CIOs and CISOs operate in high-stress environments that can at times place additional strain on their relationship, further distracting them from achieving beneficial outcomes.
In my own career, I’ve been a CIO and a CISO, so I have firsthand experience with this issue from both perspectives. Defusing the situation so that the relationship is workable, healthy, and respectful for both parties can be challenging, especially for CISOs, who often report to the CIO. It requires understanding the pressures and priorities of the other’s role, as well as how your partner operates.
Relationship ripe for tension
To understand why there is natural friction between CIOs and CISOs, one must consider the pressures and priorities of each.
The role of the CIO is filled with a multitude of activities that all demand attention and have high visibility with executive management and the board, which want to see the CIO on top of the IT agenda.
That agenda — the raison d’être for the CIO — is to enable business transformation and growth through use of technology. Key stakeholders throughout the company demand delivery of tech-enabled change and positive customer experiences from these platforms, and the CIO is judged on their ability to not only deliver these new digital solutions but also keep operational processes from being impacted by an outage or disruption to service.
Meanwhile, the CISO’s mandate is to protect the enterprise from external threats. Yes, the CIO cares about this too, but they also face pressure from their business stakeholders when it comes to the trade-offs that may be required to secure the enterprise.
These trade-offs are pinch points that intersect with the CISO’s remit, exposing conflicting priorities for both parties. Over time, such situations, and how they are handled and resolved, can lead to real friction between the two. This friction can be overt, boiling over in public, or covert, hidden from other colleagues and sometimes from the CIO and CISO themselves.
Common CIO-CISO pressure points
In every mature enterprise, some risks have to be accepted for the time being, with remediation deferred. Vulnerability patching is one example where tension between the CIO and CISO can arise.
In the case of critical vulnerabilities that are already being exploited, the CISO will want patches applied immediately, and the CIO is likely aligned with this urgency. But for medium-severity patches, the CIO may be under pressure to defer the disruption to production systems, and may push back on the CISO to wait a week or even months before patching.
The same tension exists for programs that impact digital customer experience. For example, new multifactor authentication functionality requires new customer communications and perhaps associated short-term disruption of the channel, something that may be difficult for the business to accept.
Or the CIO and the engineering team may be working with business units to deliver new customer features via an API platform. From the CISO’s perspective, those APIs must be properly managed, and penetration-tested, so that they don’t create an unexpected data loss vector. The CISO will want more controls applied, but the CIO, while agreeing in principle, must also satisfy the stakeholders by ensuring the feature is delivered, often in a short time frame.
Incident management is another area ripe for tension. The CISO has a leadership role to play when there is a serious cyber or business disruption incident, and is often the “messenger” who shares the bad news. Naturally, the CIO wants to be informed immediately, but at that point the details are usually sparse, with many unknowns. This can make the CISO look bad to the CIO, as there are often more questions than answers at this early stage.
A fifth example is DevOps, as many CIOs, including myself, advocate for continuous delivery at velocity. Unfortunately, not as many CIOs advocate for DevSecOps to embed cybersecurity testing in the process. This is perhaps because the CIO is often under pressure from executive stakeholders to release new software builds and thus accept the risk that there may be some iteration required if this is not perfect. Meanwhile, not many CISOs come from a software developer background, and so are often not comfortable engaging with and challenging this process.
How differing CIO and CISO archetypes engage
The above areas of friction have nothing to do with the personalities of the CIO and CISO. Personality is a separate source of incompatibility, and one that can create further strain on the relationship.
The CIO and CISO are likely to have arrived at their positions through different career paths and may have a differing approach to their work. Some of these resulting archetypes naturally work better together, while others may clash.
[Figure: CIO and CISO archetypes. Credit: David Gee]
My advice here is to consider how your counterpart operates, what their natural style is, and how you might approach potential pressure points differently. For instance, a Business CIO or Partnering CIO will value stakeholder engagement as key to success. If paired with a Technical CISO or Transformational CISO, there may be some mismatch of approach.
How to manage this tension
If you find you are operating in a scenario of elevated CIO-CISO tension, or you recognize there is a natural divergence of your approaches, it is important for both the CIO and CISO to acknowledge this issue and work through how to reconcile their differences.
In these circumstances it is best to sit down and discuss how to work together respectfully and with business objectives in mind. Some suggested principles to consider include:
- Adopt a company-first attitude.
- Understand the business benefits of all proposed actions.
- Be fact-driven.
- Be transparent and honest but never offensive.
- Look for the win-win.
This approach will not work if either party is not committed to effecting a change. If that’s the case, then a reset may be required, with a third party or independent coach brought on board to help facilitate the relationship. Hopefully this reset can be achieved with some small tweaks, without one or both of the parties giving up and walking away.
A healthy dose of tension is good for the CIO and CISO in their everyday work. But this has to be managed so that it does not become conflict that spills over to create non-productive situations. That would be a lose-lose for both parties, and not a great outcome for the business as a whole.
Full article: Reducing CIO-CISO tension requires recognizing the signs