting firm Expel found less than half (46%) of security leaders think their finance counterparts are highly aligned with the security team’s priorities.

Finance leaders, though, are less convinced, with only 35% believing that their security counterparts are highly aligned with the finance team’s priorities.

These conflicting perceptions on both sides of the divide further exacerbate existing issues with alignment, the study noted.

Crucially, there's a similar pattern when it comes to risk tolerance and budget expectations. While 71% of surveyed security leaders say that security and finance teams are fully or very aligned, finance decision-makers are much less positive, with only 58% saying the same.

"While most finance decision-makers see security as business-critical, they demonstrate a lower level of assurance in some of their security teams’ abilities," the researchers said.

Only half of surveyed finance leaders said they were very confident that their security team can communicate business impact clearly or protect the organization from major cyber events, while only four in ten expressed full confidence in security’s ability to align with business strategy.

Security decision-makers, meanwhile, are suspicious that they're perceived negatively by finance, with 36% saying they're seen as a cost center and 35% as no more than an operational necessity.

"The real issue isn't that finance sees security as a cost center — it's that too many security leaders haven't learned to articulate value in terms finance understands," said Greg Notch, Expel chief security officer.

"Security leaders should spend their time showing how that cost translates to business protection. Finance teams make cost-benefit decisions all day long. They're not afraid of costs; they're afraid of costs they can't quantify or understand."

How cyber leaders can shake up communication

When reporting results to finance, surveyed security leaders typically prioritize metrics like business impact of actual security incidents at 18%, cost of control versus potential losses at 17%, security program maturity level at 16%, and risk reduction score at 15%.

However, researchers found these metrics don't align with what finance actually requires for making strategic decisions. In fact, program maturity level versus industry benchmarks is the second least popular metric among finance leaders.

"Instead of falling back on maturity metrics, leaders need to communicate in the language of risk, especially when justifying security spend," advised Notch.

The calculation, he said, means taking the percentage (or percentage range) likelihood that the organization will experience a breach, together with the cost of that breach.

From there, you can show that an investment costing $X will likely lower the organization's likelihood of a breach by Y%.
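As an added illustration of the calculation Notch describes (not code from the article or from Expel), the Python below puts a breach likelihood range and a breach cost next to a control's cost and its assumed effect on likelihood, then expresses the result in the terms a finance team uses: expected loss before and after, avoided loss, net benefit, and a return-on-investment ratio. All figures are constructed; reading "lower likelihood by x%" as an absolute drop in percentage points, and the return-on-security-investment ratio itself, are assumptions the article does not spell out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BreachScenario:
    """Constructed inputs: breach cost and a likelihood range (fractions, 0.10 = 10%)."""
    cost_usd: float
    p_low: float
    p_high: float


def expected_loss(scenario: BreachScenario) -> tuple[float, float]:
    """Expected loss range = likelihood x cost, evaluated at both likelihood bounds."""
    return (scenario.p_low * scenario.cost_usd, scenario.p_high * scenario.cost_usd)


def control_case(scenario: BreachScenario, control_cost_usd: float,
                 reduction_points: float) -> dict:
    """Restate a proposed control in finance terms.

    reduction_points is the assumed absolute drop in breach likelihood, in
    percentage points (5.0 turns 20% into 15%). Likelihood is clamped at zero so
    an optimistic reduction cannot produce a negative probability.
    """
    delta = reduction_points / 100.0
    after = BreachScenario(
        scenario.cost_usd,
        max(0.0, scenario.p_low - delta),
        max(0.0, scenario.p_high - delta),
    )
    before_low, before_high = expected_loss(scenario)
    after_low, after_high = expected_loss(after)
    avoided_low, avoided_high = before_low - after_low, before_high - after_high
    return {
        "expected_loss_before": (before_low, before_high),
        "expected_loss_after": (after_low, after_high),
        "avoided_loss": (avoided_low, avoided_high),
        "net_benefit": (avoided_low - control_cost_usd, avoided_high - control_cost_usd),
        # Return on security investment at each bound: (avoided loss - cost) / cost.
        "rosi": (
            (avoided_low - control_cost_usd) / control_cost_usd,
            (avoided_high - control_cost_usd) / control_cost_usd,
        ),
    }


def break_even_reduction_points(scenario: BreachScenario, control_cost_usd: float) -> float:
    """Smallest drop in likelihood (percentage points) at which the avoided loss
    equals the control's cost. With an absolute reduction this is the same at both
    bounds, provided the reduction does not exceed the low-bound likelihood."""
    return 100.0 * control_cost_usd / scenario.cost_usd


# Constructed sample: a $4M breach, 10%-20% annual likelihood, a $200k control
# assumed to cut likelihood by 8 percentage points.
SAMPLE = BreachScenario(cost_usd=4_000_000, p_low=0.10, p_high=0.20)
SAMPLE_CONTROL_COST = 200_000
SAMPLE_REDUCTION_POINTS = 8.0


def sample_case() -> dict:
    return control_case(SAMPLE, SAMPLE_CONTROL_COST, SAMPLE_REDUCTION_POINTS)


if __name__ == "__main__":
    result = sample_case()
    for key, (low, high) in result.items():
        unit = "x" if key == "rosi" else "USD"
        print(f"{key:>21}: {low:>14,.2f} to {high:>14,.2f} {unit}")
    print(f"break-even reduction: {break_even_reduction_points(SAMPLE, SAMPLE_CONTROL_COST):.1f} points")
```

The break-even figure is the number a CFO will ask for first: how much the control must move the likelihood before it pays for itself. Stating the likelihood as a range rather than a point estimate keeps the uncertainty visible instead of hiding it behind a single number.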

"Cybersecurity teams have to understand the KPIs that matter to the business and how their operations ladder up into those," he said.

"It’s all about cybersecurity teams being able to communicate how their impact is contributing to those KPIs in the language of the business — which is all about dollars and cents."


Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.