Although there are overlaps in the goals and responsibilities of the CIO and the CISO, there are also challenges that get in the way of a more cohesive relationship, including reporting lines, organizational structures, budgets, and risk appetites.
If they don’t overcome these challenges, they’ll stall the technology from achieving its full potential, silos will persist, and the rifts will widen.
What’s the aim? Unite these two executive leaders under a common purpose. A panel of CIOs and CISOs identified some of the shifts that can get these two roles working better—together.
Shift #1: Identify the overlaps.
CIOs and CISOs have different jobs to do.
- The CISO is the cybersecurity leader who leverages compliance and regulations to protect information and stop data leakages.
- The CIO is the enabler of business growth and innovation who makes sure that the organization is getting the most out of the information at hand.
The overlap is their perspective on the “information” part of “information technology.” Specifically, how the CISO’s technical and cybersecurity responsibilities juxtapose the CIO’s growth mindset.
Conflict emerges when CIOs and CISOs look at the IT risks and opportunities as separate responsibilities. This doesn’t make sense to Brian Brackenborough, CISO at Channel 4, who says it is inefficient to separate the many responsibilities that CIOs and CISOs carry.
He said there is no need for separate IT teams to focus on fixing devices while another focuses on networks. Instead, there should be one team managing it across the board.
Shift #2: Overcome the tension in your reporting lines.
Consider both viewpoints of CISOs and CIOs, which is to understand the origins of tension between the roles. Some of this friction can be attributed to reporting structures: when the CISO reports directly to the CIO there is typically less friction, but with more CISOs reporting directly to the CEO with a seat at the board room table, this dynamic changes. The choice of reporting structure could be down to strategic priorities flexing between regulation and innovation phases of the business cycle.
Organizations can choose to approach this dynamic duo differently. Johnson Matthey’s CIO, Aidan Hancock, says the CISO has always reported to him, but that reporting lines can grow and spread out. His focus is making sure the CISO is fully on board with the rest of his IT leadership team.
Equality in reporting lines will be a dead end if CIOs and CISOs don’t share responsibility for risk. That’s not to say they must have identical perspectives—each leads the organization from a different vantage point—but they do need to understand and align.
Shift #3: Align on risk.
Doug Drinkwater, Director of Strategy at HotTopics, suggests that historically, the CISO will be the one to “take the hit” when it comes to risk.
At the top of any organization, the CIO and CISO must be united and share the responsibility for leading risk. Hancock’s main concern is a CISO with an independent reporting line owning risk while “the CIO delivers most of the actions that meet that risk.” His solution to this is for the leaders to find a common purpose.
Shift #4: Work together for a shared purpose.
Anuj Tewari, CISO at TMF Group, looks at collaboration between CIOs and CISOs as a key success factor. The moment they stop working together, everything becomes a challenge. The greater the disconnect, the less optimistic the partnership can be.
The budget exercise was one example where Tewari said he saw CIOs and CISOs work hand in hand. In the end, he maintains that collaboration is about creating a road map to ensure that CISOs and CIOs can secure the data and overall “crown jewel” for the organization. That means consciously overriding our human instinct to stick with our “people.”
For Brackenborough, transparency between the two roles is foundational. He gave the example of the traditional CIO and CISO conferences. An information security conference is full of CISOs and information security professionals. Brackenborough suggests they swap. This way, technology leaders will know what’s happening in each other’s camps and help the CISO and CIO overcome the feeling that they’re talking different languages.
Understanding the overlap in the roles and becoming intentional about reporting lines while aligning on risk and purpose can bring IT organizations closer together. This is ideal because technology is starting to do the same.
The convergence of technology and people
The industry is moving forward and the convergence of networking and security is giving organizations the technology to scale. This shift allows organizations to better support demand, fulfill performance requirements, and allow for deployment of new services, all while securely connecting hyper-distributed teams, places, and things.
Think about security, incident response, and detection paired with the alignment of goals, objectives, and priorities. Modern tools break down the silos between the CISO and CIO so that convergence can take place.
Resultingly, teams can start working together to push forward. CIOs and CISOs get a holistic view of what is going on in the organization they’re leading. With the right tools for the job and doing business with security in mind, there’s a lot of potential to be unlocked.
CIOs and CISOs must clarify roles, responsibilities, and reporting structures. By aligning on risk and purpose they can organize their teams to work better—together.
Register now for a webinar about
Why CIOs and CISOs should work together more closely
Great article
Good read, thanks for sharing.
Interesting…
I like when Cisco use different formats to share more knowledge ina different way!
Very perfect
Great Informative information.
Thank you so much for sharing. Such a great article.
Great Informative information.
Good read, thanks for sharing.
Thank you so much for sharing. Such a great article.