GUEST OPINION: Cybersecurity is one of the biggest risks to organisations, and responsibility no longer sits with IT alone. It’s a whole-of-business issue. Chief financial officers (CFOs) are expected to play an active role in protecting the company from digital threats, and the consequences of ignoring them are too severe to overlook. Financial losses, reputational damage, regulatory fines, and even declines in market valuation are now common outcomes of a poorly managed cyber incident.
Jonathan Beeby, managing director, SAP Concur Australia and New Zealand, said, “CFOs bring a unique perspective to cybersecurity. Their expertise in managing financial risk, regulatory compliance, and governance makes them well-suited to evaluate the cost implications of cyber defence strategies. Finance leaders can drive a more strategic approach to funding and prioritising security initiatives by framing cybersecurity as a business investment rather than simply an IT expense. This financial oversight lets organisations allocate resources proactively to reduce vulnerabilities before they escalate.”
Artificial intelligence (AI) has intensified the threat landscape by creating new risks, including adversarial attacks and the weaponisation of AI by cybercriminals, and CFOs cannot ignore this dynamic. This is not just a technical issue for CFOs; it’s a financial and operational one, as a single breach can disrupt supply chains, drain liquidity, and erode shareholder trust.
Many finance leaders remain reluctant to embrace a deeper role in cybersecurity despite these risks. This hesitation is often rooted in a lack of technical understanding or a belief that such responsibilities sit solely with the chief information security officer (CISO). Yet, this reluctance creates gaps in oversight that adversaries are quick to exploit. CFOs risk limiting their ability to challenge assumptions, ask the right questions, and hold security teams accountable without at least a foundational knowledge of cybersecurity risks.
Clarity of responsibility is another barrier, with CFOs often unsure whether cybersecurity should be led solely by IT or shared across departments, which delays decisive action and weakens collaboration. Establishing clear governance structures where finance and IT share accountability lets companies build stronger, more unified defences. Effective cross-functional collaboration also helps align cybersecurity priorities with broader business objectives, preventing security from being sidelined by competing departmental goals.
The benefits extend beyond risk mitigation as CFOs step into this role. A stronger cybersecurity culture emerges when leaders outside of IT champion the cause, signalling that security is everyone’s responsibility. CFOs reinforce an organisation-wide ethos that treats cyber resilience as integral to financial stability by advocating for training, funding insurance, and promoting transparent incident reporting. Such cultural shifts can reduce the success of social engineering attacks, which remain one of the most common threats to companies today.
Jonathan Beeby said, “A well-prepared finance leader will have worked alongside the CISO to establish clear processes for responding to breaches, communicating with regulators, and protecting sensitive financial data. CFOs may even be directly involved in ransom negotiations or in explaining the financial impacts of an incident to the board and shareholders. This type of early engagement is essential because a crisis should never be the first time these conversations take place.”
Finance leaders also shape transparency across departments, incorporating security considerations into financial systems, supplier contracts, and investment appraisals from the outset. In doing so, they embed cybersecurity into routine business decision-making, extending it to procurement, transformation programs, and financial audits to catch vulnerabilities before they turn into liabilities. CFOs similarly support a more secure operating environment by driving investment into financial management solutions, such as travel and expense management systems, that have cybersecurity built in.
Jonathan Beeby said, “The evolution of the CFO’s role in cybersecurity reflects the interconnected nature of today’s risks. Cybersecurity is no longer a siloed technical issue; it’s a core business risk with direct financial implications. CFOs who actively engage in this space are protecting their organisations while reinforcing their position as strategic leaders who can balance growth ambitions with risk management.”