CFOs are trained to trust the numbers. Controls are in place, processes are audited, and financial visibility is sharper than ever. On paper, everything adds up. But what if the biggest risks to value creation never show up in a spreadsheet? What if the real vulnerabilities sit outside the traditional field of vision embedded in systems, connections, and dependencies that quietly underpin operations across the business?

That’s the uncomfortable reality many organizations are starting to face. In today’s digital economy, trust — especially blind trust — can become a liability. Cyber risk is no longer a distant IT concern. It has become a direct threat to cash flow, operations, and ultimately enterprise value. Increasingly, it lands squarely on the CFO’s desk.

According to Bright Obeng, host of De CFO Podcast, the shift is already well underway. “Cybersecurity is  definitely no longer an IT topic,” he says. “It touches the core of the business. In some sectors, it’s even a license to operate.”

Not every CFO starts from the same place

To understand how finance leaders approach cybersecurity today, one nuance matters more than most, says Obeng: not every CFO operates in the same setup.

In many mid-sized organizations, particularly across Europe, the CFO’s role extends well beyond finance. IT, legal, and data often fall under the same umbrella. In these environments, cybersecurity is not an abstract concern — it is part of the CFO’s direct responsibility. The connection between digital resilience and business continuity is immediate and unavoidable.

In contrast are larger organizations, where cybersecurity sits with a Chief Information Security Officer (a CISO) or an IT leadership team. Here, the CFO may not “own” the domain, but that doesn’t mean the impact is any less real. As Obeng points out, structure shapes perception — but not accountability. “Even if a CFO doesn’t directly own IT or security, that doesn’t mean they can ignore it,” he notes. “The impact will always come back to the business. And therefore to finance.”

The risks you don’t see are the ones that matter most 

Today, cybersecurity is fully embedded in business operations. For CFOs who understand its impact, it is not just a technical matter — it directly influences value creation, cash flow, and operational continuity. In some sectors, it has effectively become a license to operate. If your systems, data, or processes are not secure, you are not just exposed — you are at risk of being unable to function altogether. That reality is reshaping how finance leaders think about investments, partnerships, and risk appetite. And the role of the CFO evolves accordingly. They are no longer passive recipients of IT updates, but they actively question vendors, challenge assumptions, and connect cybersecurity to financial outcomes.

Yet the picture of risk is more complex than this. While external dependencies—suppliers, software providers, and connected partners—can introduce vulnerabilities that immediately threaten operations, internal blind spots can be just as consequential. Even organizations with robust internal controls and firewalls may have overlooked gaps: outdated configurations, unmonitored integrations, or small procedural weaknesses that quietly persist over time. “Sometimes your front door is closed, but there’s a small window open in the attic — and you don’t even know it’s there,” Obeng explains.

This is why both perspectives matter. External partners can introduce sudden, high-impact risks, while invisible internal vulnerabilities accumulate quietly, creating opportunities for disruption that no internal team might detect on its own. “You have to look beyond your own systems,” Obeng emphasizes. “The risk doesn’t always start with you. It can start somewhere else — and you’ll be affected without even realizing it.” That’s why external perspectives are essential. Independent cybersecurity reviews, third-party audits, and specialized partners bring something internal teams cannot: the ability to spot what has been normalized or overlooked. You cannot fix what you cannot see, and in our digital era, the stakes are too high to assume everything is under control. 

That being said, the impact of cyber incidents is often underestimated — until it’s too late. An inability to invoice for even a few weeks can disrupt cash flow. Operational downtime can halt revenue streams. Service interruptions can drive customers elsewhere. And reputational damage can linger long after systems are restored. “These aren’t side issues,” says Obeng. “If you can’t operate, if you can’t deliver, the impact goes straight to your business.” 

The questions CFOs need to ask

The challenge for many finance leaders is often a lack of clarity on where to start. The most powerful shift therefore begins with a simple question: Where could this go wrong — and what are we not seeing? This is where scenario thinking becomes critical. Not necessarily technical deep dives, but structured reflection on potential failure points. 

“Ask yourself: where can it fail? And more importantly — what are we not seeing?” — Bright Obeng

Equally important is recognizing the limits of internal perspective. No organization can fully assess its own blind spots. “You can’t do this alone,” he adds. “It’s impossible.” Boardroom awareness is the starting point. Without it, priorities remain misaligned, and budgets fail to follow. But once that awareness is in place, the shift can happen quickly. Physical security was once fragmented and reactive, today, it is standardized, embedded, and expected. The same evolution is underway in cybersecurity. 

Ultimately, it comes down to mindset. CFOs must think about digital environments the same way they think about physical ones. Do we have the right safeguards in place? Are we monitoring what matters? Do we know how to respond if something breaks? “If you think about your physical security, you have fences, cameras, alarms,” Obeng says. “You need to translate that thinking into the digital world.” Because the stakes are no longer hypothetical. The digital infrastructure of a business is as real — and as vulnerable — as any physical asset.

Looking ahead: A conversation that matters

These questions sit at the heart of the upcoming CyberNova breakout session, where CFOs and CISOs will come together to explore the shifting boundaries of responsibility, risk, and collaboration. Two opposing perspectives who share a challenge: how to protect value in an environment where the rules are still being rewritten.

The debate underscores that cybersecurity is no longer simply a topic for the CFO’s agenda. Instead, it demands strategic attention, collaboration, and action. In other words: it has become a defining factor in the future of the business.