
- Author: Tariq Munir
- Posted: June 30, 2025
From Budget Battles to Strategic Partnerships
How CFOs & CISOs are Reshaping Cybersecurity
In this month’s column, Tariq Munir sits down with Abid Adam – Group Chief Risk and Compliance Officer at Axiata Group, overseeing cybersecurity, data privacy, enterprise risk management, and compliance across the group’s telecommunications, infrastructure, and digital business operations in multiple Asian markets.
In today’s complex digital landscape, the threats faced by organisations are constantly evolving. Traditionally, the roles of CFO and Chief Information Security Officer (CISO) might have seemed worlds apart, interacting primarily when it came to budget approvals. However, that dynamic is undergoing a significant transformation. To gain insight into this crucial shift, I sat down with Abid, Axiata Group’s Chief Risk and Compliance Officer, who shared his compelling perspective on the need for increased collaboration between finance and security leadership.
Tariq: You have handled quite a packed agenda throughout your career. How has the relationship between CFOs and cybersecurity leaders evolved over your career?
Abid: The transformation has been remarkable. In the past, IT security teams rarely engaged directly with CFOs. When we did, it was typically through the CIO’s budget approval process. Overcoming the translation barriers between “tech-speak” and finance was an Achilles’ heel.
I remember walking into CFOs’ offices asking for money to buy firewalls or antivirus software, and those conversations would be fraught with frustration. CFOs would question whether the controls were necessary or too expensive, asking, “Can we do without it?”
Fast forward to today, and I’ve never been in a meeting with a CFO who doesn’t understand and appreciate the importance of cybersecurity and data privacy. The shift has been dramatic and necessary, driven by the scale of cyber investments and their strategic implications for business operations.
Tariq: This is a positive shift. What specific areas of collaboration have emerged between CFOs and CISOs…and why?
Abid: I see three key areas where this collaboration has become essential. First is risk management, particularly around making an informed trade-off between business objectives and de-risking the business. Let me give you a practical example: when launching a cloud-hosted product, the CISO conducts security analysis and penetration testing. If critical vulnerabilities are discovered just before the planned launch, when marketing campaigns are already running, someone needs to make tough decisions about trade-offs.
This is where CFOs play a crucial balancing role. They don’t just see the upsides like marketing teams, nor only the downsides like security teams might. They can assess whether the exposure is worth taking the risk to go live immediately, or if it makes more sense to delay and fix the problem.
The second area is investment allocation. Cyber investments are no longer rounding errors for CFOs—they are substantial. CFOs can help CISOs understand business strategy and priorities. If a product is strategically critical or faces high regulatory fines, resource allocation discussions become collaborative. Conversely, if a system is sunsetting within a year, perhaps minimum hygiene controls make more sense than major investments.
The third emerging area is M&A (mergers and acquisitions). Over the past 18-24 months, we’ve seen cyber teams increasingly involved in due diligence processes. In some deals, cybersecurity findings are factored into limitations of liability, indemnities, or even valuations. When you inherit businesses requiring millions in security investments to reach acceptable standards, that needs to be part of your due diligence and valuation exercise. This is where collaboration between CFOs and CISOs is not just a nice-to-have, but critical.
Tariq: Where do you feel you need the most from your Finance counterparts in the near future?
Abid: Absolutely – it’s cyber risk quantification, or CRQ. This is an emerging area within cybersecurity that involves assigning financial quantification to cyber risk. This is something that mirrors what finance teams do constantly: modelling, sensitivity analysis, base case, best case, worst case scenarios, and value-at-risk calculations. The cyber domain isn’t yet as mature as finance when it comes to this type of quantitative analysis.
If I had to identify one area where I wish I could tap more into finance expertise, it’s helping us with modelling and quantification. This isn’t a natural background for cybersecurity professionals. When presenting to CFOs, they want to know: What’s the size of the risk? Can you quantify it so we can make informed trade-offs between investments and value? Even today, cyber teams struggle significantly with this quantification challenge.
The finance team’s expertise in modelling could be transformational for cybersecurity decision-making and resource allocation.
Tariq: Shifting gears to everyone’s favourite subject, AI. How are you approaching AI governance, and where do you see opportunities for CFO-CISO collaboration in this area?
Abid: AI governance requires a nuanced, risk-based approach rather than applying the same heavy framework everywhere. We cannot have a one-size-fits-all approach.
The key is focusing on use cases and their potential impact. If you’re developing a model that materially affects customers, like credit profiling for home loans or credit card approvals, that’s high risk requiring enhanced due diligence, bias testing, and comprehensive governance processes. But if you’re developing something purely internal, like content summarization, that might be low to medium risk.
We’ve integrated AI risk into our existing governance structure: evaluation and analysis at the Senior Leadership Team level, deliberation at our Risk and Compliance Management Committee, and escalation to our Board Risk and Compliance Committee based on risk levels. It’s the same tiered, risk-based approach we use for other strategic decisions.
CFOs and CISOs need to work together on determining these risk classifications and ensuring appropriate governance escalation. The financial implications of AI deployment – from development costs to potential liability – make this collaboration essential.
Tariq: With regulatory changes on the horizon, particularly around data privacy, what should CFOs be watching?
Abid: Data privacy is becoming increasingly critical across our markets. In Australia specifically, there’s a Second Amendment to the Privacy Act coming soon that CFOs need to watch closely.
The pathway differs in how the law is applied between countries, even when they share common general principles. CFOs need to understand these regulatory shifts because compliance costs, potential fines, and operational changes can significantly impact financial planning and risk management strategies.
There is a strategic advantage in getting this right, as digital trust and resilience become essential elements of future economies.
Tariq: A question I ask everyone. What will be one message that you would give to the CFOs?
Abid: The era of cybersecurity being an IT problem that CFOs can ignore is over. Today’s cyber investments are substantial, the business risks are material, and the strategic implications touch every aspect of operations from product launches to M&A activities.
CFOs play a crucial role in cybersecurity by bringing expertise in risk management, financial modelling, and strategic business perspectives. Their collaboration with cybersecurity teams is essential for effective cyber risk quantification, investment allocation that aligns with business strategies, and accurate valuation of cybersecurity in M&A transactions, all of which contribute to business success.
The organizations that recognize this and foster genuine collaboration between CFOs and CISOs will be better positioned to manage cyber risks while enabling business growth and innovation.
This evolution from budget gatekeepers to strategic partners marks a fundamental shift for the CFO. As cyber threats intensify while investments grow, financial leaders must embrace their role in cybersecurity decision-making.
CFOs wear, and will continue to wear, many hats. Building on their risk management experience, CFOs need to embrace the role of navigators, demanding continued attention on cyber risk. The path forward requires strategic thinking, active collaboration amongst various internal and external stakeholders, concerted action, and a steadfast commitment to cyber resilience.
———-
About the Author – Tariq Munir
Tariq is a Digital Transformation advisor and consults businesses on unlocking the potential of AI, Data, and Digital. He is also a keynote speaker, trainer, and monthly columnist at CFO Magazine A/NZ.
He can be reached at www.tariqmunir.me