Tips for Better C-Suite Security Relationships in 2024

How can different security leaders work seamlessly together for top-tier defense? It starts with clear program ownership and relationships built on trust.

Matt Hillary, VP, Security and CISO

December 20, 2023

4 Min Read
two business people shaking hands
Federico Caputo via Alamy Stock

With so many ways for hackers to exploit vulnerabilities in today’s security landscape, it’s mission-critical for security and IT leaders to work seamlessly together to protect against evolving threats.

Those leaders serve in roles such as chief legal officer (CLO), chief information officer (CIO), chief financial officers (CFO), and chief information security officer (CISO) and chief security officer (CSO). But every organization tends to define these roles, as well as their reporting structures, slightly differently. This can lead to overlapping responsibilities and internal misalignment. For these leaders to effectively collaborate and advance their company’s security posture, they must first draw clear lines in the sand for program ownership and cultivate relationships based on mutual trust and respect. 

Establish Clear Lanes  

While some companies have only one security leader bearing responsibility for all the domains related to protecting the organization, others have multiple leaders peered together to divide and conquer. In some cases, CISOs take on security, compliance, privacy, IT, and enterprise applications and systems, while CIOs are responsible for data and business intelligence (BI) along with that list. The CSO role is often interchangeable with the CISO, with the key differentiation being that some CSOs manage physical and personnel security in addition to cybersecurity. 

Related:2023 Cyber Risk and Resiliency Report: How CIOs Are Dueling Disaster in 2023

When viewed through this traditional lens, the reporting structure often goes from CISO/CSO to CIO to CEO, with each position accumulating new domains, but this structure isn't one-size-fits-all. For example, some CISOs/CSOs are not as strong in IT and enterprise applications as they are in the security elements of the role, and they are hesitant to shift their focus away from security when they progress to the CIO realm. That’s why it’s helpful to have CISOs, CSOs, and CIOs specialize in the areas they feel most prepared to manage, with each having a voice that is heard and respected within the organization.

This custom approach plays into each leader’s strengths and takes their passion areas into account. For instance, data and BI can ping pong between any of these roles, depending on whose skill set is best tailored to own this domain and who will reap the most actionable insights from managing the subset. 

Build Trust-Based Relationships  

A company’s security program is only as effective as its leaders. C-level security leaders within an organization need to forge healthy working relationships to collaborate productively without stepping on each other’s toes, while also maximizing their influence across the organization from a security standpoint. For this reason, it’s essential to consider how the personalities and mindsets of different leaders will mesh together when hiring or planning teams.

Related:What CISOs Need to Know About Nation-State Actors

For the strongest defense possible, security colleagues must build relationships around trust. Without a foundation of trust and integrity, leaders may find themselves working across odds, reducing the efficacy of their efforts and putting their organization at risk. By working to establish trust, those same leaders will be more willing to listen to and invest in one other’s ideas, rallying the organization around a united strategy. So how is this trust earned and retained? 

First, these leaders should have an appreciation for each other’s roles and view their respective focus areas as important. For example, a CIO who views the security roadmap laid out by the CISO with an open mind will have an easier time understanding how investments in security positively impact other areas of the business. By adopting a mindset of collaboration rather than competition, CIOs will be more apt to give CISOs the space they need to effectively lead the company’s security messaging and strategy while making key achievements known.

Related:Data Breaches Just Keep Piling Up

Conversely, CISOs may be more likely to defer to the CIO’s expertise around the less security-focused aspects of the company’s IT initiatives. At the end of the day, building a healthy relationship requires effort and investment on both sides with less focus on formal reporting structures and more on each leader’s unique ability to make an impact. This also holds true for successful relationships between these security leaders and the CFO, CTO, CLO, or CEO they report to.

There’s never been a more challenging time to be a security leader, with persistent threats like phishing, social engineering, ransomware, and third-party vulnerabilities all being accelerated by new technologies like generative artificial intelligence. In this climate, it’s essential that C-suite security leaders have clearly outlined roles to avoid confusion or push-and-pull around ownership. Even more importantly, these leaders need to support and elevate each other’s platforms, promoting open and transparent communication with each other and across the organization. Lastly, they need strong moral integrity and a willingness to foster healthy relationships that will best protect their companies against existing and emerging threats.  

About the Author(s)

Matt Hillary

VP, Security and CISO , Drata

Matt Hillary currently serves as VP, Security and Chief Information Security Officer at Drata. With more than 15 years of security experience, Matt has a track record of building exceptional security programs. He most recently served as SVP, Systems and Security and CISO at Lumio, and he’s also held CISO and lead security roles at Weave and Workfront, Instructure, Adobe, MX, and Amazon Web Services. 

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights