5 ways to improve the CIO-CISO relationship

CIOs and CISOs need to work together for the benefit of the whole organization. To break the mold of hostility, C-suite leaders need to prioritize collaboration and mutual respect.

A casual observer might assume that because the CIO and CISO are both technology roles there's a natural synergy between the two. As a CIO, you know that casual observer would be incorrect.

Improving this relationship is key to minimizing risk and reaching company goals. Doing so requires soft skills -- a combination of communication, mutual understanding and engagement across the rest of the C-suite and with other employees.

Here's a look at the characteristics of the CIO-CISO relationship, the typical reporting structure and ways you can work to improve the relationship.

The fundamental CIO-CISO relationship

CIOs and CISOs often feel mutual antipathy, which can degrade into downright hostility, to the detriment of an organization. This stems not from personalities of the people in the CIO and CISO roles, but rather from the fundamental conflict between the two roles.

Your job is to enable business through technology; the CISO's job is to mitigate the risk injected by technology.

In other words, a CIO's job is to say "yes" and the CISO's job is to say "no."

You can be fired if a technology implementation fails, costs too much or doesn't deliver as promised. A CISO gets fired if the company is breached badly enough -- regardless of whether it's their fault. So, a CIO's actions can get a CISO fired.

CIOs who see that situation from the CISO's point of view may find it easier to reframe both job functions in a way that can lead to improved interactions.

CIO-CISO reporting structure: Actual vs. ideal

One way that many organizations seek to mitigate this natural tension is via reporting structure. You can help advocate for the reporting structure that works best.

[Figure: 20% of CISOs think they'd be fired for a breach even if they're not responsible. Caption: The responsibility for security breaches falls on the CISO.]

In 50% of organizations, the CISO reports directly to the CIO, according to Nemertes' research. In the remaining 50%, one of three things is true: there is no CISO at all; there are multiple layers between the CISO and the CIO; or the CISO reports to someone who is neither the CIO nor in the CIO's chain of command.

The CISO reporting to the CIO is not ideal: If the boss wants to do something and the direct report doesn't want to do it, who's most likely to win?

The most successful organizations -- based on quantifiable success metrics, particularly including the median total time to contain an incident -- are those in which the CISO reports directly to a business executive, not the CIO. Nemertes' research bears that out. Appropriate business executives include the CEO, the chief risk officer, the chief legal officer and the CFO -- basically anyone whose job includes a company-wide assessment of risk, not just technical risk.

To put it in good-better-best terms: It's good to have a CISO, even for a small organization, and even if that CISO reports several layers down in the CIO's organization. It's better to have the CISO report directly to the CIO, rather than several layers down. And it's best if that CISO doesn't report to the CIO at all, but to a business executive.

How to build a good CIO-CISO relationship

Regardless of the reporting structure in your organization, here are five ways you can improve your relationship with the CISO.


1. Treat the CISO as a peer

One way you can create a good CIO-CISO relationship is to treat the CISO as a peer, even if they are a direct report. This might be difficult. Like many people who rise to the CIO level, you may have type-A tendencies and want to control every aspect of your organization. But it is possible to loosen the reins and grant talented colleagues greater autonomy.

There are thousands of small behaviors that color interactions and distinguish between treating someone "as a peer" and "as a direct report." If the CISO reports to you, try to imagine that they don't. Invite them to join you for discussions. Don't issue orders. Make suggestions, not demands. Encourage them to set goals that align with the business, not with what you want. And who knows? The approach might be so effective you'll want to try it with all your direct reports, not just the CISO.

2. Frame discussions around risk

CIOs often want to shift the topic of every discussion to technology. As a CIO, you should be reluctant to do that with CISOs. A better tactic is to steer every discussion toward risk, particularly enterprise risk. What enterprise risk is imposed, or mitigated, by what the CISO is discussing? Is it operational, technical or reputational? How likely is the risk, and how severe is it?

Assume your CISO has a solid grasp of the technology, or at least that the security team does and has been able to clearly communicate it upward. Try to grant the ownership of risk assessment to the CISO, even though, as CIO, you have likely dealt with risk issues many times in your career. Always remember that if this risk assessment is wrong, it's the CISO who gets fired.

3. Engage the CISO and security team

This may sound obvious, but it's surprising how often CISOs or their teams will tell me that major decisions have been made by the CIO or technology team without letting the CISO know. It's such a common scenario, in fact, that Nemertes has created a maturity model around it.

CIO-CISO maturity model

Our standard maturity model groups organizations into four categories: unprepared, reactive, proactive and anticipatory.

  • Unprepared. From the standpoint of CIO-CISO engagement, the lowest level of the maturity model is the scenario in which infosec must pursue IT and business to find out what's going on.
  • Reactive. The next level of the maturity model is one in which infosec must still pursue the business to find out what's going on, but IT approaches infosec proactively. The converse (business proactive, IT not) rarely occurs.
  • Proactive. The third level of the maturity model is the scenario in which both the business and IT regularly inform infosec about new initiatives once they're underway.
  • Anticipatory. The fourth, and highest, maturity level is one in which both business and IT engage the CISO and team from the very beginning, when an initiative is being assessed and considered, not after a decision is made.

Strive to position yourself and your team at that fourth level of maturity. It prevents the need for drastic course corrections downstream and helps integrate and align the IT and cybersecurity strategies.

4. Arrange informal and formal interactions

If you've read this far, you may be making a note on your to-do list that reads something like: "Schedule regular briefings with CISO and team to keep them apprised of our major initiatives."

Yes, absolutely, you should do that. Formally scheduling something is an excellent way to ensure it gets done.

But don't neglect the impact of less-formal, less-structured interactions as well. One Canadian CISO of my acquaintance used to host what he called "Timbits Tuesdays." For those south of the border, Timbits are scrumptious donut holes made by the Canadian institution Tim Hortons. My friend would bring a couple of bags of Timbits along with hot coffee to kick off a Tuesday-morning get-together with no fixed agenda. It was often the most valuable meeting of the week.

In this online, work-from-home environment, Timbits Tuesdays might not work. But there are plenty of ways to recreate the informal vibe over a video link. For example, have different members of the IT team present topics that interest them -- while wearing silly hats. Fostering connection is also an important way to help your team reduce stress, which should be a concern for all leaders.

5. Craft consistent business cases

One final way to improve the CIO-CISO relationship is to work harmoniously to craft business cases that take into consideration each other's strategies for technology investment.

If you are proposing a major ERP upgrade, for instance, you should include funding for technologies to keep that upgrade secure and justify why that technology investment is important. And when the CISO puts in for a software-defined perimeter, he or she should track the benefits in the form of reduced trouble tickets, increased employee satisfaction and the like.

In other words, CISOs and CIOs should work together -- whether they're in the same reporting structure or not -- to ensure that business cases consistently account for the costs and benefits of technology investment.

About the author
Johna Till Johnson is CEO and founder of Nemertes Research, where she sets research direction and works with strategic clients.
