We Know What The Threats Are. So Why Can't We Fund The Fixes?
I've sat on both sides of the budget table throughout my cybersecurity career. I've been the person presenting the threat landscape to skeptical finance leaders, and I've been the person trying to explain why the controls we already knew we needed still weren't fully funded or deployed. After decades in this industry, I've come to believe that the most dangerous gap in enterprise security isn't a technical one. It's a communication one.
Two reports published recently by Expel—our 2026 Annual Threat Report and CISO-CFO disconnect report—make this case together more powerfully than either does alone. Read them side by side and a troubling picture emerges: we largely know what the threats are, we largely know what the fixes are, and we still can't reliably get the investment decisions right.
What the threat data actually shows
Expel's SOC triaged nearly a million alerts across our customer base in 2025. The findings are striking not for their novelty, but for their consistency with what security leaders have been saying for years.
Identity-based attacks dominated, accounting for 68.6% of all incidents, the top category for several consecutive years. Nearly half of those incidents (47.7%) resulted in successful account access using stolen credentials. Endpoint-based attacks made up another 29% of incidents, driven primarily by opportunistic malware and social engineering techniques like ClickFix, where users are tricked into executing malicious scripts. Cloud infrastructure incidents were just 2.5% of volume but disproportionately high in potential impact, with misconfigurations and exposed secrets creating pathways into the systems where the most sensitive data lives.
Here’s the part that should generate real urgency in every boardroom: the report is explicit that the vast majority of these attacks succeeded not because attackers were technically sophisticated, but because foundational security controls such as MFA, proper configurations and timely patching weren't fully implemented or maintained. When MFA was properly enforced, it stopped more than half of credential-based identity attacks immediately. The tools to prevent most of these incidents exist. They just weren't fully deployed.
That's a funding and prioritization story as much as it's a security story.
The alignment that isn't
Expel commissioned independent research surveying 300 executive leaders about how the two functions collaborate on cybersecurity investment. The headline finding sounds reassuring: 74% of security leaders say they work with finance early and often, and 68% of finance leaders say the same.
But dig one layer deeper and the picture changes. Despite all this reported collaboration, only 52% of finance leaders say they're very confident that their security team can communicate business impact clearly. Only 40% are very confident that security can align with business strategy. And just 43% are very confident that security can prioritize investments based on risk.
Connect that back to the threat data and the implication becomes clear. We have a threat landscape where identity attacks succeed primarily because basic controls aren't fully in place, controls that are well understood, widely available, and not technically complex to implement. And we have a finance function that, by its own admission, lacks confidence in security's ability to make the case for investment. These two facts are not unrelated.
The attackers are winning, in part, because the investment decisions aren't keeping up. And the investment decisions aren't keeping up, in part, because security and finance aren't actually speaking the same language, even when they think they are.
The metrics gap: Reporting what you know vs. what finance needs
One of the most illuminating findings from this research is the mismatch between what security teams typically report and what finance actually needs to make investment decisions.
Security leaders tend to report on the business impact of actual security incidents, cost of control versus potential losses, and security program maturity levels. These feel like meaningful metrics from a security practitioner's perspective. The problem is that finance doesn't use them that way. When evaluating the ROI of security investments, finance teams are far more likely to model cost avoidance, risk reduction, or time savings, or tie investments directly to business continuity and uptime. Only 15% of finance leaders say they rely on the security team's own reporting and metrics when evaluating ROI.
Security program maturity level, one of security's most commonly reported metrics, ranked as the second least useful metric among finance leaders for understanding cybersecurity value.
Now layer in the threat data. Organizations catching threats early in the kill chain, at initial access, before attackers can move laterally or deploy ransomware, achieve dramatically better outcomes. That kind of detection speed has a quantifiable financial value: faster containment means less downtime, smaller blast radius, lower recovery costs, and reduced regulatory exposure.
That's exactly the kind of metric finance wants: potential financial loss avoided, business continuity protected, investment tied to measurable operational outcomes. But most security teams aren't translating their performance data into those terms. They're reporting maturity scores and threat counts to audiences who are trying to model cost avoidance and resilience.
The executive engagement gap
There's another structural problem that directly affects security teams' ability to fund the right priorities. Most security-finance collaboration isn't happening at the right level.
Only 22% of finance leaders regularly engage with their CISO. Nearly half (49%) interact primarily with directors of cybersecurity. On the security side, just 24% of security leaders regularly collaborate with their CFO, while 41% work primarily with directors of finance.
This matters enormously. Security leaders who engage directly with CFOs report 63% "very aligned" relationships with finance, compared to 46% overall. Finance leaders who work directly with CISOs are more likely to view cybersecurity as a core strategic driver for business planning. The data is clear: director-level coordination during budget cycles isn't producing the alignment that C-suite engagement does.
Think about what this means against the backdrop of the threat data. The fundamental security investments that would address the most common attack vectors, for example robust MFA deployment, identity hygiene, endpoint detection tuned to real-world attacker behavior, and cloud configuration management, are not technically exotic. They're operationally rigorous. Getting them fully funded and fully implemented requires a finance counterpart who understands why they matter and has enough confidence in the security team's judgment to approve the resources. That relationship is built at the C-suite level, not at the director level during annual budget reviews.
Why "cost center" is a more dangerous label than it sounds
Thirty-eight percent of security leaders believe their CFO perceives cybersecurity as a cost center. Another 39% believe their board does the same. That perception has real consequences.
Security leaders who believe their CFO sees them as a cost center are significantly less confident in their alignment with finance and, the data suggests, are likely receiving less proactive support for investment decisions as a result. Meanwhile, finance leaders who view cybersecurity as a cost center are less likely to approve significant budget increases, less likely to engage at the C-suite level, and less likely to see security investments as decisions requiring strategic input rather than routine expense management.
The 2026 threat data gives us a concrete way to reframe this. Attacks succeed when basic controls aren't maintained. The cost of not maintaining those controls, in breach recovery, regulatory fines, reputational damage, and operational disruption, is quantifiable. Security leaders who can translate the threat landscape into expected loss values and show how specific investments reduce that exposure are making the exact kind of argument that shifts the "cost center" perception. They're not asking for budget. They're presenting a risk-adjusted investment decision.
Building the bridge: What actually works
The good news is that finance leaders aren't asking for the impossible. When asked what would make it easier to justify increased security budgets, their top responses were quantified risk reduction, improved reporting and transparency, and benchmarked security performance. More than half said clearer business cases for security investments would improve collaboration. Nearly as many said training or education to bridge knowledge gaps would help.
They're not demanding certainty. Finance teams work with uncertainty and probability ranges constantly. What they don't tolerate is hand-waving—security leaders who claim they can't quantify anything, or who report metrics that don't connect to business outcomes. A well-reasoned estimate with clear assumptions is far more useful to a CFO than a technically accurate maturity score that tells them nothing about business risk exposure.
Here's how I'd translate both reports into a practical framework for security leaders right now:
Connect threat data to financial exposure. Identity attacks dominate, endpoint delivery techniques are well-documented, and cloud misconfigurations create high-impact exposure. Translate each of these into an expected financial impact, such as potential downtime cost, breach recovery expense, or regulatory fine risk, and show how specific investments reduce that exposure. That's the language finance uses to evaluate every other investment decision.
Report what finance actually evaluates. Stop leading with maturity scores and threat counts. Lead with cost avoidance, potential financial loss avoided, business continuity metrics, and investment efficiency. Security teams that report in the same frameworks finance uses to evaluate ROI are far more likely to get the resources they're asking for.
Escalate the relationship, not just the urgency. If your primary security-finance relationship is at the director level, push for regular C-suite engagement. Monthly strategic conversations with your CFO focused on business risk and resilience—not tactical spending—change the dynamic fundamentally. The data shows it produces materially better alignment outcomes.
Reframe prevention as resilience. Finance responds better to business continuity and resilience framing than to breach prevention framing. Threat data can help emphasize the importance of early detection and fast response. It tells a resilience story, about keeping operations running and minimizing impact even when attacks occur. Lead with that narrative.
Use the threat data as a shared reference point. Threat reports exist precisely to give security leaders external validation for the priorities they're already advocating. Bringing real data about what's actually happening across thousands of organizations into budget conversations is more persuasive than internal assessments alone, and it gives finance counterparts a basis for understanding risk that doesn't require them to already be security experts.
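As an added illustration of the first two points of this framework (not a model from Expel or from either report), the script below turns the article's incident mix into an annualized expected loss per category, applies one control, and expresses the result as exposure before and after, loss avoided with a range, and net benefit. Only the category shares (68.6%, 29%, 2.5%) and the "more than half of credential-based identity attacks stopped by enforced MFA" figure come from the article; the annual incident count, per-incident loss ranges, MFA coverage levels and control cost are constructed assumptions, and the three-point (PERT) estimate is one common way to carry a range with stated assumptions through to a single expected value.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatCategory:
    name: str
    share: float          # fraction of all incidents (article figure)
    loss_low: float       # constructed per-incident loss: optimistic
    loss_likely: float    # constructed per-incident loss: most likely
    loss_high: float      # constructed per-incident loss: pessimistic


@dataclass(frozen=True)
class Control:
    name: str
    category: str           # ThreatCategory.name the control addresses
    effectiveness: float    # share of that category's incidents stopped where enforced
    coverage_before: float  # fraction of the estate where it is enforced today (constructed)
    coverage_after: float   # fraction after the proposed investment (constructed)
    annual_cost: float      # constructed


# Incident mix from the article; the per-incident loss ranges are constructed.
# (Shares sum to slightly over 1.0 because each is rounded to one decimal.)
CATEGORIES = [
    ThreatCategory("identity", 0.686, 20_000, 50_000, 200_000),
    ThreatCategory("endpoint", 0.290, 10_000, 25_000, 100_000),
    ThreatCategory("cloud",    0.025, 100_000, 400_000, 1_900_000),
]

# The article says enforced MFA stopped "more than half" of credential-based identity
# attacks; 0.5 is used as a conservative floor. Coverage and cost are assumptions.
MFA_ROLLOUT = Control("enforce MFA everywhere", "identity",
                      effectiveness=0.5, coverage_before=0.40,
                      coverage_after=0.95, annual_cost=300_000)


def pert_mean(low: float, likely: float, high: float) -> float:
    """Three-point (PERT) estimate: turns a stated range into one expected value."""
    return (low + 4 * likely + high) / 6


def annual_loss(cat: ThreatCategory, incidents_per_year: int, loss_per_incident: float) -> float:
    """Annualized loss for one category at a given per-incident loss."""
    return incidents_per_year * cat.share * loss_per_incident


def investment_case(control: Control, incidents_per_year: int,
                    categories=CATEGORIES) -> dict:
    """Exposure before/after the control, loss avoided (with a range), and net benefit."""
    cat = next(c for c in categories if c.name == control.category)
    prevented_before = control.effectiveness * control.coverage_before
    prevented_after = control.effectiveness * control.coverage_after
    delta = prevented_after - prevented_before  # extra share of incidents stopped

    expected = annual_loss(cat, incidents_per_year,
                           pert_mean(cat.loss_low, cat.loss_likely, cat.loss_high))
    exposure_before = expected * (1 - prevented_before)
    exposure_after = expected * (1 - prevented_after)
    avoided = exposure_before - exposure_after

    return {
        "category": cat.name,
        "exposure_before": exposure_before,
        "exposure_after": exposure_after,
        "loss_avoided": avoided,
        # Same calculation at the optimistic and pessimistic per-incident loss,
        # so the estimate is presented as a range rather than a point.
        "loss_avoided_low": annual_loss(cat, incidents_per_year, cat.loss_low) * delta,
        "loss_avoided_high": annual_loss(cat, incidents_per_year, cat.loss_high) * delta,
        "annual_cost": control.annual_cost,
        "net_benefit": avoided - control.annual_cost,
        "return_on_control": avoided / control.annual_cost,
    }


def finance_summary(case: dict) -> str:
    """One sentence in the cost-avoidance terms finance uses to evaluate ROI."""
    return (f"{case['category']} exposure falls from ${case['exposure_before']:,.0f} "
            f"to ${case['exposure_after']:,.0f} per year; expected loss avoided "
            f"${case['loss_avoided']:,.0f} (range ${case['loss_avoided_low']:,.0f} to "
            f"${case['loss_avoided_high']:,.0f}) against ${case['annual_cost']:,.0f} "
            f"of spend, a {case['return_on_control']:.1f}x return.")


if __name__ == "__main__":
    case = investment_case(MFA_ROLLOUT, incidents_per_year=100)  # constructed volume
    print(finance_summary(case))
```

With the constructed inputs, identity exposure drops from about $3.84M to $2.52M a year, and the $1.32M avoided (range roughly $0.38M to $3.77M) is set against $300K of spend. The range is the point: it states the assumptions a CFO can challenge, which is what the article says finance wants instead of a maturity score.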
The 2026 threat landscape isn't primarily a story about adversaries becoming more sophisticated. It's a story about known, preventable gaps being exploited because the foundational investments weren't made and, in many cases, weren't effectively communicated to the people who control the budget. The threat data and the collaboration data together point to the same conclusion: the security outcomes we need are achievable. What's missing is the shared language and the organizational discipline to act on what we already know.
That's a solvable problem. But only if security leaders take the first step in meeting finance where they are.