Bridging the Divide: How CIOs and CISOs Can Unite to Drive Security and Innovation

Written by Ryan Gibson
    As cyber threats multiply and digital transformation accelerates, the relationship between Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) has become more critical—and more complicated. While both roles are crucial in shaping an organization’s technology and security posture, the inherent tension between the two can lead to misalignment that hampers innovation and increases risk. David Gee, former Global Head of Technology, Cyber & Data Risk at Macquarie Group, provides a unique perspective on this tension, having held both CIO and CISO roles during his career. Gee emphasizes that bridging the divide between these key executives is essential for enterprise security leaders aiming to thrive in today’s complex landscape.

    CIOs and CISOs: Conflicting Mandates, Shared Goals

    The tension between CIOs and CISOs stems from their differing mandates. CIOs are tasked with driving digital innovation, ensuring the smooth operation of IT systems, and supporting the organization’s business goals. CISOs, on the other hand, are primarily responsible for securing the enterprise, managing cyber risks, and safeguarding critical assets. This divergence creates friction, as security measures are often seen as impediments to the CIO’s mandate for agility and speed.

    David Gee, who spent decades navigating this dynamic, notes, “The tension is almost inevitable. CIOs are under immense pressure to innovate and deliver new capabilities at speed, and that’s often where the friction with CISOs arises. Security, by its nature, can slow things down.” He points out that while CIOs understand the need for security, they often see it as a secondary priority when compared to digital transformation initiatives. “It’s not that CIOs don’t care about security; it’s that they view it as something that can conflict with the business need for speed,” Gee adds.

    CISOs, meanwhile, have a very different perspective. Their focus is on minimizing risk, ensuring compliance, and building a security-first culture. Gee explains, “As a CISO, your job is to protect the organization from evolving threats, and that often means introducing friction. CISOs are the ones who have to say ‘no’ when things move too fast or when shortcuts are taken. That can be difficult for a CIO to accept, especially when they’re measured on how quickly they can deliver new services.”

    Despite these conflicting objectives, both CIOs and CISOs ultimately serve the same goal—ensuring the organization’s success. “The challenge,” Gee says, “is getting both roles to recognize that they are on the same team, working toward a shared outcome. Security and innovation don’t have to be at odds; they can actually complement each other.”

    Overcoming the Tension: Fostering a Culture of Shared Responsibility

    One of the key insights Gee offers for bridging the divide between CIOs and CISOs is the need for shared responsibility. Rather than viewing security as a barrier to innovation, CIOs need to embrace it as an enabler of long-term success. Gee highlights the importance of reframing the relationship between these two roles: “It’s not about one role winning over the other. It’s about integrating security into the fabric of digital transformation from the start. When both sides see security as a shared responsibility, the conversation changes.”

    Gee points to his experience at HSBC, where he implemented a strategy to foster collaboration between IT and security teams. Early in his tenure as CISO, he organized a series of cyber briefings for key stakeholders, including the CIO and other senior IT leaders. “It wasn’t just about reporting on risks,” Gee recalls. “It was about creating an open dialogue where everyone could ask questions, voice concerns, and contribute to the solution. When people are engaged and feel like they have a stake in the outcome, they’re more likely to buy into the security agenda.”

    Gee emphasizes that transparency and communication are crucial for building trust between CIOs and CISOs. “The biggest mistake organizations make is treating cybersecurity as a siloed function. The CISO can’t be the only person responsible for security, just as the CIO isn’t the only one responsible for innovation. Both need to work together to create a strategy that balances speed and safety,” he explains.

    At Macquarie, Gee built on this approach by ensuring that both the CIO and CISO were aligned with the board and executive leadership. “It’s about creating a shared narrative,” he says. “If the board sees cybersecurity as a foundational part of digital transformation, it sets the tone for the entire organization. The CIO and CISO need to be united in delivering that message.” This alignment, Gee believes, is critical in creating a culture of shared responsibility where innovation and security go hand in hand.

    Cybersecurity as a Competitive Advantage

    One area where Gee sees alignment between CIOs and CISOs growing is in the recognition that cybersecurity can be a competitive differentiator. “In the past, security was often seen as a necessary evil—something that you had to invest in, but that didn’t add direct value,” he explains. “But that’s changed. Today, organizations that can demonstrate strong cybersecurity practices have a significant edge in the market, especially when it comes to earning customer trust.”

    CIOs, in particular, are starting to recognize the value of security in building resilient, customer-centric services. “Digital transformation without security is a recipe for disaster,” says Gee. “If you’re rolling out new technologies or services without considering the security implications, you’re not just risking a breach—you’re risking your reputation. Customers want to know that their data is safe, and organizations that can offer that assurance will win in the marketplace.”

    Gee points out that this shift in thinking is leading to more productive conversations between CIOs and CISOs. “CIOs are beginning to see that cybersecurity is not just a cost center—it’s an investment in the future. It’s about building trust with customers, protecting the organization’s intellectual property, and ensuring that digital initiatives are sustainable over the long term.”

    Collaboration Beyond the Enterprise: The CISO Community

    The complexities of today’s threat landscape require collaboration not just within organizations, but across the broader cybersecurity community. Gee is a strong advocate for greater information sharing among CISOs, particularly when it comes to third-party risks. “No organization operates in isolation anymore,” he explains. “We’re all part of a broader ecosystem, and the threats we face are often interconnected. Sharing intelligence and collaborating with other CISOs is essential if we’re going to stay ahead of the attackers.”

    Gee recounts his experience attending industry forums, such as the FSI Congress in Singapore, where he and other CISOs discussed the challenges they were facing with third-party security. “We sat down and asked ourselves, ‘How can we protect ourselves collectively?’ It’s not just about protecting your own organization—it’s about working together to create shared defenses. That’s where the power of the CISO community really comes into play.”

    This collaborative mindset is something Gee believes should extend to the relationship between CIOs and CISOs. “When CISOs are transparent about the challenges they face, and when CIOs are open to understanding those challenges, it creates an environment where both roles can succeed,” he says. “It’s about building a coalition—both within the organization and across the industry.”

    The Vendor Conundrum: Aligning Solutions with Strategy

    Another challenge that complicates the CIO-CISO dynamic is the flood of security solutions offered by vendors. While technology is a critical enabler of both digital transformation and security, CIOs and CISOs often find themselves overwhelmed by the sheer volume of solutions being pitched to them. “Every vendor claims to have the ‘silver bullet’ for cybersecurity, but the reality is that no single solution can address all of an organization’s needs,” says Gee.

    He advises both CIOs and CISOs to be strategic in their approach to vendor relationships. “It’s about understanding where your organization is in its security journey, and choosing solutions that align with your long-term goals,” Gee explains. He emphasizes the importance of selecting vendors who understand the unique needs of both the CIO and CISO. “Vendors need to recognize that the CIO and CISO have different priorities, but those priorities aren’t mutually exclusive. The best vendors are the ones who can demonstrate how their solution fits into the broader business strategy, not just the security strategy.”

    For Gee, the key to managing vendor relationships is trust. “CISOs and CIOs are bombarded with vendor pitches every day, and it’s easy to get lost in the noise. The vendors who stand out are the ones who take the time to understand your challenges, listen to your concerns, and offer solutions that are tailored to your specific needs. It’s not just about selling a product—it’s about building a partnership.”

    Embracing a Unified Approach

    As cyber threats continue to evolve and the pace of digital transformation accelerates, the relationship between CIOs and CISOs will remain pivotal to enterprise success. David Gee’s insights offer a roadmap for overcoming the natural tension between these two roles, emphasizing the need for collaboration, shared responsibility, and a unified approach to security and innovation.

    For enterprise-level CIOs and CISOs, the takeaway is clear: the divide between security and technology is no longer sustainable. By fostering open communication, aligning their strategies with business goals, and embracing a culture of shared responsibility, these executives can not only bridge the gap but turn it into a source of strength. As Gee puts it, “When CIOs and CISOs work together, they’re not just protecting the organization—they’re driving it forward.”
