Source: Brain_light via Alamy Stock Photo
At first glance, the chief information security officer and chief operating officer appear to operate in fundamentally different worlds — perhaps even at odds with one another. While the CISO is preoccupied with threat vectors, vulnerabilities and intrusions; the COO obsesses over margins, uptime, and efficiency.
However, the digitally transformed enterprise demands CISOs and COOs build strong, intentional partnerships. Not because security leaders suddenly care about cost per transaction or supply chain process optimization, but because downtime from cyberattacks has become an existential operational risk that every COO must actively manage. Modern operations are entirely digital, and operational excellence is inseparable from cybersecurity resilience.
"CISOs should treat the COO relationship as a top-tier relationship alongside the CEO/CFO, because operations disruption is often the business’s biggest practical risk," said David Elfering, director of security at transportation company Carrix.
Why This Partnership Matters to Operations
Cyber resilience represents an organization’s ability to prepare for, respond to, and recover from cyber threats while maintaining business operations throughout the incident lifecycle. This doesn’t merely cover the recovery after an attack; it’s the ability to function continuously, even while under active threat.
The specter of disrupted processes, employee productivity loss, supply chain delays and customer service failures that accompany a significant security incident is a key concern of the modern COO. When ransomware locks down a production environment, the CISO’s containment protocols may protect the organization, but the COO watches as revenue evaporates.
"When disruptions hit operations, neither the COO nor the CISO can navigate such scenarios successfully," says Adam Ennamli, chief risk, compliance, and security officer at General Bank of Canada.
For COOs, this shift to digital operations has changed risk dramatically. Traditional operational risk management—mitigating supply chain disruptions, optimizing process flows, managing facility reliability—assumed that internal systems would remain available and functional.
Today, however, a ransomware attack exploiting a business process vulnerability can halt operations more effectively than most physical facility failures. Organizations now compete not just on cost and speed, but on their ability to sustain operations despite sophisticated digital threats. This is why COOs increasingly recognize that cybersecurity investment directly protects operational continuity, the metric by which their performance is fundamentally measured.
Build the Relationship Before There’s a Crisis
One of the most significant mistakes an organization can make is leaving the CISO-COO relationship undernourished until a disruptive incident forces them together. Emergency response under pressure inevitably produces poor decisions, miscommunication, and misaligned recovery priorities. A 3 A.M. emergency call over a security incident becomes meaningfully more manageable if the CISO and COO have spent months building mutual understanding, trust, and shared decision-making frameworks.
This proactive engagement requires establishing recurring touchpoints where both leaders continuously align on operational dependencies, critical business processes, and how security controls either enable or constrain those processes. The COO needs to understand which systems the CISO considers most vital to protect and why. The CISO needs to grasp which business processes generate the highest operational risk if disrupted—not from a security perspective, but from a business continuity perspective.
These conversations build credibility before it becomes essential. When the COO has spent six months listening to the CISO’s views on operational resilience, the CISO’s recommendations during a crisis carry weight. The dialog in the relationship becomes "we’ve been planning for this together," rather than "the security team is now telling operations how to run things."
Such ongoing communication helps resolve the typical security-versus-operations friction that plagues many organizations, Elfering explains, such as the "we can't patch now, it might cause downtime" deadlock between operations and security teams.
"I recommend creating joint planning with operations and scheduling maintenance windows that will reduce long-term accumulated risk that could produce larger, unplanned outages," Elfering says.
A Joint Crisis Operations Plan Requires Operational Specificity
The crisis management plans that most organizations draft are often vague about operational realities. They specify who communicates with regulators or customers, but they lack the operational granularity that COOs need: exactly how the company will maintain production systems, which backups will need to be activated, how customer traffic will be handled, and what the revenue-impact timeline looks like.
A CISO-COO joint incident response plan must include operational decision trees that account for different attack scenarios and their operational consequences. If ransomware targets the customer transaction system, the plan should specify exactly which systems have failover capability, how long activation takes, what capacity loss occurs during failover, and how operations will manage customer communication about potential transaction delays. If supply chain systems are compromised, the plan should identify which suppliers can be contacted through alternate channels, how inventory will be managed, and the recovery timeline.
The plan must also designate clear authority for operational decisions during incident response. Does the CISO's containment strategy require shutting down systems the COO considers critical?
"Who has final authority to make that trade-off call?" asks Elfering. "Answering these questions during calm planning prevents dangerous delays and conflicts when stakes are highest."
Ennamli adds that CISOs should work with COOs to build and test crisis communication/decision playbooks with operations, comms, legal, and execs, and to pre-assign roles and expectations. "Organizations with clear cross-functional playbooks move faster and minimize operational and reputational damage," Ennamli said.
Regular tabletop exercises must involve both the CISO and COO teams practicing their roles in realistic attack scenarios. These simulations should stress-test operational recovery decisions, not just technical incident response procedures.
The exercise should answer complex questions: If a system is shut down to prevent the spread of malware, how long can operations tolerate the revenue impact? What’s the acceptable downtime threshold? How are hard decisions, such as deciding between containing the threat and maintaining operations, made?
The CISO-COO partnership represents a fundamental recognition that cybersecurity and operational excellence have become synonymous. Organizations that build proactive, aligned relationships between these leaders—establishing crisis plans in regular times, translating cyber risk into operational consequences, and tying security investments to uptime and resilience outcomes—will sustain operations effectively even during sophisticated attacks. Those that treat the relationship as an afterthought, coordinating only when disaster strikes, may face cascading operational failures when they can least afford them.
About the Author
An award-winning writer and journalist, George Hulme has written about business, technology, and IT security topics for more than 20 years. He currently freelances for a wide range of publications and is a security blogger at InformationWeek.com.