The Structural Divide Between IT and Security
This episode examines the persistent organizational gap between CIOs focused on innovation and digital transformation and CISOs tasked with risk reduction and compliance. Jane Frankland, a 28-year cybersecurity veteran and MBE recipient, explains how these opposing mandates create friction: CIOs are incentivized on cost efficiency and operational uptime, while CISOs are measured on resilience and risk mitigation. The conversation reveals how reporting structures compound this problem, with many CISOs reporting to CIOs—a dynamic that can lead to security concerns being filtered or dismissed before reaching board level. Frankland notes she has witnessed CISOs removed for being 'too good at their job' when security requirements conflicted with IT delivery timelines.
Real-World Consequences and Use Cases
The discussion moves to practical scenarios where IT-security misalignment creates tangible risk. System patching emerges as a critical example: infrastructure teams traditionally deploy patches, but security teams possess the vulnerability intelligence needed to prioritize them effectively. Without collaboration, organizations patch inefficiently or miss critical vulnerabilities. Cyber recovery planning presents another case where both domains must converge—infrastructure teams manage backup and recovery operations, but security teams provide the forensic analysis to identify clean restore points. Frankland adds merger and acquisition due diligence as a third scenario, where failure to include security can result in acquiring companies with undisclosed breaches.
Solutions: Culture, Process, Then Technology
Frankland advocates for a layered approach to bridging the gap, starting with leadership alignment and risk tolerance definition at board level. She emphasizes that technology solutions deployed without addressing people and process first actually widen the divide, as security tools remain siloed in the SOC while infrastructure teams operate independently. The conversation highlights Commvault's 'Minutes to Meltdown' workshops as an effective first step—simulated ransomware exercises that force cross-functional stakeholders to collaborate under pressure. Frankland's prescription for security professionals: become evangelists who serve the business rather than enforcers who block it. For non-security stakeholders: increase cyber literacy and build relationships with security teams, who she insists are 'the department that now likes to say yes.'
