Scott Arnold and James Bowie joke with the ease of longtime friends. Professionally, they've grown closer as part of their work as the CIO and CISO of Tampa General Hospital, a 1,040-bed non-profit medical center.
The two executives credit their well-oiled working relationship to mutual respect for each other’s jobs and objectives, a link that allows them to work together to enable innovation without jeopardizing safety.
“We work hard to really strike a balance,” said Arnold. “We want to go out on the edge and be innovative but also not at the expense of security for our patients and/or our team members.”
Not every enterprise CIO and CISO duo works well together because their goals have historically been misaligned, said Jess Burn, principal analyst at Forrester.
Where a CIO might want to race forward with their brand new product, CISOs want to make sure it doesn’t contain security gaps that can put the entire enterprise at risk. System uptime and security are two common friction points between the two executives.
CIOs and CISOs can work together for the sake of the organization by having clearly defined roles, trying to walk in each other’s shoes, and having mutual respect for their missions and goals.
Conflicting goals — and org chart positions
The CISO-CIO relationship is often roiled by clashing perspectives, especially since CISOs are more worried about cyberthreats than their counterparts.
CISOs are more on edge than any other C-suite executive, with two-thirds saying they were worried about cybersecurity threats to the organization, compared to just 56% of other C-suite executives, according to EY research.
CIOs' focus on the bottom line can also lead to friction.
“From a CIO’s point of view, my focus is on the business and how do we drive revenue and how do we maximize profit,” said Rebecca Fox, group CIO at NCC Group, who is in the unique position of being a CIO of a cybersecurity organization. “From the CISO point of view, their priorities are making sure my organization doesn’t get hacked.”
As cybersecurity’s importance has changed, so has the position of the CISO in relation to the CIO, which can help them work in tandem.
CISOs are now more frequently viewed as true C-suite roles instead of “being a C-title that’s really at a director level,” said Burn. That’s in part because CEOs and most executives and board members are “much more aware of major security risks than five or 10 years ago.”
If a CIO and CISO are in conflict, they can work together to figure out how their shared mission is “in service of innovation and differentiation for the organization,” Burn added. Instead of rushing something to market as quickly as possible to show to an executive board, the goal instead can be showing how security can improve experiences and reduce costs.
It also helps when CIOs and CISOs “build relationships and understand where other people are coming from,” said Fox. “Otherwise, they’re not doing their job.” That approach requires respectful, strategic conversations about budgets instead of clashing over priorities.
Mutual respect
Bowie and Arnold have been working together as CISO and CIO for two years, but first met 10 years ago, when they had different jobs at the hospital. Understanding each other’s priorities has helped them excel in what they’re doing now.
“Cybersecurity is usually a bunch of ‘no, but…’” said Bowie, often due to lack of resources. He credits Arnold with changing that by giving security what it needs, including the ability to hire the right people. Now, Bowie said, “it’s a ‘yes, but…’” Bowie and his team can now make projects happen, securely, instead of saying no because they lack the resources or expertise.
Bowie also tries to anticipate what Arnold needs — for good and bad.
When there’s a cybersecurity issue, Bowie will inform Arnold how much he should be concerned on a 1 to 10 scale. He also makes sure Arnold hears about it from him first. During the global CrowdStrike outage in July 2024 — which pulled some companies offline altogether — Bowie informed Arnold immediately, ranking the outage a 3 given its impact on some vendors instead of the organization itself.
“He always has my attention but I think it really boils down to communication and aligning incentives,” said Arnold. “The incentives for us are taking care of the organization and taking care of our patients and keeping them safe.”
The duo has made sure Bowie is able to speak directly to their board of directors instead of running through Arnold. That includes giving reports to audit and compliance committees but also an annual cybersecurity posture review. Not only does the board like hearing directly from the CISO, said Arnold, but it conveys a greater commitment to security — and the equality of their roles.
“He’s given me the trust to put [myself] out there,” Bowie said. “It makes it a lot easier when there’s not a middleman.”