FinOps and cybersecurity look nothing alike on the surface. One counts cloud dollars. The other blocks ransomware. But strip away the tooling and the two disciplines share the same structural DNA: a vendor ecosystem that profits from complexity, a cultural adoption challenge that technology alone cannot solve, and a leadership audience that will not act until the problem is made visible. The difference is time. Cybersecurity has a ten-year head start on the maturity curve. Its practitioners have already lived through the tool sprawl, the budget opacity, the compliance theatre, and the slow, painful work of making protection a company-wide concern rather than one team’s headache. The question for FinOps is not whether these problems are coming. They are already here. The question is whether the discipline can learn from the road cybersecurity has already traveled, or whether it will insist on making every mistake fresh.
Geraud Gonzalez has spent nearly twenty years on both sides of that road. He started in audit and consulting at EY, moved in-house as CISO for Europe at XPO Logistics, and returned to EY in 2025 to lead the cybersecurity practice in France. He has bought security tools and sold them, run the budget and advised on it, protected the infrastructure and audited the protection. Outside work, Geraud plays golf. Not for networking or deal-making, but for what it demands mentally. Golf is a sport where no one is watching most of the time. You are alone with your ball, far from others, and integrity is entirely your responsibility. The real game, he says, is choosing honesty anyway. It is a constant internal challenge, where perfection never quite arrives. You know the swing you want, and you work to increase the probability of executing it, one shot at a time.
That instinct, choosing real over performative, runs through everything Geraud sees in cybersecurity today. Too often, he says, organisations optimise for compliance before they optimise for protection. For FinOps practitioners watching their own discipline climb the same maturity curve, the warning is direct: build visibility and culture now, or spend the next decade checking boxes that protect nothing.
Making It Visible: Why Protection Starts with What You Can Measure
The most common complaint from cybersecurity leaders is not that their tools fail. It is that no one in the organisation knows the tools are working. Geraud splits the challenge into two halves: making everyone in the company aware that security is their problem, and reporting: proving to leadership that the investment is doing something. FinOps practitioners will recognise the pattern instantly. A cost optimisation that nobody sees credited to the team is the same as a blocked attack that nobody hears about. Both disciplines live or die on the ability to make invisible work visible.
Q: In FinOps, one of the biggest challenges is educating different functions to speak the same language about cloud costs. Cybersecurity seems to face the same cross-functional translation problem. How do you approach it?
There are two sides. Security Awareness means getting everyone in the company to a baseline. That means training programmes, phishing simulations, and making them role-specific. We run programmes for HR because they handle personal data. We run different ones for communications teams because they use tools outside the normal IT perimeter. We run them for operations. And the phishing tests are adapted to each group. I have seen real results from this. It surfaces problems you can then fix in detail, like a funnel. One time we had an employee who told us, straight-faced: “I know it’s phishing, but it’s stronger than me. I have to click.” You cannot make that up. We put safeguards around that person and moved on. But it shows you that training has limits, and that is exactly why you also need tools and process behind it. The second side is reporting. I tell the people who work for me: if you do good work but do not report on it, it is as if the work did not happen.
Q: What does effective reporting look like in practice?
The first thing I propose when I come in as an advisor is a dashboard. Let us look at what your tools are actually blocking this month. How many incidents occurred? How quickly were they resolved? What is your phishing click rate? How many vulnerabilities remain open, and how many did you close last month? You build a score, you track it monthly, and you show leadership whether you are green, orange, or red. When a KPI will not move, you go to the board and say: this one needs funding. This might sound obvious to you. But in company after company, they are not doing it. Metrics are what make cybersecurity, and its needs, real for the business.
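The monthly scorecard described in the answer above, as an added example that is not part of the interview or of any EY tooling: each KPI is mapped to green, orange or red, and a non-green KPI that has not improved for three months is flagged as the one to take to the board for funding. KPI names follow the answer; the thresholds and the sample readings are constructed assumptions.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Kpi:
    name: str
    green: float                  # at or better than this: green
    red: float                    # at or worse than this: red
    lower_is_better: bool = True

# Thresholds are constructed assumptions, not figures from the interview.
KPIS = [
    Kpi("phishing_click_rate_pct", green=5, red=15),
    Kpi("mean_time_to_resolve_hours", green=24, red=72),
    Kpi("open_critical_vulns", green=5, red=25),
    Kpi("vulns_closed_last_month", green=40, red=10, lower_is_better=False),
]

def rag(kpi, value):
    """Map one KPI reading to the dashboard colour: green, orange or red."""
    if kpi.lower_is_better:
        if value <= kpi.green:
            return "green"
        return "red" if value >= kpi.red else "orange"
    if value >= kpi.green:
        return "green"
    return "red" if value <= kpi.red else "orange"

def stalled(kpi, history, months=3):
    """A non-green KPI that has not improved once across the last `months`
    readings is the one to take to the board with a funding request."""
    recent = history[-months:]
    if len(recent) < months or rag(kpi, recent[-1]) == "green":
        return False
    improved = ((lambda prev, cur: cur < prev) if kpi.lower_is_better
                else (lambda prev, cur: cur > prev))
    return not any(improved(a, b) for a, b in zip(recent, recent[1:]))

def scorecard(history_by_kpi):
    """history_by_kpi: {kpi_name: [oldest, ..., latest]} -> per-KPI status."""
    return {k.name: {"value": history_by_kpi[k.name][-1],
                     "status": rag(k, history_by_kpi[k.name][-1]),
                     "needs_funding": stalled(k, history_by_kpi[k.name])}
            for k in KPIS}

SAMPLE = {  # constructed sample: four monthly readings per KPI
    "phishing_click_rate_pct": [12, 9, 6, 4],
    "mean_time_to_resolve_hours": [30, 30, 31, 31],  # orange and not moving
    "open_critical_vulns": [40, 38, 39, 41],         # red and not moving
    "vulns_closed_last_month": [22, 35, 44, 48],
}
```

Running `scorecard(SAMPLE)` marks the resolution time and the open critical vulnerabilities as the two KPIs that need a funding conversation.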
Paying for the Same Lock Twice: When Vendor Opacity Inflates the Budget
Visibility is the foundation. But even organisations that track their security posture can find themselves bleeding money in a different way: by paying for tools they already own. FinOps has its own version of this problem. Platform sprawl, overlapping capabilities between native cloud tools and third-party solutions, and a growing vendor market where no single buyer can map the full landscape. Geraud describes a cybersecurity vendor ecosystem so opaque that most buyers do not know what they have purchased, and most sellers are not in a hurry to tell them.
Q: Tool duplication is a growing concern in FinOps as well. In cybersecurity, how widespread is the problem?
The market today is, honestly, a plate of spaghetti. It is very difficult to understand what a given tool actually does, where its coverage starts and stops, and whether you need one product or three. What you are sold often does not cover everything you need. There are usually gaps, so you buy another piece separately. And then you have clients who end up with two or three tools doing the same job. Or worse: they have one tool and they are using thirty percent of its capability, because nobody told them the other seventy percent was included in the licence. We see this everywhere. We sometimes tell a client: your existing tool already does this. And they say, no it does not. And we say, actually, it does. You have been paying a second licence for nothing.
Q: Is that opacity accidental or deliberate on the vendor side?
Maybe both. There is not always full transparency on coverage and overlap, and I will not pretend to know whether that is intentional. But on the buyer side, the people purchasing security tools are often very technical. They think in terms of a specific need and want a matching product. They are not always the best negotiators, and they do not always map out what their existing stack can already do. On the other side of the table, the sales teams can be excellent. You end up with technical people buying from commercial people, and that mismatch creates waste. What I am seeing now, though, is a real desire to rationalise. Companies are starting to say: we need to homogenise, understand what we have, and stop duplicating.
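The overlap problem described in the two answers above, as an added example that is not part of the interview or of any EY tooling: a capability map of the security stack, checked before any purchase, that reports capabilities licensed twice, the share of each product actually switched on, and the only gaps that justify buying something new. Tool names, capability names and the inventory are constructed placeholders.

```python
# tool -> {capability: enabled?}. Names are constructed placeholders, not a
# real product inventory; a licensed-but-disabled capability is the "other
# seventy percent" the buyer was never told about.
INVENTORY = {
    "endpoint_suite_A": {"edr": True, "dlp": False, "email_filtering": False},
    "email_gateway_B": {"email_filtering": True, "phishing_simulation": True},
    "dlp_product_C": {"dlp": True},
}
REQUIRED = {"edr", "dlp", "email_filtering", "phishing_simulation", "mfa"}

def licensed_capabilities(inventory):
    """Every capability some product in the stack already licenses."""
    return {cap for caps in inventory.values() for cap in caps}

def duplicates(inventory):
    """Capabilities licensed in more than one product: candidate second
    licences being paid for nothing."""
    owners = {}
    for tool, caps in inventory.items():
        for cap in caps:
            owners.setdefault(cap, []).append(tool)
    return {cap: sorted(tools) for cap, tools in owners.items() if len(tools) > 1}

def utilisation_pct(inventory):
    """Share of each product's licensed capabilities actually switched on."""
    return {tool: round(100 * sum(caps.values()) / len(caps))
            for tool, caps in inventory.items()}

def coverage_gaps(inventory, required):
    """Required capabilities no licensed product provides: the only real gaps
    that justify a new purchase."""
    return sorted(required - licensed_capabilities(inventory))

def check_before_buying(inventory, wanted):
    """Split a wish-list into what is already licensed (enable it, do not
    buy it again) and what genuinely needs a purchase."""
    have = licensed_capabilities(inventory)
    return {"already_licensed": sorted(wanted & have),
            "needs_purchase": sorted(wanted - have)}
```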
Reading the Scoreboard: Why a Booming Market Hides Immature Companies
Duplicate tools and opaque catalogues would be easier to forgive if the market were small. It is not. Cybersecurity is one of the most developed ecosystems in enterprise technology. And yet the gap between the market’s maturity and the actual maturity of the companies it serves has never been wider. FinOps is building toward the same split: a fast-growing vendor market on one side, and organisations still at the crawl stage of their maturity curve on the other. Geraud calls it the central paradox of his industry.
Q: From the outside, cybersecurity looks like a mature, well-resourced industry. What does it look like from the inside?
What is extremely paradoxical is that the market is hyper-mature. You have an enormous number of vendors. AI is embedded everywhere. Consulting firms have every offering imaginable. There are events, dedicated training programmes, new entrants every day. Twenty years ago, you could not study cybersecurity at university. Today I recruit graduates from dedicated programmes. I teach in those schools myself. So you look at all this and you think: companies must be well protected. Then you read the study that came out today. If cybercrime were a country, it would be the third-largest economy in the world, after the US and China. Fourteen trillion dollars in projected losses by 2028. The attacks have not slowed. The victim pool is infinite. And the tools to attack have been democratised. Someone with basic technical means and a bit of AI can now launch an attack that used to require real expertise.
Q: Does zero-maturity still exist? Companies with essentially no security posture at all?
I see them every day. Some companies have no passwords, let alone multi-factor authentication. Completely open to the outside. They survive because they are small enough to be invisible. But any attacker who bothered would take ten minutes to bring down their entire system. Despite the effort of the cybersecurity community, these people often do not even understand the risk. And honestly, all the better for business. But that is the reality today. A mature market does not mean less risk. It never did.
Checking the Box: When Regulation Replaces Real Protection
When an industry is mature but its clients are not, regulation arrives. In Europe, the regulation is NIS 2: a directive requiring more than 150,000 companies across the continent to meet a cybersecurity baseline, backed by fines of up to two percent of turnover and, for the first time, personal liability for executives. FinOps has no equivalent regulation today. But the discipline already has a FinOps Foundation-led maturity framework, and formal certification is a logical next step. When it arrives, the question will be the same one Geraud’s clients face now: will organisations pursue genuine operational maturity, or will they optimise for the audit?
Q: NIS 2 is the biggest regulatory shift in European cybersecurity in a decade. How are companies reacting in practice?
The spirit of NIS 2 is right. Europe needed this. France is the fourth most-attacked country in the world. Billions of euros leave the continent every year through extortion and ransomware. So pushing companies to raise their baseline makes sense. But in practice, too often organisations optimise for compliance before they optimise for protection. That distinction drives me crazy. They are more afraid of the fine than of the attack. And the fine is extremely hypothetical. For someone to penalise you for non-compliance, they would need to audit you first, and that enforcement infrastructure barely exists. So they chase the checkbox while remaining just as exposed.
Q: Is there a way to use regulation constructively rather than as a compliance exercise?
NIS 2 is actually a tremendous lever for security leaders inside companies. Especially now that executive liability is on the table. Executives must personally validate security measures. They must be trained themselves. When you can go to your board and say this is not just a technical problem, you are personally exposed, that changes the conversation entirely. I went through this as a CISO. Having a regulatory stick behind you makes it much easier to get the budget you need. The mistake is treating compliance as the destination instead of using it as the tool to get the real work done.
Key Takeaways: The Parallel
Geraud Gonzalez’s perspective exposes the structural traps that await any discipline climbing the maturity curve. The parallels between cybersecurity and FinOps are not metaphorical. They are structural.
Visibility First. If leadership cannot see what tools are blocking, the security function is treated as a cost centre. Dashboards and KPIs are the mechanism through which the discipline earns its seat at the table. A cost optimisation no one sees credited to the FinOps team might as well not have happened. Showback dashboards and unit economics reporting are the equivalent: making the invisible work visible to leadership.
Vendor Literacy. Opaque vendor catalogues and technical buyers create duplicate spending. Most organisations use a fraction of the capabilities they have already licensed. FinOps platforms overlap with native cloud provider tools, third-party optimisers, and internal scripts. Mapping existing capabilities before purchasing is the first and cheapest optimisation available.
Market ≠ Maturity. A booming vendor ecosystem with AI-powered tools and dedicated university programmes has not prevented companies from operating with zero security posture. Market sophistication masks client immaturity. The FinOps vendor market is growing fast, but most organisations are still at the crawl stage of the FinOps Foundation’s maturity model. A thriving market of platforms does not mean the companies buying them are operating effectively.
Compliance Trap. NIS 2 pushed 150,000+ companies toward compliance. Many now chase the checkbox rather than genuine protection. Regulation is a lever for budget and executive attention, but treating it as the finish line leaves the organisation exposed. FinOps has no regulatory equivalent today. But formal certification is a logical next step, and it would carry real weight for IPOs, supplier due diligence, and infrastructure cost assurance. When it arrives, the risk is the same: optimising for the audit rather than for genuine operational value.
Culture Scales. Role-specific training, phishing simulations, and sensitisation do more to change organisational behaviour than any single platform. The human layer is the hardest and most durable investment. FinOps succeeds when cost awareness becomes part of every function’s operating rhythm, not when a central team runs reports alone. Engineers, product owners, and finance must each own their piece. Like security, culture is the multiplier that no tool can replace.
The Bottom Line
Cybersecurity has already walked the road that FinOps is beginning. Its practitioners spent a decade buying duplicate tools, hiding behind compliance, and failing to make their work visible to leadership. The organisations that built culture and measurement first pulled ahead. The ones that chased checkboxes are still catching up. FinOps has the rare advantage of watching that journey in real time and choosing a shorter path.
About Geraud Gonzalez
Geraud Gonzalez is a Partner leading the Cybersecurity Practice at EY France, with nearly twenty years of experience spanning audit, consulting, and in-house security leadership. He previously served as CISO for Europe at XPO Logistics and currently advises mid-market and large enterprises across France. Connect with Geraud on LinkedIn.
Cloud Value Lab publishes practitioner-led thought leadership at the intersection of FinOps, GreenOps, and AI Economics. If you are a practitioner or subject matter expert interested in sharing your perspective, reach out to David May.