The relationship between the IT department and the CISO still too often resembles an organized misunderstanding: the IT department builds, the CISO slows things down. At least, that's what we hear.
During our latest Tenacy workshops with around twenty CISOs (from banking, insurance, healthcare, and industry), the consensus was unanimous: "You can't go it alone in cybersecurity." However, in reality, collaboration between IT departments and CISOs remains shaky:
- Security comes into play at the end of the project, when it's too late to make proper decisions.
- IT projects are decided without cyber risk mapping.
- Priorities clash rather than align.
- Reporting? Spread across three tools, unusable.
Here is what these CISOs reported as concrete levers for breaking out of the status quo.
CIO/CISO: end cohabitation, move to co-construction
While the roles of CISO and CIO are distinct, this does not mean that they should work in silos! On the contrary, open collaboration between the two is fruitful—and above all, essential. A mature CIO-CISO relationship is not measured by the number of joint meetings, but by the existence of shared governance. Not parallel. Shared.
A common language, KPIs that are understandable to both parties
The CISO and CIO can regularly discuss ongoing projects, telemetry data, and reports on observed security threats and incidents. For example, when analyzing risks, they can use Security Scorecards to assess the cybersecurity posture of the information system.
As such, Tenacy facilitates this process by allowing the CISO to share information directly with the CIO. Centralizing security data provides an overview that helps coordinate defense efforts and improve communication between these two roles.
Gone are the days of debates such as "you don't understand anything about security" vs. "you block everything." What brings CIOs and CISOs together are business impact indicators:
- Actual exposure of the IS
- Regulatory compliance (ISO, NIS2, DORA)
- Maturity by domain: IAM, patch management, vulnerability management
- Progress on major infrastructure projects
- Risks blocking ongoing projects
Several CISOs have confirmed that reducing their reporting to 4-6 strategic KPIs has changed their relationship with their CIO and with the executive committee. Fewer indicators, but actionable ones.
Strategic IT and security management grounded in reality
Organizations that function effectively all have:
- A quarterly cyber-IT committee that arbitrates (not informs)
- A multi-year plan co-written by the CIO and CISO, not imposed
- A common governance framework (ISO 27001, NIS2, DORA)
- Prioritizing investments based on risk, not urgency
A concrete example reported by a CISO in logistics: a NIS2 score out of 100, recalculated every six months, has become the compass for the CIO-CISO relationship.
"Now, whenever we discuss a project, my CIO asks me: how will this affect our score?"
The issue of transparency
Tensions between CIOs and CISOs rarely stem from technical disagreements. They arise from a lack of mutual visibility. As the African proverb says, "Alone, we go faster; together, we go further." It is in this sense that the complementary nature of the two roles makes it possible to develop joint initiatives.
The CISO criticizes the IT department for failing to ensure compliance.
The IT department criticizes the CISO for arriving at the end of the chain.
The solution? Make the effort visible on both sides.
What works for the CISOs we met:
- 360° audit of the IS with a report that everyone can understand
- Industrialized reporting (no more scattered Excel files)
- View progress by area (IAM, patch, PRA, etc.)
- Recognizing IT teams when metrics improve
Result: security moves beyond its role as "IT police" and becomes a driver of continuous improvement.
CIO CISO: how to stop arriving too late to IT projects
All CISOs share the same problem: they arrive after the battle is over.
Why? Because IT projects are planned under business constraints, and then security is called in to "check." Not to co-create.
Three levers to reverse this mechanism:
→ Require a security check beforehand
Not to slow things down. To ensure technical AND regulatory feasibility. The CISO does not validate the stack: he validates risk management.
→ Co-write security gates with the IT department
A bank CISO has implemented simple gates that are understandable to IT project managers.
Result: "Security is no longer seen as a validation process, but as a tool to help frame risks before decisions are made."
→ Synchronize IT departments, CISOs, and business units around a single repository
A shared, updated, and compared risk map creates healthy competition. No one wants to be at the bottom of the class.
Why HR, Purchasing, and Business Units Strengthen (or Sabotage) the Relationship Between the CIO and the CISO
The collaboration between the CIO and CISO does not exist in a vacuum. It depends on the CISO's ability to get internal partners on board.
HR: the foundation of a sustainable cyber culture
In a social protection group, HR-CISO-CIO alignment is based on a continuous ISO 27001 approach: onboarding that includes security, mandatory training, regular audits, and content tailored to specific professions.
The result: cybersecurity is no longer an IT issue, it is a business issue.
Purchasing: the underestimated ally
Regulatory pressure (NIS2, DORA) places a major responsibility on CIOs and CISOs with regard to third parties. Mature organizations integrate security from the outset in calls for tenders, contracts, and service provider monitoring.
Business units: the true barometer
The collaboration between the CIO and CISO is measured by the business units. When they understand the value of the CISO and IT, the dynamic changes.
"When everyone understands the issues at stake, regardless of the organizational chart, things move forward."
This is confirmed by feedback from the field on the relationship between the CIO and the CISO.
The CISOs attending the Tenacy workshops all agree on these points:
- The collaboration between the CIO and CISO is not a sprint, it's a marathon. It's a process of continuous, structured, measurable acculturation.
- Standards (ISO, NIS2, DORA) are a powerful pretext. They create a common framework for IT departments, information security officers, and business units.
- Communication is the key soft skill for a CISO. To influence without imposing. To engage without coercing.
- Indicators are a universal language. They should be clear, shared, and focused on business risks.
- It is essential to emphasize the positive. This is what creates emulation, much more so than punishment.
CIOs and CISOs must work together to drive resilience
The CIO-CISO relationship is mature when security no longer intervenes "after," but "with."
When the CISO is no longer seen as an obstacle, but as a catalyst for decision-making.
When the CIO is no longer seen as a technical executor, but as a strategic partner.
This is what enables you to anticipate risks, accelerate projects, streamline compliance, and align security with business performance.