December 20, 2023
With so many ways for hackers to exploit vulnerabilities in today’s security landscape, it’s mission-critical for security and IT leaders to work seamlessly together to protect against evolving threats.
Those leaders serve in roles such as chief legal officer (CLO), chief information officer (CIO), chief financial officer (CFO), chief information security officer (CISO), and chief security officer (CSO). But every organization tends to define these roles, as well as their reporting structures, slightly differently. This can lead to overlapping responsibilities and internal misalignment. For these leaders to collaborate effectively and advance their company’s security posture, they must first draw clear lines in the sand for program ownership and cultivate relationships based on mutual trust and respect.
Establish Clear Lanes
While some companies have only one security leader bearing responsibility for all the domains related to protecting the organization, others have multiple leaders working as peers to divide and conquer. In some cases, CISOs take on security, compliance, privacy, IT, and enterprise applications and systems, while CIOs are responsible for data and business intelligence (BI) in addition to that list. The CSO role is often interchangeable with the CISO, with the key differentiation being that some CSOs manage physical and personnel security in addition to cybersecurity.
When viewed through this traditional lens, the reporting structure often goes from CISO/CSO to CIO to CEO, with each position accumulating new domains, but this structure isn't one-size-fits-all. For example, some CISOs/CSOs are not as strong in IT and enterprise applications as they are in the security elements of the role, and they are hesitant to shift their focus away from security when they progress to the CIO realm. That’s why it’s helpful to have CISOs, CSOs, and CIOs specialize in the areas they feel most prepared to manage, with each having a voice that is heard and respected within the organization.
This custom approach plays to each leader’s strengths and takes their areas of passion into account. For instance, data and BI can ping-pong between any of these roles, depending on whose skill set is best suited to own this domain and who will reap the most actionable insights from managing it.
Build Trust-Based Relationships
A company’s security program is only as effective as its leaders. C-level security leaders within an organization need to forge healthy working relationships to collaborate productively without stepping on each other’s toes, while also maximizing their influence across the organization from a security standpoint. For this reason, it’s essential to consider how the personalities and mindsets of different leaders will mesh together when hiring or planning teams.
For the strongest defense possible, security colleagues must build relationships around trust. Without a foundation of trust and integrity, leaders may find themselves working at cross purposes, reducing the efficacy of their efforts and putting their organization at risk. By working to establish trust, those same leaders will be more willing to listen to and invest in one another’s ideas, rallying the organization around a united strategy. So how is this trust earned and retained?
First, these leaders should have an appreciation for each other’s roles and view their respective focus areas as important. For example, a CIO who views the security roadmap laid out by the CISO with an open mind will have an easier time understanding how investments in security positively impact other areas of the business. By adopting a mindset of collaboration rather than competition, CIOs will be more apt to give CISOs the space they need to effectively lead the company’s security messaging and strategy while making key achievements known.
Conversely, CISOs may be more likely to defer to the CIO’s expertise around the less security-focused aspects of the company’s IT initiatives. At the end of the day, building a healthy relationship requires effort and investment on both sides with less focus on formal reporting structures and more on each leader’s unique ability to make an impact. This also holds true for successful relationships between these security leaders and the CFO, CTO, CLO, or CEO they report to.
There’s never been a more challenging time to be a security leader, with persistent threats like phishing, social engineering, ransomware, and third-party vulnerabilities all being accelerated by new technologies like generative artificial intelligence. In this climate, it’s essential that C-suite security leaders have clearly outlined roles to avoid confusion or push-and-pull around ownership. Even more importantly, these leaders need to support and elevate each other’s platforms, promoting open and transparent communication with each other and across the organization. Lastly, they need strong moral integrity and a willingness to foster healthy relationships that will best protect their companies against existing and emerging threats.
About the Author(s)
VP, Security and CISO, Drata
Matt Hillary currently serves as VP, Security and Chief Information Security Officer at Drata. With more than 15 years of security experience, Matt has a track record of building exceptional security programs. He most recently served as SVP, Systems and Security and CISO at Lumio, and he’s also held CISO and lead security roles at Weave and Workfront, Instructure, Adobe, MX, and Amazon Web Services.