I know many CFO colleagues who have now either taken on or are on their way to taking on responsibility for their organization’s security. Some have it formally in their job description – others more informally, because it “naturally fell” to the CFO to also handle IT and risk. And in the midst of all this, many of us are sitting and wondering: “What now?”
I am the CFO at Sicra – a specialized cybersecurity company. Personally, I don’t have operational responsibility for our security – we have skilled professionals who handle that. But I understand how overwhelming it can be for a CFO who suddenly inherits this responsibility – often without resources, experience, or a support structure.
There is little public data on how many CFOs in Norway actually have responsibility for security, but the signals are clear: the role is evolving.
According to the Limited Liability Companies Act, top management – often delegated to the CFO – has a formal responsibility to ensure that security is upheld. This applies even when operations and IT are outsourced, as described in digi.no (Norwegian only). At the same time, PwC emphasizes in its Cybercrime Survey that collaboration between the CISO and CEO is critical for effective security governance. In other words: Strategic leadership must be involved – and the CFO role sits right in the crossfire between strategy, risk, budgeting, and business-critical decisions.
A good example is TOMRA, where CFO Eva Sagemo also assumed responsibility for information security. After a serious cyberattack in 2023, she emphasized how important it is that CFOs with IT responsibility understand both systems and the threat landscape (BackerSkeie/Norwegian only).
Here are some reflections I’d like to share with those of you who are facing or about to face this reality:
You don’t need to know everything.
But you must understand enough to know what you don’t know. Ask. Learn. And build a minimum level of understanding of threats, dependencies, and what’s truly at stake. As finance professionals, we’re used to thinking in terms of risk and consequence. Use that mindset to better understand the threat landscape, including the financial risks associated with a security breach.
You must own the risk – but not alone.
Make sure security doesn’t become a “side track” in the finance department. Bring in IT, HR, leadership, and the board. A security breach is never just a technical issue – it’s a business issue.
Be proactive.
Don’t wait until you’re in the middle of an attack or flagged in an audit before you act. Start the work now. Ask for help, and build relationships with people who know this better than you.
At Sicra, we work with security – all day, every day. We know how complex it is. We also know that not every organization has the need or budget for a full-time CISO. That’s why we offer CISO-for-hire – a flexible way to access deep security expertise without having to build it in-house.
And perhaps even more importantly: We have people you can talk to. People who can explain things clearly, translate the technical, and help you prioritize. So you, as a CFO, don’t have to stand alone in a field you never really asked to be responsible for.