Finance teams left out of the loop on cyber risk programs

Written on Aug 1, 2025

Most organizations still treat cybersecurity as an information technology concern, giving little weight to finance and other considerations, according to a recent study commissioned by cybersecurity firm Qualys. 

Less than a quarter (22%) of companies include finance teams in their cybersecurity risk discussions, according to the research. While 49% of respondents said their organizations have established formal cybersecurity risk programs, only 30% reported that such programs are prioritized based on business objectives. 

“Security programs that fail to align with operational, financial, and regulatory stakes are simply ineffective,” Mayuresh Ektare, vice president of product management at Qualys, said in a blog post on the research. 

The vast majority (71%) of organizations believe their cyber risk levels are rising or holding steady, showing that many security investments are failing to move the needle, according to the blog post. Qualys found that just 14% of organizations use a cyber-risk approach that ties together integrated risk scenarios with financial measurements. 

“[I]t’s clear that throwing more money at tools or talent won’t move the needle unless the organization has a risk-centric operating model that prioritizes business context, continuously assesses controls, and communicates risk in business terms,” Ektare wrote. 

The FBI’s Internet Crime Complaint Center received 859,532 complaints of suspected internet crime in 2024, with reported losses exceeding $16 billion, a 33% increase over the prior year, according to a report released in April. 

Mitigating cyber risks and incorporating them into the organization’s long-term financial strategy is a mission shared by multiple people in the C-suite, including the CFO, who is “uniquely positioned to quantify these risks and estimate the cost of an incident,” the authors said. 

Working in concert with the chief information security officer, the CFO can “better understand the probability and exposure to risk, set metrics on spending and ROI and communicate recommendations for prioritizing cybersecurity spending,” they wrote. 
