Mark Thomas felt trouble brewing when he was a CIO with a CISO reporting to him as the pair stumbled over what could have been seen as conflicting priorities.

The two hashed out a plan to overcome the discord, Thomas says. They developed a set of common standards to help them communicate and pull toward common objectives. Thomas considered it an executive version of middleware.

“It gave us common terminology and common objectives. It aligned our goals,” Thomas says. “That was a really good starting point for breaking down our siloes.”

Thomas, now president of Escoute Consulting, which focuses on the governance of enterprise IT, says it was important to get out in front of the communication breakdown between himself and the CISO, because he views the relationship as a crucial partnership for enterprise success.

Yet he and others say it’s common, and in many ways expected, for CIOs and CISOs to butt heads. They have different objectives that bump up against each other: CIOs strive to deliver consistent, reliable services as quickly as possible, while CISOs seek to deliver those services securely.

“But they have to work in harmony, build the right team structure and promote the right culture. And they have to work together for the common good of the organization,” says George Moraetes, a security consultant and interim CISO with his firm Securityminders LLC.

When they don’t, the organization is at risk of slower, less secure technology services and stunted digital transformation overall.

Signs of trouble

There are many telltale signs of trouble in the CIO-CISO relationship, according to experienced executives, researchers and management consultants. They include:

A lack of respect. The executives (and, as a result, their managers and staff) disregard each other’s advice, ignore requests for cooperation, dismiss the other’s opinions, issue commands to be obeyed rather than calls for collaboration, and refuse to share information.

No clear delineation of responsibilities. Especially in areas where technology and security overlap, a lack of clarity around roles and responsibilities can lead to either battles over territory or neither side taking ownership of projects.

High turnover. A high turnover rate, particularly in either executive position, but also in staff positions within both departments, could indicate a toxic work environment that may (but not exclusively) stem from problems at the top.

An us-vs.-them mentality. This adversarial approach fosters an obstructive working relationship rather than a collaborative one.

Failure to do the job. Missed deadlines, incomplete projects, or ignored requests for input where the IT and security teams need to coordinate all can result in work not getting done.

Frequent or increased downtime. In particular, unplanned downtime due to security needs could indicate inconsistent or nonexistent communication and coordination between the two teams.

Lack of peer relationship

Several factors can lead to a troubled CIO-CISO relationship that manifests in bad behaviors like those just listed. The people in those roles could be particularly egocentric. They might not like each other and can’t work through the ill feelings. Or they don’t know – and don’t care – about the pressures that the other one faces.

But often a troubled CIO-CISO relationship stems from an imbalance in the positions, according to multiple experts.

They say the CIO and the CISO should be on equal footing within an organization, with each one involved in strategic planning.

That’s the case in many organizations, but not all. The 2018 Global State of Information Security Survey from PwC, CSO and CIO found that 40 percent of the top information security executives reported to the CEO, 27 percent reported directly to the board of directors, and 24 percent reported to the CIO.

Similarly, the 2018-2019 EY Global Information Security Survey found that 40 percent of organizations charge their CIOs (not the CISOs) with ultimate responsibility for information security.

Relationship fixes

A problematic CIO-CISO relationship can be repaired if you're willing to put in the work. The experts we spoke with offer the following steps that the executives can take to help overcome misalignment, professional conflicts and even animosity.