{"id":6010,"date":"2025-12-01T07:00:00","date_gmt":"2025-12-01T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6010"},"modified":"2025-12-01T07:00:00","modified_gmt":"2025-12-01T07:00:00","slug":"12-signs-the-ciso-cio-relationship-is-broken-and-steps-to-fix-it","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6010","title":{"rendered":"12 signs the CISO-CIO relationship is broken \u2014 and steps to fix it"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Despite the need for collaboration between security and IT, all is not well in the CISO-CIO relationship.<\/p>\n<p>And it\u2019s not about newly minted CISOs trying to find their footing, as <a href=\"https:\/\/www.gartner.com\/en\/documents\/6985866\">Gartner research has found<\/a> that while around a third of CISOs with less than two years of experience report conflicts with their CIOs on key security-related areas, half of CISOs with five or more years of experience report conflicts in most of those same areas, including improving the organization\u2019s cyber resilience and negotiating enterprise cyber risk appetite.<\/p>\n<p>Conflict can be a sign that the CIO-CISO relationship is broken, says <a href=\"https:\/\/www.gartner.com\/en\/experts\/christine-lee\">Christine Lee<\/a>, vice president of research and content leader for Gartner\u2019s cybersecurity research team, but not always.<\/p>\n<p>In fact, other signs may be more telling indicators that the CIO and CISO are not working in concert, according to researchers, experienced executives, and executive advisors.<\/p>\n<h2 class=\"wp-block-heading\">Signs of trouble<\/h2>\n<p>Security leaders and advisors offer CISOs the following signs that indicate there may be trouble worth addressing in their relationship with 
their CIO colleagues:<\/p>\n<p><strong>1. The CIO commonly disregards or overrides the CISO\u2019s recommendations and decisions.<\/strong> <a href=\"https:\/\/www.linkedin.com\/in\/acardwell\/\">Aimee Cardwell<\/a>, CISO in residence at tech company Transcend and former CISO of UnitedHealth Group, says this situation often plays out with the CIO saying, \u201cThank you for your input, but we\u2019re going to do what we want anyway.\u201d<\/p>\n<p><strong>2. The CIO and CISO can\u2019t resolve conflict.<\/strong> Conflict can be healthy for moving an organization forward. Diversity of perspectives and opinions can provide top executives with new possibilities and opportunities for compromise that benefit the organization overall.<\/p>\n<p>But if the CIO and CISO can\u2019t resolve differences without escalating their disagreement to more senior executives, then a fundamental problem may be taking root. \u201cAre you shoulder to shoulder or nose to nose? Because if you\u2019re going nose to nose, then there\u2019s misalignment,\u201d Cardwell says.<\/p>\n<p>Gartner research notes that 87% of experienced CISOs describe their relationship with the CIO as \u201cgood\u201d or \u201cexcellent\u201d when it comes to resolving conflicts. Gartner\u2019s Lee says this figure shows that conflict itself doesn\u2019t mean the relationship is problematic. Rather, \u201cit\u2019s the inability to make progress or get to agreement that is a sign the CIO-CISO relationship is broken,\u201d she says.<\/p>\n<p><strong>3. The CIO isn\u2019t sharing information.<\/strong> \u201cThat\u2019s a gigantic red flag,\u201d Transcend\u2019s Cardwell says.<\/p>\n<p><strong>4. 
The CIO alters or blocks the CISO\u2019s message to the board.<\/strong> It\u2019s problematic enough <a href=\"https:\/\/www.csoonline.com\/article\/3999922\/get-out-of-the-audit-committee-why-cisos-need-dedicated-board-time.html\">when the CISO doesn\u2019t present directly to the board<\/a> on a regular basis, but Cardwell says it\u2019s even more troubling when the CIO is changing the information the CISO believes the board needs to have.<\/p>\n<p>\u201cThis goes beyond advice like, \u2018You can word this a better way,\u2019 or \u2018You can tell the story in a better way.\u2019 It\u2019s not just the CIO coaching. It\u2019s cutting facts that need to be elevated or making changes that could create a real moral problem for you as a CISO,\u201d she explains.<\/p>\n<p><strong>5. The CIO otherwise undermines the CISO\u2019s agenda to the board and other executives.<\/strong> \u201cIf the CIO is actively undermining the CISO\u2019s credibility and opinions, if the CIO is mediating every conversation between the CISO and the board and executive team, that\u2019s not a good sign,\u201d Lee says.<\/p>\n<p>Trouble here also includes the CIO\u2019s failure to advocate for the CISO\u2019s priorities in important meetings and the organization\u2019s IT strategy overall.<\/p>\n<p><strong>6. The CISO is not consulted on business initiatives involving IT.<\/strong> True partnership on any IT initiative would see the CIO and CISO working together from step one. 
But if the CISO is finding out about important tech initiatives late in the process or only by asking probing questions, it\u2019s time to reset the relationship.<\/p>\n<p>\u201cIf someone says something about a new project or vendor or migration and the CISO doesn\u2019t know something about it, then that\u2019s a problem, because you\u2019re then bolting on security,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/dalehoakcyberpro\/\" target=\"_blank\" rel=\"noopener\">Dale Hoak<\/a>, CISO for software firm RegScale. \u201cIn a good relationship, there are no surprises because you\u2019re having continuous conversations and you\u2019re sharing dashboards.\u201d<\/p>\n<p><strong>7. There are no one-on-one conversations.<\/strong> LevelBlue CIO <a href=\"https:\/\/538d0b96.streaklinks.com\/CoVSaIEyMhpumdev6gZx1FxQ\/https%3A%2F%2Fwww.linkedin.com%2Fin%2Fmjcardow%2F\" target=\"_blank\" rel=\"noopener\">Maria Cardow<\/a> says CIOs and CISOs who share information only via emails, through group meetings or between CIO and CISO subordinates (assuming that information will flow up) do not have a healthy rapport.<\/p>\n<p>\u201cWe have too much information in front of us to not be talking to each other directly; there is no substitute for conversations on a regular and on an ad-hoc basis,\u201d she says.<\/p>\n<p><strong>8. The CIO and CISO don\u2019t know each other\u2019s priorities, challenges, strategies, etc.<\/strong> \u201cAs a CIO I should have a good idea of what my CISO\u2019s concerns are and the CISO should know what\u2019s going on in my world,\u201d Cardow says.<\/p>\n<p><strong>9. The CISO and CIO clash on who should be doing what work. <\/strong>A similar sign of trouble is when one side blames the other for shortcomings in areas where they had joint responsibilities.<\/p>\n<p><strong>10. 
One buys technology with capabilities the other already has.<\/strong> This sign of trouble in the relationship goes both ways, but a related problem involves the CIO dictating the products the CISO must buy or the vendors or service providers the CISO must use.<\/p>\n<p>\u201cIn some cases those might be the right answer for security, but in some cases they might not be the right answer,\u201d says <a href=\"https:\/\/www.ey.com\/en_us\/people\/ayan-roy\">Ayan Roy<\/a>, EY\u2019s Americas cybersecurity competency leader. \u201cBut just being told means there is not the right analysis being done. The CIO should give the CISO the latitude to pick the right solution; the CISO needs to be able to do the evaluation and to make the right pick.\u201d<\/p>\n<p><strong>11. The CIO isn\u2019t prioritizing cyber hygiene.<\/strong> One of the most common indications here is failing to patch, or deliberately forgoing patches for, vulnerabilities that the security team has identified and prioritized for remediation.<\/p>\n<p><strong>12. Technology products are commonly released with security flaws or control gaps. 
<\/strong>\u201cThe question then is, \u2018Why didn\u2019t we figure that out during the product design lifecycle,\u2019 and the answer is usually poor collaboration between IT and security,\u201d says <a href=\"https:\/\/www.csoonline.com\/(26)%20Sara%20Madden%20%7C%20LinkedIn\">Sara Madden<\/a>, CISO of Convera, a global payments and foreign exchange company.<\/p>\n<h2 class=\"wp-block-heading\">The CIO-CISO relationship matters<\/h2>\n<p>The CIO and CISO need to have a strong relationship for either of them to succeed, says <a href=\"https:\/\/www.linkedin.com\/in\/mkpalmore\/\" target=\"_blank\" rel=\"noopener\">MK Palmore<\/a>, founder and principal adviser for advisory firm Apogee Global RMS and a former director in the Office of the CISO at Google Cloud.<\/p>\n<p>\u201cIt\u2019s critical that those in these two positions get along with each other, and that they\u2019re not only collegial but collaborative,\u201d he says. Yes, they each have their own domain and their own set of tasks and objectives, but the reality is that each one cannot get that work done without the other. \u201cSo they have to rely on one another, and they have to each recognize that they must rely on each other.\u201d<\/p>\n<p>Moreover, it\u2019s not just the CIO and CISO who suffer when they aren\u2019t collegial and collaborative. Palmore and other experts say a poor CIO-CISO relationship also has a negative impact on their departments and the organization as a whole.<\/p>\n<p>\u201cA strained CIO-CISO relationship often shows up as misalignment in goals, priorities, or even communication,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/marnie-huss-wilking\/\">Marnie Wilking<\/a>, CSO at Booking.com. 
\u201cWhen technology and security leaders are not on the same page, it becomes clear in both operations and outcomes, from missed project deadlines to increased vulnerabilities.\u201d<\/p>\n<p>Multiple factors can contribute to a strained relationship.<\/p>\n<p>To start, the security department is still sometimes seen as \u2014 and acts like \u2014 the department of \u201cno,\u201d Cardwell says. \u201cThe CIO never has the luxury of saying \u2018no.\u2019 The CIO\u2019s job is to enable what the business is trying to do. So the CISO needs to have that mindset, too: \u2018The business wants to do this thing, and my job is to figure out how to make that possible,\u2019\u201d she explains.<\/p>\n<p>Even if security doesn\u2019t act like the department of \u201cno,\u201d Cardwell says, it may take the CISO too long to get to \u201cyes.\u201d<\/p>\n<p>\u201cThere are a hundred ways, depending on what the problem is, to solve the problem quickly,\u201d she says. \u201cAs a CISO, I like to provide several solutions with different price points and timelines with pros and cons and security scores, from fastest on or least secure or most secure on this timeline, to give the CIO and the business options.\u201d<\/p>\n<p>Another reason for a poor relationship: Sometimes the CIO doesn\u2019t place a high enough priority on security. \u201cMaybe the CISO is only security-minded but not thinking as a business-enabler; or maybe the CIO isn\u2019t at all security-minded and only focused on business enablement,\u201d Palmore says.<\/p>\n<p>In other cases, the CIO wants tight control of all things IT and excludes security \u2014 or vice versa. 
\u201cSome security leaders believe that they alone own security and find themselves on an island without a boat to get them home,\u201d says <a href=\"https:\/\/538d0b96.streaklinks.com\/CoVSaH7dnSvsAyeLZgKXGtQv\/https%3A%2F%2Fwww.linkedin.com%2Fin%2Fkorydaniels%2F\" target=\"_blank\" rel=\"noopener\">Kory Daniels<\/a>, chief security and trust officer at LevelBlue, a managed security services provider.<\/p>\n<p>Other factors that can lead to a poor CIO-CISO relationship are more structural, experts say.<\/p>\n<p>It may be that the organization has not defined each position\u2019s responsibilities. \u201cWhen roles and responsibilities aren\u2019t clearly defined, overlaps or gaps in accountability can create unnecessary risk,\u201d Wilking says.<\/p>\n<p>Or it could be that the organization\u2019s funding process turns them into \u201cadversaries for the same dollar,\u201d Cardow says.<\/p>\n<p>Many of these problems stem from what Wilking says is \u201ca lack of shared context and alignment around enterprise risk.\u201d<\/p>\n<p>\u201cThe CIO is typically measured on uptime, scalability, and agility, while the CISO is focused on protecting data, ensuring compliance, and mitigating threats. Without a unified view of how those priorities intersect, the two can seem at odds,\u201d she explains. \u201cToo often, cybersecurity gets treated like the gatekeeper instead of a true partner. Teamwork ends up feeling transactional instead of collaborative. At Booking.com we emphasize embedding cybersecurity into business strategy from the start, ensuring it\u2019s part of every conversation about product design, data, and customer trust.\u201d<\/p>\n<h2 class=\"wp-block-heading\">How to improve a poor relationship<\/h2>\n<p>CIOs and CISOs both have incentives to improve a problematic relationship.<\/p>\n<p>As Lee explains, \u201cThe CIO-CISO relationship is critical. They both have to partner effectively to achieve the organization\u2019s technology and cybersecurity goals. 
All tech comes with cybersecurity exposure that can impact the successful implementation of the tech and business outcomes; that\u2019s why CIOs have to care about cybersecurity. And CISOs have to know that cybersecurity exists to achieve business outcomes. So they have to work together to achieve each other\u2019s priorities.\u201d<\/p>\n<p>CISOs can take steps to develop a better rapport with their CIOs, using the disruption happening today \u2014 whether from AI or the uncertainty in the economy \u2014 as an opportunity to check in, reset the relationship, and address any issues that have stymied collaboration.<\/p>\n<p>Steps for CISOs include:<\/p>\n<ul>\n<li>Establishing alignment with the CIO as well as members of the C-suite and the board on the organization\u2019s position on risk.<\/li>\n<li><a href=\"https:\/\/www.csoonline.com\/article\/4080670\/what-does-aligning-security-to-the-business-really-mean.html\">Ensuring security is aligned<\/a> with the organization\u2019s strategy and its IT roadmap. Transcend\u2019s Cardwell says it\u2019s important for CISOs to think, \u201cThe CIO has a great thing here. I\u2019d like to find how to make it secure.\u201d<\/li>\n<li>Getting clarity on CIO and CISO responsibilities. \u201cYou need clarity on where the lines are drawn,\u201d LevelBlue\u2019s Daniels says.<\/li>\n<li>Making regular and ad hoc direct communication with the CIO a priority.<\/li>\n<li>Focusing on relationship management. \u201cCommunicate, be willing to meet, get teams to meet, establish trust,\u201d Daniels says.<\/li>\n<li>Seeking to understand the CIO\u2019s priorities, incentives, and challenges and sharing yours. \u201cFind a way to walk a mile in the other\u2019s shoe,\u201d Daniels adds.<\/li>\n<\/ul>\n<p>Shifting to a business-enablement mindset. 
\u201cInstead of leading with \u2018no,\u2019 lead with \u2018How do we get there securely,\u2019\u201d RegScale CISO Hoak says.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Despite the need for collaboration between security and IT, all is not well in the CISO-CIO relationship. And it\u2019s not about newly minted CISOs trying to find their footing, as Gartner research has found that while around a third of CISOs with less than two years of experience report conflicts with their CIOs on key [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6011,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6010","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6010"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6010"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6010\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6011"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6010"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6010"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6010"}],"curies"
:[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}