Mary K. Pratt
Contributing writer

6 signs the CIO-CISO relationship is broken — and how to fix it

Feature
Jun 18, 2019 | 7 mins
Careers, Security

Successful collaboration between the IT and security leaders is essential but not always easy. Here are signs the relationship is broken – and 8 steps you should take to fix it.

[Image: mended relationship / handshake and bandaged heart. Credit: Nastco / Getty Images]

Mark Thomas felt trouble brewing when he was a CIO with a CISO reporting to him as the pair stumbled over what could have been seen as conflicting priorities.

The two hashed out a plan to overcome the discord, Thomas says. They developed a set of common standards to help them communicate and pull toward common objectives. Thomas considered it an executive version of middleware.

“It gave us common terminology and common objectives. It aligned our goals,” Thomas says. “That was a really good starting point for breaking down our siloes.”

Thomas, now president of Escoute Consulting, which focuses on the governance of enterprise IT, says it was important to get out in front of the communication breakdown between himself and the CISO, because he views the relationship as a crucial partnership for enterprise success.

Yet he and others say it’s common, and in many ways expected, for CIOs and CISOs to butt heads. They have different objectives that bump up against each other: CIOs strive to deliver consistent, reliable services as quickly as possible, while CISOs seek to deliver those services securely.

“But they have to work in harmony, build the right team structure and promote the right culture. And they have to work together for the common good of the organization,” says George Moraetes, a security consultant and interim CISO with his firm Securityminders LLC.

When they don’t, the organization is at risk of slower, less secure technology services and stunted digital transformation overall.

Signs of trouble

There are many telltale signs of trouble in the CIO-CISO relationship, according to experienced executives, researchers and management consultants. They include:

  1. A lack of respect. The executives (and, as a result, their managers and staff) disregard each other’s advice, ignore requests for cooperation, dismiss the other’s opinions, issue commands to be obeyed rather than calls for collaboration, and refuse to share information.
  2. No clear delineation of responsibilities. Especially in areas where technology and security overlap, a lack of clarity around roles and responsibilities can lead to either battles over territory or neither side taking ownership of projects.
  3. High turnover. A high turnover rate, particularly in either executive position, but also in staff positions within both departments, could indicate a toxic work environment that may (but not exclusively) stem from problems at the top.
  4. An us-vs.-them mentality. This adversarial approach fosters an obstructive working relationship rather than a collaborative one.
  5. Failure to do the job. Missed deadlines, incomplete projects, or ignored requests for input where the IT and security teams need to coordinate can all result in work not getting done.
  6. Frequent or increased downtime. In particular, unplanned downtime due to security needs could indicate inconsistent or nonexistent communication and coordination between the two teams.

Lack of peer relationship

Several factors can lead to a troubled CIO-CISO relationship that manifests in bad behaviors like those just listed. The people in those roles could be particularly egocentric. They might not like each other and can’t work through the ill feelings. Or they don’t know – and don’t care – about the pressures that the other one faces.

But often a troubled CIO-CISO relationship stems from an imbalance in the positions, according to multiple experts.

They say the CIO and the CISO should be on equal footing within an organization, with each one involved in strategic planning.

That’s the case in many organizations, but not all. The 2018 Global State of Information Security Survey from PwC, CSO and CIO found that 40 percent of the top information security executives reported to the CEO, 27 percent reported directly to the board of directors, and 24 percent reported to the CIO.

Similarly, the 2018-2019 EY Global Information Security Survey found that 40 percent of organizations charge their CIOs (not the CISOs) with ultimate responsibility for information security.

Relationship fixes

A problematic CIO-CISO relationship can be repaired if you’re willing to put in the work. The experts we spoke with offer the following steps that the executives can take to help overcome misalignment, professional conflicts and even animosity.

  1. Make CISOs and CIOs peers. Have CISOs present to the CEO and/or board so that security requirements are clearly understood and get equal consideration in strategic planning. “If you want security to be important to your organization, you’re going to have to give that CISO a seat at the table, and they’re going to report to the CEO, CFO or general counsel. They’re going to have to have a seat at the table, where they sit next to — and not behind — the CIO,” says Alexis Culp, director of engineering at Apollo Information Systems and an active member in the Women in CyberSecurity (WiCyS).
  2. Set security budgets and staffing levels independent of the CIO budget and IT plans. This further helps create equality between the IT and security departments — and also makes the most sense, says Tony Scott, CEO of the strategic consulting firm TonyScottGroup, former CIO of the U.S. Government, and SPJ Ambassador Board CIO Chairman. “The best organizations take a risk-based approach to cybersecurity and make active decisions about what risks they’ll accept and which ones they’ll put resources against. That impacts budget and headcount, and in most organizations that has little or no relation to how much IT is spending. So I’ve always favored looking at these as two separate items,” he says.
  3. Establish a clear understanding of responsibilities. Especially in areas where IT and security overlap and require collaboration, it is critical the CIO and CISO roles and responsibilities are clear. “The goal is to have a seamless working relationship, where roles and corresponding processes are well defined and well understood,” says Frank Kim, founder of ThinkSec, a security consulting and CISO advisory firm and a senior instructor with the SANS Institute.
  4. Involve the CIO and CISO in the organization’s strategic planning process. This gives both teams a single common objective that they can work toward, ensuring alignment. “IT and security should have a shared technology vision that’s mapped to different business drivers,” Kim says, noting that this approach helps ensure neither team’s objective is minimized.
  5. Require CISOs and CIOs to master executive skills. It’s not enough for these leaders to have domain expertise; they must also be strong executives skilled in strategic thinking, negotiation, communication and relationship building. “And you need to get to know the other person on a personal level if you’re going to work day in and day out together,” says Robert LaMagna-Reiter, CISO at FNTS, a global IT strategy and managed services company.
  6. Understand the other’s job and its objectives. “Both the CIO and the CISO have to know each other’s world, otherwise there’s politicking and animosity. They have to be teachers and mentors to one another,” Moraetes says. When one has a more informed appreciation for what the other must accomplish to succeed, they’re both better able to identify common priorities and agree on compromises. For example, Moraetes says the CIO at one of his corporate clients drew on security architects to work on an identity and access management initiative that was overloading IT, a partnership that helped turn the project into a win for both departments – and the business as a whole.
  7. Employ executive training. Scott says coaching services and 360-degree reviews can be particularly effective in building strong relationships. “Sometimes an outside facilitator needs to come in and help the two be better collaborators. In most cases they help point out where there are issues but also they help encourage a more collaborative environment from the get-go,” he says.
  8. Step down. Experts say there are times when the CIO-CISO relationship is beyond repair, and it’s better to walk away than let the situation endanger the organization’s success. “In extreme cases, one or the other has to leave,” Scott says. Culp says she has seen situations where the CIO and others on the executive team simply did not respect the CISO’s expertise or value security as a whole. In one such case, the CISO saw the company renege on funding for key security initiatives, a scenario that the CISO believed put the company at significant risk and the individual’s reputation on the line – so the CISO quit.