5 ways to improve the CIO-CISO relationship


How to build a good CIO-CISO relationship

Regardless of the reporting structure in your organization, here are five ways you can improve your relationship with the CISO.

1. Treat the CISO as a peer

One way you can create a good CIO-CISO relationship is to treat the CISO as a peer, even if they are a direct report. This might be difficult. Like many people who rise to the CIO level, you may have type-A tendencies and often want to control every aspect of your organization. But it is possible to loosen the reins and grant talented colleagues greater autonomy.

There are thousands of small behaviors that color interactions and distinguish between treating someone “as a peer” and “as a direct report.” If the CISO reports to you, try to imagine that they don’t. Invite them to join you for discussions. Don’t issue orders. Make suggestions, not demands. Encourage them to set goals that align with the business, not with what you want. And who knows? The approach might be so effective you’ll want to try it with all your direct reports, not just the CISO.

2. Frame discussions around risk

CIOs oftentimes want to shift the topic of every discussion to technology. As a CIO, you should be reluctant to do that with CISOs. A better tactic is to drive every discussion on the topic of risk, particularly enterprise risk. What enterprise risk is imposed, or mitigated, Assume your CISO has a solid grasp of the technology, or at least that the security team does and has been able to clearly communicate it upward. Try to grant the ownership of risk assessment to the CISO, even though, as CIO, you have likely dealt with risk issues many times in your career. Always remember that if this risk assessment is wrong, it’s the CISO who gets fired.

3. Engage the CISO and security team

This may sound obvious, but it’s surprising how often CISOs or their teams will tell me that major decisions have been made Strive to position yourself and your team at that fourth level of maturity. It prevents the need for drastic course corrections downstream and helps integrate and align the IT and cybersecurity strategies.

4. Arrange informal and formal interactions

If you’ve read this far, you may be making a note on your to-do list that reads something like: “Schedule regular briefings with CISO and team to keep them apprised of our major initiatives.”

Yes, absolutely, you should do that. Formally scheduling something is an excellent way to ensure it gets done.

But don’t neglect the impact of less-formal, less-structured interactions as well. One Canadian CISO of my acquaintance used to host what he called “Timbits Tuesdays.” For those south of the border, Timbits are scrumptious donut holes made In this online, work-from-home environment, Timbits Tuesdays might not work. But there are plenty of ways to recreate the informal vibe over a video link. For example, have different members of the IT team present topics that interest them — while wearing silly hats. Fostering connection is also an important way to help your team reduce stress, which should be a concern for all leaders.

5. Craft consistent business cases

One final way to improve the CIO-CISO relationship is to work harmoniously to craft business cases that take into consideration each other’s strategies for technology investment.

If you are proposing a major ERP upgrade, for instance, you should include funding for technologies to keep that upgrade secure and justify why that technology investment is important. And when the CISO puts in for a software-defined perimeter, he or she should track the benefits in the form of reduced trouble tickets, increased employee satisfaction and the like.

In other words, CISOs and CIOs should work together — whether they’re in the same reporting structure or not — to ensure that business cases consistently account for the costs and benefits of technology investment.

About the author
Johna Till Johnson is CEO and founder of Nemertes Research, where she sets research direction and works with strategic clients.
