Speaking CFO: Why I'm Bridging the Gap Between Security and Finance

(January 26, 2026)

Throughout my career, one of the skills I've been most passionate about developing is the ability to communicate about security with other parts of the executive team, especially finance teams and boards. After 25 years in cybersecurity, including 15 years at the NHL where I delivered both technology and security outcomes, I've learned that technical excellence means nothing if you can't articulate its business value to the people who run the business. That skill has never been more critical than it is right now. 

In today's economic climate, where budgets are being scrutinized more closely than ever and security spending faces increasing pressure to justify its ROI, the ability to speak finance's language isn't just nice to have, it's essential for survival. CISOs who can't translate security outcomes into business impact will find themselves on the losing end of budget battles, regardless of how sophisticated their programs are.

But here's what I've consistently observed: most security leaders believe they're already speaking the same language as finance. The reality is far different. 

What 300 Executives Revealed About Security-Finance Alignment 

Expel recently commissioned independent research that surveyed 300 executive leaders (136 cybersecurity decision-makers and 164 finance leaders) about cybersecurity investment decisions, risk tolerance, business impact measurement, and cross-functional collaboration. 

The headline finding? Both sides report high levels of collaboration and alignment. Seventy-four percent of security leaders say they work with finance early and often on cybersecurity matters. Sixty-eight percent of finance leaders say the same about working with security. 

Yet beneath this surface agreement, the data reveals something troubling: these teams aren't aligned on what matters most. 

The collaboration paradox: why frequency doesn't equal effectiveness 

Here's where things get interesting. Despite all this reported collaboration, finance leaders express notably lower confidence in security's core business capabilities.  

  • Only 52% are very confident that security can communicate business impact clearly 
  • Just 48% are very confident that security can protect the organization from major cyber events 
  • A mere 40% are very confident that security can align with the business strategy 

Meanwhile, security leaders cite competing budget priorities and finance's limited understanding of cybersecurity risk as their main challenges when seeking funding. 

This is the collaboration paradox: teams meet regularly, claim to work together effectively, yet remain fundamentally frustrated with each other. 

The disconnect? They're meeting at the wrong level and discussing the wrong things. 

The executive engagement gap 

Nearly half of finance leaders, 49%, say they only meet with security leadership quarterly to discuss cybersecurity strategy or investment. Another 16% meet just annually. And most of those meetings aren't even happening between C-suite peers. 

Only 22% of finance leaders regularly engage with their CISO; 49% interact primarily with Directors of Cybersecurity. On the flip side, just 24% of security leaders regularly collaborate with their CFO, while 41% work mainly with Directors of Finance.

This matters more than you might think. 

Among security leaders who primarily interact with CFOs, 63% describe their relationship with finance as "very aligned", 17% higher than among security leaders whose main counterpart is someone other than the CFO. Likewise, 72% of finance leaders who work directly with CISOs view cybersecurity as a core strategic driver for business planning, versus 55% of finance leaders overall.

The data is clear: director-level coordination during budget cycles isn't cutting it. Strategic alignment requires C-suite engagement. 

What Security Optimizes For vs. What Finance Actually Evaluates 

Here's where the language barrier becomes most apparent. When making security investment decisions, security leaders prioritize industry best practices, compliance requirements, and ease of integration, alongside ROI considerations. 

But when finance evaluates the ROI of those same security investments, they use completely different frameworks. The majority model cost avoidance, risk reduction, or time savings (34%), or tie investments directly to business continuity and uptime (30%). Only 20% rely on audit or compliance pass rates, and just 15% use the security team's own reporting and metrics. 

Notice the gap? Security is making decisions heavily weighted toward compliance and best practices, while finance is evaluating those same investments primarily through the lens of cost avoidance and business continuity. 

They're not just speaking different languages, they're operating in entirely different frameworks. 

The metrics finance wants (but isn't getting) 

When we asked finance leaders what they most wanted security teams to report, their top priorities were strategic alignment with enterprise goals, investment efficiency measured as cost versus coverage, and potential financial loss avoided. 

Meanwhile, security teams are focused on reporting the business impact of actual security incidents, the cost of controls versus potential losses, and security program maturity levels.

There's some overlap: both care about cost efficiency and business impact. But security's focus on program maturity ranks as finance's second-least useful metric for understanding cybersecurity value. 

We're spending energy on reports that our stakeholders don't find valuable for decision-making. 

The confidence gap: What finance needs to approve investment 

When reviewing cybersecurity budget requests, finance leaders' top concerns center on high costs, inability to quantify return or risk, insufficient visibility into performance, and lack of clear business alignment. 

Notice that three of the top four concerns are about measurement and communication, not about the actual cost of security. 

Finance isn't saying security is too expensive. They're saying they can't make informed decisions with the information they're receiving. 

When we asked what would make it easier for finance to justify increased security budgets, the most common responses were quantified risk reduction, improved reporting and transparency, and benchmarked security performance. 

These aren't impossible demands. They're reasonable requests for the kinds of data that finance teams use to evaluate every other business investment. 

Building a Shared Language: Practical Frameworks 

So, what does it actually look like to bridge this gap? 

Start with the business outcomes that matter. Identify the three to five metrics your organization truly cares about: 

  • revenue protection 
  • operational uptime
  • customer retention
  • regulatory compliance costs 

Then work backward from those to show how security initiatives support them.

Translate technical metrics into business impact. Don't stop at reporting that you reduced mean time to detect by 30%. Report what that buys the business: an estimated dollar amount of downtime cost avoided, derived from your organization's revenue per hour of operations, with the MTTD figure as supporting detail rather than the headline.

Use ranges, not false precision. Finance teams work with uncertainty constantly. They understand probability ranges and confidence intervals. What they don't tolerate is hand-waving or security teams who claim they can't quantify anything. A well-reasoned estimate with clear assumptions beats refusing to quantify impact at all. 
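As an added worked example (not from the original post, and not a model Expel's research describes), here is a small Python script that does what the two paragraphs above ask for: it converts a 30% MTTD reduction into an annual avoided-downtime figure using revenue per hour, and it carries the uncertainty through as a P10 to P90 range instead of one number. Every input (a 24-hour baseline MTTD, 2 to 6 disruptive incidents a year, 30% to 80% of removed detection delay translating into revenue-impacting outage, $20k to $25k revenue per hour) is a constructed placeholder, not survey data or any real organization's figures.

```python
"""Turn an MTTD improvement into an avoided-downtime dollar range.

Added illustration for this post, not Expel's or any organization's model.
Each uncertain input is a low/high range; a Monte Carlo run turns the
ranges into a P10/P50/P90 estimate with the assumptions stated up front.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """An uncertain input expressed as bounds rather than a single guess."""
    low: float
    high: float

    @property
    def mid(self) -> float:
        return (self.low + self.high) / 2

    def sample(self, rng: random.Random) -> float:
        return rng.uniform(self.low, self.high)


def hours_saved_per_incident(old_mttd_hours: float, mttd_reduction: float) -> float:
    """Detection delay removed per incident, e.g. 24h at a 30% (0.30) reduction -> 7.2h."""
    return old_mttd_hours * mttd_reduction


def avoided_loss(incidents_per_year: float, hours_saved: float,
                 outage_share: float, revenue_per_hour: float) -> float:
    """Annual revenue loss avoided.

    outage_share is the fraction of removed detection delay that would have
    been revenue-impacting downtime; not every hour of dwell time halts
    operations, so this is the key assumption to state to finance.
    """
    return incidents_per_year * hours_saved * outage_share * revenue_per_hour


def avoided_loss_range(old_mttd_hours: float, mttd_reduction: float,
                       incidents_per_year: Range, outage_share: Range,
                       revenue_per_hour: Range, trials: int = 20_000,
                       seed: int = 1) -> dict:
    """Monte Carlo over the input ranges; fixed seed keeps the result reproducible."""
    rng = random.Random(seed)
    saved = hours_saved_per_incident(old_mttd_hours, mttd_reduction)
    samples = [
        avoided_loss(incidents_per_year.sample(rng), saved,
                     outage_share.sample(rng), revenue_per_hour.sample(rng))
        for _ in range(trials)
    ]
    deciles = statistics.quantiles(samples, n=10)  # nine cut points: P10 ... P90
    return {
        "p10": deciles[0],
        "p50": deciles[4],
        "p90": deciles[8],
        # Single-point figure from midpoint assumptions, for comparison only.
        "point": avoided_loss(incidents_per_year.mid, saved,
                              outage_share.mid, revenue_per_hour.mid),
    }


def report(old_mttd_hours: float, mttd_reduction: float, result: dict) -> str:
    """One sentence in the form finance asked for: dollars, a range, the assumption."""
    new_mttd = old_mttd_hours * (1 - mttd_reduction)
    return (f"Faster detection (MTTD {old_mttd_hours:g}h -> {new_mttd:g}h) avoids an "
            f"estimated ${result['p10']:,.0f} to ${result['p90']:,.0f} per year in "
            f"downtime-related revenue loss (P10 to P90; median ${result['p50']:,.0f}).")


# Constructed, hypothetical inputs; replace with your organization's own figures.
OLD_MTTD_HOURS = 24.0
MTTD_REDUCTION = 0.30                     # the "30% MTTD improvement" from the text
INCIDENTS_PER_YEAR = Range(2, 6)          # disruptive incidents per year
OUTAGE_SHARE = Range(0.3, 0.8)            # share of detection delay that is real downtime
REVENUE_PER_HOUR = Range(20_000, 25_000)  # revenue per operating hour, USD

if __name__ == "__main__":
    result = avoided_loss_range(OLD_MTTD_HOURS, MTTD_REDUCTION, INCIDENTS_PER_YEAR,
                                OUTAGE_SHARE, REVENUE_PER_HOUR)
    print(report(OLD_MTTD_HOURS, MTTD_REDUCTION, result))
```

The point estimate is kept only to show how much a single number hides: with these inputs the midpoint figure sits well inside a P10 to P90 band that spans several hundred thousand dollars. Presenting the band, with the outage-share assumption named, is what lets a CFO argue with the assumptions instead of dismissing the number.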

Engage at the C-suite level. Push for regular strategic conversations with your CFO, not just annual budget reviews with finance directors. Make it a standing monthly meeting focused on business context, not tactical spending discussions. 

Focus on resilience, not prevention. Breaches are now widely accepted as inevitable. The conversation should be about business continuity: how quickly can we detect, contain, and recover while keeping revenue-generating operations running?

Despite all these misalignments, there's reason for optimism. When we asked finance leaders what would improve collaboration, more than half (51%) cited clearer business cases for security investments, and nearly as many (46%) said training or education to bridge knowledge gaps.

They're not asking for the impossible. They're asking for translation. 

And the vast majority of both security leaders (87%) and finance leaders (89%) expect cybersecurity budgets to increase over the next 12 months. The resources are there. The business case for security has never been stronger. What's missing is the shared framework for making investment decisions. 

Cybersecurity needs to learn to speak the language of the business. And as I often say, finance is the lingua franca of the boardroom. Everyone needs to learn to speak in the terms that finance uses: impact to bottom line, risk of business disruption, return on investment. 

The gap between security and finance isn't about conflicting priorities. It's about communication frameworks, measurement approaches, and organizational dynamics. These are structural problems, which means they have structural solutions. 

The language barrier is fixable. It just requires both sides to commit to the work and for security leaders to take the first step in meeting finance where they are.