How to Get the CFO to Fund Cybersecurity
Your cybersecurity budget keeps getting cut because you speak the wrong language. Here's how to frame security as a risk-adjusted investment a CFO respects.
“We already spend a lot on security. What would more buy us?”
If you’ve ever stood in front of a CFO and heard that question, you know the feeling. Not hostility — something worse. Genuine confusion. The CFO isn’t being difficult. They’re applying the same capital allocation logic they use for every other budget line: show me the return, and I’ll fund it. The problem is that most security leaders can’t show it — not because the return doesn’t exist, but because the cybersecurity budget conversation has been happening in the wrong language for twenty years.
I spent 15 years as the Chief Security Officer at Silicon Valley Bank, presenting to the board and defending budget requests against the same scrutiny applied to credit risk models and market risk hedges. The CFO didn’t give me money because cybersecurity was important. She gave me money because I could show her, in dollar terms, what we were buying: measurable risk reduction against specific threat scenarios, denominated in annual loss expectancy. That’s a different conversation than “we need more tools.”
This is the structural problem — and how to fix it.
Why Your Cybersecurity Budget Request Fails
Every CFO manages a portfolio of risks. Credit risk has expected loss models. Market risk has value-at-risk. Operational risk has loss event databases. Each risk category speaks in dollars, probabilities, and confidence intervals. The CFO allocates capital based on risk-adjusted return.
Then the CISO walks in with a heat map.
Red, yellow, green. High, medium, low. A list of vulnerabilities ranked by severity scores that mean nothing to a finance professional. Maybe a reference to a framework — NIST, ISO, CIS Controls — with a maturity score expressed on a 1-to-5 scale that sounds like a restaurant review. The CFO nods politely, approves something less than requested, and moves on to a budget line where the math actually works.
This isn’t a failure of the CFO. It’s a failure of the security profession to translate its value into terms the business already understands. We’ve been speaking in technical severity when the CFO thinks in financial materiality.
The fix isn’t better slides. The fix is cyber risk quantification — the discipline of translating security findings into the same financial language every other risk function already speaks.
The ALE Conversation CFOs Actually Respect
Annual loss expectancy is the unit of measurement that changes everything. ALE takes a risk scenario — say, a ransomware event affecting production systems — and produces a dollar figure: the expected annual financial loss from that scenario given your current controls. Not a severity rating. Not a color. A number with a dollar sign in front of it.
The formula is straightforward: single loss expectancy (the full cost of one occurrence) multiplied by annualized rate of occurrence (how many times per year it is expected to happen; for rare events this is close to the annual probability). A $4 million ransomware recovery cost with an annualized rate of occurrence of 0.25 produces a $1 million ALE. That's the number your CFO already knows how to evaluate.
Now here's where the cybersecurity budget conversation transforms. You're no longer saying "we need an endpoint detection platform." You're saying: "This $350,000-a-year investment reduces our ransomware ALE from $1 million to $200,000. That's $800,000 of annual risk reduction for $350,000 of annual spend, a risk-adjusted return of roughly 129%: ($800,000 − $350,000) ÷ $350,000." Two things keep that sentence honest: the cost must be annualized (licences, staff, amortized deployment) so it compares with an annual loss figure, and you must be able to say which part of the ALE the control moves, the frequency, the impact, or both.
The CFO leans forward. You just spoke their language.
I’ve watched this happen in real time — not in theory, but in the boardroom. When I was presenting quarterly at SVB, the shift from qualitative risk theater to quantitative risk measurement changed the entire dynamic. The board stopped asking “are we secure?” (an unanswerable question) and started asking “where does the next dollar of security spend produce the highest risk reduction?” That’s a question with an answer. That’s a question a CFO can work with.
From Heat Maps to Financial Models: The Cybersecurity Budget Playbook
If you want to rebuild how your organization funds security, here’s the playbook that actually works. It’s not about persuasion. It’s about translation.
Step 1: Identify the risk scenarios that matter to the business
Not every vulnerability is a board-level conversation. Pick three to five scenarios that would materially impact the company: ransomware on production systems, data breach affecting regulated customer data, supply chain compromise, business email compromise at scale, insider threat to intellectual property. These should be scenarios your CEO and CFO would recognize as existential or near-existential.
Step 2: Quantify each scenario in ALE terms
For each scenario, estimate single loss expectancy and annualized rate of occurrence. This is where most security teams get stuck — they default to “we can’t know the exact numbers.” They’re right. You can’t. But the CFO can’t know the exact probability of a loan default either. They use calibrated estimates, historical data, and models. So should you.
My partner Doug Hubbard, who wrote How to Measure Anything in Cybersecurity Risk, has demonstrated that calibrated estimation consistently outperforms both gut instinct and qualitative rating scales. You don't need perfect data. You need defensible ranges. Monte Carlo simulation handles the rest: it samples thousands of simulated years from your input ranges and produces a loss curve that shows both the expected annual loss (the ALE) and the tail, the bad years that a single expected value hides.
This is exactly what Theodolite was built to do: take your security findings and produce ALE-denominated risk models that a CFO can evaluate alongside every other risk in the portfolio.
Step 3: Show risk reduction, not risk elimination
CFOs don’t believe in zero risk. They manage risk for a living. When you promise to “eliminate the threat,” you lose credibility. When you show that a specific investment reduces ALE from $2.4 million to $600,000 — and you can explain the mechanism of that reduction — you gain it.
Present a menu of investments ranked by risk-adjusted return. The CFO is used to seeing this for capital projects. They’ve never seen it for cybersecurity. The first time they do, the relationship changes permanently.
Step 4: Tie the conversation to the risk register
If your company has an enterprise risk management function, your cybersecurity risks should appear on the same register as credit risk, market risk, and operational risk. Denominated the same way. Reviewed the same way. If cybersecurity is a separate conversation that happens in a separate meeting with separate terminology, you’ve already lost — you’re not competing for budget, you’re begging for it.
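As an added example, not code from the article, from Theodolite, or from Hubbard's book, here is a minimal version of Steps 2 and 3 in Python using only the standard library: the page's point formula (SLE × ARO), the 90% confidence interval framing used later in the article, a Monte Carlo that samples thousands of simulated years from calibrated ranges, and a menu of controls ranked by (ALE reduction − annual cost) ÷ annual cost, the ROI form given in the FAQ. The scenario figures, the three controls and their post-control ranges are constructed for illustration. Fitting a lognormal to a 90% interval and drawing the yearly event count from a Poisson distribution are modelling choices of this example, not something the article prescribes.

```python
# Added example: calibrated 90% ranges in, ALE plus tail out, controls ranked by return.
import math
import random
from dataclasses import dataclass

Z90 = 1.6449  # z-score bounding the central 90% of a normal distribution

@dataclass(frozen=True)
class Scenario:
    name: str
    sle_ci: tuple  # 90% CI for single loss expectancy, dollars: (low, high)
    aro_ci: tuple  # 90% CI for annualized rate of occurrence, events per year

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # annualized, so it compares with an annual loss figure
    after: Scenario     # the scenario re-estimated with the control in place

def lognormal_from_ci(low, high):
    """Lognormal whose 5th and 95th percentiles are the calibrated 90% CI."""
    if not 0 < low < high:
        raise ValueError("90% CI must satisfy 0 < low < high")
    return (math.log(low) + math.log(high)) / 2, (math.log(high) - math.log(low)) / (2 * Z90)

def poisson(lam, rng):
    """Knuth's Poisson sampler; fine for the small annual rates used here."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1

def point_ale(sle, aro):
    """The page's back-of-envelope formula: ALE = SLE * ARO."""
    return sle * aro

def analytic_ale(s):
    """Closed-form mean of the model, E[rate] * E[SLE]; a sanity check on the simulation."""
    mu_s, sg_s = lognormal_from_ci(*s.sle_ci)
    mu_r, sg_r = lognormal_from_ci(*s.aro_ci)
    return math.exp(mu_r + sg_r ** 2 / 2) * math.exp(mu_s + sg_s ** 2 / 2)

def simulate(s, trials=20_000, seed=7):
    """One trial = one simulated year: draw a rate, an event count, a loss per event."""
    rng = random.Random(seed)
    mu_s, sg_s = lognormal_from_ci(*s.sle_ci)
    mu_r, sg_r = lognormal_from_ci(*s.aro_ci)
    losses = []
    for _ in range(trials):
        events = poisson(rng.lognormvariate(mu_r, sg_r), rng)
        losses.append(sum(rng.lognormvariate(mu_s, sg_s) for _ in range(events)))
    return losses

def summarize(losses):
    """ALE is the mean of the loss curve; p95/p99 are the tail the CFO asks about next."""
    s, n = sorted(losses), len(losses)
    return {"ale": sum(s) / n,
            "p95": s[min(n - 1, int(0.95 * n))],
            "p99": s[min(n - 1, int(0.99 * n))],
            "p_any_loss": sum(1 for x in s if x > 0) / n}

def risk_adjusted_return(reduction, cost):
    """(ALE reduction - annual cost) / annual cost, the ROI form used in the FAQ."""
    return (reduction - cost) / cost

def rank_controls(baseline, controls, trials=20_000, seed=7):
    """Rank controls by risk-adjusted return. Reusing the seed gives the before/after
    runs common random numbers, so the difference between them is far less noisy."""
    before = summarize(simulate(baseline, trials, seed))["ale"]
    rows = []
    for c in controls:
        after = summarize(simulate(c.after, trials, seed))["ale"]
        reduction = before - after
        rows.append({"control": c.name, "cost": c.annual_cost, "ale_before": before,
                     "ale_after": after, "reduction": reduction,
                     "roi": risk_adjusted_return(reduction, c.annual_cost)})
    return sorted(rows, key=lambda r: r["roi"], reverse=True)

# Constructed inputs: one ransomware scenario and three hypothetical controls.
RANSOMWARE = Scenario("ransomware on production", (1_000_000, 8_000_000), (0.1, 0.5))
CONTROLS = [
    Control("EDR + 24x7 response", 350_000,       # cuts frequency
            Scenario("with EDR", (1_000_000, 8_000_000), (0.02, 0.10))),
    Control("immutable, tested backups", 120_000,  # cuts impact
            Scenario("with backups", (300_000, 2_400_000), (0.1, 0.5))),
    Control("IR retainer + tabletop", 40_000,      # trims impact slightly
            Scenario("with IR retainer", (800_000, 6_400_000), (0.1, 0.5))),
]

if __name__ == "__main__":
    base = summarize(simulate(RANSOMWARE))
    print(f"{RANSOMWARE.name}: ALE ${base['ale']:,.0f} (closed form ${analytic_ale(RANSOMWARE):,.0f}),"
          f" p95 ${base['p95']:,.0f}, p99 ${base['p99']:,.0f}, P(any loss) {base['p_any_loss']:.0%}")
    for r in rank_controls(RANSOMWARE, CONTROLS):
        print(f"{r['control']:<26} ${r['cost']:>8,.0f}/yr  ALE ${r['ale_before']:,.0f}"
              f" -> ${r['ale_after']:,.0f}  return {r['roi']:.0%}")
```

Two design points matter when you take this to a CFO. First, ARO is treated as a rate, not a probability, so the simulation can produce years with two incidents and its mean agrees with the closed-form check in `analytic_ale`; the p95 and p99 lines are the "tail risk" the article says a single expected value hides. Second, the before and after runs share the same seed: with common random numbers the estimated reduction is far less noisy than the two ALEs it is computed from, which is what you want when the ranking, not the absolute number, is the decision. With these constructed inputs the cheaper impact-reducing controls outrank the expensive frequency-reducing one, which is exactly the kind of result a ranked menu exists to surface.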
The Psychological Barrier: Why Security Leaders Resist Quantification
Here’s something I’ve observed across dozens of organizations: the biggest obstacle to quantitative cybersecurity budgeting isn’t the CFO. It’s the CISO.
Many security leaders have built careers on qualitative assessment. The heat map is familiar. The maturity model is comfortable. Quantification feels like exposure — what if my numbers are wrong? What if the CFO challenges my assumptions?
This is exactly the vulnerability that keeps cybersecurity stuck in the budget basement. Every other risk function submits to quantitative scrutiny. Credit risk officers defend their models. Actuaries defend their loss curves. They accept that models are imperfect because imperfect models are infinitely more useful than no models at all.
As I wrote in Cyber War and Peace, resilience is execution, held together by governance. Governance means accountability. Accountability means measurement. You cannot govern what you cannot measure, and you cannot fund what you cannot measure either.
The security leader who learns to say “my 90% confidence interval for this ALE estimate is $800,000 to $1.6 million” earns more respect — and more budget — than the one who says “the risk is high.”
What a Funded Cybersecurity Program Actually Looks Like
When the cybersecurity budget conversation shifts from cost to investment, the organizational dynamics change in ways that compound over time.
First, budget renewals become easier. You’re no longer re-justifying security’s existence every fiscal year. You’re reporting on risk-reduction returns from last year’s investments and proposing new ones based on the current threat landscape. The CFO treats your budget the same way they treat the hedging desk’s budget — as a cost of managing the portfolio.
Second, security gets a seat at strategic decisions. M&A due diligence, product launches, market expansions — when you can quantify the cyber risk of a business decision in dollar terms, you get invited into the room before the decision is made, not after.
Third, the board conversation elevates. Instead of a compliance checkbox — “the CISO presented, we listened” — you get engaged directors asking specific questions about risk-return tradeoffs. That’s strategic cybersecurity oversight working as it should.
The Question Nobody Asks
Every company I’ve worked with — from growth-stage startups to publicly traded banks — eventually arrives at the same realization. The cybersecurity budget isn’t a technology cost. It’s a risk-adjusted investment. And the only reason it hasn’t been treated that way is that nobody translated it into the language the people who control capital already speak.
The CFO isn’t the obstacle. The heat map is.
Frequently Asked Questions
How do I justify cybersecurity spending to the CFO?
Frame every security investment as risk-adjusted return. Quantify the annual loss expectancy for the threat scenario the investment addresses, show the ALE reduction the investment produces, and express the result as ROI: (risk reduction minus cost) divided by cost. CFOs evaluate every other capital allocation this way. Give them the same inputs for cybersecurity and the conversation shifts from “how much should we spend” to “where does the next dollar produce the highest return.” Our guide on how to measure cybersecurity ROI walks through the full methodology.
What is annual loss expectancy and why does the CFO care?
Annual loss expectancy is the expected financial loss from a specific risk scenario over one year: single loss expectancy multiplied by annualized rate of occurrence. The CFO cares because ALE is denominated in the same unit, dollars of expected loss per year, that credit risk, market risk, and operational risk already report in. It makes cybersecurity legible to finance. When you say "this investment reduces our ransomware ALE by $800,000 for a $350,000 annual spend," the CFO can evaluate that alongside every other line item in the risk budget. The ALE calculator guide breaks down the formula with worked examples.
Why do red-yellow-green risk matrices fail in cybersecurity budget conversations?
Because they’re ordinal, not cardinal. A CFO can’t compare “high” to “$1.2 million.” They can’t calculate return on investment from a color. Qualitative matrices also compress wildly different risks into the same category — a $50,000 exposure and a $5 million exposure can both be “red.” That compression makes rational capital allocation impossible. The alternative is cyber risk quantification, which replaces subjective tiers with calibrated financial estimates that plug directly into enterprise risk management frameworks.
How much should a company spend on cybersecurity?
There is no universal percentage-of-revenue benchmark that holds up under scrutiny. The right cybersecurity budget depends on your specific risk profile: what data you hold, what regulations you face, what threat actors target your industry, and what controls you already have in place. The honest answer is: spend until the marginal cost of the next security investment exceeds the marginal risk reduction it produces. That calculation requires quantitative risk measurement — without it, you’re guessing. A fractional CSO can help you build the measurement framework before you commit to the spend.
Nick Shevelyov is the founder of vCSO.ai and former Chief Security Officer of Silicon Valley Bank. He advises boards, PE/VC firms, and growth-stage companies on translating cybersecurity risk into the financial language that gets programs funded.