Collaboration between the CIO and the CISO is hampered by a persistent paradox: while the two roles operate in the same arena, they rarely share the same rules or vision. Yet cybersecurity governance is a cross-functional role that cannot be shouldered by a single person. Without strong synergy between the CIO, the CISO, the executive committee, and the business units, collaboration often leads to tension and deadlock…
“A cybersecurity team on its own can’t accomplish much. It needs to interact with a number of entities, and all these interactions require one essential thing: collaboration. You can’t just order it to happen—it has to be built.”
– Julien Coulet, CSO at Tenacy
At the cybersecurity breakfast on March 4, 2026, Tenacy brought together Lyon’s cybersecurity and IT community to discuss this key topic: the interactions between CISO and CIO. During the roundtable discussion, Aymeric Lacroix (CIO at Adenes Group, with the company since its founding) and Franck Martel-Badinga (CISO at Artelia for the past four years, after being hired as CTO in 2014) shared their experiences and expert advice.
In this article, we take a look at the five major points of friction that undermine the relationship between the CIO and the CISO—and, more importantly, practical steps to finally overcome them!
Issue #1: The CISO’s Role in Relation to the Executive Committee: A Major Cybersecurity Governance Challenge
Since the COMEX is made up of a diverse group of individuals with varying expectations and sensibilities, the CISO and CIO may find themselves faced with a conflicting challenge: how to convey a complex technical message to an audience that oscillates between the need for minute details and the urgency of a summary in a few bullet points?
The challenge: striking a balance between the analytical and the synthetic
To win over the Executive Committee, it’s not enough to be technically correct. You have to be able to adapt to the mindset of the person you’re talking to.
“The COMEX is made up of a diverse group of individuals. Some are very concise and only want to know about the risks they’re supposed to take positions on, while others are more analytical and focused on the details…”
– Aymeric Lacroix, CIO at Adenes Group
The risk? Losing half the audience by trying to please the other half. The challenge, then, is to simplify… without distorting the message you want to convey.
→ To put an end to these delays, the CIO-CISO team must change its approach.
The levers to activate
Be strict about speaking time
It’s a classic scenario: you had 20 minutes, but the agenda ran over, and you’re left with just 10. Cybersecurity shouldn’t be an afterthought: the CISO and CIO need to coordinate in advance and secure their time slot.
Find internal ambassadors
Identify allies within the executive committee who understand your challenges and can convey your message in a way that resonates with their peers. As Aymeric Lacroix (CIO at Adenes Group) points out, these ambassadors are invaluable for “rephrasing the message in their own words, delivering it effectively, and building alliances” even before the meeting begins.
Use "business language"
The Executive Committee doesn’t talk about “critical vulnerabilities,” but rather “business disruption” or “loss of revenue.” The common focus that brings everyone together is business. News about peers can also be a useful educational tool: concrete examples experienced by competitors can help transform a theoretical risk into a tangible threat.
Challenge #2: Aligning IT and CISO Collaboration with Cyber Risk Assessment
CIOs and CISOs don’t always interpret signals in the same way. This difference in perspective is natural and understandable, but it can quickly become a source of chronic tension if it isn’t addressed and worked through.
The challenge: deciphering another person’s gut feeling
Risk isn’t just a series of numbers in a table—it’s also a matter of experience. For a CIO, seeing warning signs pile up without getting the expected response can really test one’s confidence.
This disconnect creates a gray area: when a CIO is concerned about a vulnerability they consider critical, the CISO may instead prioritize another initiative they deem more strategic. The result? A loss of efficiency and a shared sense of insecurity.
→ The goal, then, is not to eliminate the difference in perspective, but to make it understandable to the other person.
The levers to activate
Moving Beyond Crisis Management to Communicate with One Another
The classic mistake is to wait for an incident to occur before comparing perspectives on risk. To avoid tension and conflict, it is better to establish regular opportunities for discussion outside of operational emergencies. The goal is to explain one’s perspective before or after a crisis.
Applying the presumption of competence
When faced with a disagreement, it is essential to maintain a relationship of trust in order to turn tension into a constructive expert discussion.
“You shouldn’t assume that someone doesn’t know what they’re doing. It’s important to explain things before or after a crisis to set the record straight with your team members.”
– Franck Martel-Badinga, CISO at Artelia
Moving from alerts to proactive resolution
When faced with warning signs, a CIO looks to others for reassurance. That is also the role of a CISO: to provide reassurance through action.
“If I had a magic wand, I’d want someone to come see me in the morning, give me the information I read the day before, and tell me, ‘I saw that, and I’ve taken action.’”
– Aymeric Lacroix, CIO at Adenes Group
Beyond Intuition: The IT Governance Framework as a Common Language
For collaboration between the CIO and the CISO to be sustainable, it must be based on structured IT governance. The ISO 27001 serves as the backbone for many organizations: it requires rigorous documentation and, above all, a clear division of roles. However, the standard does not magically solve everything: it defines the “what,” but not the human “how.”
True cybersecurity governance begins where spreadsheets end. It lies in the ability of the team to transform compliance requirements into a strategic asset that protects the business while remaining agile.
Issue No. 3: The "hot potato": Who really bears the cyber risk?
In many organizations, everyone wants to be involved in cybersecurity decisions… but no one wants to bear the risk or take ultimate responsibility. As a result, risk becomes a “hot potato” that gets passed back and forth between departments, creating a climate of mistrust that paralyzes action.
The challenge: moving beyond the "Superman CISO" syndrome
The main danger is giving the impression that the CISO is the sole guarantor of security. This centralized approach, in addition to being exhausting for the CISO, shifts responsibility away from other departments.
“People can get very tense because they feel like we’re trying to make them responsible for a risk—and that creates a lot of tension and shuts down communication.”
– Aymeric Lacroix, CIO at Adenes Group
To avoid this breakdown, we need to move away from a situation where the CISO acts like a "Superman", serving as the single buffer through which every practice must be validated.
→ Risk must be internal, driven by each department and each stakeholder, which requires a balance between firmness and dialogue.
The levers to activate
Clarify decision-making authority
If every decision has to go all the way to the top, the company grinds to a halt. The solution? Give decision-making power back to the experts on the ground.
“You can’t take everything back to the executive committee—there are plenty of risks that need to be handled by an architect, a developer… Everyone needs to have the ability to make decisions, otherwise everyone ends up paralyzed under a mountain of red tape.”
– Aymeric Lacroix, CIO at Adenes Group
Everyone must take responsibility for their technical decisions without expecting systematic arbitration.
Adapt governance to the maturity of the entities
We don’t expect the same from a small subsidiary as we do from a structured regional office. An effective governance model must be agile in order to provide:
- robust technical support for leaner organizations—in which case the CISO serves as an operational support function;
- governance and accountability to more mature entities—they bear their own risks, while the CISO oversees and advises.
Making risk management a collective effort
When risk management is the responsibility of every department, the role of the CISO takes on a new dimension: they are no longer the one who puts the brakes on, but the one who empowers others to take ownership. It is by clearly defining this division of responsibilities that we foster open communication and advance our cybersecurity posture.
Tension #4: Crisis Management: When Pressure Reveals (or Strains) the Relationship
A cyber crisis is the ultimate moment of truth for the CIO-CISO duo. Under the pressure of an emergency, the masks come off: either the relationship becomes permanently stronger, or it falls apart under the weight of unspoken issues and disorganization. In the midst of a storm, it’s too late to be wondering who decides what!
The challenge: preventing secondary accidents
In first aid, the priority is to prevent further injury. The same applies to cybersecurity. If the CIO and the CISO are at odds over the remediation strategy while the systems are down, they are creating an organizational crisis.
For Franck, crisis management is like a high-altitude mountain climb: survival depends on a clear and accepted chain of command. Without that prior trust agreement, stress takes precedence over competence.
“When you go hiking in the mountains, there’s a guide, and everything is planned in advance. Planning ahead is important for managing crises or emergencies.”
– Franck Martel-Badinga, Chief Information Security Officer at Artelia
→ A crisis that is handled well should leave behind not scars, but a solid foundation.
The levers to activate
Ensuring a post-crisis recovery
It’s every CISO’s worst nightmare: being made the scapegoat after an attack. For Aymeric, this approach is a managerial dead end. Decisions should be explained calmly rather than in the heat of the moment.
Define the decision-making chain "in peacetime"
Trust cannot be imposed on the day of the crisis; it must be built up both before and after the crisis. Roles (who gives orders, who carries them out, who communicates) must be clearly defined well in advance of any crisis to ensure the appropriate level of delegation when the time comes.
Fostering Empathy at the Top
Technology is important, but people are the driving force behind resilience. The support of the Executive Committee is one of the factors that enables teams to keep going over the long term.
Issue No. 5: CISO Burnout: A Structural Problem That Is Still Underestimated
The relationship between the CIO and the CISO can be strained, in part because the CISO is sometimes burdened with an excessive workload: responsible for everything and often left to handle it alone, the CISO may be seen at times as a hindrance to business operations and at other times as the go-to firefighter. If this constant pressure is not addressed by the CIO and senior management, it leads to a dead end.
The challenge: breaking free from the isolation of being "responsible for everything"
The French term "Responsable" (as opposed to the English term "Chief Information Security Officer") can be misleading: how can a single individual be solely responsible for the security of a complex and ever-changing ecosystem?
Facing risk alone is all the more difficult because the CISO may be held personally accountable during a crisis, despite all their efforts to prevent it.
“It’s a tough job, where you can do the best you can and still find yourself in crisis situations where your responsibility may be called into question [...] On a personal level, I find it pretty tough.”
– Aymeric Lacroix, CIO at Adenes Group
→ To avoid burnout, the CISO must stop operating as a lone wolf and instead become a strategic leader supported by a strong team.
The levers to activate
No longer leaving the CISO to face risks alone
The first protective measure is organizational: the burden must be shared. The CISO should not be the only one to bear the risks.
“You need to build strong teams, choose the right people to work with, and trust them.”
– Franck Martel-Badinga, Chief Information Security Officer at Artelia
Hire a "translator" rather than a purely technical specialist
Burnout can also stem from a lack of understanding. A CISO who only talks about firewalls will burn out because management isn’t listening, whereas a hybrid approach would be beneficial.
“The most important thing is finding the right person. Not a hyper-specialist. The CISO needs to be able to discuss firewalls with the firewall administrator AND speak the right language to the executive committee. If they use the same language with both groups, it won’t work.”
– Aymeric Lacroix, CIO at Adenes Group
Moving from "obstacle" to "business partner"
Burnout can also stem from feelings of uselessness or rejection. If the CISO imposes unworkable procedures, they undermine trust and become a burden.
“If you’ve tried to show that you’re important to the business, but you’ve been a pain in the neck to everyone with procedures that can’t be applied in day-to-day operations, you become a hindrance to the business. You undermine trust. To earn that trust, you have to bring something to the business.”
– Franck Martel-Badinga, CISO at Artelia
By positioning themselves as a facilitator rather than a controller, the CISO reduces day-to-day friction and, by extension, their own stress levels.
Preventing CISO Burnout: A Challenge for Organizational Resilience
Burnout among security managers is not an inevitable personal fate but a structural outcome: when a CISO is expected to serve as a strategist, auditor, and on-call technical expert all at once, burnout becomes inevitable. CISO burnout is a systemic risk for the company: a sudden departure or an inability to work in the midst of a cyberattack can prove catastrophic.
To defuse this ticking time bomb, management must transform the role. This requires not only selecting the right resources but also ensuring genuine integration into decision-making processes. The fight against burnout begins with collaboration between the CIO and the CISO, where both parties agree on one priority: cybersecurity is a marathon, not a constant adrenaline-fueled sprint!
Conclusion: What Really Makes an IT Director-CISO Collaboration Work
Collaboration between the CIO and the CISO depends neither on an organizational chart nor on a budget, but on a shared culture. Whether it’s a matter of winning over the executive committee, aligning risk assessments, or navigating a crisis, trust is built patiently, through clear roles and a common language.
Ultimately, while technology lays the foundation, it is the human factor that holds the structure together.
“It’s important for the executive committee to understand our constraints and challenges, and for us to understand theirs. We need to respect one another and strike a balance between doing business and keeping things and people safe.”
– Aymeric Lacroix, CIO at Adenes Group
Would you like to take things a step further and stack the odds in your favor to build a truly effective partnership? You might find this article interesting: CISO & CIO: The Keys to a High-Performance, Business-Driven Partnership!
Thank you to Franck Martel-Badinga and Aymeric Lacroix for allowing us to write this article, as well as to the many participants at the cyber breakfast for their insightful discussions on this crucial topic!