The Evolving Relationship Between the CIO and CISO

There is something powerful going on in many organizations that is going to have a profound effect on how enterprises aggressively, but securely, use technology for business advantage. And it has its roots in the evolving roles of the CIO and the CISO, and the strategic nature of their working relationship.

For C-suite executives and board members, how this relationship plays out can make the difference between whether your organization benefits from digital transformation or falls victim to its mind-boggling impact.

Let me explain.

No one would debate the fact that the roles of both CIOs and CISOs are changing in dramatic ways. Two decades ago, CIOs began to be seen as business strategists, even more than technologists, and that trend is accelerating. And CISOs similarly are going through a belated, but equally impactful transition to business leadership instead of focusing just on the “shiny new toy” syndrome of cybersecurity.

Here’s where it gets interesting: Without an implicit, sincere, and well-planned alignment between the CIO and the CISO, organizations risk devolving into a technology turf war that will create roadblocks to success, rather than pathways to a brighter future.

I have been fortunate, in that my last eight years as a leader of Infrastructure and Security, with the last three as CIO, have allowed me to work as a brother-in-arms with my CISO colleagues, first at Gap and more recently here at Palo Alto Networks. This close working relationship has crystallized in my mind the benefits–as well as the potential challenges–brought about by the changing roles of CIOs and CISOs. And my thinking about how to get the most out of both executives and their teams for the benefit of the parent organization centers on two main themes: Kinship and Dynamic Tension.

I’ll admit, the notion of kinship–or a commonality of purpose–is not new, at least not in theory. Business schools and academic journals have talked about this theme as a prerequisite for leadership success for many years. Unfortunately, it has not always played out as drawn up on the whiteboard.

In my current role, I see our CISO at Palo Alto Networks as more than a business colleague. We are united in our overarching goals, but also in our shared understanding of fighting a common adversary. In our changing roles from worrying first about technology issues to solving our company’s most strategic business problems, we have a mirrored interest in solving critical, real-world crises. We may be coming at problem-solving with slightly different orientations–the CIO focused on how technology can positively disrupt business models, and the CISO centered on how security can enhance our customers’ trust in our brand–but we each know that we have to end up at the same place, even if it means we have to be flexible in how we get there.

We also are involved in another important organizational change: The increasing demand that we work in a far more decentralized structure where we are co-creating with business units and developers (DevOps), and where security is embedded from the start in all digital transformation processes (DevSecOps). It’s an exciting time to be doing all this, as technology disrupts every industry by using automated tools, machine learning, and other emerging technologies to change how we work and how our customers use technology.

OK, kinship is a great concept and a powerful fulcrum for positive change. But in many organizations, that may be the easy part. By contrast, encouraging and understanding how to benefit from dynamic tension can either build on the benefits of kinship, or render it a worthless slogan.

This give-and-take between smart, motivated, innovative, and–yes–ego-driven executives should be cultivated and used as a force-multiplier. At the heart of dynamic tension is the mutual acknowledgement that, at times, our agendas will differ and we need to communicate closely and honestly to be able to resolve differences and achieve optimal business outcomes.

Increasingly, CIOs are being measured by their ability to engender speed and agility in the organization, and CISOs on their ability to prevent successful cybersecurity attacks. As any business executive can attest, sometimes those goals appear to be at cross purposes. While these agendas can lead to confusion about priorities and may become the source of conflict, it’s up to the CIO and CISO (without the CEO mandating it) to resolve any alignment issues. The key here is keeping the “eye on the prize,” which is an agile organization that seizes opportunities and promotes cybersecurity for the good of all parties.

Done well, this dynamic tension can be a powerful catalyst for process improvement. However, if we don’t manage the dynamic tension properly, it can be corrosive to organizational success.

For example, take the notion of who the CISO should report to. There’s a lot of debate on this topic, especially around the question of whether the CISO should roll up to the CIO and his/her team. A very good article addressed this idea with a simple principle: Check your ego at the door.

Regardless of who they report to, I strongly believe that CISOs need independence from IT leaders to do their jobs properly–and that extends to budgets. The CISO needs a budget that is separate and apart from the CIO’s budget. As a CIO, I value independence for the security team, because I’ve seen first-hand how it has helped us improve our security outcomes. The independence does come at a cost though, since it requires both leaders to collaborate at much higher levels and have a common set of objectives around security. Often, I see a misalignment between CIOs and CISOs, and in some cases, disrespect between the two leaders.

I also am seeing a troubling and toxic mix of unhealthy competition that is being advocated by so-called experts who have a misguided notion of the benefits of promoting an adversarial environment among executives. Like a troubled teenager, a few CISOs believe there should be open competition with the CIOs. On the other hand, I have observed CIOs who are clueless about security, grossly under-spending on security, and burying security deep within organizational layers.

Both positions are wrong and dangerous to companies. We have a shared responsibility for security: Many times, the implementation and support of security controls is the responsibility of IT professionals, while defining controls and providing independent verification of them falls to Infosec. If both groups don’t communicate and are not deeply integrated with each other, it is often impossible for their teams to come to a common understanding.

And make no mistake about it: IT and Infosec teams take their cues from their leaders. If the CIO and CISO aren’t on the same page, you can guarantee a dysfunctional relationship between their teams. This is something CEOs and board members need to watch very, very closely.

How can business leaders take this evolving relationship between the CIO and the CISO and use it as an asset, rather than as a liability? Here are a few lessons we’ve learned at Palo Alto Networks:

  • Build the right team structure. For instance, joint scrum teams from IT and Infosec, with leadership visibility into their activities, send a powerful message of kinship. Your teams also must be aligned not only on goals, but on how progress is measured. IT and Infosec teams also need to develop and manage an evergreen program on cybersecurity hygiene.
  • Develop and promote the right culture. CIOs and CISOs need to set the mindset standard for joint problem-solving, built around open give-and-take on ideas, suggestions, testing, and implementation. Disagreement during the process is natural, and often even desirable, but in the end, all team members have to adhere to a culture of commitment to the team’s goals and tactics.

I challenge CIOs and CISOs to work on three areas to improve their partnership for the good of the organization:

  1. Jointly prioritize and plan mitigating controls for the risks you can’t address right away.
  2. Understand, appreciate, and learn about each other’s world.
  3. Drive your teams with a sense of urgency around any issue related to cybersecurity.

Above all, everyone should have a big-picture goal: Make work a positive experience, done with a smile and resulting in a joy of achieving higher outcomes. Work may not be the only thing in our lives, but it’s certainly important enough that we have to find ways to make it a rewarding process for all involved. We work too hard and too long to have it any other way.

Naveen Zutshi is Chief Information Officer at Palo Alto Networks.