By Holly Grey, CFO at Horizon3.ai
Over the past decade, I have served in senior finance leadership roles at cybersecurity companies, including SVP of Finance at Forescout and CFO of Exabeam. At Forescout, I helped prepare the company for its public listing in 2017 and supported its growth through its subsequent acquisition. At Exabeam, I led finance through a period of significant operational transition and growth that ultimately supported its acquisition. Across these roles, I have seen organizations invest heavily in cybersecurity programs, yet often struggle to determine whether those investments are materially reducing risk.
Having also managed security teams directly, I have seen the operational side of the equation. Teams face too much noise and too little time. Alerts compete for attention. Many forms of security validation, including annual penetration tests and scheduled assessments, occur at fixed intervals and rely heavily on manual efforts and review. In a rapidly changing risk environment, that can create a static view of exposure. Audits confirm that controls exist at a given point in time, but they do not necessarily demonstrate whether those controls would prevent a determined attacker from achieving their objective.
From a finance perspective, that distinction is significant.
In financial services, cybersecurity is enterprise risk. It is discussed at the board level and increasingly influences capital allocation decisions. CFOs are accountable for ensuring that investments meaningfully reduce risk to the organization. Security spending should therefore be evaluated with the same discipline applied to any other material exposure.
Compliance remains essential, particularly in a highly regulated industry. But compliance alone does not guarantee resilience, especially when testing and validation of controls occur only periodically rather than as part of an ongoing risk management process.
Financial institutions operate within a deeply interconnected ecosystem. Payment networks, exchanges, clearinghouses, cloud providers, and software vendors are interdependent. An issue within one organization can quickly affect others. That interconnectedness strengthens the financial system, but it also increases the importance of understanding how exposures can propagate across environments.
Consider a common scenario. A vendor connection is properly documented and approved. Access is segmented according to policy. On paper, the control framework appears sound. But if credentials are reused across environments or monitoring thresholds are misconfigured, an attacker may still be able to move laterally from that third-party connection into more sensitive systems. The documentation is accurate. The exposure remains.
From a finance standpoint, third-party risk is therefore not abstract. It represents potential systemic impact.
Historically, oversight has relied on certifications, attestations, and scheduled reviews. Those mechanisms provide structure, accountability, and a point-in-time view, as of when the audit is done, of how the environment fared. Increasingly, institutions are exploring more frequent, automated, and autonomous approaches to validation. These methods reduce human subjectivity and allow security testing to occur continuously rather than episodically. The objective is not simply to confirm that controls exist, but to understand whether they function under realistic conditions over time.
As regulatory expectations continue to evolve into 2026 and beyond, institutions are likely to face increased scrutiny not only on documented controls, but on their ability to demonstrate operational resilience under stress.
The role of the CFO in this context is not to direct technical strategy. It is to ensure that capital is aligned with the risks most likely to create material operational disruption and brand degradation, and that leadership can clearly articulate how investments are reducing those risks.
That requires asking disciplined questions. Are we prioritizing exposures that could meaningfully affect operations or customer trust? Do we even have a way of knowing which exposures could materially impact operations? Can we demonstrate that key controls prevent exploitation, rather than simply document their existence? Do we understand how our own environment interacts with that of our suppliers and partners?
If the answers rest primarily on documentation rather than sustained validation, there is probably more uncertainty than we would prefer.
Security teams operate with finite resources. Not every finding can be addressed at once, and the number of findings continues to grow at a pace that exceeds a security team's ability to keep up. Prioritization must therefore take into consideration potential business impact, not simply the volume of vulnerabilities identified.
In executive discussions, materiality matters. A smaller number of realistically exploitable exposures tied to critical systems often warrants more immediate attention than a long list of lower-impact findings. The key, however, is knowing that none of those lower-impact findings can lead an attacker to your company's "crown jewels".
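The prioritization argument above, and the vendor-connection scenario earlier in the piece, can be made concrete with a small attack-path model. The following Python is an added example for this page, not code from the author or from Horizon3.ai. The hosts, the hops between them (an approved vendor connection, a reused credential, an open share), the set of critical assets, and the findings with their standalone severity scores are all constructed sample data. It ranks findings by whether the host they sit on can reach a critical asset, so that a low-severity finding on a path to the crown jewels outranks a critical-severity finding on an isolated host.

```python
"""Attack-path-aware prioritization of findings (added example, constructed data)."""
from collections import deque

# Constructed hops: (source host, destination host, how the hop is possible).
# The vendor-vpn -> jump-host hop is the documented, approved connection; the
# jump-host -> core-db hop via a reused credential is the undocumented exposure.
EDGES = [
    ("vendor-vpn", "jump-host", "approved vendor connection"),
    ("jump-host", "core-db", "reused local admin credential"),
    ("workstation-7", "file-share", "open SMB share"),
    ("file-share", "hr-app", "stored service credential"),
]

# Constructed set of critical assets ("crown jewels").
CROWN_JEWELS = {"core-db", "hr-app"}

# Constructed findings: (finding id, host, standalone severity score 1..10).
FINDINGS = [
    ("F-1", "vendor-vpn", 3),     # low: weak TLS cipher on the vendor VPN
    ("F-2", "jump-host", 4),      # medium-low: reused local admin credential
    ("F-3", "workstation-7", 2),  # low: open SMB share
    ("F-4", "kiosk-1", 9),        # critical severity, but the host is isolated
]


def build_graph(edges):
    """Adjacency map: host -> {next host: reason the hop is possible}."""
    graph = {}
    for src, dst, reason in edges:
        graph.setdefault(src, {})[dst] = reason
        graph.setdefault(dst, {})
    return graph


def attack_path(graph, start, targets):
    """BFS from `start`; return the first path (list of hops) into `targets`.

    Returns [] when no critical asset is reachable from `start`.
    """
    parent = {start: None}  # host -> (previous host, reason) used to reach it
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in targets and node != start:
            hops = []
            while parent[node] is not None:
                prev, reason = parent[node]
                hops.append((prev, node, reason))
                node = prev
            return list(reversed(hops))
        for nxt, reason in graph.get(node, {}).items():
            if nxt not in parent:
                parent[nxt] = (node, reason)
                queue.append(nxt)
    return []


def prioritize(findings, edges, crown_jewels):
    """Rank findings by business impact: reachability of a critical asset first,
    standalone severity second."""
    graph = build_graph(edges)
    ranked = []
    for fid, host, severity in findings:
        path = attack_path(graph, host, crown_jewels)
        # A finding on a path to a crown jewel outranks any isolated finding,
        # however high its standalone severity; severity breaks ties.
        score = severity + (100 if path else 0)
        ranked.append({"id": fid, "host": host, "severity": severity,
                       "path": path, "score": score})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for row in prioritize(FINDINGS, EDGES, CROWN_JEWELS):
        hops = " -> ".join(f"{s}→{d} ({why})" for s, d, why in row["path"]) or "isolated"
        print(f'{row["id"]} sev={row["severity"]} score={row["score"]}: {hops}')
```

On the constructed data the three low-severity findings all rank above the critical-severity one, because each sits on a path to a critical asset, while the kiosk's critical finding has no onward hop. The point for an executive audience is that the ranking depends on the relationships between hosts and credentials, which is exactly what a periodic, document-based review does not capture.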
As the financial services community prepares to convene at forums such as FS-ISAC, conversations around systemic risk and operational resilience will continue to mature. The industry has made meaningful progress in information sharing and regulatory alignment. At the same time, increasing complexity means that confidence must be supported by sustained validation, not annual snapshots.
In other areas of enterprise risk, including credit and market risk, organizations rely on ongoing measurement, stress testing, and defined indicators. Cyber risk should be approached with similar rigor.
Capital is finite, and every investment involves trade-offs. Clarity around which security investments materially reduce exposure is therefore essential. Knowing that your security investments are implemented and configured to actually protect you is invaluable.
Cyber risk, in practical terms, is capital risk.
For financial institutions, managing that risk requires evidence, accountability, and a disciplined focus on outcomes, not simply activity.