
CIO and CISO: A Unique Partnership


Why is friction between them not only normal but a sign of maturity? And how do we build a high-quality, seamless partnership between the system’s project leader and one of its key oversight roles? In the event of conflict, who holds the authority to make the final call and protect the relationship?
The CIO is like a central midfielder in football — the playmaker — positioned between the business teams and the technical teams, between users and software vendors, between ideas, expressed needs, and real-world implementation. The CISO, on the other hand, is a defender. Their job is to stop attackers and secure the goal area. They rely on the midfielder to prevent threats from getting through, and the midfielder relies on the defender to hold the line.
But before this tactical relationship can take shape, there’s the rest of the team — the organization — counting on both the CIO and CISO to ensure that the information system is both seamless and secure. There should be no tension between these two players, only trust, mutual understanding, subtle signals, and real cooperation in the interest of the collective.
The same analogy could be drawn with a Formula 1 driver and their quality engineer, or a CFO and the financial controller.
“Clear up any ambiguity. Communicate. Escalate when needed.”
What most often undermines the CIO–CISO relationship is ambiguity: Who is responsible for what? Who has the final say when there’s a strategic disagreement? Or a clash over timing or formal process?
In theory, this is where governance comes in: the business owner — whether that be the Security Committee, the Executive Committee, the CEO, or the Qualified Information Security Authority (AQSSI). The specific body matters less than its existence and clearly defined role. It’s up to the CIO and the CISO to escalate decisions to this governance layer when needed — with full context — so both can move forward with their respective plans without lingering resentment.
The CIO must be able to carry out the information system’s roadmap as smoothly as possible — both with the business and within their own functional and technical teams. The CISO must similarly execute their cybersecurity roadmap, which inevitably has an impact on the CIO’s domain.
So what are the options? Open conflict — which is obviously undesirable and likely to result in one of them leaving — or a state of productive peace, which is far more sustainable for the individuals and much healthier for the system as a whole.
“Approach the role with humility and awareness of the other’s goals and constraints.”
Both professionals must approach their roles with humility — aware of each other’s goals and constraints — a necessary condition for mutual understanding. There’s no good reason the CIO–CISO pairing shouldn’t work, except for human factors, misunderstandings, or poor arbitration.
The CIO and CISO are negotiators, not autocrats. They know full well that nothing gets done by command alone in a system where power is distributed. What works instead is nuance, pedagogy, and mutual respect. It’s their responsibility to ensure the relationship runs smoothly, each one ready to adapt their roadmap to the realities of regulation, national cybersecurity program commitments, and the outcomes of internal and external audits.
Their relationship must never become a power struggle — that would be toxic. Instead, it must be grounded in positive complementarity, where understanding each other’s challenges and stakes remains the foundation.
Both CIO and CISO serve the information system and the business — each in their own way. One is the builder, the architect of technical and functional needs. The other is the quality officer, the controller whose mission is to reinforce the structure: its availability, integrity, and accessibility. They are partners with a shared ambition: to ensure high-quality service delivery within a compliant regulatory framework.