Reducing CIO-CISO tension requires recognizing the signs

The same tension exists for programs that impact digital customer experience. For example, new multifactor authentication functionality requires new customer communications and perhaps an associated short-term disruption of the channel, something that may be difficult for the business to accept.

Or the CIO and the engineering team may be working with business units to facilitate new customer features via an API platform. From the CISO’s perspective, those APIs must be managed properly, and even penetration-tested, to ensure they don’t create an unexpected data loss vector. The CISO will want more controls applied, but the CIO, while agreeing in principle, must also satisfy the stakeholders by ensuring the feature is delivered, often in a short time frame.

Incident management is another area ripe for tension. The CISO has a leadership role to play when there is a serious cyber or business disruption incident, and is often the “messenger” that shares the bad news. Naturally, the CIO wants to be immediately informed, but often the details are sparse with many unknowns. This can make the CISO look bad to the CIO, as there are often more questions than answers at this early stage.
