The relationship between the CIO and the CISO has long been defined by friction. It is often framed as a structural conflict, with CIOs pushing for speed, scale and innovation and CISOs pulling toward control, constraint and cyber risk reduction.
In practice, this tension is real. But the problem is not that it exists: the problem is how it is managed.
For many organizations, this dynamic has drifted into something more corrosive. Security leaders report feeling pressure to downplay risk, while IT leaders are often perceived as shifting accountability rather than owning it.
These patterns do not just create internal dysfunction. They also expose the enterprise to unnecessary cyber risk, particularly at a time when technology adoption is accelerating and the consequences of misalignment are more immediate and visible.
The instinct in these situations is often to reduce tension, smooth over disagreements and create harmony. That’s understandable, but it’s also misguided. Cybersecurity is a control function, and a control function is meant to introduce friction. When there is no tension, it is usually because difficult questions are not being asked or because risk is being accepted implicitly rather than deliberately. The goal is not to eliminate tension; it’s to make it constructive.
Embracing accountability with CISOs and CIOs
At its best, constructive tension sharpens decision-making. It ensures that innovation is pursued within defined boundaries rather than at the expense of them. It allows organizations to move quickly without losing sight of what matters most.
For CIOs, this means innovation does not outpace their ability to manage exposure. For CISOs, it means security remains relevant to how the business actually operates, rather than becoming an abstract constraint.
The foundation of this approach is clarity of accountability. One of the most persistent sources of conflict between CIOs and CISOs is ambiguity over who ultimately owns risk.
In practice, shared digital assets, systems, and data sit within the CIO’s domain. That makes the CIO the proxy owner of the risk tied to those assets. The CISO’s role is not to “own” that cyber risk, but to advise, challenge and provide assurance that risk decisions are informed and defensible.
This distinction is subtle but important. When accountability is unclear, decisions stall or become politicized. When it is clear, productive tension emerges. The CISO can push back on decisions that introduce unacceptable cyber exposure, while the CIO retains authority to balance risk with business priorities.
Codifying this relationship through formal governance, ideally with executive endorsement, removes ambiguity and sets the stage for more effective collaboration.
Collaborative risk management processes
Accountability alone, however, is not enough. Organizations also need a structured way to make and manage risk decisions together. A collaborative risk management process provides that structure. It allows both leaders to bring forward their perspectives, assess trade-offs and resolve disagreements with defined escalation and exemption mechanisms. Without this, disagreements either linger unresolved or are settled informally, often in ways that favor speed over sound judgment.
An independent governance layer further strengthens this model: a cybersecurity steering committee, composed of cross-functional stakeholders, can provide a neutral forum to resolve conflicts and arbitrate complex decisions. This body should not, however, be owned by either the CIO or the CISO. Keeping it independent makes it more likely that decisions reflect enterprise priorities rather than individual agendas.
Underlying all of this is the simplest and often most overlooked requirement: consistent dialogue. Regular, structured communication between the CIO and CISO is what turns governance into practice. Weekly conversations about current risks, upcoming initiatives and operational challenges create a shared understanding that prevents issues from escalating unnecessarily. More importantly, they build trust, which is essential when leaders must challenge each other in high-stakes situations.
How to measure successful CIO/CISO relationships
Once all of this has been implemented and CIOs and CISOs are approaching their relationship from this new perspective, how do you know whether it is actually working?
There are a few simple ways to gauge success, including:
- Measuring the number of cyber risk conflicts between the CIO and CISO being escalated to the cybersecurity steering committee and/or chief risk officer. A falling number means more conflicts are being resolved earlier, provided disagreements are still being surfaced through the collaborative process; a drop in escalations alongside a drop in documented risk decisions suggests avoidance rather than resolution.
- Measuring the number of unacceptable cyber risks tracked through the risk register. A lower number here means the system is working, but only if the register is being populated honestly. Given the pressure on security leaders to downplay risk noted earlier, an empty register is more likely a sign of under-reporting than of a clean estate, so this metric should be read alongside the volume of risks being raised, assessed and formally accepted.
The benefits of getting this balance right extend beyond risk reduction. Organizations that manage CIO-CISO tension effectively are able to move faster with greater confidence. Security becomes an enabler of innovation rather than a constraint because it is embedded in decision-making rather than applied after the fact. At the same time, IT initiatives are more resilient because they are shaped with an explicit understanding of cyber risk from the outset.
Tom Scholtz is a distinguished VP analyst who advises clients on security management strategies and trends, and is an acknowledged authority on information security governance, security strategy, security organizational dynamics and security management processes. Gartner analysts will provide additional insights for security and risk management leaders at the Gartner Security & Risk Management Summits, taking place June 1-3 in National Harbor, Md., July 22-24 in Tokyo, Aug. 4-5 in Sao Paulo and Sept. 22-24 in London.