
CFO-CISO rift over security spend gives attackers an edge

By Chris Tredger, Technology Portals editor, ITWeb
Johannesburg, 11 Jun 2026
CFOs and CISOs continue to clash over cyber security spend, a situation worsened by organisations erroneously equating spend with resilience. (Image:123RF)

CFOs and CISOs are increasingly at odds over spending as companies invest heavily in tools while neglecting resilience and business continuity, according to industry experts.

Richard Ford, group CTO at Integrity360, said threat actors are exploiting this disconnect. While security teams invest in multiple solutions to stay ahead of threats, high spending does not necessarily translate into resilience. Poorly targeted investments can create overlap, blind spots and operational strain.

Companies can spend millions on security technologies and still suffer significant disruption from ransomware attacks if recovery plans are untested and backups are not secure, Ford said.

According to Integrity360, the Interpol 2025 Africa Cyberthreat Assessment Report found that SA experiences an average of 12 281 ransomware attacks each month, with annual growth estimated at about 22%.

Perceptions of value

Experts say the tension stems partly from different perceptions of value.

Ford explained that CFOs see security budgets climbing every year, yet the company’s sense of vulnerability remains high. “They view security as a growing cost centre. This disconnect does not stem from executive ignorance; rather, cyber security behaves differently from traditional business risks – it’s a perpetual race.”

He added: “Resilience is the objective, not ‘safe’. You always assume a breach is coming. When countermeasures are so dynamic and complex, it is understandable why spending is often questioned.”

Christo Coetzer, MD of BlueVision, said companies often build extensive security portfolios without addressing operational readiness.

“The CFO-CISO tension is one of the most consequential misalignments in modern enterprise risk management,” Coetzer said. “Organisations routinely acquire an impressive portfolio of security tools yet remain structurally vulnerable because tooling without operationalisation is not resilience. Threat actors exploit gaps in detection capability, response readiness and human judgment – not gaps in your licence inventory.”

He said security spend is too often measured by procurement rather than by outcome. “A CFO scrutinising cost-per-tool is asking the wrong question. The right question is: what is our actual mean time to detect and respond, and what is the residual risk to the business?”

Anna Collard, SVP of content strategy and CISO advisor at KnowBe4 Africa, said many companies still equate spending with security outcomes.

“Buying another tool is often easier than addressing the more difficult work of building cyber resilience through culture, processes and human risk management,” Collard said. “Threat actors benefit when cyber security becomes a budget debate rather than a business risk discussion. The most successful attacks today target people, decision-making and trust. Human factors continue to feature in the majority of breaches.”

Tension trade-off

Mark Walker, director at T4i, said tension exists because the CFO focuses on cost efficiency while the CIO is evaluated on system availability.

“This tension requires trade-offs from both sides based on the perceived risk the organisation is willing to take. Threat actors are aware of this and exploit it to maximise their benefit,” Walker said.

Ford said many security environments have evolved reactively, with new tools purchased to address emerging threats. “For many CFOs and boards, the frustration is palpable: they are spending more than ever, yet their sense of vulnerability often remains. The issue is rarely the size of the budget but rather where that budget is being absorbed. In many cases, financial value is being swallowed by the phantom expense called complexity.”

The problem is compounded in SA, where most enterprise security software is priced in US dollars. Ford noted that companies managing multiple vendors face numerous licence renewals, support contracts and currency-linked costs.

Collard cited industry research showing that 65% of companies believe they have too many security tools, while more than half report integration challenges.

To address the issue, Ford advocated a platform-first approach that consolidates security capabilities and reduces redundant licensing costs.

Walker said resilience remains the ultimate measure of success. “A balance between cost and risk is the desired outcome, so compromises will be necessary from both sides.”

Collard added: “Thousands of alerts, dozens of dashboards and multiple vendor contracts can create an illusion of security. True resilience is demonstrated by how effectively an organisation can prevent, detect, respond to and recover from incidents.”

Robert Falkner, sales manager at iOCO SBT, said companies often fail to manage cyber security holistically. “Spending a fortune on firewalls means nothing if someone can just plug directly into the network.” Reducing risk requires more than purchasing tools, he added, and should include securing edge and IoT devices as part of a broader resilience strategy.
