CISOs Vs CFOs: Who Owns The Cyber Risk?
A lively debate between Chief Information Security Officers (CISOs) and Chief Financial Officers (CFOs) set the tone on the opening day of the Africa CISO Summit in Nairobi, highlighting a long-standing tension within organisations over cybersecurity spending. Held at the Pullman Nairobi Upper Hill, the discussion revolved around the question: “Spending on Fear or Investing in Resilience?” – a framing that captured the push and pull many organisations face when deciding how much to allocate to cybersecurity.
Moderated by Desmond Rao, the CIO of Davis and Shirtliff, the session brought together security leaders and finance executives to unpack why the two functions often approach cybersecurity investment from different perspectives. On the panel were CISOs Sithembile Songo, the Group Head – Information Security at Eskom, South Africa, and Tim Theuri, the Executive Head of Cybersecurity at M-Pesa Africa; alongside CFOs Jackline Aluda Engefu, the Group CFO at Cold Solutions Kenya Ltd, and Teddy Mukabane, the CFO at CIO Africa.
At the centre of the debate was a familiar organisational dynamic: CISOs arguing for proactive investment to prevent cyberattacks, while CFOs push for clearer financial justification for those investments.
From the security side, the argument was that cyber threats are inevitable and preparation is essential. Theuri noted that most attacks exploit weaknesses that already exist within systems, meaning organisations must focus on closing those gaps before they are exploited.
“An attack is at the end of a gap that has already been there,” Theuri said. “From my end, I need to be able to prepare for an attack, and that means being proactive and ensuring the organisation can be resilient. It’s not a matter of if, but when we will be attacked.”
Songo echoed this sentiment, arguing that organisations need to move beyond treating cybersecurity purely as a compliance requirement.
“We need to move from a compliance strategy to a risk strategy,” she said. “You need to know how to respond and do it as quickly as possible, and the organisation should still be able to operate even during an attack.”
However, finance leaders on the panel stressed that cybersecurity investments must be explained in ways that connect to financial outcomes and business impact. Mukabane challenged security leaders to demonstrate the value of their proposals.
“Are you able to quantify the impact?” he asked, highlighting the need for measurable outcomes when budgets are being allocated.
On her part, Engefu agreed that cybersecurity must be positioned as part of broader business strategy rather than presented only as a looming threat.
“You have to be proactive and move from being seen as a cost centre to being a strategic partner,” she said. “Let’s not only talk about an attack as the worst thing that can happen.”
Another point of contention during the discussion was the language often used by security professionals. The finance leaders argued that technical jargon can make it difficult for business executives to fully grasp the implications of cyber risk.
Engefu urged security teams to communicate more clearly with finance departments.
“Bring the jargon to our level,” she said. “Quantify it and make it clear, because our role is to protect the business and ensure it remains profitable.”
Songo responded that in mature organisations, security teams are not trying to scare executives into spending.
“If the organisation is mature, there’s no need to threaten anyone,” she said. “We talk about what will happen if we don’t invest in cybersecurity and demonstrate the value of what we are investing in.”
Theuri added that in some cases, the true impact of cyber incidents cannot always be reduced to financial metrics alone.
“When a CFO asks me to quantify the impact, how do I quantify human suffering?” he asked, noting that cyber incidents can disrupt essential services and affect millions of people.
Songo also pointed out that while financial models are useful, not every risk can be fully quantified.
“There are ways to quantify risk, but not everything is quantifiable,” she said. “When we go to CFOs, all they talk about is money. But how do you quantify when the CFO loses their job because they didn’t release the money needed for security and then a breach happens?”
Despite the spirited exchanges, the panel ultimately converged on one point: cybersecurity decisions require collaboration between finance and security leaders.
Engefu emphasised that a more cooperative approach would help both sides better understand the risks and the financial implications involved.
“Let’s be collaborative,” she said. “When that happens, we can get the numbers in terms of the risk that’s at play.”
Audience members also reinforced the importance of both sides learning each other's language: security leaders understanding financial metrics, and finance executives gaining a deeper appreciation of cyber risk.
Theuri argued that organisations must balance three priorities: protecting customers, managing risk, and safeguarding the bottom line. Mukabane summarised the finance perspective more succinctly: collaboration must ultimately support business sustainability.
For Engefu, the solution lies in clearer communication and shared learning between the two functions.
“CISOs contribute to the growth and profitability of the organisation as well,” she said. “We need to strike a balance. I get training on cybersecurity, and security leaders should also learn how their work contributes from a financial perspective.”
By the end of the session, both sides acknowledged that the debate is less about choosing between spending and saving, and more about aligning cybersecurity strategy with business priorities—something that requires CISOs and CFOs to work more closely than ever.