Cybersecurity budgets keep climbing, but many security leaders still struggle to explain what that spending delivers to the business. A new study by Expel examines that disconnect through a survey of security and finance executives at large enterprises. The research looks at how the two groups view risk, investment decisions, and their working relationship.
Shared priorities, uneven trust
Security leaders believe their priorities align with business objectives. Most say cybersecurity supports company goals and plays a role in enterprise strategy. Finance leaders generally agree that cybersecurity matters and often see it as part of business planning rather than a background technical function.
Confidence drops when finance evaluates execution. Finance executives report uneven trust in security teams’ ability to explain business impact, prioritize investments based on risk, and connect initiatives to company strategy. These concerns influence how budgets are reviewed and approved.
Cybersecurity executives recognize this hesitation. Many say they lack confidence that current cybersecurity investments align closely with business risk exposure. Strategic agreement exists, while confidence in outcomes remains fragile.
Risk means different things to different teams
Security practitioners tend to define unacceptable risk through compliance failures, loss of customer trust, or reputational damage. Financial loss carries less weight in their responses.
Finance teams frame risk through financial modeling and business continuity. Investment decisions focus on loss avoided, time saved, and reduced disruption. Compliance metrics and internal security reports carry less influence in these evaluations.
These differing definitions shape conversations. Security teams speak in terms of controls, maturity, and threat reduction. Finance teams look for projected financial impact and operational outcomes. Both sides believe they communicate well, even while using different reference points.
Reporting gaps slow decisions
Security teams often report metrics tied to incidents, control costs, and program maturity. Finance leaders say these inputs rarely support investment decisions on their own. They want reporting that ties cybersecurity spending to enterprise goals, operational stability, and measurable savings.
This gap slows approvals. Finance stakeholders cite uncertainty around return, limited visibility into performance, and high upfront costs as recurring concerns. Security decision-makers describe difficulty conveying urgency and risk in terms finance finds meaningful.
The result is a cycle where security teams feel underfunded and finance teams remain unconvinced.
“Cybersecurity needs to learn to speak in the language of the business. And finance is the lingua franca of the boardroom. Everyone needs to learn to speak in the terms that finance uses—which is impact to bottom line, risk of business disruption, etc.,” said Greg Notch, Chief Security Officer, Expel.
Collaboration happens, alignment lags
Both groups describe their working relationship in positive terms. Many say they collaborate early and often on cybersecurity topics. Regular meetings, however, do not guarantee shared understanding.
Collaboration often stays at the director level. Direct engagement between CISOs and CFOs occurs less frequently. Organizations with more executive-level interaction report stronger alignment on priorities and greater confidence in cybersecurity’s business value.
Less frequent strategic discussions correlate with weaker agreement on risk tolerance and budget expectations. Timing and seniority influence how information translates into decisions.
Budgets rise with open questions
Both security and finance leaders expect cybersecurity budgets to increase over the next year. Security leaders anticipate larger gains, while finance leaders expect more modest growth.
Responsibility for final investment decisions varies. Finance respondents point to security leaders, finance teams, IT, and executive leadership as decision owners. This lack of consistency complicates accountability and slows consensus.
Finance executives say stronger business cases, improved reporting, and education around cybersecurity risk would help justify larger investments. They also point to translating technical risk into financial terms and sharing accountability for outcomes.
“Cybersecurity teams have to understand the KPIs that matter to the business and how their operations ladder up into those. It’s all about cybersecurity teams being able to communicate how their impact is contributing to those KPIs in the language of the business—which is all about dollars and cents,” Notch concluded.
