The CIO-CISO relationship matters: The CIO and CISO need to have a strong relationship for either of them to succeed, says MK Palmore, founder and principal adviser for advisory firm Apogee Global RMS and a former director in the Office of the CISO at Google Cloud. “It’s critical that those in these two positions get along with each other, and that they’re not only collegial but collaborative,” he says. Yes, they each have their own domain and their own set of tasks and objectives, but the reality is that each one cannot get that work done without the other. “So they have to rely on one another, and they have to each recognize that they must rely on each other.” Moreover, it’s not just the CIO and CISO who suffer when they aren’t collegial and collaborative. Palmore and other experts say a poor CIO-CISO relationship also has a negative impact on their departments and the organization as a whole. “A strained CIO-CISO relationship often shows up as misalignment in goals, priorities, or even communication,” says Marnie Wilking, CSO at Booking.com. “When technology and security leaders are not on the same page, it becomes clear in both operations and outcomes, from missed project deadlines to increased vulnerabilities.” Multiple factors can contribute to a strained relationship. To start, the security department is still sometimes seen as, and acts like, the department of “no,” Cardwell says. “The CIO never has the luxury of saying ‘no.’ The CIO’s job is to enable what the business is trying to do. So the CISO needs to have that mindset, too: ‘The business wants to do this thing, and my job is to figure out how to make that possible,’” she explains. Even if security doesn’t act like the department of “no,” Cardwell says, it may take the CISO too long to get to “yes.” “There are a hundred ways, depending on what the problem is, to solve the problem quickly,” she says.
“As a CISO, I like to provide several solutions with different price points and timelines with pros and cons and security scores, from fastest on or least secure or most secure on this timeline, to give the CIO and the business options.” Another reason for a poor relationship: Sometimes the CIO doesn’t place a high enough priority on security. “Maybe the CISO is only security-minded but not thinking as a business-enabler; or maybe the CIO isn’t at all security-minded and only focused on business enablement,” Palmore says. In other cases, the CIO wants tight control of all things IT and excludes security, or vice versa. “Some security leaders believe that they alone own security and find themselves on an island without a boat to get them home,” says Kory Daniels, chief security and trust officer at LevelBlue, a managed security services provider. Other factors that can lead to a poor CIO-CISO relationship are more structural, experts say. It may be that the organization has not defined each position’s responsibilities. “When roles and responsibilities aren’t clearly defined, overlaps or gaps in accountability can create unnecessary risk,” Wilking says. Or it could be that the organization’s funding process turns them into “adversaries for the same dollar,” Cardwell says. Many of these problems stem from what Wilking says is “a lack of shared context and alignment around enterprise risk.” “The CIO is typically measured on uptime, scalability, and agility, while the CISO is focused on protecting data, ensuring compliance, and mitigating threats. Without a unified view of how those priorities intersect, the two can seem at odds,” she explains. “Too often, cybersecurity gets treated like the gatekeeper instead of a true partner. Teamwork ends up feeling transactional instead of collaborative. At Booking.com we emphasize embedding cybersecurity into business strategy from the start, ensuring it’s part of every conversation about product design, data, and customer trust.”
How to improve a poor relationship: CIOs and CISOs both have incentives to improve a problematic relationship. As Lee explains, “The CIO-CISO relationship is critical. They both have to partner effectively to achieve the organization’s technology and cybersecurity goals. All tech comes with cybersecurity exposure that can impact the successful implementation of the tech and business outcomes; that’s why CIOs have to care about cybersecurity. And CISOs have to know that cybersecurity exists to achieve business outcomes. So they have to work together to achieve each other’s priorities.” CISOs can take steps to develop a better rapport with their CIOs, using the disruption happening today, whether from AI or the uncertainty in the economy, as an opportunity to check in, reset the relationship, and address any issues that have stymied collaboration. Steps for CISOs include:
Establishing alignment with the CIO as well as members of the C-suite and the board on the organization’s position on risk.
Ensuring security is aligned with the organization’s strategy and its IT roadmap. Transcend’s Cardwell says it’s important for CISOs to think, “The CIO has a great thing here. I’d like to find how to make it secure.”
Getting clarity on CIO and CISO responsibilities. “You need clarity on where the lines are drawn,” LevelBlue’s Daniels says.
Making regular and ad hoc direct communication with the CIO a priority.
Focusing on relationship management. “Communicate, be willing to meet, get teams to meet, establish trust,” Daniels says.
Seeking to understand the CIO’s priorities, incentives, and challenges and sharing yours. “Find a way to walk a mile in the other’s shoes,” Daniels adds.
Shifting to a business-enablement mindset. “Instead of leading with ‘no,’ lead with ‘How do we get there securely,’” RegScale CISO Hoak says.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4094754/12-signs-the-ciso-cio-relationship-is-broken-and-steps-to-fix-it.html