IT leaders fear hearing the word "cyberattack" associated with their company's critical systems.
From Equifax to Capital One, Merck or Colonial Pipeline, businesses have experienced the lasting impact a cybersecurity weakness can have on operations, brand equity or market performance.
Due to the disruptive nature of cybersecurity weaknesses, almost half of tech leaders say vulnerability of IT assets is their main worry, according to data from Flexera. Seven in 10 leaders place vulnerabilities among their top three concerns.
Supporting an organization is the relationship between CIOs and CISOs or other similar figures within IT and security. A healthy connection starts with a focus on priority business outcomes rather than specific technologies.
But maintaining an effective relationship is also tied to how companies shape their leadership structure and executives' abilities to work together.
There are three leadership models that are most common in CIO/security leadership structure, according to Sridhar Karimanal, head of the Health and Life Sciences group at Eagle Hill Consulting:
CISOs reporting to the CIO, the most common structure
CISOs reporting directly to the CEO, which is often found in financial organizations, or
CISOs reporting to a chief risk officer.
No matter the organizational model that companies follow, significant differences between the CIO and the CISO in strategy or decision-making constitutes "a recipe for a potential gap or breach," Karimanal said.
CIOs need to work closely with their security counterparts, according to Andrew Bartels, VP and principal analyst at Forrester. Technology executives can use CISO insight to fully grasp the security implications of ongoing projects.
Vulnerabilities can present themselves all across the tech stack. Operating systems, productivity software and IT management tools rank atop the most vulnerable technologies due to end of life or end of service events from providers, according to Flexera data.
"The mandate of a CIO is not simply to keep the IT systems up to date, not simply to make sure that we're adding new capabilities from technology perspective, but to support the business strategy," said Bartels.
The CISO and CIO can become strained over decision-making, deadlines or resources. But it's in every organization's best interest to ensure the two executives find common ground.
"You need to have a governance structure that brings them together," and calls for both leadership figures to make joint decisions, Karimanal said.
One factor that can get both leaders to see eye to eye is using the language of business outcomes, said Paul Proctor, distinguished research VP at Gartner. Looking at security investments through a business plan, and making decisions based on supporting business success is an ideal approach.
The monetary motivation of an efficient CIO-CISO team is clear. The cost of cybercrime globally — including monetary losses and cybersecurity spend — soared past the trillion-dollar mark in 2020, according to estimates from McAfee.
"If the CIO is in conflict with their security officer, they need to address that conflict," said Proctor. Leaders must understand how the organization is prioritizing its business outcomes in order to understand where security investments should be made.