CIOs and CISOs can be good friends, but that doesn’t mean they get along when it comes time to marshal resources and set priorities.
Typically CISOs report to CIOs, who know they have the upper hand. But both have to learn that while they look at the enterprise in different ways (one has digital performance and transformation in mind, the other protecting the enterprise from cyber attacks), they both have the best interests of the organization at heart.
For the moment let’s set aside the argument that “if they have a C in their title they should both report to the CEO.” Who sits at the Big Table without it getting crowded is another fight.
A recent article on CSOonline delved into this conundrum and quotes a number of executives on how they make the relationship work.
One CISO, for example, says both have to share in “open communication and shared goals, remembering that they have the same overall objectives.”
If there isn’t mutual respect and communication, infosec pros become defensive, fear they will be blamed for breaches, and become the “department of no.”
A consultant and former CISO says a lack of clear reporting and stakeholder involvement causes problems. “The CIO has to understand that the CISO is a support function to their role and not feel threatened that their judgement is being called into question or that they are going to be blamed for any issues found. When the CIO embraces the CISO, the relationship works well,” he is quoted as saying.
One expert says CISOs should keep three things in mind:
- Know where security can break the business, and where it can add value;
- Understand the business and its priorities;
- And “try and make it real for executives. If they understand it and it challenges them, then you’re less likely to be sacked!”
The constant change in cyber security is mirrored by constant change in the business. CIOs and CISOs must work together. The question is how.
How do you work effectively with your CIO? Let us know in the comments section below.