The CISO and CIO
The aims and responsibilities of CIOs and CISOs greatly overlap. What does each executive require from the other for more seamless work and relationships, and a more aligned technology function?
One of the most notable relationships in the C-suite today is that of the CIO and CISO. While the CIO was mainly responsible for implementing and managing an organisation’s IT function and infrastructure, the CISO was more focused on developing and implementing cybersecurity procedures and strategies.
While the main goals and responsibilities of these two executive technology leaders now overlap, there is still much more to be done to create a more cohesive relationship. Most recently, there have been issues over reporting lines, budgets, organisational structures and risk appetite.
What exactly is required to unite the CISO and CIO in their roles and goals? In this roundtable our Head of Strategy, Doug Drinkwater, spoke with a panel of CIOs and CISOs to find out more.
Our panel of CIO and CISO speakers include:
- Brian Brackenborough, CISO, Channel 4
- Ravinder Arora, Global CISO & DPO, Infogain
- Aidan Hancock, CIO, Johnson Matthey
- Anuj Tewari, CISO, TMF Group
- Nilesh Halai, SASE GTM and Sales Acceleration EMEA, Cisco
Navigating CIO/CISO obstacles
“The CISO is always seen as being in the technical area of any particular company when in actual fact it’s information security”, said Brian Brackenborough, CISO at Channel 4.
When asked what barriers he believes have blocked a more fruitful CIO and CISO relationship in the past, Brian focused on reporting lines and the idea that one leader would have to be subservient to the other. Alongside the CISO’s technical and cybersecurity responsibilities sits the CIO, who is in charge of making sure that the information the organisation holds is used to its best benefit. Brian pointed out that this division could end in conflict between the two leaders.
Johnson Matthey’s CIO, Aidan Hancock, shared a different experience with the rest of the panellists. “I think I’ve been luckier than most… I haven't really seen much of that antagonism”. In Aidan’s case, the CISOs have always reported to him – he later pointed out that reporting lines can grow and spread out. In light of this, the main focal point for him is making sure that the CISO is fully on board with the rest of the IT leadership team. Circling back to the question, he stated: “I've not seen it be a problem, but I think you just have to act more like equals reporting lines”.
Getting on the same page
Moving forward in the roundtable discussion, moderator Doug Drinkwater asked the panellists how they think CIOs and CISOs collaborate and get on the same page.
Anuj Tewari, CISO at TMF Group, argued that the collaboration between CIOs and CISOs is a key factor of success – the moment they stop working together, it becomes a challenge. Echoing a previous point, Anuj believes that the greater the disconnect between these two leaders, the less optimistic the picture. Adding to this, he felt that the budget exercise in his previous organisation went hand-in-hand with collaboration. In the end, Anuj maintained that collaboration is about creating a roadmap to ensure that CISOs and CIOs can secure the data and the overall “crown jewel” for the organisation.
Transparency between the two roles is an important factor for Brian. To illustrate this better, he gave the example of conferencing for both roles. When in an information security conference, the event is full of information security professionals – the same applies to CIO conferencing. Brian then suggested “Why don’t you swap?”. This way, he believes that technology leaders will have a better understanding of what’s happening in the other’s particular industry. He noted that, by default, this would also help CISOs better understand their own CIO and vice versa. “Otherwise, sometimes you feel like you're talking a different language”.
Collaboration and aligning goals
“I get to speak to a lot of CISOs and CIOs, so we get views on both sides”, said Nilesh Halai, SASE GTM and Sales Acceleration EMEA at Cisco. Going back to Aidan’s point on reporting lines, he conceded that there are positives and negatives to this – adding that there is less friction when reporting to the CIO. In terms of objectives, Nilesh argued that CISOs focus on the compliance and regulatory aspects, how to protect that information and ensure there are no data leakages. CIOs, however, are seen as more of a business enabler helping the organisation move forward. Nowadays, Nilesh pointed out that he is seeing more and more of the CISO reporting directly to the CEO and having a seat at the table with the Board. “I think there's a lot of work to be done around the collaboration, how can we align goals?”.
Picking up on Nilesh’s point on shared risk between the CISO and CIO, Doug mentioned the general perception that, historically, the CISO will be the one to “take the hit”.
Aidan agreed that the risk is shared between the two roles, noting that “the average duration for a CIO is three and a half years”. Going back to the topic of reporting lines, he divulged that at the end of the day, the CISO is the right person to be represented, adding that his own CISO liaises with the board more often than he does. When it comes to this type of collaboration, Aidan’s main concern is having a CISO with an independent reporting line and owning that risk while “the CIO delivers most of the actions that meet that risk”. His solution to this is having the two find a common purpose and having everyone be clear on what career progression they want and work jointly towards this.
Improving CISO and CIO relations
As the industry moves forward, Nilesh argued, the convergence occurring across technology brings those two roles together. To further emphasise his point, he asked the panellists to think about security, incident response and detection paired with the alignment of goals, objectives and priorities.
Bringing in the idea of “modern tools”, Nilesh believed that they were able to break down the silos between the CISO and CIO and allow that convergence to take place. This, in his view, allows teams to start working together and push them forward. These leaders can have what is seen as a holistic view of what is going on in the organisation – this is in addition to getting the right tools for the job and enabling the business with security in mind. “There's a lot of potential to be unlocked”, he said.
Brian agreed that this convergence is making an appearance within the technology function of his organisation. Moderator Doug Drinkwater asked him whether the ‘people’ aspect of this is the hardest thing to fix. “So many of the things that the CIO or the CISO does across all of those barriers, that it's just inefficient to do those separately”, Brian said. As an example, he argued that there’s no need for one team to focus on fixing devices while another focuses on networks. “There should be one team managing that across the board”.
This roundtable was in partnership with Cisco.