Threatonomics

What your CFO actually cares about (and how to speak their language)

by Emma McGowan, Senior Writer

The first step to getting your budget approved? Communicating impact.

You walk into your CFO’s office with a carefully prepared business case for a critical security investment. The risk assessment is complete, the vulnerabilities are documented, and you’re ready to make your argument. But the moment you mention “attack surface” or “zero-day vulnerabilities,” you can see their attention drift.

The issue isn’t that your CFO doesn’t care about cyber risk or doesn’t understand how critical security is to the business. The problem is simpler—and more fixable—than that.

You’re speaking different languages.

CFOs think in numbers. Specifically, they think in terms of capital allocation, return on investment, financial impact, and risk-adjusted returns. They’re evaluating dozens of competing budget requests, all claiming to be mission-critical. To earn their attention and approval, you need to translate cyber risk into the financial metrics they already track.

This isn’t about oversimplifying your message. It’s about making it actionable in their world.

Why your technical explanations aren’t landing

Consider the typical CISO-CFO budget conversation. You arrive prepared with technical severity scores, industry reports about emerging threats, and well-reasoned arguments about why your organization needs stronger security controls. You discuss attack surfaces, vulnerability management, and the latest in ransomware. Your CFO listens, asks a few questions, and then responds with something like “let me think about it” or “we’ll revisit this next quarter.”

What just happened? You essentially asked your CFO to translate your request into financial terms without providing that translation yourself. When you say “we need endpoint detection and response on all devices,” they must mentally convert that into: What does this cost? What’s the return? What happens if we don’t do it? How does this compare to other options?

Meanwhile, you’re competing with concrete proposals from other executives. The head of sales is requesting two new account executives who will generate $5 million in revenue. The VP of product needs three engineers who will ship features customers are actively requesting. Without financial framing, your request appears vague by comparison—even when the stakes are higher.

The challenge compounds when security leaders lead with fear rather than finance. CFOs assess risk analytically, but fear-based arguments without probability weighting don’t resonate with their framework. Saying “we could get hit with ransomware” is equivalent to saying “the building could catch fire.” Certainly it could. But what’s the likelihood? What’s the expected cost? What controls are currently in place, and what would this investment actually change?

Building your financial case: What CFOs care about and how to deliver it

Understanding what drives CFO decision-making will transform how you present cyber risk investments. The following framework provides a systematic approach to budget approval requests that addresses each priority your CFO evaluates.

1. Quantified financial exposure

Begin by quantifying your current risk exposure. Rather than saying “we could get breached,” analyze the scenarios most likely and most costly for your specific business. What would a week of downtime cost in lost revenue? What’s your regulatory exposure based on the data you actually hold? What would customer churn cost following a public breach?

When you present these figures, be precise about what they include: business interruption costs, regulatory fines based on the actual data you hold, customer notification and credit monitoring expenses, legal and forensic investigation fees, and long-term reputation impact from customer churn and lost deals.

The critical element: show how much of that risk you’re retaining versus transferring through insurance. If you’re self-insuring $5 million of cyber risk, that’s a financial exposure on the books whether leadership has explicitly acknowledged it or not.

2. Expected loss and probability

CFOs understand risk the same way actuaries do: probability times impact equals expected loss. If you face a 20% chance of a $5 million incident, that represents $1 million in expected annual loss—budget the organization is already spending, even if it doesn’t appear on a line item.

Instead of presenting worst-case scenarios, provide the quantitative analysis: “Based on threat intelligence specific to our industry, the control gaps we’ve identified, and historical data about similar organizations, we face approximately a 30% likelihood of a material security incident in the next 12 months. That translates to an expected annual loss of $2.4 million.”

This approach enables productive conversation about risk tolerance—a data-driven discussion about how much risk the organization is comfortable accepting versus how much should be mitigated through controls or transferred through insurance.

3. Investment payback and measurable risk reduction

Map each proposed security investment to specific, measurable risk reductions. Don’t simply request budget—demonstrate the return: “This $500,000 investment in our security operations reduces our expected annual loss by $2 million—a 300% ROI in year one.”

Show how this particular control reduces ransomware risk from $5 million to $2 million in expected loss, or decreases the probability of a payment card breach from 15% to 5%. Then calculate the net benefit: how much risk reduction does each dollar spent deliver?

When calculating that return, include every factor that improves the financial equation: reduced expected losses from prevented incidents, lower insurance premiums (insurers reward strong controls with better rates), avoided regulatory fines, reduced business interruption, and decreased incident response time. If you can demonstrate payback in under a year, you’re not proposing a cost center—you’re recommending a profitable investment.

4. Business enablement and strategic objectives

This is where the conversation shifts from defense to offense. Connect your recommendations to broader business objectives rather than solely to risk mitigation.

Consider the business case: achieving SOC 2 Type II certification might require a $300,000 investment, but it unlocks enterprise deals worth $15 million annually. Implementing specific controls enables pursuit of that Fortune 500 client who requires particular security standards—with an annual contract value of $8 million. Enhanced fraud prevention reduces your chargeback rate by 2%, saving $450,000 annually while maintaining good standing with payment processors.

Perhaps you need HIPAA compliance controls to expand into healthcare customers, or these security improvements reduce integration risk for a potential acquisition, or these certifications are required to achieve growth targets in regulated industries. When security investments remove obstacles to strategic initiatives, they transition from costs to business enablers—something CFOs prioritize.

5. Comparative efficiency and alternatives

CFOs evaluate proposals using ratios and efficiency metrics. Present alternatives with transparent trade-offs: Why does this approach deliver better value than alternative risk-transfer options? How does this vendor compare to other options you evaluated? What are the trade-offs of phasing this investment versus implementing it immediately?

Provide concrete measurements: cost per asset protected, cost per user secured, or investment as a percentage of total risk exposure. Demonstrate why your approach delivers better efficiency than alternatives. Perhaps this solution costs $200,000 annually and addresses 60% of your critical vulnerabilities, while an alternative vendor quoted $350,000 for comparable coverage. But also compare against accepting current risk: not investing means retaining $4 million in expected annual losses, while the recommended $400,000 investment reduces that exposure to $1.2 million—a net benefit of $2.4 million.

When you present alternatives with transparent trade-offs, you’re requesting collaboration in choosing the most cost-effective path to acceptable risk—a conversation CFOs are trained to conduct.
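As an added illustration of the arithmetic in sections 1, 2, 3 and 5 (this is example code, not from the article or from Resilience), the following Python model computes expected annual loss per scenario, splits it into retained versus insured exposure under a simplified policy model, and ranks control options by net benefit, ROI and payback against the do-nothing baseline. Every scenario figure, control name and insurance term below is a constructed assumption.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:
    name: str
    probability: float  # annual likelihood the incident occurs (0..1)
    impact: float       # total cost in dollars if it occurs

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_probability: dict  # scenario name -> probability once the control is in place

def expected_annual_loss(scenarios):
    """Section 2: probability times impact, summed over every scenario."""
    return sum(s.probability * s.impact for s in scenarios)

def retained_vs_transferred(scenarios, limit, deductible):
    """Section 1: expected loss the business keeps versus what insurance absorbs. Simplified
    policy model (an assumption): the insurer pays impact above the deductible, up to the limit."""
    transferred = sum(s.probability * min(max(s.impact - deductible, 0.0), limit) for s in scenarios)
    return expected_annual_loss(scenarios) - transferred, transferred

def business_case(scenarios, control):
    """Sections 3 and 5: risk reduction, net benefit, ROI and payback for one option."""
    residual = [replace(s, probability=control.residual_probability.get(s.name, s.probability))
                for s in scenarios]
    before, after = expected_annual_loss(scenarios), expected_annual_loss(residual)
    net = before - after - control.annual_cost
    return {
        "control": control.name, "eal_before": before, "eal_after": after, "net_benefit": net,
        "roi_pct": 100.0 * net / control.annual_cost if control.annual_cost else 0.0,
        "payback_months": 12.0 * control.annual_cost / (before - after) if after < before else float("inf"),
    }

# Constructed figures for illustration only, not data from the article.
SCENARIOS = [
    Scenario("ransomware", 0.25, 20_000_000),  # 25% x $20M = $5.0M expected annual loss
    Scenario("card_breach", 0.15, 6_000_000),  # 15% x $6M  = $0.9M expected annual loss
]
OPTIONS = [
    Control("edr_plus_soc", 500_000, {"ransomware": 0.18, "card_breach": 0.05}),
    Control("vendor_b", 350_000, {"ransomware": 0.17}),
    Control("accept_risk", 0.0, {}),  # do nothing: the baseline every option is measured against
]

if __name__ == "__main__":
    kept, insured = retained_vs_transferred(SCENARIOS, limit=3_000_000, deductible=250_000)
    print(f"Expected annual loss ${kept + insured:,.0f}: retained ${kept:,.0f}, insured ${insured:,.0f}")
    for c in sorted((business_case(SCENARIOS, o) for o in OPTIONS), key=lambda c: c["net_benefit"], reverse=True):
        print(f"{c['control']:<13} net ${c['net_benefit']:>12,.0f}  ROI {c['roi_pct']:6.1f}%  payback {c['payback_months']:.1f} mo")
```

Note that the option with the best ROI ratio is not the one with the largest net benefit, which is exactly the trade-off section 5 asks you to put in front of the CFO.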

The bottom line

The objective isn’t to transform your CFO into a security expert. They don’t need to understand technical implementation details.

What they need is to understand cyber risk using the same financial framework they apply to every other business decision. When you provide that translation, you’re not simplifying the message—you’re making it actionable. You’re providing the analysis they need to approve investments with confidence.

This approach isn’t about getting every request approved. It’s about conducting productive conversations where cyber risk receives appropriate priority, evaluated with the same rigor applied to every other organizational investment.

Your CFO wants to approve the right investments. Provide them with the financial analysis that enables informed decisions.
