IT leaders fear hearing the word "cyberattack" associated with their company's critical systems.
From Equifax to Capital One, Merck or Colonial Pipeline, businesses have experienced the lasting impact a cybersecurity weakness can have on operations, brand equity or market performance.
Due to the disruptive nature of cybersecurity weaknesses, almost half of tech leaders say vulnerability of IT assets is their main worry, according to data from Flexera. Seven in 10 leaders place vulnerabilities among their top three concerns.
Supporting an organization is the relationship between CIOs and CISOs or other similar figures within IT and security. A healthy connection starts with a focus on priority business outcomes rather than specific technologies.
But maintaining an effective relationship is also tied to how companies shape their leadership structure and executives' abilities to work together.
There are three leadership models that are most common in CIO/security leadership structure, according to Sridhar Karimanal, head of the Health and Life Sciences group at Eagle Hill Consulting:
- CISOs reporting to the CIO, the most common structure
- CISOs reporting directly to the CEO, which is often found in financial organizations, or
- CISOs reporting to a chief risk officer.
No matter the organizational model that companies follow, significant differences between the CIO and the CISO in strategy or decision-making constitute "a recipe for a potential gap or breach," Karimanal said.
CIOs need to work closely with their security counterparts, according to Andrew Bartels, VP and principal analyst at Forrester. Technology executives can use CISO insight to fully grasp the security implications of ongoing projects.
Vulnerabilities can present themselves all across the tech stack. Operating systems, productivity software and IT management tools rank atop the most vulnerable technologies due to end of life or end of service events from providers, according to Flexera data.
"The mandate of a CIO is not simply to keep the IT systems up to date, not simply to make sure that we're adding new capabilities from a technology perspective, but to support the business strategy," said Bartels.
The CISO and CIO can become strained over decision-making, deadlines or resources. But it's in every organization's best interest to ensure the two executives find common ground.
"You need to have a governance structure that brings them together," one that calls for both leaders to make joint decisions, Karimanal said.
One factor that can get both leaders to see eye to eye is using the language of business outcomes, said Paul Proctor, distinguished research VP at Gartner. Looking at security investments through a business plan and making decisions based on supporting business success is an ideal approach.
The monetary motivation of an efficient CIO-CISO team is clear. The cost of cybercrime globally — including monetary losses and cybersecurity spend — soared past the trillion-dollar mark in 2020, according to estimates from McAfee.
"If the CIO is in conflict with their security officer, they need to address that conflict," said Proctor. Leaders must understand how the organization is prioritizing its business outcomes in order to understand where security investments should be made.