In an age where cyberattacks threaten your entire ecosystem, it makes little sense to place the entire burden on the shoulders of one department or individual. Instead, companies should pursue greater collaboration between the chief financial officer (CFO) and chief information security officer (CISO).

This post will highlight some of the key ways controllers and CISOs can better communicate and work together to prevent and resolve cybersecurity concerns.

The Scope of Cybersecurity Threats (2023)

According to the FBI Internet Crime Report, cybersecurity breaches cost American businesses $6.9 billion in 2021 alone. And between 2022 and 2023, cybercrime increased by 49%, including incidents of business email compromise (BEC) that affect both consumers and business owners.

The exact impact of cybercrime is difficult to fully quantify. In addition to the loss of revenue, cyber threats can threaten customer information and weaken brand loyalty. Cybercrime has a disruptive impact on every aspect of your business, which is why it’s important for departments to collaborate to mitigate these threats.

How Controllers and CISOs Can Collaborate

Controllers and CISOs can work together to mitigate cyber threats and provide training and education for both their subordinates and management. Here are some key areas in which controllers and CISOs can better communicate.

Quantifying Risk

According to data from the Geneva Association, 90% of all cybersecurity risks are uninsured. While that’s clearly a problem, the larger challenge lies in quantifying cybersecurity risks in order to know how much to invest in cyber insurance.

CISOs can therefore play a role in quantifying cybersecurity risks, which influence the budgeting decisions of controllers. Similarly, the controller may play a role in guiding the CISO’s cybersecurity response, helping these individuals prioritize threats and make decisions that fit both the company’s needs and budget.

Financial Planning and Budgeting

Controllers can include cybersecurity threats in their planning and budgeting process. This includes money spent on mitigation measures (see above) but also accounts for knowledge of potential threats in the company’s larger financial processes.

Controllers can remind their teams of the importance of cybersecurity in their planning and budgeting discussions and even invite team members to strategize ways to further integrate these two areas of concern.

Similarly, CISOs can include financial data in their cybersecurity process. The goal is to bring financial and cybersecurity concerns into alignment so companies can make informed decisions based on input from multiple departments.

Protecting Critical Data

Financial loss isn’t the only concern when it comes to cybersecurity — a data breach could jeopardize other assets, including customer data. At a minimum, these sorts of breaches can erode customer confidence. In some cases, they can also violate compliance standards.

CISOs can assess relative risk levels within their organizations, even applying a risk quotient to measure varying degrees of threat. The CFO can then assist by providing an estimate of the potential financial impact of this type of data breach, also taking into account any damage caused to the company’s reputation and brand. 


With the above concerns in mind, controllers and CISOs would jointly produce and present reports to senior leadership. Controllers are frequently called upon to influence governing decisions, but it’s important that senior management also hear input from CISOs and IT personnel.

This also means that controllers and CISOs need the soft skills required to communicate essential data and present it to corporate leaders in a meaningful way.


At many organizations, training is handled within individual departments. But cybersecurity affects everyone, highlighting the need to involve both the controller and CISO in training protocols and standard operating procedures.

The controller and CISO can work closely together to identify areas of critical concern and provide appropriate training. To that same end, controllers and CISOs may identify which employees require which level of training and develop a shared system to ensure compliance.


Uber made national headlines following a cybersecurity breach in 2022. As it turns out, both the CFO and the CISO were aware of the breach yet failed to make a report to protect the company’s public reputation.

Controllers and CISOs can play a role in holding one another accountable when facing actionable information. By working together, there’s less opportunity for any individual to exercise poor judgment or withhold information stakeholders need to have.

Specialized Cybersecurity Resources

Controllers Council recognizes the unique challenges of cybersecurity in today’s business climate. And judging by recent numbers, these threats can only be expected to multiply. That’s why the IT Executives Council provides resources for IT executives and other personnel involved in mitigating cybersecurity risks.

To learn more, visit the IT Executives Council website, where you’ll find additional content and professional development resources that can augment your existing processes.

Developing a proactive cybersecurity strategy requires collaboration across departments to devise systems that address the company’s greatest needs while taking budget and other important considerations into account.

A strong partnership between controllers and CISOs can strengthen the entire organization, providing resilience for whatever lies ahead.