
Beyond the Budget: What CISOs Need to Understand About Their CFO Relationship 

  • Jun 16, 2026
  • Exabeam Editor

    Every CISO has prepared for a budget conversation by building the strongest possible business case. The right data, the right framing, the right numbers. But the security leaders who consistently earn CFO support are not necessarily the ones with the most polished decks. They are the ones who built the relationship that made the ask credible before it ever landed on the table. 

    That distinction came through clearly in a recent conversation between Exabeam CISO Kevin Kirkwood and Exabeam CFO Mike Byron. While they don’t always agree, they’ve spent enough time building mutual understanding that disagreement doesn’t feel like a threat.  

    The budget meeting was not where their relationship was built. It was where it got tested. 

    The CFO and CISO Are Protecting the Same Business

    As they discussed their thinking and evaluated their relationship, Kevin and Mike shared some basic truths and explored their common ground.  

    The bottom line? 

    The most common mistake CISOs make before a CFO conversation is walking in with the wrong mental model.  

    The CFO is trying to protect the business financially, support growth, and drive profitability. The CISO is trying to protect the business from cyber risk while helping build a more resilient organization.  

    The disciplines are different. The mission is the same. 

    When both leaders recognize their shared purpose, the dynamic shifts. Conversations that once felt adversarial become collaborative. The CFO’s demand for clarity stops feeling like resistance and starts feeling like exactly what a responsible financial steward should provide. 

    The Relationship Has to Start Before the Ask

    As CISO and CFO, Kevin and Mike did not build their working relationship in a budget meeting. If the first meaningful conversation happens in the context of a funding request, the relationship is already under pressure. 

    “We have regular one-on-ones where we’re talking about what’s happening in the business,” Kevin explained. Over time, that consistency created the context for harder conversations. 

    Mike described the result: “Kevin learned rather quickly exactly what drives me as CFO. And I learned incredibly quickly as well what drove Kevin.” 

    That kind of mutual understanding cannot be manufactured in a single meeting. It accumulates. 

    CISOs who treat the CFO relationship as an ongoing investment rather than a budget-season task will find that when a significant ask arrives, the credibility to support it already exists. 

    Facts Over Feelings Is an Emotional Discipline

    CISOs develop strong instincts through experience, and those instincts are often right. However, when professional preference becomes personal attachment, the CFO can tell the difference.  

    As a seasoned CISO, Kevin’s standard is unambiguous. 

    “Total cost of ownership is fundamental, and there is no room for what you feel about the technology,” he says. “Vendors leapfrog each other year-over-year in terms of functionality. Some years your favorite tech wins; sometimes it doesn’t. Understanding that, and retaining your objectivity, means factoring in business needs and making the strongest decision for the business.”

    Before bringing a recommendation to the CFO, the honest pressure-test is simple: Are you advocating for this because it is right for the business, or because you’re most comfortable with it? 

    A CFO who senses the latter will question every aspect of the CISO’s budget to ferret out any gaps in the plan. 

    Credibility Is Earned Between Budget Cycles

    Security leaders who consistently look for tradeoffs, retire underperforming tools, and propose offsets alongside new investments send a clear signal to finance: they understand the business operates on finite resources and they take that seriously. 

    “When I’m clear with Mike about my intent, I continue to build that trust,” Kevin continues. “I can explain that I’m making a tradeoff by removing one product to invest in another. As a result, when I do bring an ask for an increased budget” 

    Mike was quick to add, “it’s not that every single time a budget conversation comes up, Kevin asks for the biggest spend increase. But because of his previous track record, I know that when it does come up, he’s already rationalized the decision.” 

    This kind of cost discipline functions as a relationship signal.  

    The track record a CISO builds between budget cycles shapes how the CFO receives the next ask. When a security leader has consistently demonstrated they are not trying to maximize spend, the CFO is more likely to trust them when they say a premium investment is genuinely necessary. 

    Trust Is the Currency

    There is an informal but widely held principle among experienced security leaders: “The number one law of IT and security is ‘Thou shalt not cause surprises,’” Mike says.

    For CFOs, surprises carry a cost well beyond the financial impact. They signal that the business case was incomplete, raising questions about what else was not disclosed. 

    “Trust can deteriorate quickly when a decision is made, a contract signed, and you find out after the fact that there are additional costs associated with it that were never part of the original business case,” says Mike. 

    Protecting trust means treating predictability as a relationship behavior. Surface unknowns early. Flag implementation risks before signing. Communicate bad news as soon as it is known, not when it becomes unavoidable.  

    The CFO does not need the information to be perfect. They need it to be timely. 

    The Shared Mission Is the Anchor

    The relationship between security and financial leaders will always involve tradeoffs. What makes these conversations productive is a shared anchor.  

    “Every CISO needs to know the mission of their business,” says Kevin. “You need to approach conversations with the CFO from a business-facing, business-focused lens.” 

    When security priorities connect clearly to organizational goals, they become something a CFO can evaluate, support, and defend. When they exist in isolation from the business, they become a recurring negotiation.  

    For CISOs, that means the relationship with the CFO cannot start with the ask. It has to start with empathy, consistency, and the discipline to turn security priorities into business conversations long before the budget meeting arrives. 
