What CFOs really think about cyber risk

by Black Hat Middle East and Africa

Cybersecurity has firmly entered the CFO agenda. According to the 2025 CFO Priorities Survey from Jefferson Wells, it’s the second-biggest strategic concern for CFOs, sitting just behind profitability. It’s also a board-level priority, with 25% of directors naming cybersecurity among their top issues in 2025. 

When CFOs list what ‘keeps them awake at night,’ 27% put cybersecurity on the list – alongside cost optimisation, competition, and navigating economic uncertainty.

This is telling. CFOs are no longer passive stakeholders in security; they see cyber risk as an operational and financial vulnerability (which is a good thing). But profitability still dominates the finance agenda, so CISOs will need to frame cyber investments as drivers of value, resilience, and competitive advantage, not just threat mitigation.

The confidence gap: CFOs believe they can handle cyber risk

One of the most notable findings is the confidence CFOs have in their organisations’ cyber readiness.

In the section exploring agility and innovation under pressure, 63% of CFOs say their company can ‘pivot and respond well’ to cybersecurity risks. Another 35% say it takes time but they get there, and only 2% say they can’t respond effectively.

CFOs also report ‘a high level of confidence’ in their organisations’ cybersecurity capabilities overall. 

And involvement is high: 

  • 73% of CFOs are involved in cyber strategy.
  • Nearly half (49%) say they are deeply involved in both strategy and cyber incident response.
  • In large enterprises (>$1bn revenue), 68% of CFOs report being deeply involved, whereas in smaller companies (<$200m), 15% say they’re not involved at all.

For CISOs, CFO confidence is both a positive and a challenge. CFOs believe their organisations can adapt quickly to cyber risks – a perspective that security teams might not share, given tooling gaps, attack surface complexity, and increasing pressure from AI-augmented threats.

And this makes expectation-setting a critical leadership skill for CISOs in the year ahead. 

Cyber spending is rising – but it’s competing with AI

When asked where they plan to invest in technology next year, 43% of CFOs put cybersecurity tools on the list. 

But it ranks below AI (69%), financial reporting systems (56%), and automation (52%). In terms of budget dynamics, cybersecurity has crept up the priorities list, but it’s still not the primary concern. 

And there’s also a significant shift toward external expertise. When CFOs were asked where they expect to rely on third party providers in 2025, the top categories were:

  • AI (59%)
  • Cybersecurity (51%)
  • Tax support (41%)
  • Technology transformation (40%) 

We think this is one of the report’s most important findings. CFOs recognise they don’t have enough in-house capability to manage emerging risks. They expect to buy expertise rather than build it.

And when selecting service providers, CFOs prioritise:

  1. Subject matter expertise (61%)
  2. Industry expertise (58%)
  3. Price (41%) 

For cybersecurity leaders, this is good news. CFOs are explicitly saying they’ll put expertise over cost. CISOs can lean into that when making the case for specialised partners, advanced tooling, and specialised headcount.

Lessons for CISOs from the CFO mindset

If you’re a CISO who wants to build stronger alignment with finance leaders next year, the report outlines three clear opportunities.

  1. Speak in board language: profitability + resilience + competitive advantage
    Boards rank profitability (63%), technology transformation (38%), and competitive advantage (38%) ahead of cyber (25%). Cyber can’t be sold as insurance – it has to be positioned as a business enabler, a condition for executing strategy, and a protective layer for transformation initiatives.
  2. Treat CFO confidence as an alignment opportunity (not a barrier)
    That 63% confidence score means CFOs believe their organisation can handle cyber risks better than they can handle tech end-of-life issues, competitive shifts, tariffs or wage pressure. You can build on this confidence by identifying where it’s justified, where it isn’t, and showing where targeted investment will increase resilience. This is a chance to elevate cyber as part of the organisation’s change muscle.
  3. Use the outsourcing trend to accelerate capability
    The fact that 51% of CFOs expect to use external cybersecurity service providers is a very practical insight: CFOs already assume cyber is a specialised discipline. You can use this to strengthen arguments for expert partners, high-context MSSP models, threat intelligence subscriptions and specialist incident response retainers. The buying criteria (expertise over price) should give you the confidence to pursue value instead of going with the lowest bid.

CFOs are thinking about cyber 

The research shows that CFOs are becoming more active in cybersecurity. They’re growing in confidence, they’re getting more hands-on, and they’re ready to spend. 

This is an opportunity for CISOs to translate risk into business outcomes and anchor investments in transformation. And importantly, use your CFO’s appetite for external support to build resilience faster.

If you can meet finance leaders where they are, your organisation will be stronger for it.
