Skip to main content
AdvisoryBy Jason LeeJuly 9, 20267 min read

What the CFO Hears When You Say "Risk"

Security leaders say "risk" and expect urgency. The finance side hears something else entirely: cost, timing, probability, trade-offs, and whether the decision can be defended to the CEO and the board.

Episode two of The Blind Spot is built around a guest who has sat on both sides of that conversation. Chris Carter began his career as a junior analyst in finance, worked his way up to the CFO seat, then pivoted into IT and cybersecurity and eventually into a CISO role. When he talks about what a CFO hears in a budget meeting, he is not guessing. He spent years being that CFO.

The CFO's real framework

Put a funding request in front of a CFO and, in Chris's telling, a short list of questions starts running: why this, why now, what happens if we wait, what does this compete with, and how do I explain this decision to my CEO or the board. The pot of money is limited, so every ask is weighed against every other urgent thing crossing that desk.

"The CFO is not deciding whether cybersecurity matters. In most cases, she or he is deciding whether the specific risk deserves priority over everything else that's urgent."

That reframe matters. Most security leaders walk into the room prepared to argue that the risk is real. The CFO has usually already granted that. The contest is priority, not validity.

"We have a vulnerability" means nothing

Asked what loses a CFO fastest, Chris does not hesitate: a cyber leader who opens with a vulnerability. Vulnerabilities are a dime a dozen, and on their own they carry no decision. The stronger ask, in his words:

"Here's the exposure, here's the decision, here are the trade-offs, and here's the cost of waiting."

That structure shifts the conversation from technical severity to business consequence, which is the only plane a funding decision actually gets made on. Cyber risk, as Chris puts it, is not automatically a business priority until it is translated into business consequence.

Speak the language of the audience

Chris draws the analogy from his own world. In accounting, "GAAP" needs no explanation; to anyone outside finance it means nothing. Security vocabulary works the same way in reverse. Open ports and severity scores are GAAP to the security team and noise to everyone else. His advice to any new security leader is foundational: spend the first thirty days meeting peers, building trust, and learning the language the executives and the board already use, then frame every ask in that language.

Is your security budget ask stuck in translation?

Z Cyber's Executive Security Advisors turn findings into funded, board-defensible decisions, with the evidence to back them.

Talk to an Advisor →

Fund clarity before anxiety

Heat maps are the default artifact of security budget season, and Chris is direct about their limits. Red, orange, and green squares do not present a choice. A CFO funds proposals that are crystal clear and defensible, not just to peers but upward to the CEO and the board. The line Jason immediately promised to steal:

"The CFO tends to fund clarity before they fund anxiety."

And its corollary, familiar to anyone who has reviewed a risk register where every row is red: if everything is critical, nothing is.

AI adds interest to debt you already owed

The conversation then turns to what Jason calls debt on debt. Everything is AI right now, and AI is being used to justify budget lines the same way it decorates pitch decks. Chris's framing cuts through it:

"AI doesn't erase the old debt. It adds interest on that debt."

AI is not landing in clean environments. It lands on top of years of technology debt, identity debt, data governance debt, security debt, and process debt. Organizations that rush to adopt it without addressing those foundations are not just creating new risk. They are compounding risk they never fully understood in the first place, at machine speed. And because AI depends on data, good data in, good results out, the foundational work keeps coming back to the same place: knowing your assets, who has access to them, and what is being done with the data.

The four Rs

Nobody funds a debt pay-down. It is invisible work with no launch date. Chris's answer, learned from his own coaching work with CISOs, is to frame the ask in four buckets: security protects revenue, resilience, regulation, and reputation. An ask framed in the four Rs tells the CFO exactly what the money defends and gives them a defensible position when the board asks why it was approved.

The Semmelweis problem

Chris closes with a story from nineteenth-century Vienna. Ignaz Semmelweis, a Hungarian doctor at Vienna General Hospital, noticed that women were dying at alarming rates and traced it to doctors moving from the morgue to the delivery room without washing their hands. The finding was right. The message failed. His colleagues ridiculed him, and the institution ignored a discovery that would later become basic medical practice.

That, Chris argues, is the security profession's recurring blind spot. The findings are usually right. Open ports, default credentials, unwatched S3 buckets: all of it is the modern equivalent of unwashed hands. What fails is the framing. And there is one more layer to it:

"The blind spot is thinking the business is the audience, when the business is actually the decision maker."

The one question

The Blind Spot closes every episode with a single question: what is the one thing you wish the other side of the conversation understood? Chris picks the CISO's side, and his answer flips the usual advice on its head:

"I wish the board would spend more time understanding the basics of cybersecurity."

Security leaders are always told to speak the language of the business, and Chris agrees. But he argues the education should run both ways: boards with a fundamental grasp of cyber risk make better decisions, and it is on security leaders to teach it well, through storytelling and steady conversation rather than condescension.

Listen to the full episode

The full conversation runs about 30 minutes and is worth the time for anyone who has ever had a security budget request denied. Watch or listen here:

Chris Carter is a cybersecurity leader whose career runs from junior financial analyst to CFO, and from there into IT, security consulting, and the CISO seat. His work sits at the intersection of cyber risk and business decision-making. New episodes of The Blind Spot are released every two weeks. If your budget asks keep dying in translation, talk to a Z Cyber advisor.

Frequently Asked Questions

How does a CFO evaluate a cybersecurity budget request?

A CFO is not deciding whether cybersecurity matters. They are deciding whether a specific risk deserves priority over everything else competing for a limited pot of money. The working framework is a short list of questions: why this, why now, what happens if we wait, what does this compete with, and how do I defend this decision to the CEO and the board. A security ask that answers those questions directly is far more likely to be funded than one that leads with technical severity.

How should a CISO ask for cybersecurity budget?

Drop standalone vulnerability language and present a decision instead: here is the exposure, here is the decision, here are the trade-offs, and here is the cost of waiting. Frame the request in the terms finance already uses, cost, probability, timing, trade-offs, and defensibility, and present clear choices rather than a heat map. As Chris Carter puts it on The Blind Spot, the CFO tends to fund clarity before they fund anxiety.

What are the four Rs of a cybersecurity funding ask?

The four Rs are a framing device for budget requests: security protects revenue, resilience, regulation, and reputation. Tying an ask to one or more of the four Rs translates a technical finding into the business consequence a CFO and a board can weigh, defend, and fund.

How does AI affect existing technical debt?

AI does not erase old debt, it adds interest on it. AI systems land on top of years of accumulated technology debt, identity debt, data governance debt, security debt, and process debt. Organizations that adopt AI without addressing those foundations are not just creating new risk, they are compounding risk they never fully understood at machine speed.

Who is Chris Carter?

Chris Carter is a cybersecurity leader who began his career in finance, worked his way up to the CFO seat, then moved into IT and cybersecurity, eventually serving as a CISO. His work sits at the intersection of cyber risk and business decision-making, and he has coached CISOs on how to build budget asks that finance can actually fund. He is the guest on episode two of The Blind Spot, Z Cyber's podcast.

Subscribe for Updates

Get cybersecurity insights delivered to your inbox.