vCISO LeadershipMay 26, 20264 min read

What Should a CFO Know About Cybersecurity?

You do not need to understand encryption algorithms. You do need to know your risk score, insurance posture, and the dollar cost of doing nothing.

Security analyst reviewing cybersecurity dashboards
Key takeaway

A CFO does not need to understand encryption algorithms. But they do need to know their organization's risk score, insurance posture, compliance gaps, and the dollar cost of inaction. That is what a vCISO delivers without adding headcount.

The four numbers every CFO should know

Cybersecurity is a financial risk, not a technology problem. As CFO, there are four numbers that define your organization's security posture in business terms.

  • Annual loss expectancy (ALE): The dollar value of probable cyber losses per year, calculated from threat likelihood and impact. For a mid-market firm, a single ransomware incident averages $1.85 million in total cost (downtime, recovery, legal, notification).
  • Current security spend as a percentage of revenue: Industry benchmarks range from 4-10% of IT budget allocated to security, or 0.5-1.5% of revenue. If your number is significantly below this, you are likely underinvested.
  • Mean time to detect (MTTD): How long it takes to discover a breach. The global average exceeds 190 days. Every day of delay increases the cost of the incident.
  • Insurance coverage ratio: Your cyber insurance policy limit divided by your probable maximum loss. If this ratio is below 1.0, you are self-insuring the gap, and the board should know.

A vCISO can produce these four numbers within the first 30 days of engagement, giving you a financial framework for security decisions.

Cyber insurance: what CFOs get wrong

Most CFOs treat cyber insurance as a commodity purchase: compare premiums, pick the lowest price, and file the policy. This approach creates dangerous gaps.

  • Coverage gaps: Many policies exclude nation-state attacks, social engineering losses, and regulatory fines. If you have not read the exclusions, you do not know what you are paying for.
  • Sublimits: Your policy may have a $5 million aggregate limit but a $500,000 sublimit for ransomware payments. The sublimit is the real number.
  • Retroactive dates: Claims for incidents that occurred before the retroactive date are excluded, even if discovered during the policy period.
  • Underwriting trends: Underwriters now require MFA, EDR, backup testing, and incident response plans as conditions of coverage. Failing to maintain these controls can void the policy.
  • Premium optimization: CCK Advisors improved their security posture through vendor-neutral advisory and saw favorable insurance outcomes because underwriters reward demonstrated control maturity, not just policy purchases.

A vCISO coordinates with your broker to ensure your security investments translate into insurance premium savings and coverage improvements.

How to explain IT risk to your board

Board members need risk communicated in financial and operational terms, not technical jargon. Here is a framework that works consistently across industries.

  • Lead with dollars, not technology: Instead of "we need a SIEM," say "our mean time to detect a breach exceeds 190 days, which adds $1.2 million to the average incident cost. A detection capability reduces that to 24 hours."
  • Use the risk register: Present the top five risks ranked by annual loss expectancy. For each risk, show current mitigation status and residual exposure.
  • Compare to insurance: Frame security investments as self-insurance. "We can pay $80,000/year for endpoint detection, or we can accept $1.85 million in expected loss exposure. The insurance policy has a $500,000 sublimit for ransomware."
  • Show compliance status: Present a simple green/yellow/red scorecard against applicable frameworks (HIPAA, PCI-DSS, SOX, CMMC). Boards understand compliance risk.
  • Benchmark against peers: Industry benchmarks give boards context. "Companies our size spend 4% of IT budget on security. We spend 1.5%."

A vCISO prepares these board presentations as a standard deliverable, translating technical posture into executive language.

When to bring in a vCISO

The right time to engage a vCISO is before a security incident forces the decision. Here are the specific triggers that indicate the need.

  • You cannot answer the four questions above. If you do not know your ALE, security spend ratio, MTTD, or insurance coverage ratio, you lack the data to make informed decisions.
  • You are approaching a compliance deadline. HIPAA, PCI-DSS, SOX, CMMC, and state privacy laws all require documented security governance. A vCISO builds the framework.
  • Your cyber insurance is up for renewal. Premiums are rising, and underwriters are asking questions your team cannot answer confidently.
  • You have experienced a near-miss or incident. A phishing email that almost succeeded, a ransomware attempt that was narrowly contained, or a vendor breach notification.
  • Your IT director left. Chicago Jet Group brought in fractional CIO leadership after losing their IT director and achieved zero downtime during the transition.
  • Your board is asking questions you cannot answer. Board members increasingly ask about cybersecurity posture. If you are deferring to your MSP for answers, you need independent advisory.

A vCISO engagement costs $60,000-$180,000 per year. A mid-market ransomware incident costs $1.85 million on average. The math is not complicated.

Frequently asked questions

How much should our company spend on cybersecurity?

Industry benchmarks suggest 4-10% of your IT budget should be allocated to security, or approximately 0.5-1.5% of annual revenue. However, the right number depends on your risk profile, regulatory requirements, and industry. A vCISO can benchmark your current spend against peers and recommend a defensible budget based on your specific risk exposure, not arbitrary percentages.

Is cybersecurity the CFO's responsibility?

Cybersecurity is a business risk, which makes it a leadership responsibility. While the CFO does not manage security operations, they are responsible for ensuring adequate investment, understanding insurance coverage, and communicating risk to the board. In most mid-market companies without a dedicated CISO, the CFO is the executive most likely to own the cyber risk portfolio.

What is the ROI of cybersecurity investment?

Cybersecurity ROI is best measured as risk reduction. Compare the annual cost of security controls against the annual loss expectancy without those controls. For example: if endpoint detection costs $80,000/year and reduces your expected ransomware loss from $1.85 million to $185,000, the ROI is the $1.585 million in avoided expected loss. A vCISO quantifies this for your specific risk profile.

Related decision guides

Ready to compare specific options? These guides help you narrow from education into a concrete buying decision.

Security analyst reviewing multiple monitoring dashboards.
Cybersecurity

MDR vs Endpoint Protection vs SIEM/SOC

Use this guide to understand how endpoint protection (sometimes called EDR), MDR, and SIEM / SOC differ so security layers are sequenced instead of stacked blindly.

Clarifies security layersHelps sequence controlsConnects to security catalog
Best for: security layer confusion, monitoring gaps, detection strategy
Read guide
Security interface with a lock icon and policy-like overlays.
Cyber Insurance & Compliance

Insurance readiness vs assessment

Use this guide to decide whether the next step should be renewal-focused readiness work or a broader cybersecurity posture review.

Narrows the right reviewHelps compare optionsConnects to advisory support
Best for: renewal deadlines, security posture gaps, compliance pressure
Read guide

Ready to take the next step?

Talk to our advisory team about applying these insights to your business.

Book a vCISO Executive Review
Continue reading

Related insights

Security operations team reviewing monitors
vCISO Leadership
vCISO vs Full-Time CISO vs Outsourced MSSP

Three models for cybersecurity leadership, each with different costs, scopes, and trade-offs. Here is how to choose the right one for your organization.

CFOCOO
Read insight
Financial dashboard showing cost metrics
Cost Optimization
How One Firm Reduced IT Costs by 38%

CCK Advisors reduced IT costs by 38% while strengthening cybersecurity. Here is the vendor-neutral framework behind the results.

CFOCOOBusiness Owner
Read insight
Team discussing data and strategy
Advisory Model
Vendor-Agnostic vs Channel-Partner IT Advisors

The IT advisor you trust may earn commissions from the vendors they recommend. Here is how to tell the difference and why it matters.

CFOCOOBusiness Owner
Read insight