Finance for Cybersecurity: Seven Principles Every CISO, CFO, and Board Member Should Know
Cybersecurity and finance usually speak different languages. Chief information security officers (CISOs) think in vulnerabilities, attack vectors, and controls. Chief financial officers (CFOs) and boards think in risk, capital allocation, and returns. This disconnect can have real consequences: budgets are underfunded or misdirected, boards make uninformed decisions, and cybersecurity leaders struggle to earn the strategic credibility they deserve.
The solution is not for CISOs to become accountants, or for CFOs to become security experts. Both sides need to build a common financial vocabulary around cyber risk that enables better decisions whatever an organisation’s maturity.
This article introduces seven financial principles that every cyber stakeholder should know. They are intentionally ordered to be actionable at any cyber maturity level, starting with what any organisation can do today, before progressing to more sophisticated financial risk management.
The Language Gap
Many cyber leaders have been in board meetings where presentations focused on threat intelligence, vulnerability counts, and framework maturity scores. Senior executives usually ask for the number that matters: what does this mean for our business, and how much should we spend on it?
The problem is that security leaders are trained to manage technical risk, not financial risk. Many will find themselves on unfamiliar ground when cyber risk becomes a line item on a balance sheet, an insurance premium, a regulatory liability, or a capital allocation decision.
One of the main reasons security leaders find it hard to quantify cyber risks is the lack of data, tools, or the resources for complex financial models. Methodologies like Factor Analysis of Information Risk (FAIR) and other quantitative cyber risk frameworks are powerful, but they require significant data maturity, dedicated analysts, and executive alignment to implement properly. Many organisations have struggled to build and sustain these programmes.
The good news is that closing the language gap between cyber and finance teams is technically doable. It starts with understanding a few financial principles that directly drive cybersecurity budget and spend, and how cyber risk should be communicated to those who control the budget.
Seven Financial Principles for Cybersecurity
The principles below are structured as a maturity ladder. The first two can be applied immediately, using publicly available benchmarks and structured thinking, and no proprietary model is required. Organisations should know where they stand on this ladder and be clear about it with their boards.
01. Cyber Risk Has a Cost Whether You Measure It or Not
The absence of a number doesn’t mean the absence of a cost. When organisations say they cannot quantify cyber risk, they are not avoiding the cost; they are simply declining to acknowledge it in terms the business can act on.
Several industry reports publish estimates of breach costs and incident impacts, including IBM's Cost of a Data Breach Report [1], Verizon's Data Breach Investigations Report [2], and publications from the European Union Agency for Cybersecurity (ENISA) and insurance market players. They should be treated as order-of-magnitude indicators rather than precise predictions, but they are public, widely recognised, and good enough to start the conversation internally.
The technique is scenario costing: anchoring the question to your own organisation. For example, what would a 48-hour outage cost our organisation in lost revenue, incident response, and regulatory notification? In practice, a structured business impact analysis covering revenue loss, incident response costs, and regulatory notification obligations can be completed in a matter of days, drawing on data that most finance and IT teams already hold. Then you can use industry benchmarks as a sanity check on the loss magnitude.
This approach does not require a proprietary tool or a complex model. It requires structured thinking and the willingness to estimate cyber risk.
02. The Language of Risk: From Red/Amber/Green to Financial Ranges
Qualitative heat maps – the red/amber/green matrices that populate most security risk registers – have their place, but they are incomplete. Stating “our ransomware risk exposure is red” tells a board nothing actionable. But stating “our ransomware exposure is between €3 million and €12 million with a 30% likelihood over three years” enables a capital allocation decision.
For their most material risks, organisations should move from traffic light classifications towards order-of-magnitude cost ranges, and ultimately towards probabilistic loss distributions. Each step adds value, and even the first step makes cyber risk easier for the business to act on.
We frame this path as a four-level maturity ladder:
- Level 1: Scenario costing with industry benchmarks, achievable immediately with no tooling required.
- Level 2: Expected loss ranges for the top three to five risk scenarios, built from internal data and external benchmarks.
- Level 3: Probabilistic models (FAIR, Monte Carlo simulations) for material risks, producing a range of outcomes with confidence intervals.
- Level 4: Fully integrated financial risk reporting, with cyber risk expressed in CFO and board financial disclosures.
Organisations should be explicit with their boards about where they sit on this ladder, and what it would take to move up. An honest financial range, even a wide one, is more valuable than overstating capability.
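As an added illustration of the Level 3 step (not code from the article), the following Python script runs a Monte Carlo simulation of one budget year for the ransomware scenario from Principle 02: a loss of EUR 3 million to EUR 12 million with a 30% likelihood over three years. It assumes the stated range is the 5th to 95th percentile of a lognormal loss magnitude, that years are independent, and that the EUR 5 million threshold is a constructed risk-appetite figure; all three are modelling assumptions, not figures from the article.

```python
import math
import random

# Constructed inputs, taken from the ransomware example in Principle 02:
# exposure of EUR 3M to EUR 12M with a 30% likelihood over three years.
RANSOMWARE = {"low": 3_000_000, "high": 12_000_000, "p_horizon": 0.30, "years": 3}


def annual_probability(p_horizon, years):
    """Per-year event probability from a multi-year likelihood, assuming
    independent years: 1 - (1 - p_year) ** years == p_horizon."""
    return 1.0 - (1.0 - p_horizon) ** (1.0 / years)


def lognormal_params(low, high):
    """Assumption: the low/high range is the 5th and 95th percentile of a
    lognormal loss magnitude. Returns (mu, sigma) for random.lognormvariate."""
    z90 = 1.6449  # standard normal 95th percentile (two-sided 90% interval)
    mu = (math.log(low) + math.log(high)) / 2.0
    sigma = (math.log(high) - math.log(low)) / (2.0 * z90)
    return mu, sigma


def simulate(scenario, trials=20_000, seed=7):
    """Monte Carlo over one budget year: each trial has either no incident
    or one lognormal loss. Returns the per-trial annual losses, sorted."""
    rng = random.Random(seed)
    p_year = annual_probability(scenario["p_horizon"], scenario["years"])
    mu, sigma = lognormal_params(scenario["low"], scenario["high"])
    losses = [rng.lognormvariate(mu, sigma) if rng.random() < p_year else 0.0
              for _ in range(trials)]
    return sorted(losses)


def summarise(losses, threshold):
    """Board-facing figures: expected annual loss, 95th-percentile annual loss,
    and the probability that a single year's loss exceeds the risk appetite."""
    n = len(losses)
    return {
        "expected_annual_loss": sum(losses) / n,
        "p95_annual_loss": losses[int(0.95 * n)],
        "p_exceeds_threshold": sum(1 for x in losses if x > threshold) / n,
    }


if __name__ == "__main__":
    # Constructed risk-appetite threshold of EUR 5M for the example.
    summary = summarise(simulate(RANSOMWARE), threshold=5_000_000)
    print(f"Expected annual loss: EUR {summary['expected_annual_loss']:,.0f}")
    print(f"95th percentile annual loss: EUR {summary['p95_annual_loss']:,.0f}")
    print(f"P(annual loss > EUR 5M): {summary['p_exceeds_threshold']:.1%}")
```

The expected annual loss is the figure to compare against a control's yearly cost, while the 95th percentile and the exceedance probability are what a board needs to judge whether the retained risk sits inside its appetite.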
03. CapEx vs. OpEx in Cybersecurity
Capital expenditure (CapEx) includes all spending on assets with a useful life greater than one year, such as on-premises firewall appliances, physical servers, and owned software licences. Operating expenditure (OpEx) covers ongoing costs, including cloud web application firewall (WAF) subscriptions, software as a service (SaaS) security tools, and managed detection and response services.
This distinction matters enormously for cybersecurity. A firewall appliance purchased for €500,000 is treated as CapEx and depreciated over five years, creating a fixed book cost even when the threat landscape evolves. The same capability delivered as a cloud service costs €120,000 per year as OpEx – consumed monthly, scalable, and cancellable when requirements change.
The shift to cloud-first security architectures is fundamentally a shift from CapEx to OpEx. This has direct implications for budget approval processes: CapEx typically requires capital committee sign-off and creates depreciation schedules, while OpEx flows through operating budgets with less friction but creates ongoing cost commitments that must be managed actively. CFOs and CISOs must align explicitly on which treatment fits the organisation's financial strategy.
04. Fixed vs. Variable Security Costs
Fixed security costs, such as headcount or long-term software contracts, do not flex with business conditions. Variable costs, such as incident response retainers, penetration testing, or cloud security services consumed on demand, can be scaled up or down as priorities shift.
Understanding this ratio is critical when budget pressure arrives. When a CFO proposes a 15% security budget cut, a CISO who cannot distinguish fixed from variable commitments cannot respond appropriately. A CISO who knows, for example, that 75% of the budget is fixed can explain precisely: “We can return €X by reducing variable spend, but it means no proactive testing for 18 months—a risk the board must explicitly accept.” That is a governance conversation, not just a financial one.
Security staffing represents approximately 39% of the average security budget, with software at 29% in 2025, according to research from IANS and Artico Search [3]. Most of the spending in both categories is fixed. CISOs should map their full budget against the fixed/variable split before any budget conversation with Finance. This is one of the most useful analytical tools available.
05. Cyber Insurance as a Financial Instrument
Cyber insurance is risk transfer on the balance sheet. It shifts part of the financial consequences to an insurer in exchange for a premium that reflects the organisation’s security posture, sector, and coverage limits.
A common problem is that organisations treat cyber insurance as a box to tick rather than a financial instrument to manage actively. Exclusions, such as war clauses, unpatched systems, or state-sponsored attack exclusions, mean that many organisations believe they are covered when they are not.
The CFO owns the insurance relationship. The CISO owns the security posture that determines eligibility and premium. These two functions must be aligned on what the policy covers, and that alignment requires an annual joint review, not a one-time sign-off at renewal. Insurers increasingly require evidence of multi-factor authentication (MFA), patching cadence, and endpoint detection and response (EDR) deployment as conditions of coverage. The security controls the CISO manages directly affect the financial terms the CFO signs.
06. Regulatory Cost Allocation and Materiality
Regulatory obligations set a non-discretionary financial floor for security investment. In budget conversations, this is a critical distinction: some security spend is optional and calibrated against risk appetite, but compliance spend is not. In Europe, that floor has risen sharply, and continues to rise as the regulatory environment evolves.
Regulations like the Network and Information Security Directive 2 (NIS2), the General Data Protection Regulation (GDPR), and the Digital Operational Resilience Act (DORA) assign direct financial consequences to cybersecurity failures, and place accountability explicitly at board and senior management level. The question of what constitutes a reportable incident is therefore no longer a technical judgement made by a security team. It is a governance judgement requiring CFO and CISO alignment, agreed protocols, and incident response playbooks that are established and tested well before any incident occurs.
The financial mechanics follow directly. Compliance costs should be budgeted and ring-fenced separately from discretionary security spend. They should be treated as a fixed, non-negotiable line item in the same way an organisation would treat a statutory audit fee or a mandatory insurance premium. When a CFO reviews the security budget for cuts or optimisation, compliance-driven spend must be clearly labelled as off-limits, with the potential fine exposure shown alongside it as context. A €200,000 annual NIS2 compliance programme sits differently in a budget conversation when the board can see it next to a €10 million regulatory fine exposure.
The allocation question matters as well. Compliance costs are indirect costs in the Finance 101 sense as they benefit the whole organisation, not a single business unit. How they are distributed across business units – by headcount, by data volume, or by revenue contribution – shapes whether business unit leaders feel accountability for the cyber risk that drives those costs. Organisations that allocate compliance costs transparently create the right incentives. Those that absorb them into an undifferentiated IT overhead do not.
07. Cyber Budget Benchmarking
Without benchmarks, every cyber budget conversation starts from scratch, with no shared reference point, no competitive context, and no basis for a business case beyond “the threats are getting worse.”
As per several industry benchmarks (Gartner, IDC, IANS), enterprises typically spend 5%-15% of their IT budget on cybersecurity, depending on the sector in which they operate. EU organisations now allocate an average of 9% of their IT budgets to cybersecurity, according to ENISA [4].
These numbers give boards a frame of reference and give CISOs a more robust basis for argument rather than a wish list. However, they are not enough. The conversation must shift from cost to value, acknowledging security not as an overhead but as a capability that underpins revenue continuity, sustains customer trust, supports regulatory compliance, and enables entry into new markets.
The Bottom Line
The board does not want to know every technical detail of the organisation's security posture, any more than it wants to know how depreciation was calculated on assets in a regional office. What it wants to know is whether the CISO has done a good job managing cyber risk, and can explain it in plain financial terms.
Achieving that standard requires that CISOs, CFOs, and their boards share the financial literacy needed to have the right conversation around cybersecurity.
Sources
- [1] IBM, Cost of a Data Breach Report 2025
- [2] Verizon Business, 2025 Data Breach Investigations Report
- [3] IANS, Artico Search, 2025 Security Budget Benchmark Summary Report
- [4] ENISA, “What’s Driving Cybersecurity Investments and Where Lie the Challenges?”