Evolving cyber threats require CFO vigilance
Long-term risks and AI technology are behind a shift in organizations’ vulnerabilities.
An evolving cyber threat landscape requires different defensive tactics. CFOs who want to ensure they’re making the right investments to address these threats must rely both on technology and their information-security counterparts, experts told CFO Brew.
It’s easy to see how cyber hygiene, which may sound like merely an IT concern, is also a CFO issue when considering the financial risks. On average, a data breach cost global organizations $4.4 million in 2025, IBM calculated in its latest Cost of a Data Breach report. Experts also warned that a data breach can have long-term consequences.
CFOs overseeing security budgets need to lean on their chief information security officers (CISOs), according to Holly Grey, CFO of penetration testing company Horizon3.ai.
“A CFO is always trying to manage the company’s dollars prudently, and the CISO’s job is to make sure that the appropriate security protocols are set up for a company,” Grey said. “There absolutely has to be a dialogue between those two individuals.”
CFOs should expect that their CISOs are going to ask for more than an organization can spend on security, she said, adding: “The way I always approached those [situations] was, ‘What’s the trade-off and what is the level of risk?’” Grey said she in part makes spending decisions based on the level of risk of a proposed investment.
Measures of success. Karen Walker, CFO of cloud security platform Sysdig, noted that the rise of AI technology may help finance leaders “evolve their thinking” on the value of cybersecurity investments.
Cybersecurity investments are by nature preventive, Walker explained. In other words, they’re preventing a costly attack from happening. Yet, “it’s really hard to actually identify an ROI when you think about things that are preventive,” because the measure of success is that nothing changed.
When a company adds agentic AI to assist security analysts, the CFO can measure returns “from an outcomes perspective” rather than a preventive one, she said. For instance, an organization can track how many vulnerabilities it identified and remediated through these tools.
“I think agentic AI is transforming cybersecurity from a cost center to a value driver,” Walker said.
Companies should also do regular testing to identify vulnerabilities, such as a software update that didn’t install correctly or an engineer’s change that no one knew about, Grey said. She added that some organizations run tests monthly, while some even run them on a weekly basis.
“I think that across the board, a CFO should set aside budgetary spend for this and partner with their CISOs,” she said, likening regular testing to insurance: “Having that money spent to protect yourself and make sure that, on a recurring basis throughout the year, that bigger investment is working appropriately.”
Is that a threat? Ransomware criminals last year shifted the focus of their attacks from encrypting data to data exfiltration and data suppression, according to Judson Dressler, head of cyber insurance and risk management firm Resilience’s Risk Operations Center. In other words, the bad guys increasingly stole companies’ data to sell on the black market or demand a ransom in exchange for not making the data public. Two-thirds of extortion events “were data suppression only” in the second half of 2025, Dressler told us.
The shift is due to technology changes on the part of both the attacker and defender, he explained. Better internet connectivity made it easier to steal large amounts of data. Organizations improved their system backups, making pure encryption tactics less effective for hackers. Automated cyberattacks also enabled cybercriminals to more easily sift through systems and find important data.
“It became much more capable and much more profitable for the threat actors to actually steal your data, which creates somewhat of that long-tail [risk],” Dressler said. These long-tail risks include reputational damage and class-action lawsuits stemming from data breaches. These impacts extend “over months and years rather than days,” according to the Resilience report.
Battle bots. As Walker stated, AI technology makes it easier for CFOs to measure returns. But AI has a dark side, since attackers are also using it to improve their craft. Sysdig noted in a February blog post that its threat research team observed an AI-assisted cloud intrusion that gained administrative access in just eight minutes.
“As AI-powered cyber attacks continue to accelerate, businesses should be investing with an assumed breach mentality,” Walker said.
AI is allowing some less-sophisticated cybercriminals to “do some of the things that they weren’t able to do before,” such as easily mine data or scan networks and recommend access points, Dressler said. The more sophisticated criminal groups are deploying AI “throughout the entire attack cycle,” from reconnaissance to navigating breached networks.
IBM also warned that the AI tools themselves are vulnerable. In its data breach research, the firm found that “13% of organizations reported breaches of AI models or applications.” The vast majority of those victims (97%) said they didn’t have AI access controls in place.
About the author
Alex Zank
Alex Zank is a reporter with CFO Brew who covers risk management and regulatory compliance topics. Prior to CFO Brew, he covered the property/casualty insurance industry.