These trade-offs are pinch points that intersect with the CISO’s remit, highlighting conflicting priorities for both parties. Over time, such situations — and how they are handled and resolved — can lead to real friction between the two parties. This friction can be overt, boiling over in public, or covert, where it is more hidden from other colleagues or the CIO/CISO themselves.

Common CIO-CISO pressure points

In every mature enterprise risks have to be accepted for the time being, with remediation deferred. Vulnerability patching is one example where tension between the CIO and CISO can arise.

In the case of highly critical vulnerabilities that have been exploited, the CISO will want patches applied immediately, and the CIO is likely aligned with this urgency. But for medium-level patches, the CIO may be under pressure to defer these disruptions to production systems, and may push back on the CISO to wait a week or even months before patching.

The same tension exists for programs that impact digital customer experience. For example, new multifactor authentication functionality requires new customer communications and perhaps associated short-term disruption of the channel, something that may be difficult for the business to accept.

Or the CIO and the engineering team may be working with business units to facilitate new customer features via an API platform. From the CISO’s perspective, those APIs must be managed properly, and even penetration-tested, to ensure they don’t create an unexpected data loss vector. The CISO will want more controls applied, but the CIO, while agreeing in principle, must also satisfy the stakeholders by ensuring the feature is delivered, often in a short time frame.

Incident management is another are ripe for tension. The CISO has a leadership role to play when there is a serious cyber or business disruption incident, and is often the“messenger” that shares the bad news. Naturally, the CIO wants to be immediately informed, but often the details are sparse with many unknowns. This can make the CISO look bad to the CIO, as there are often more questions than answers at this early stage.