12 signs the CISO-CIO relationship is broken — and steps to fix it

Despite the need for collaboration between security and IT, all is not well in the CISO-CIO relationship.

And it’s not about newly minted CISOs trying to find their footing, as Gartner research has found that while around a third of CISOs with less than two years of experience report conflicts with their CIOs on key security-related areas, half of CISOs with five or more years of experience report conflicts in most of those same areas, including improving the organization’s cyber resilience and negotiating enterprise cyber risk appetite.

Conflict can be a sign that the CIO-CISO relationship is broken, says Christine Lee, vice president of research and content leader for Gartner’s cybersecurity research team, but not always.

In fact, other signs may be more telling indicators that the CIO and CISO are not working in concert, according to researchers, experienced executives, and executive advisors.

Signs of trouble

Security leaders and advisors offer CISOs the following signs that indicate there may be trouble worth addressing in their relationship with their CIO colleagues:

1. The CIO commonly disregards or overrides the CISO’s recommendations and decisions. Aimee Cardwell, CISO in residence at tech company Transcend and former CISO of UnitedHealth Group, says this situation often plays out with the CIO saying, “Thank you for your input, but we’re going to do what we want anyway.”

2. The CIO and CISO can’t resolve conflict. Conflict can be healthy for moving an organization forward. Diversity of perspectives and opinions can provide top executives with new possibilities and opportunities for compromise that benefit the organization overall.

But if the CIO and CISO can’t resolve differences without escalating their disagreement to more senior executives, then a fundamental problem may be taking root. “Are you shoulder to shoulder or nose to nose? Because if you’re going nose to nose, then there’s misalignment,” Cardwell says.

Gartner research notes that 87% of experienced CISOs describe their relationship with the CIO as “good” or “excellent” when it comes to resolving conflicts. Gartner’s Lee says this figure shows that conflict itself doesn’t mean the relationship is problematic. Rather, “it’s the inability to make progress or get to agreement that is a sign the CIO-CISO relationship is broken,” she says.

3. The CIO isn’t sharing information. “That’s a gigantic red flag,” Transcend’s Cardwell says.

4. The CIO alters or blocks the CISO’s message to the board. It’s problematic enough when the CISO doesn’t present directly to the board on a regular basis, but Cardwell says it’s even more troubling when the CIO is changing the information the CISO believes the board needs to have.

“This goes beyond advice like, ‘You can word this a better way,’ or ‘You can tell the story in a better way.’ It’s not just the CIO coaching. It’s cutting facts that need to be elevated or making changes that could create a real moral problem for you as a CISO,” she explains.

5. The CIO otherwise undermines the CISO’s agenda to the board and other executives. “If the CIO is actively undermining the CISO’s credibility and opinions, if the CIO is mediating every conversation between the CISO and the board and executive team, that’s not a good sign,” Lee says.

Trouble here also includes the CIO’s failure to advocate for the CISO’s priorities in important meetings and the organization’s IT strategy overall.

6. The CISO is not consulted on business initiatives involving IT. True partnership on any IT initiative would see the CIO and CISO working together from step one. But if the CISO is finding out about important tech initiatives late in the process or only by asking probing questions, it’s time to reset the relationship.

“If someone says something about a new project or vendor or migration and the CISO doesn’t know something about it, then that’s a problem, because you’re then bolting on security,” says Dale Hoak, CISO for software firm RegScale. “In a good relationship, there are no surprises because you’re having continuous conversations and you’re sharing dashboards.”

7. There are no one-on-one conversations. LevelBlue CIO Maria Cardow says CIOs and CISOs who share information only via emails, through group meetings or between CIO and CISO subordinates (assuming that information will flow up) do not have a healthy rapport.

“We have too much information in front of us to not be talking to each other directly; there is no substitute for conversations on a regular and on an ad-hoc basis,” she says.

8. The CIO and CISO don’t know each other’s priorities, challenges, strategies, etc. “As a CIO I should have a good idea of what my CISO’s concerns are and the CISO should know what’s going on in my world,” Cardow says.

9. The CISO and CIO clash on who should be doing what work. A similar sign of trouble is when one side blames the other for shortcomings in areas where they had joint responsibilities.

10. One buys technology with capabilities the other already has. This sign of trouble in the relationship goes both ways, but a related problem involves the CIO dictating the products the CISO must buy or the vendors or service providers the CISO must use.

“In some cases those might be the right answer for security, but in some cases they might not be the right answer,” says Ayan Roy, EY’s Americas cybersecurity competency leader. “But just being told means there is not the right analysis being done. The CIO should give the CISO the latitude to pick the right solution; the CISO needs to be able to do the evaluation and to make the right pick.”

11. The CIO isn’t prioritizing cyber hygiene. One of the most common indications here is failing to patch, or forgoing patching of, vulnerabilities that the security team has identified and prioritized for remediation.

12. Technology products are commonly released with security flaws or control gaps. “The question then is, ‘Why didn’t we figure that out during the product design lifecycle,’ and the answer is usually poor collaboration between IT and security,” says Sara Madden, CISO of Convera, a global payments and foreign exchange company.

The CIO-CISO relationship matters

The CIO and CISO need to have a strong relationship for either of them to succeed, says MK Palmore, founder and principal adviser for advisory firm Apogee Global RMS and a former director in the Office of the CISO at Google Cloud.

“It’s critical that those in these two positions get along with each other, and that they’re not only collegial but collaborative,” he says. Yes, they each have their own domain and their own set of tasks and objectives, but the reality is that each one cannot get that work done without the other. “So they have to rely on one another, and they have to each recognize that they must rely on each other.”

Moreover, it’s not just the CIO and CISO who suffer when they aren’t collegial and collaborative. Palmore and other experts say a poor CIO-CISO relationship also has a negative impact on their departments and the organization as a whole.

“A strained CIO-CISO relationship often shows up as misalignment in goals, priorities, or even communication,” says Marnie Wilking, CSO at Booking.com. “When technology and security leaders are not on the same page, it becomes clear in both operations and outcomes, from missed project deadlines to increased vulnerabilities.”

Multiple factors can contribute to a strained relationship.

To start, the security department is still sometimes seen as — and acts like — the department of “no,” Cardwell says. “The CIO never has the luxury of saying ‘no.’ The CIO’s job is to enable what the business is trying to do. So the CISO needs to have that mindset, too: ‘The business wants to do this thing, and my job is to figure out how to make that possible,’” she explains.

Even if security doesn’t act like the department of “no,” Cardwell says, it may take the CISO too long to get to “yes.”

“There are a hundred ways, depending on what the problem is, to solve the problem quickly,” she says. “As a CISO, I like to provide several solutions with different price points and timelines with pros and cons and security scores, from fastest on or least secure or most secure on this timeline, to give the CIO and the business options.”

Another reason for a poor relationship: Sometimes the CIO doesn’t place a high enough priority on security. “Maybe the CISO is only security-minded but not thinking as a business-enabler; or maybe the CIO isn’t at all security-minded and only focused on business enablement,” Palmore says.

In other cases, the CIO wants tight control of all things IT and excludes security — or vice versa. “Some security leaders believe that they alone own security and find themselves on an island without a boat to get them home,” says Kory Daniels, chief security and trust officer at LevelBlue, a managed security services provider.

Other factors that can lead to a poor CIO-CISO relationship are more structural, experts say.

It may be that the organization has not defined each position’s responsibilities. “When roles and responsibilities aren’t clearly defined, overlaps or gaps in accountability can create unnecessary risk,” Wilking says.

Or it could be that the organization’s funding process turns them into “adversaries for the same dollar,” Cardow says.

Many of these problems stem from what Wilking says is “a lack of shared context and alignment around enterprise risk.”

“The CIO is typically measured on uptime, scalability, and agility, while the CISO is focused on protecting data, ensuring compliance, and mitigating threats. Without a unified view of how those priorities intersect, the two can seem at odds,” she explains. “Too often, cybersecurity gets treated like the gatekeeper instead of a true partner. Teamwork ends up feeling transactional instead of collaborative. At Booking.com we emphasize embedding cybersecurity into business strategy from the start, ensuring it’s part of every conversation about product design, data, and customer trust.”

How to improve a poor relationship

CIOs and CISOs both have incentives to improve a problematic relationship.

As Lee explains, “The CIO-CISO relationship is critical. They both have to partner effectively to achieve the organization’s technology and cybersecurity goals. All tech comes with cybersecurity exposure that can impact the successful implementation of the tech and business outcomes; that’s why CIOs have to care about cybersecurity. And CISOs have to know that cybersecurity exists to achieve business outcomes. So they have to work together to achieve each other’s priorities.”

CISOs can take steps to develop a better rapport with their CIOs, using the disruption happening today — whether from AI or the uncertainty in the economy — as an opportunity to check in, reset the relationship, and address any issues that have stymied collaboration.

Steps for CISOs include:

  • Establishing alignment with the CIO as well as members of the C-suite and the board on the organization’s position on risk.
  • Ensuring security is aligned with the organization’s strategy and its IT roadmap. Transcend’s Cardwell says it’s important for CISOs to think, “The CIO has a great thing here. I’d like to find how to make it secure.”
  • Getting clarity on CIO and CISO responsibilities. “You need clarity on where the lines are drawn,” LevelBlue’s Daniels says.
  • Making regular and ad hoc direct communication with the CIO a priority.
  • Focusing on relationship management. “Communicate, be willing to meet, get teams to meet, establish trust,” Daniels says.
  • Seeking to understand the CIO’s priorities, incentives, and challenges and sharing yours. “Find a way to walk a mile in the other’s shoe,” Daniels adds.
  • Shifting to a business-enablement mindset. “Instead of leading with ‘no,’ lead with ‘How do we get there securely,’” RegScale CISO Hoak says.