I've sat in enough CFO offices to know the pattern. Cybersecurity shows up on the risk register, gets a concerned nod at the board meeting, and then gets deferred because there's always something more urgent. A new line, a margin squeeze, an acquisition. Security feels abstract until it isn't.
Then someone clicks a link they shouldn't have, and suddenly it's the most concrete thing in the building.
The Mental Model Problem
Most financial leaders think about cybersecurity the way they think about insurance: a cost to be minimized. This isn't unreasonable — it's how they're trained to think. But it leads to a dangerous misunderstanding of the risk.
Insurance protects against events that are unlikely and random. Cyberattacks are neither. They're systematic, targeted, and increasingly automated. Your company isn't being protected by the odds. It's being protected by the quality of its defenses — or it isn't.
The better mental model is maintenance. You don't skip oil changes because the engine hasn't seized yet. You don't defer roof repairs because it hasn't leaked into the server room. Cybersecurity is operational maintenance for your digital infrastructure. Neglect it long enough, and the cost of remediation will dwarf what prevention would have cost.
What the Numbers Actually Look Like
When I help companies think through cybersecurity investment, I ask them to model the downtime scenario. Not the worst case — the likely case. For a mid-market manufacturer or professional services firm, a ransomware event typically means:
Two to four weeks of degraded operations. Some companies are fully down for the first week.
Forensics and remediation costs, often in the six figures for even modest incidents.
Legal and notification costs if customer data is involved.
Reputational damage that's hard to quantify but real.
Now compare that to the annual cost of basic security hygiene: endpoint protection, regular patching, employee training, backup testing, and an incident response plan that someone's actually read. It's not even close.
Three Things to Do This Quarter
You don't need to become a security expert. You need to ask the right questions and make sure someone credible is answering them.
Get a baseline assessment. Have someone independent evaluate your current posture — not your IT vendor, not your MSP. Someone with no financial interest in selling you the solution. Know where you stand before you spend a dollar.
Test your backups. Not "confirm they exist." Actually restore from them. I've seen companies discover during a crisis that their backup system had been silently failing for months. That's not a technology failure — it's a process failure that's entirely preventable.
Run a tabletop exercise. Sit your leadership team down and walk through a realistic incident scenario. Who makes decisions? Who communicates with customers? Who talks to law enforcement? If you can't answer those questions in a calm conference room, you definitely can't answer them during an actual incident.
The Bottom Line
Cybersecurity spending isn't a black hole. It's a quantifiable investment against a quantifiable risk. The CFO's job isn't to minimize the spend — it's to ensure the spend is proportional to the exposure and that the company can survive an incident when, not if, one occurs.