A pandemic makes CIOs and CISOs strange bedfellows, and this year they have had to work together more closely than ever under unprecedented circumstances. The result? The state of the relationship has generally improved.

Organizations across the board have accelerated their digital initiatives and migrations to the cloud to support remote workers and customers in the past several months. This has “caused people’s risk appetites to shift very, very dramatically and it’s caused CIOs and CISOs to be even more locked at the hip,” says Jeffrey Wheatman, a Gartner Research vice president.

A symbiotic relationship is also needed now because “boards are now asking more and sometimes better questions about cybersecurity,” says Wheatman, “and that has resulted in CIOs and CISOs trying to at least have aligned stories or narratives.”

CIOs and CISOs agree that the push to automate manual processes and capabilities to create efficiencies has necessitated working together more closely. “The CIO and CISO have to be so tightly coupled together in roadmap and strategy, regardless of reporting structure,” says Patricia Titus, chief privacy and information security officer at insurance company Markel.

Security is now strategic

This isn’t always the case when the CISO reports to the CIO. “Unfortunately, some CISOs struggle being under the CIO because, ultimately, some of the things they find and need to fix will make it harder for the CIO to do their job,” Wheatman says.
“I think the CISO wants to make sure data during movement shouldn’t be available to people who shouldn’t see it and [keep] the integrity of systems and security and compliance, so there’s a little bit of divergence about what the objectives are” between the two roles.

The good news, he says, is there is less conflict than there used to be and more synergies between the two roles, thanks to a recognition by business executives and stakeholders that they are increasingly dependent on technology.

The maturity of security as a discipline has also grown. “Security has now become viewed as more of a strategic initiative rather than people who say, ‘No, stop, don’t,’” Wheatman says. “We used to refer to that type of CISO as ‘Dr. No.’ We’re seeing less of that.”

When CIOs and CISOs see themselves more as partners and peers, that drives synergies, Wheatman adds. “As we see the convergence of operational technologies like IoT and cloud, there’s a recognition the two have to be more in lockstep, rather than CIO throwing things over the fence and saying, ‘You have to secure this thing we have implemented.’”

Evolution of the CIO-CISO relationship

Titus and Mike Scyphers, Markel’s CIO, have worked together for almost five years and have what could be characterized as the ideal work marriage — one of mutual respect and praise.
Both speak deferentially about the other.

Scyphers says that with the proliferation of consumer technology and the ability for business units to spin up their own cloud services, it’s very easy to get focused on innovation “without baking security in.” He calls his relationship with Titus “valuable” and says, “I can’t imagine [deploying technology] without that partnership.”

Titus originally worked in the IT department and Scyphers says he “fully endorsed” her moving out.

“Any time we have a conversation where there isn’t a healthy [discussion] of checks and balances, I get nervous. Having Patti say something is wrong, starts as being correct,” he says. “I’ll debate our different views but … when everything is in the IT organization, ultimately, I found myself on both sides of the ledger, and while you always try to do everything right, you have blind spots, and this helps you compensate.”

Scyphers says he’s averse to playing “good cop, bad cop,” so when security concerns crop up, IT turns to the security team “to get a read on it. If they’ve got the answer, we don’t waste time on it.”

There has long been a perception that the CIO-CISO relationship is confrontational with one reporting to the other and taking a “you must do what I tell you” attitude, says Gary Hayslip, CISO at SoftBank Investment Advisers.

Earlier in his career, Hayslip was a CIO and transitioned into the CISO role and says he used to believe that CISOs shouldn’t report to CIOs. “The CISO’s job is managing risk using people, processes, and technology, whereas the CIO’s job is providing services. Those are very different views,” he explains.
“We’re using the same resources, but we approach issues very differently.”

That said, the IT stack and security stack of technologies are intertwined, and that means both teams have to support the other, Hayslip adds.

Hayslip reports to Wil Bolivar, head of technology and information security at SoftBank, and says they are “really good friends.” He also reports to SoftBank’s CFO. In prior roles, Hayslip says he’s reported to some “really good CIOs” and CISOs, and others with whom he’s had a contentious relationship.

“Sometimes you run into CISOs who can be very focused and almost in your face about security and risk, which doesn’t always work,” Hayslip says. “They’re very tactical CISOs and don’t play well with others and they think all the risk issues have to be handled now, now, now.”

Hayslip describes himself as a CISO who is both tactical and strategic. “I look at my job as a business executive who happens to do cybersecurity, and I have to work with my peers in other business units” and explain the value of security.

“The only way to make that happen is, I can’t be in their face; I have to understand how they work, what they need, who are their major customers and how can I support them,” Hayslip says. “I approach it that way and I get a lot more traction.”

If a CISO is strictly tactical, he adds, the business will “only put up with your crap so long before they kick you to the curb.”

Hayslip believes being tactical is a “maturity problem” when a CISO has only worked with small companies and is used to putting out fires and hasn’t had a chance to grow professionally.

Reporting structures

The reporting structure varies from company to company and can also differ by industry.
For example, reporting to the CFO if you’re in financial services tends to make more sense, says Gartner’s Wheatman. CISOs who work in shipping, logistics, or retail most likely report to the COO.

“I take 600 calls a year, and probably 80 to 100 are on organizational structure, and the root question is, should the CISO report to CIO?” he says. In past research Wheatman has done, about one-third of CISO respondents said they are not part of IT, he says.

Cybersecurity is often moved out of IT when an organization recognizes that security is a business problem and not a tech problem, he says. “When it’s part of the CIO’s [purview] … everyone assumes [security is] a tech problem. There are tools involved and yes, technology, but cybersecurity is operational technology.” The focus is on supporting the business processes and legal and regulatory requirements, Wheatman says. “None of those are the CIO’s or tech’s problems.”

In the 14 years Wheatman has been with Gartner, data from the firm’s security conferences have shown that about 35% of people who report themselves as head of security for an organization don’t report to IT, he says. “It’s flatlined now.”

Brennan Baybeck, vice president and CISO for customer services at Oracle, reports to the head of a business line, but says he reported to the CIO for seven years and had a positive experience.

“I was fortunate to work with a CIO who was progressive, understood the importance of security and was a huge advocate for it,” says Baybeck, who is also board director of the IT governance organization ISACA. Baybeck says he was able to articulate and demonstrate to the CIO the importance of security to the company’s strategy, both from a business and IT perspective.
He did that “by continuously reporting to the CIO, educating him and keeping him aware of how security was enabling our business, and understanding security posture, risks, and vulnerabilities.”

Baybeck says he took the initiative to meet with the CIO on a regular basis, not just about security, but to share ideas for how to make IT more efficient and effective through security services.

“He elevated me to his leadership team, which meant that I was not only able to advise executives on security, but also make sure that security was embedded and relative to the business and IT strategies,” he says. “Additionally, I was able to provide value to the IT team.”

Advancing security took about 75% of Baybeck’s time and he used the other 25% to work at obtaining additional resources. “For many of my peers, that equation is flipped and they spend the majority of their time fighting for and justifying resources.”

Hayslip believes it’s a good thing for a CISO not to report to a CIO. That way, “risk is more visible and the organization is able to, from a strategic standpoint, understand where things will be managed,” he says.

In that type of environment, the CIO and CISO should be peers and still meeting on a weekly basis, he says.

The pandemic effect

The pandemic has certainly fostered having one another’s backs as IT scrambled to enable remote work and security teams worked to ensure employees were authenticated when tapping into the network remotely and that data remains secure. “If your [security team] is doing that without the support of IT in the pandemic environment we’re in right now you’re crazy,” Hayslip says.

The network edge has moved into the home, he notes.
“I have 680 networks to worry about because I have 680 employees instead of one network,” Hayslip says.

Although Clemson University Vice President and CIO Russell Kaurloto had a good working relationship with CISO Hal Stone prior to the pandemic, he agrees that COVID-19 has “solidified it and brought closer how we share information and communicate more effectively.”

Clemson had roughly 1,800 students working online remotely and that number jumped to around 26,000 along with 4,000 faculty and staff in March. “I talk to my CISO weekly, one on one, but he’s also involved in a daily COVID call where we go through systematically what’s going on,” Kaurloto says.

Tips for CIO-CISO harmony

Echoing Hayslip, Wheatman says that with the uptick in digital business, it’s counterproductive for a CISO to wag their finger at the CIO and say, “You need to do what I say or else. It’s more about, ‘We need to work together to solve a problem that the board or COO, or CEO or CFO says is important.’ It’s growing over time.”

For example, Wheatman worked with a CISO at a midsize financial credit union to build a deck for his audit committee. They constructed his narrative, starting with the business objectives and then the steps the CISO would take to build his cybersecurity program. “The CIO got ahold of it and said, ‘We have to talk to the board about threats and technology, and I’ve talked to boards and they’re not interested in that and they don’t understand what the takeaway is,’” Wheatman recalls.

They ended up having to do a joint call with the CIO to say, “Look, this is why this message won’t be constructive,” he says. While Wheatman doesn’t know what the outcome was, “those [scenarios] are still common.
It should be less than 5% and it’s probably 20% to 25% of the time that those issues come up.”

Wheatman tells security leaders that they need to figure out how to tell their story — not just to their own boss — but through them to their boss’ boss.

“Often, we get lost in technology and end up talking about tech for tech’s sake and not enough about the business value, revenue, culture, and risk management,” he says.

CISOs need to come up with a common set of terms of reference, he says. “We use words like ‘cybersecurity’ and ‘threats’ and ‘vulnerabilities’ and ‘risk.’ And we use them inconsistently, so we need to communicate a frame of reference in a consistent manner.”

They also need to make sure they’re aligned with the business objectives. “That sounds patently obvious, but in a lot of cases, it’s not,” Wheatman says. “CIOs tend to be more mature and they need to help the CISO elevate their messaging to get to that higher level of maturity.” They need to be aligned even if they are not in agreement on everything, he stresses. “They need to have same long-term vision, and that’s not always the case.”

The biggest cause of friction is about budget, notes Hayslip. A CIO will be told they need to cut their budget while the CISO is focused on trying to build out a cybersecurity program and manage risk, he says.

“Nine out of 10 times that’s where the priorities differ.” Hayslip says he’s found that if the lines of communication stay open and the CIO and CISO meet weekly, even if it’s just for a half hour to fill each other in, both sides will learn a lot.

“The CIO will give you insight on politics so you have good insights on the company’s problems or how the business is shifting,” he says.
That way, they can put their heads together to figure out where they can derive savings.

If the CIO and CISO are talking to each other, there are no surprises, he says. “I’ve found when we do that we work extremely well together.”

Baybeck agrees that nurturing relationships and building partnerships is key. “A CISO should strive to be considered a trusted advisor to the CIO, to the point where they are anticipating their needs and informing them of issues or opportunities they may not even be thinking about in relation to security risks.”

All the CIOs and CISOs agree that mutual respect is perhaps the most important ingredient in the relationship.

“Right from the start, there has to be mutual understanding of … what we’re trying to achieve and maintain on a daily basis,” says Clemson’s Kaurloto. “That’s key. The second thing is to build a close relationship of mutual respect. You’re not always going to come to the same result and you won’t always be in unison. But with mutual respect you’ll find that common ground.”

There also needs to be full transparency, he adds. “If it comes across that you’re not walking the walk you won’t be able to gain the respect and understanding of your CISO. Your CISO is part of your overall success. If you don’t have a good relationship and true transparency you will constantly have friction.”

Markel’s Scyphers says that he and Titus focus on business outcomes rather than a security or IT problem. “We both bring our disciplines to support that. Patti is the consummate professional … I encourage that trust to be there. It’s critical.”

For her part, Titus says it’s important to challenge each other, “and when you come out you have a concerted front.
You solve your problems behind closed doors.”

“It’s important to focus on the partnership” and both sides may need to make concessions to get to that common goal, she says.

“We may deviate a little on how we get there,” Titus says, “but at the end of the day, we’re going to cross the finish line together.”

Just like in any good marriage.