{"id":2246,"date":"2025-03-10T07:00:00","date_gmt":"2025-03-10T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2246"},"modified":"2025-03-10T07:00:00","modified_gmt":"2025-03-10T07:00:00","slug":"cisos-and-cios-forge-vital-partnerships-for-business-success","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2246","title":{"rendered":"CISOs and CIOs forge vital partnerships for business success"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Last July, a <a href=\"https:\/\/www.cio.com\/article\/3476789\/crowdstrike-failure-what-you-need-to-know.html\">routine update<\/a> from cybersecurity software firm CrowdStrike sparked a global IT outage that brought companies to their knees, disrupting operations and amounting to an estimated $5 billion-plus in direct losses.<\/p>\n<p>As companies across every major sector scrambled to recover, Webster Bank was back in business in short order \u2014 an achievement CIO Vikram Nafde credits to the usual cybersecurity tools and policies, but also to a formidable peer partnership forged with his CISO.<\/p>\n<p>The pair\u2019s collaborative work straddles joint strategic planning, integrated roadmaps, coordinated messaging, and regular touchpoints. On the heels of the CrowdStrike outage, the partners conducted <a href=\"https:\/\/www.csoonline.com\/article\/570871\/tabletop-exercises-explained-definition-examples-and-objectives.html\">tabletop exercises<\/a> to demonstrate the bank\u2019s ability to recover quickly in the event of a similar cybersecurity incident \u2014 or potentially something much worse.<\/p>\n<p>\u201cWe brought the board together to showcase how the CIO and CISO work together,\u201d says Nafde, also executive vice president at the bank. 
\u201cToday, there is more reporting from the CISO role directly every quarter to the risk and technology committee and the board.\u201d<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<p>Vikram Nafde, EVP and CIO, Webster Bank<\/p>\n<p class=\"imageCredit\">Webster Bank<\/p>\n<\/div>\n<p>As is the case at many companies, Webster Bank\u2019s CISO Patty Voight reports into the CIO. While there is a direct line between the executive functions, Nafde says the structure is collaborative, not hierarchical \u2014 a significant evolution as the intensity of threats escalates, raising the bar for cybersecurity leadership. In 2024, the global <a href=\"https:\/\/www.csoonline.com\/article\/567697\/what-is-the-cost-of-a-data-breach-3.html\">average cost of a data center breach was $4.88 million<\/a> \u2014 a 10% spike over the previous year and the highest on record, according to the <a href=\"https:\/\/www.ibm.com\/reports\/data-breach\">Cost of a Data Breach Report 2024<\/a> published by IBM and Ponemon Institute. That report revealed it takes an average of 258 days for security teams to identify and contain such a data breach.<\/p>\n<p>With companies\u2019 revenue, reputation, and resiliency on the line, cybersecurity leaders can no longer operate from technical silos, detached from day-to-day operational challenges and divorced from critical business goals. The breadth and complexity of the attack vector, coupled with an active and evolving regulatory landscape, have elevated cybersecurity to a key business priority and along with it, <a href=\"https:\/\/www.csoonline.com\/article\/3626973\/cisos-embrace-rise-in-prominence-with-broader-business-authority.html\">CISO executive status<\/a>.<\/p>\n<p>According to the 2025 State of the CIO survey, upgrading IT and data security to reduce corporate risk ranked among the top CEO priorities for IT this year, cited by 20%.
The research also found CISOs split evenly between reporting up to the CEO (37%) and into the CIO (36%); in 2024, nearly half (49%) of CISOs named the CIO as their direct superior.<\/p>\n<p>\u201cBusinesses are recognizing that cybersecurity needs to be prioritized and that it\u2019s a global problem \u2014 not a matter of if, but when,\u201d says Larry Whiteside, chief advisory officer for The CISO Society, a private community for cybersecurity leaders. There\u2019s no longer any argument that a company is too small to be in the crosshairs.<\/p>\n<p>\u201cIf you\u2019re making money or have data, they will come after you,\u201d Whiteside says. \u201cYou need to be thinking about potential business impacts and how to mitigate that risk as much as possible.\u201d<\/p>\n<p>As CIOs morph into <a href=\"https:\/\/www.cio.com\/article\/2088578\/state-of-the-cio-2024-change-makers-in-the-business-spotlight.html\">multi-faceted business leaders<\/a>, it makes sense that <a href=\"https:\/\/www.csoonline.com\/article\/3633451\/6-ways-the-ciso-role-is-evolving-today.html\">CISOs follow suit<\/a>, building the case for a more collaborative, business-focused partnership. \u201cAs the CIO becomes more of a consultant, working with the business to leverage technology, the CISO works alongside to build security into those strategies,\u201d Whiteside adds. \u201cCISOs are moving out from under the CIO and becoming a peer.\u201d<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<p>Larry Whiteside, chief advisory officer, The CISO Society<\/p>\n<p class=\"imageCredit\">The CISO Society<\/p>\n<\/div>\n<h2 class=\"wp-block-heading\">Secrets to CIO-CISO partnership success<\/h2>\n<p>At United Airlines, the CIO and CISO have long been peer positions, both reporting into the CEO.
United landed on that structure to fuel its digital agenda, treating each competency as a distinct capability while acknowledging the need for alignment to achieve targeted business goals, according to Deneen DeFiore, United\u2019s vice president and CISO.<\/p>\n<p>\u201cCISOs have to engage in the business operating rhythms and not be four levels down hearing about what outcomes you\u2019re trying to drive and try to translate that,\u201d DeFiore says. \u201cI\u2019m right there able to connect the dots with a real-time perspective.\u201d<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<p>Deneen DeFiore, VP and CISO, United Airlines<\/p>\n<p class=\"imageCredit\">Deneen DeFiore \/ United Airlines<\/p>\n<\/div>\n<p>DeFiore and CIO Jason Birnbaum got a head start on their relationship dynamics working at General Electric, where they didn\u2019t interact as colleagues, but still gained exposure to a shared set of experiences, core values, and business language. That mutual understanding was pivotal when it came time to sketch out the contours of their working partnership at United. DeFiore and Birnbaum built on their common foundation, prioritizing open communications and transparency, developing a shared vision and set of outcomes, and aligning messaging to help break down barriers and misperceptions.<\/p>\n<p>Their playbook helps position security requirements at the center of new initiatives without bogging down timelines or becoming a gating factor for innovation. 
Case in point: United\u2019s \u201c<a href=\"https:\/\/www.cio.com\/article\/3624045\/united-airlines-sets-its-flight-plan-for-gen-ai-success.html\">Every Flight Has a Story<\/a>\u201d offering, a generative AI-fueled flight-status service released last year designed to bring more transparency and context to flight delays and updates.<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<p>Jason Birnbaum, CIO, United Airlines<\/p>\n<p class=\"imageCredit\">Jason Birnbaum \/ United Airlines<\/p>\n<\/div>\n<p>Working as a team, DeFiore and Birnbaum recognized the game-changing potential for generative AI, and together with their organizations created a framework around responsible use of the technology. The flight-status service was one of the first external-facing use cases for gen AI, and there are about 90 others in the pipeline, she says. \u201cWe were able to iterate on that quickly together and manage the risks associated with using emerging technology,\u201d she explains.<\/p>\n<p>Not only is CIO\/CISO alignment critical for positive outcomes, it\u2019s important the partners propagate those shared values and business goals downstream to members of their respective IT and security organizations.<\/p>\n<p>That\u2019s a top priority for the CIO\/CISO team at the Federal Reserve System. CIO Ghada Ijam and CISO Tammy Hornsby-Fink make it a point to publicly demonstrate to the broader enterprise their shared commitment to the financial institution\u2019s mission while highlighting how cybersecurity-related decisions advance those core objectives.<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<p>Tammy Hornsby-Fink, CISO, Federal Reserve System<\/p>\n<p class=\"imageCredit\">Federal Reserve System<\/p>\n<\/div>\n<p>\u201cWe need to make sure our way of working doesn\u2019t just happen at our level but is reinforced with teams at many levels of the organization,\u201d Hornsby-Fink says. 
\u201cIf we get into a situation where we are either shutting something down or not being open to each other\u2019s perspective, that sends a strong signal downstream. We make sure we listen to each other in open, public forums. That\u2019s one of the practices put in place to ensure the [peer] relationship endures long after we\u2019re gone.\u201d<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<p>Ghada Ijam, CIO, Federal Reserve System<\/p>\n<p class=\"imageCredit\">Federal Reserve System<\/p>\n<\/div>\n<p>Plaza Dynamics, a provider of managed IT, cloud, and security services, addresses the need for close CIO\/CISO alignment with a unique approach. It has appointed a single executive to oversee both sets of responsibilities. In her dual-title role, Dr. Vivian Lyon serves as Plaza Dynamics\u2019 CIO and CISO \u2014 a structure she says speaks to the expanding business remit of the security function as well as the need for security professionals to take ownership of risk.<\/p>\n<p>\u201cMy dual-titled role as a CIO and CISO gives me new levers to work with and more scope to drive strategic integration and alignment of cybersecurity within our organization and clients,\u201d Lyon says, acknowledging that, although the <a href=\"https:\/\/www.csoonline.com\/article\/2510280\/cisos-successfully-take-on-dual-titles.html\">dual-titled leader is on the rise<\/a>, the structure doesn\u2019t work for all companies, especially larger organizations.<\/p>\n<p>In instances where the CIO and CISO are separate, peer-level roles, Lyon advocates for a well-defined risk profile to help prioritize resources and balance acceptable risks.<\/p>\n<p>\u201cIn a peer relationship, balancing business objectives with security requirements ensures decisions that drive both resilience and growth,\u201d she explains. 
\u201cWithout clarity, organizations may overinvest in low-priority threats or underprepare for significant risks.\u201d<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<p>Dr. Vivian Lyon, CIO and CISO, Plaza Dynamics<\/p>\n<p class=\"imageCredit\">Plaza Dynamics<\/p>\n<\/div>\n<h2 class=\"wp-block-heading\">CISOs find their voice<\/h2>\n<p>Even the best relationships have their trouble spots, and the peer CIO\/CISO partnership is no exception. Historically, the pair\u2019s agendas \u2014 the CIO charged with leading digital strategy and transformation and the CISO tasked with protecting it \u2014 <a href=\"https:\/\/www.cio.com\/article\/202181\/security-vs-innovation-its-trickiest-balancing-act.html\">have been at odds<\/a>. While there\u2019s often distance between the two, CISOs\u2019 growing business orientation and tighter alignment with their CIO counterparts are helping to close that delta more so than in the past. Business-oriented CISOs are also working hard to shed their long-standing characterization as being overly risk-averse, which positioned them as a bottleneck to innovation.<\/p>\n<p>\u201cOne of the characteristics of a business-aligned CISO is they don\u2019t use the veto card in every instance,\u201d Ijam explains. \u201cWhen the CISO is at the table and understands the importance of outcomes and deliverables from a business perspective as well as risk management from a security perspective, they are able to pick their battles in a smart way.\u201d<\/p>\n<p>Forging a peer CIO\/CISO partnership also requires the right set of leaders. While CIOs have been honing a business orientation for years, CISOs need to follow suit, maturing into a role that understands business strategy and is well-versed in the language so they command a seat at the table. \u201cThe right CISO leader is someone that doesn\u2019t speak in ones and zeros,\u201d Whiteside says.
\u201cThey need to be at the table talking in terms that business leaders understand \u2014 not about firewalls and malware.\u201d<\/p>\n<p>Becoming a C-suite peer also means cultivating an independent voice \u2014 important because CIOs and CISOs often have varying points of view, separate priorities, and different tolerances for risk. It\u2019s equally important to make sure the CISO\u2019s voice \u2014 and security recommendations \u2014 are part of every discussion related to business strategy, IT infrastructure, and critical systems at the beginning, not as an afterthought.<\/p>\n<p>\u201cThere is an assumption often made that a CISO or security people will slow you down,\u201d says the Federal Reserve\u2019s Hornsby-Fink. \u201cIf we are at the table early in conversations, we can steer the organization in a direction where we can move the business quickly and avoid being overly risk averse.\u201d<\/p>\n<p>Like any successful long-term relationship, open communication and transparency are key to a fruitful CIO-CISO partnership. Having those tough conversations to reconcile conflicting priorities, actively listening, and holding one another accountable are all part of what\u2019s required to build trust and transparency \u2014 the bedrock for peer partnership success.<\/p>\n<p>\u201cAny points of contention, I don\u2019t take personally,\u201d says United\u2019s DeFiore. \u201cI know we have a trusted relationship and not everything is going to be all rosy. In the end, we are trying to do the same thing and find solutions to get there.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Last July, a routine update from cybersecurity software firm CrowdStrike sparked a global IT outage that brought companies to their knees, disrupting operations and amounting to an estimated $5 billion-plus in direct losses. 
As companies across every major sector scrambled to recover, Webster Bank was back in business in short order \u2014 an achievement CIO [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2247,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2246","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2246"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2246"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2246\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2247"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2246"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2246"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2246"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}