
CISOs and CIOs forge vital partnerships for business success – Source: www.csoonline.com


Source: www.csoonline.com

Escalating cybersecurity threats and compliance complexities set the stage for a more collaborative, business-oriented relationship between IT and security leadership.

Last July, a routine update from cybersecurity software firm CrowdStrike sparked a global IT outage that brought companies to their knees, disrupting operations and amounting to an estimated $5 billion-plus in direct losses.

As companies across every major sector scrambled to recover, Webster Bank was back in business in short order — an achievement CIO Vikram Nafde credits to the usual cybersecurity tools and policies, but also to a formidable peer partnership forged with his CISO.

The pair’s collaborative work straddles joint strategic planning, integrated roadmaps, coordinated messaging, and regular touchpoints. On the heels of the CrowdStrike outage, the partners conducted tabletop exercises to demonstrate the bank’s ability to recover quickly in the event of a similar cybersecurity incident — or potentially something much worse.

“We brought the board together to showcase how the CIO and CISO work together,” says Nafde, also executive vice president at the bank. “Today, there is more reporting from the CISO role directly every quarter to the risk and technology committee and the board.”

Photo: Vikram Nafde, EVP and CIO, Webster Bank (credit: Webster Bank)

As is the case at many companies, Webster Bank’s CISO Patty Voight reports into the CIO. While there is a direct reporting line between the two executive functions, Nafde says the structure is collaborative, not hierarchical — a significant evolution as the intensity of threats escalates, raising the bar for cybersecurity leadership. In 2024, the global average cost of a data breach was $4.88 million — a 10% spike over the previous year and the highest on record, according to the Cost of a Data Breach Report 2024 published by IBM and Ponemon Institute. That report found that it takes security teams an average of 258 days to identify and contain such a breach.

With companies’ revenue, reputation, and resiliency on the line, cybersecurity leaders can no longer operate from technical silos, detached from day-to-day operational challenges and divorced from critical business goals. The breadth and complexity of the attack surface, coupled with an active and evolving regulatory landscape, have elevated cybersecurity to a key business priority and, along with it, the CISO to executive status.

According to the 2025 State of the CIO survey, upgrading IT and data security to reduce corporate risk ranked among the top CEO priorities for IT this year, cited by 20%. The research also found CISOs split evenly between reporting up to the CEO (37%) and into the CIO (36%); in 2024, nearly half (49%) of CISOs named the CIO as their direct superior.

“Businesses are recognizing that cybersecurity needs to be prioritized and that it’s a global problem — not a matter of if, but when,” says Larry Whiteside, chief advisory officer for The CISO Society, a private community for cybersecurity leaders. There’s no such argument anymore that a company is too small to be in the crosshairs.

“If you’re making money or have data, they will come after you,” Whiteside says. “You need to be thinking about potential business impacts and how to mitigate that risk as much as possible.”

As CIOs morph into multi-faceted business leaders, it makes sense that CISOs follow suit, building the case for a more collaborative, business-focused partnership. “As the CIO becomes more of a consultant, working with the business to leverage technology, the CISO works alongside to build security into those strategies,” Whiteside adds. “CISOs are moving out from under the CIO and becoming a peer.”

Photo: Larry Whiteside, chief advisory officer, The CISO Society (credit: The CISO Society)

Secrets to CIO-CISO partnership success

At United Airlines, the CIO and CISO have long been peer positions, both reporting into the CEO. United landed on that structure to fuel its digital agenda, treating each competency as a distinct capability while acknowledging the need for alignment to achieve targeted business goals, according to Deneen DeFiore, United’s vice president and CISO.

“CISOs have to engage in the business operating rhythms and not be four levels down hearing about what outcomes you’re trying to drive and try to translate that,” DeFiore says. “I’m right there able to connect the dots with a real-time perspective.”

Photo: Deneen DeFiore, VP and CISO, United Airlines (credit: Deneen DeFiore / United Airlines)

DeFiore and CIO Jason Birnbaum got a head start on their relationship dynamics working at General Electric, where they didn’t interact as colleagues, but still gained exposure to a shared set of experiences, core values, and business language. That mutual understanding was pivotal when it came time to sketch out the contours of their working partnership at United. DeFiore and Birnbaum built on their common foundation, prioritizing open communications and transparency, developing a shared vision and set of outcomes, and aligning messaging to help break down barriers and misperceptions.

Their playbook helps position security requirements at the center of new initiatives without bogging down timelines or becoming a gating factor for innovation. Case in point: United’s “Every Flight Has a Story” offering, a generative AI-fueled flight-status service released last year designed to bring more transparency and context to flight delays and updates.

Photo: Jason Birnbaum, CIO, United Airlines (credit: Jason Birnbaum / United Airlines)

Working as a team, DeFiore and Birnbaum recognized the game-changing potential for generative AI, and together with their organizations created a framework around responsible use of the technology. The flight-status service was one of the first external-facing use cases for gen AI, and there are about 90 others in the pipeline, she says. “We were able to iterate on that quickly together and manage the risks associated with using emerging technology,” she explains.

Not only is CIO/CISO alignment critical for positive outcomes, it’s important the partners propagate those shared values and business goals downstream to members of their respective IT and security organizations.

That’s a top priority for the CIO/CISO team at the Federal Reserve System. CIO Ghada Ijam and CISO Tammy Hornsby-Fink make it a point to publicly demonstrate to the broader enterprise their shared commitment to the financial institution’s mission while highlighting how cybersecurity-related decisions advance those core objectives.

Photo: Tammy Hornsby-Fink, CISO, Federal Reserve System (credit: Federal Reserve System)

“We need to make sure our way of working doesn’t just happen at our level but is reinforced with teams at many levels of the organization,” Hornsby-Fink says. “If we get into a situation where we are either shutting something down or not being open to each other’s perspective, that sends a strong signal downstream. We make sure we listen to each other in open, public forums. That’s one of the practices put in place to ensure the [peer] relationship endures long after we’re gone.”

Photo: Ghada Ijam, CIO, Federal Reserve System (credit: Federal Reserve System)

Plaza Dynamics, a provider of managed IT, cloud, and security services, addresses the need for close CIO/CISO alignment with a unique approach. It has appointed a single executive to oversee both sets of responsibilities. In her dual-title role, Dr. Vivian Lyon serves as Plaza Dynamics’ CIO and CISO — a structure she says speaks to the expanding business remit of the security function as well as the need for security professionals to take ownership of risk.

“My dual-titled role as a CIO and CISO gives me new levers to work with and more scope to drive strategic integration and alignment of cybersecurity within our organization and clients,” Lyon says, acknowledging that, although the dual-titled leader is on the rise, the structure doesn’t work for all companies, especially larger organizations.

In instances where the CIO and CISO are separate, peer-level roles, Lyon advocates for a well-defined risk profile to help prioritize resources and balance acceptable risks.

“In a peer relationship, balancing business objectives with security requirements ensures decisions that drive both resilience and growth,” she explains. “Without clarity, organizations may overinvest in low-priority threats or under prepare for significant risks.”

Photo: Dr. Vivian Lyon, CIO and CISO, Plaza Dynamics (credit: Plaza Dynamics)

CISOs find their voice

Even the best relationships have their trouble spots, and the peer CIO/CISO partnership is no exception. Historically, the pair’s agendas — the CIO charged with leading digital strategy and transformation and the CISO tasked with protecting it — have been at odds. While there is often distance between the two, CISOs’ growing business orientation and tighter alignment with their CIO counterparts are helping to close that gap more than in the past. Business-oriented CISOs are also working hard to shed their long-standing characterization as overly risk-averse, which positioned them as a bottleneck to innovation.

“One of the characteristics of a business-aligned CISO is they don’t use the veto card in every instance,” Ijam explains. “When the CISO is at the table and understands the importance of outcomes and deliverables from a business perspective as well as risk management from a security perspective, they are able to pick their battles in a smart way.”

Forging a peer CIO/CISO partnership also requires the right set of leaders. While CIOs have been honing a business orientation for years, CISOs need to follow suit, maturing into a role that understands business strategy and is well-versed in its language so they command a seat at the table. “The right CISO leader is someone who doesn’t speak in ones and zeros,” Whiteside says. “They need to be at the table talking in terms that business leaders understand — not about firewalls and malware.”

Becoming a C-suite peer also means cultivating an independent voice — important because CIOs and CISOs often have varying points of view, separate priorities, and different tolerances for risk. It’s equally important to make sure the CISO’s voice — and security recommendations — are part of every discussion related to business strategy, IT infrastructure, and critical systems at the beginning, not as an afterthought.

“There is an assumption often made that a CISO or security people will slow you down,” says the Federal Reserve’s Hornsby-Fink. “If we are at the table early in conversations, we can steer the organization in a direction where we can move the business quickly and avoid being overly risk averse.”

Like any successful long-term relationship, open communication and transparency are key to a fruitful CIO-CISO partnership. Having those tough conversations to reconcile conflicting priorities, actively listening, and holding one another accountable are all part of what’s required to build trust and transparency — the bedrock for peer partnership success.

“Any points of contention, I don’t take personally,” says United’s DeFiore. “I know we have a trusted relationship and not everything is going to be all rosy. In the end, we are trying to do the same thing and find solutions to get there.”


Original Post url: https://www.csoonline.com/article/3841624/cisos-and-cios-forge-vital-partnerships-for-business-success.html

Category & Tags: Business IT Alignment, CSO and CISO, IT Leadership, IT Strategy
