By Nate Olson, Fractional CIO & IT Director | N.O. IT Strategy LLC
To My CFOs: The Hat That Nobody Handed You
Hi, CFOs.
How does that cybersecurity hat feel? You know the one, the hat nobody handed you, the one that just appeared on your desk somewhere between a cyber insurance renewal and a board meeting.
If you lead finance at a small or mid-sized company, you already wear plenty of hats, and that comes with the job. You picked most of them up on purpose, whether it was HR, contracts, or facilities, because somebody had to. This hat is different, because nobody decided you should wear it, and nobody trained you for it. You studied accounting and finance, and you built a career on numbers you could verify, controls you could test, and statements you could stand behind. That’s precisely why this landed on you, because cybersecurity is a risk domain, and you’re the executive who speaks risk. The catch is that the evidence behind this one is written in a language you were never trained to read, and the consequences of it now land squarely in your world.
Think about your company’s last cyber insurance application. It asked whether MFA was enforced everywhere, whether backups were tested, and whether endpoint protection was deployed, and somebody in your leadership team attested to all of it, quite possibly you. Could anyone in that room personally verify those answers, or did you all sign what someone else told you was true? At least one insurer has already gone to court to rescind a policy over exactly that gap. (Read about that here in our 9th briefing)
That discomfort is the subject of this briefing, and the data says you’re not imagining it.
SAP Concur surveyed 605 CFOs and senior finance leaders between December 2025 and January 2026, and for the first time, cybersecurity edged past worsening economic conditions as the external challenge they named most often. FTI Consulting’s survey of 700 senior finance executives found that 82% now consider cyberattacks and cyber fraud a significant risk to enterprise performance, up from 70% the year before. The trend line is not subtle, and it points at your desk.
Every playbook written for this moment offers the same comfort, which is to work closely with your CISO or CIO.
Here’s what those playbooks skip. The 2026 CISO Report from Cybersecurity Ventures and Sophos estimates roughly 35,000 full-time CISOs worldwide against hundreds of millions of businesses, and the same report puts a qualified full-time hire at $250,000 to $400,000 a year. The estimate has its limits, but the shape of it is undeniable, because that talent pool is concentrated almost entirely in large enterprises. If your company sits between 20 and 500 employees, the odds are good that nobody in your building holds that seat, and the playbook advice was never really written for you.
The CFOs I talk to are already asking the right questions, and they come down to three.
- What are our external risks?
- Where do we actually stand on compliance?
- Am I applying the right amount of money to manage these risks?
In a large company, the CIO or CISO answers these questions, and that’s the whole point of the seat. It belongs to someone who turns technical reality into financial decisions, with no agenda beyond the company’s interest.
Without that seat, the questions don’t disappear. They default to whoever is closest to the technology, and for most SMBs, that’s the IT vendor.
On the first two questions, a good vendor can genuinely help. The third question is different, because “am I spending the right amount” is a question you’re asking the party whose revenue depends on the answer. Plenty of vendors are honest, and some will even talk you out of a purchase, but honesty doesn’t remove the structure. A vendor shouldn’t be the only party validating the scope and cost of that vendor’s own services, and without that leadership seat filled, they usually are.
An analysis published this year by the Foundation for Defense of Democracies, aimed at federal policymakers, described what happens in that gap, where security becomes “a patchwork of tools, checklists, insurance paperwork, and whatever guidance a vendor offers.” Its recommendation was that SMBs need advisors with “independence from vendor incentives and product quotas.”
That means someone whose only product is the truth about your risk, someone who can tell you where you’re overspending, where you’re exposed, and whether the answers on that insurance application would survive a claim.
Now imagine if you had somebody who could not only see these pain points coming, but actually built a business structured to help people in exactly this position.
Just imagine.
*Wink, wink.*
Sources:
SAP Concur, CFO Insights Report: Finance, Cybersecurity, AI & Digital Risk (2026) — survey of 605 CFOs and senior finance leaders, December 2025 to January 2026
FTI Consulting, 2026 Global CFO Survey — 700 senior finance executives across North America, EMEA, and Asia
Cybersecurity Ventures and Sophos, 2026 CISO Report — global CISO count and compensation estimates
Foundation for Defense of Democracies, “The Missing Cybersecurity Leader in Small Business” (May 2026)
Travelers Property Casualty v. International Control Services (2022) — insurer sued to rescind a cyber policy over an MFA representation on the application; the policy was voided
