CDAO's Blueprint for Strategic CISO Partnership

This article outlines the critical need for Chief Data and Analytics Officers (CDAOs) and Chief Information Security Officers (CISOs) to form a strong strategic partnership. It identifies key challenges and opportunities at the intersection of data, AI, and cybersecurity, emphasizing the importance of joint governance, integrated risk management, shared roadmaps, and cultural alignment. The report provides actionable frameworks and strategic imperatives for CDAOs to navigate the evolving landscape and effectively collaborate with CISOs, ultimately driving business value while ensuring data security and compliance.

Navigating the Data-Security Nexus: 2025-2026

I. Executive Summary: The Imperative for CDAO-CISO Synergy in 2025-2026

The 2025-2026 landscape presents a confluence of unprecedented opportunities and complex challenges, particularly at the intersection of data, analytics, artificial intelligence (AI), and cybersecurity. For Chief Data and Analytics Officers (CDAOs), the mandate is clear: drive demonstrable business value through data-driven insights and AI-powered innovation. Simultaneously, Chief Information Security Officers (CISOs) grapple with an escalating threat environment, intensified by the very technologies CDAOs seek to leverage. This dynamic underscores a critical reality: sustained organizational success in this era hinges on an unprecedented level of collaboration and strategic alignment between the CDAO and CISO. Navigating the complexities of AI governance, ensuring the security of burgeoning data assets, and meeting the relentless pressure to deliver tangible business outcomes requires a unified front, transforming the CDAO-CISO relationship from a functional interface to a strategic partnership.

The core themes resonating through the 2025-2026 outlook emphasize the paramount importance of robust AI governance, the recognition of data security as a shared CDAO-CISO responsibility, the CDAO's evolving role from data steward to strategic business leader, and the CISO's critical function in enabling, not inhibiting, secure innovation. Organizations where CDAOs are under increasing pressure to communicate value and grow their relevance, particularly as AI demand forces them to prove its worth 1, cannot afford siloed approaches. The expectation that CDAOs will drive major decisions by 2025 is coupled with the stark warning that those failing to demonstrate organization-wide impact risk assimilation.2 This pressure on the CDAO to deliver quantifiable results occurs within a context of elevated cyber risk and heightened accountability for cybersecurity leaders.3

The dual pressures of AI-driven value creation, championed by the CDAO, and the proliferation of AI-driven threats, which fall under the CISO's purview, create an inherent and unavoidable intersection for these two roles. CDAOs are pushed to leverage AI for tangible business benefits 1, yet the very adoption of AI technologies introduces new vulnerabilities and expands the organizational attack surface.3 Since CISOs are primarily responsible for mitigating these new AI-related risks, the CDAO's success in deploying AI effectively is inextricably linked to the CISO's ability to secure these systems. Consequently, a CDAO cannot achieve sustainable AI-driven value without the CISO, and the CISO's role becomes even more pivotal as AI becomes pervasive. A fragmented or uncoordinated approach to AI by either the CDAO or CISO is a recipe for project failures, security breaches, or significant missed opportunities.

This report outlines the top strategic imperatives for CDAOs in 2025-2026, identifies the critical shared challenges and concerns with their CISO counterparts, and provides actionable frameworks for forging a powerful strategic alliance. The insights and recommendations herein are designed to empower CDAOs not only to address their core responsibilities effectively but also to proactively engage with CISOs in building a future-proof, data-driven, and secure enterprise. Proactive, integrated strategies are no longer optional; they are essential for organizational resilience, competitive advantage, and the realization of true data-driven potential.

II. Navigating the Horizon: Top 5 Strategic Imperatives for the CDAO (2025-2026)

The role of the Chief Data and Analytics Officer is at a critical juncture. To navigate the complexities of the 2025-2026 landscape successfully, CDAOs must prioritize several strategic imperatives. These imperatives not only define the CDAO's agenda but also inherently highlight crucial points of collaboration with the CISO, laying the groundwork for a synergistic partnership.

Imperative 1: Demonstrating and Delivering Quantifiable Business Value from Data & AI

The "grace period is over" for enterprise CDAOs.1 The foremost challenge is to transition definitively from a perceived role of data stewardship to that of a strategic innovator who directly and measurably impacts the organization's bottom line, including revenue generation, operational efficiency, and customer experience enhancement.1 Executive peers, including CEOs and CFOs, now expect unequivocal proof of the value derived from data and analytics (D&A) initiatives; they can no longer be assumed to see the connections automatically.1 This heightened scrutiny illuminates a historical gap where, despite significant investments in data capabilities, measurable returns have often remained elusive.6 Failure to bridge this gap and demonstrate tangible business value carries significant consequences: by 2026, 75% of CDAOs who have not made an organization-wide impact or influenced top priorities may see their functions assimilated back into technology departments.2

To meet this imperative, CDAOs must prioritize initiatives that yield clear, measurable benefits and demonstrate a strong return on investment (ROI).4 This involves developing robust methodologies for articulating and quantifying the value created for the business, potentially including a standard data value index to connect D&A efforts to business outcomes.4 Partnering with CFOs to build compelling investment cases for AI and other data-intensive projects will be crucial.8 Adopting an "offense-oriented" strategy, focusing on areas like revenue generation, customer experience improvement, and process efficiency, will be key to showcasing impact.1

The inherent link to the CISO is foundational: secure and trustworthy data and AI systems are prerequisites for delivering sustainable business value. Data that is compromised, or AI systems that are unreliable or manipulated, cannot form the basis of lasting business improvements or trusted decision-making. The CISO's role in ensuring data integrity, system security, and the confidentiality of sensitive information directly underpins the CDAO's ability to deliver on this primary imperative. The CDAO's influence and, indeed, the persistence of the role itself, are directly tied to an ability to communicate in the language of business—finance, ROI, strategic outcomes. This is a language the CISO must also adopt when justifying security investments and discussing risk mitigation.9 Both roles must transcend technical jargon to effectively engage the C-suite and the Board. This shared need for business acumen creates an opportunity: CDAOs and CISOs can mutually reinforce their positions and enhance the likelihood of securing resources by co-developing business cases for initiatives that deliver both data/AI value and critical security outcomes, presenting a unified and compelling value proposition to stakeholders.

Imperative 2: Mastering Enterprise AI: From Strategy and Governance to Ethical Implementation

The transformative potential of AI, particularly Generative AI (GenAI), is undeniable, and organizations are eager to capitalize on this momentum.4 However, the path to successful AI adoption is fraught with challenges. A staggering 60% of GenAI projects are forecast to be abandoned by 2025 due to issues like poor data quality or unclear business value.1 Furthermore, data reliability is cited as a key barrier by 56% of data leaders in advancing GenAI pilots, and 43% point to data quality, completeness, and readiness as major obstacles.11 Compounding these technical hurdles, 45% of data leaders believe that concerns over the responsible and ethical use of AI prevent them from demonstrating business value.11 In this complex environment, CDAOs are increasingly taking the helm, with 70% now holding primary responsibility for developing AI strategy and establishing operational frameworks within their companies.12 A core part of this leadership is ensuring that AI is safely and securely embedded into enterprise applications, which necessitates new collaborations across often siloed technology and business teams, including security.1

CDAOs must therefore focus on building AI-ready data foundations, characterized by high-quality, reliable, and well-governed data.1 Establishing robust AI governance frameworks is not merely a compliance exercise but a critical enabler of trust and sustainable AI adoption.1 These frameworks must address ethical considerations, promote transparency, and ensure fairness in AI systems.4 Fostering cross-functional collaboration is essential for the successful development and deployment of AI, bringing together expertise from data science, engineering, business lines, legal, compliance, and security.1 Prioritizing AI use cases with clear value propositions and designing for reusability and scalability will be key to maximizing impact.8

The CISO is an indispensable partner in mastering enterprise AI. AI governance is intrinsically linked with AI security and risk management. The CISO's expertise is critical in defining security protocols for AI models and the underlying infrastructure, mitigating AI-specific threats (such as model poisoning, adversarial attacks, data leakage through Large Language Models, and the rise of AI-driven cyberattacks 3), and ensuring that AI systems comply with a rapidly evolving regulatory landscape. The rush to adopt AI, especially GenAI, without adequate data readiness and robust governance—a concern shared by both CDAOs and CISOs—creates a significant risk of "shadow AI." Similar to the well-known problem of "shadow IT," employees eager for productivity gains may independently adopt readily available GenAI tools without organizational approval or proper security vetting. This proliferation of unmanaged and potentially insecure AI instances exposes the organization to severe risks, including data leakage, intellectual property loss, and compliance violations. To counter this, CDAOs and CISOs must collaboratively establish clear AI usage policies 14, provide access to sanctioned and secure AI tools, and educate the workforce on responsible AI use. This joint approach to AI enablement and control is vital to harness AI's benefits while mitigating its inherent risks.

Imperative 3: Fortifying the Foundation: Modern Data Governance and Architecture for Agility and Trust

Effective data, analytics, and AI capabilities rely on modern technology architecture and infrastructure.4 For CDAOs, a key priority for 2025-2026 is to evolve data governance from a primarily compliance-focused, often reactive, function into a strategic enabler of data quality, integrity, security, and democratized access.1 This involves not only establishing policies but also building and modernizing the technological backbone—the data architecture—to support advanced analytics and AI at scale. Investments in AI-ready data, data quality governance, and data architectures are top priorities for as many as three-quarters of organizations.1

CDAOs must lead the charge in implementing a modern, flexible data governance and operating model that fosters enterprise-wide accountability for data as a shared asset.4 This includes a comprehensive evaluation of existing technology and data infrastructure to inform a modernization plan that clearly links data capabilities to desired business outcomes.4 A focus on robust data quality programs, comprehensive data lineage tracking, and effective metadata management is essential, with AI itself potentially being leveraged to enhance these data management processes.8 The goal is to create a data ecosystem that is not only rich in information but also resilient, trustworthy, and agile enough to meet evolving business needs.

Data governance and data security are inextricably intertwined; they are two sides of the same coin. Robust governance defines the policies for data access, use, and management (who can access what data, under what conditions, and for what purpose), while security provides the mechanisms to enforce these policies and protect data from unauthorized access, modification, or exfiltration. A modern data architecture, therefore, must be "secure by design" 15, a core principle championed by the CISO. As organizations increasingly embrace concepts like "data products" and "data democratization" to drive wider data utilization and value 4, the complexity of ensuring both effective governance and robust security escalates significantly. More users accessing and manipulating data in diverse ways inherently increases the potential attack surface and the risk of accidental or malicious misuse. Traditional, manual approaches to governance and security cannot scale to manage this dynamic environment. Consequently, both CDAOs (to ensure data quality, compliance, and appropriate use) and CISOs (to safeguard data assets and manage access controls) must champion and jointly invest in automated governance tools, AI-powered data discovery and classification systems, and dynamic, attribute-based access controls.8 This collaborative approach to technology selection and implementation is crucial for enabling scalable and secure data democratization, ensuring that data can be widely leveraged without compromising its integrity or security.

Imperative 4: Cultivating an AI-Ready, Data-Literate Workforce and Culture

Technology and data alone are insufficient to drive transformation; people and culture are the critical catalysts. A significant challenge for CDAOs is to build AI fluency organization-wide and to attract, develop, and retain talent possessing the right blend of data, analytics, AI skills, and crucial business acumen.4 Indeed, cultural challenges are cited by an overwhelming 91.2% of data leaders as the primary impediment to their organizations becoming truly data-driven.6 This underscores the magnitude of the task in shifting mindsets and behaviors.

CDAOs must therefore champion comprehensive data literacy and AI proficiency programs tailored to various roles within the organization.4 This involves fostering an insights-driven culture through targeted training, interactive workshops, and initiatives that encourage learning, experimentation, and innovation with data and AI.4 Building high-performing D&A teams requires a strategic approach that integrates technical expertise with a deep understanding of business objectives, enabling these teams to translate data into actionable insights and serve as trusted advisors to the business.4 This includes fostering a "data product" mindset, where data assets are curated, managed, and delivered with the same rigor as traditional products.4

The CISO has a natural and vital role in this cultural transformation. A data-literate workforce is inherently a more security-aware workforce. Employees who understand the value of data and are trained in proper data handling protocols—a core component of data literacy—are less likely to make errors that could lead to security incidents. Human error remains a significant factor in many data breaches, and enhancing data literacy directly contributes to mitigating this risk. The CISO's ongoing efforts in security awareness training 15 can and should be integrated with the CDAO's data literacy and AI proficiency initiatives. As AI tools become more democratized and accessible to a broader range of employees, a new type of "AI hygiene" training becomes essential. This training, co-developed by the CDAO and CISO, must go beyond basic data literacy or generic security awareness. It needs to address the specific nuances of interacting with AI models, such as understanding prompt injection risks, recognizing potential AI biases, being aware of data poisoning threats, and, critically, knowing not to input sensitive company or personal data into public LLMs.14 Traditional data literacy programs may not cover these AI-specific risks, and conventional security awareness training may not adequately address responsible AI usage principles. Therefore, a combined curriculum focusing on "AI hygiene"—promoting the safe, ethical, and effective use of AI tools—is paramount. This joint educational effort empowers employees to leverage AI productively (a CDAO goal) while minimizing associated security and ethical risks (a CISO goal), thereby fostering an "AI-responsible culture" 13 across the enterprise.

Imperative 5: Leading Through Influence: Orchestrating Cross-Functional Data-Driven Transformation

The CDAO role is increasingly defined by the ability to lead through influence and navigate the growing organizational complexity inherent in enterprise-wide data initiatives.1 To be effective, CDAOs must act as brokers and connectors, aligning executives and initiatives from disparate parts of the organization towards common data-driven goals.1 This evolution positions the CDAO as a "connector" who bridges C-suite strategy with technical execution or a "pioneer" who champions transformative change by fostering cross-functional innovation.12 Their exposure across the organization uniquely positions them to lead, guide, and challenge their respective organizations to successfully deliver value from data and AI.12

Success in this imperative requires the CDAO to establish a compelling vision and an effective data strategy, and then to proactively cultivate strong, collaborative relationships with a diverse network of stakeholders across business units and functional areas.4 Critically, the CDAO must be perceived as a business leader who understands and contributes to overarching strategic objectives, not merely as a technical expert.7

This emphasis on influence and cross-functional collaboration finds a strong parallel in the CISO's world. Effective cybersecurity is not solely the responsibility of the security team; it relies heavily on influencing behavior and embedding security considerations into processes across the entire organization. Both the CDAO and CISO require exceptional stakeholder management skills and the ability to weave their respective priorities—data-driven decision-making and security-mindedness—into the fabric of all business operations. The CDAO's success in driving enterprise-wide data transformation is therefore increasingly dependent on their capacity to forge strategic alliances. Among these, the partnership with the CISO is one of the most critical due to the pervasive nature of data and its inherent security implications. Data initiatives invariably touch upon issues of privacy, access control, and data integrity—all core CISO concerns. A CDAO pushing for rapid data innovation without CISO buy-in will inevitably encounter security roadblocks, potentially derailing projects or leading to insecure deployments. Conversely, a CISO imposing security controls without understanding the data's value or the objectives of data initiatives will be perceived as an inhibitor to progress. Thus, a proactive CDAO-CISO alliance, where both leaders advocate for each other's priorities as mutually beneficial and essential for overall success, becomes a powerful enabling force. For instance, a CDAO can frame initiatives to improve data quality by highlighting how this also enhances the CISO's ability to perform anomaly detection and identify security threats. Similarly, a CISO can articulate how robust security measures enable trusted data environments, which are foundational for reliable AI and analytics. This mutual advocacy not only strengthens their individual positions but also accelerates the journey towards a secure, data-driven enterprise.

The list below summarizes these critical areas of focus for the CDAO and their inherent linkages to the CISO.

  • Imperative 1: Demonstrating Quantifiable Business Value from Data & AI

    • CDAO Challenge: Prove ROI, move beyond stewardship to strategic innovation. Actions include prioritizing high-ROI initiatives, developing value metrics, partnering with the CFO, and adopting offense-oriented strategies.

    • Inherent CISO Link/Collaboration Point: Secure data/AI is foundational to trustworthy value. The CISO ensures data integrity & system security, underpinning the CDAO's ability to deliver.

  • Imperative 2: Mastering Enterprise AI: Strategy, Governance, Ethical Implementation

    • CDAO Challenge: Capitalize on GenAI amid data quality, reliability, and ethical concerns. Actions include building AI-ready data, establishing AI governance, addressing ethics, and fostering cross-functional collaboration.

    • Inherent CISO Link/Collaboration Point: AI governance is intrinsically linked with AI security. The CISO is critical for AI security protocols, threat mitigation, and compliance of AI systems.

  • Imperative 3: Fortifying the Foundation: Modern Data Governance & Architecture

    • CDAO Challenge: Evolve governance to a strategic enabler, modernize tech infrastructure. Actions include implementing a flexible governance model, investing in AI-ready architectures, and focusing on data quality/lineage.

    • Inherent CISO Link/Collaboration Point: Data governance and data security are two sides of the same coin. Modern architecture must be "secure by design," a core CISO principle.

  • Imperative 4: Cultivating an AI-Ready, Data-Literate Workforce & Culture

    • CDAO Challenge: Build AI fluency, retain talent, overcome cultural resistance. Actions include championing literacy programs, fostering a data-driven culture, and building balanced teams.

    • Inherent CISO Link/Collaboration Point: A data-literate workforce is more security-aware. The CISO's security awareness training can integrate with the CDAO's literacy efforts, especially for "AI hygiene."

  • Imperative 5: Leading Through Influence: Orchestrating Cross-Functional Transformation

    • CDAO Challenge: Navigate organizational complexity, align diverse executives/initiatives. Actions include establishing a compelling vision/strategy, fostering stakeholder relationships, and acting as a business leader.

    • Inherent CISO Link/Collaboration Point: Cybersecurity also relies on cross-functional collaboration and influence. Both need stakeholder skills to embed data-drivenness & security-mindedness organization-wide.

III. The CISO's Parallel Journey: Key Cybersecurity Challenges and Priorities (2025-2026)

To foster a truly effective partnership, it is essential for the CDAO to understand the landscape their CISO counterpart is navigating. The 2025-2026 timeframe presents CISOs with a distinct set of acute challenges and strategic priorities, many of which echo or directly intersect with the CDAO's agenda.

A dominant concern for CISOs is AI as a double-edged sword. While CISOs are exploring AI and machine learning to enhance threat detection, automate responses, and improve overall security posture, they are simultaneously confronting a surge in AI-enhanced cyberattacks.3 Adversaries are leveraging AI to create highly sophisticated and convincing phishing campaigns, generate deepfakes for social engineering, and develop automated attack tools that can adapt to defenses in real time.3 This creates an "AI cyber arms race" 16, where CISOs must continuously innovate to stay ahead. Securing the organization's own AI systems against manipulation, data poisoning, or unauthorized access is also a critical facet of this challenge.

The protection of critical infrastructure and the management of geopolitical threats remain high on the CISO's agenda. Nation-state actors are increasingly targeting essential services, and the current geopolitical climate contributes to a heightened risk of cyber warfare and espionage, potentially impacting supply chains and overall organizational stability.3 CISOs must ensure robust defenses for operational technology (OT) and industrial control systems (ICS), particularly in sectors like healthcare, finance, and energy.

Concurrently, CISOs are grappling with an expanding attack surface and escalating third-party risk. The proliferation of IoT devices, remote work environments, and complex digital ecosystems means more potential entry points for attackers. Managing vulnerabilities within the extended digital supply chain, including software vendors and service providers, is a significant challenge.3 The rapid growth in machine identities—non-human entities like applications, APIs, and automated tools that require authentication and authorization—adds another layer of complexity to identity and access management.17

Data security in a hybrid, multi-cloud world continues to be a major focus. As organizations increasingly rely on diverse cloud environments, CISOs face the challenge of ensuring consistent data protection, visibility, and control across these fragmented landscapes. There is a notable push towards consolidating security tools and adopting unified data security platforms to provide a more holistic view and enable AI-powered analysis across the entire attack surface, from code development to cloud deployments and security operations centers (SOCs).16

The burden of regulatory scrutiny and evolving compliance mandates is also intensifying for CISOs. A complex web of international, national, and industry-specific regulations governs data privacy, cybersecurity practices, and incident reporting.5 Emerging AI regulations, such as the EU AI Act, will add further compliance obligations. This environment is characterized by increased CISO accountability, with some regulations even hinting at personal liability for security failures.10

Finally, CISOs must maintain a forward-looking stance on securing emerging technologies. Quantum computing, while not an immediate widespread threat, poses a long-term risk to current cryptographic standards ("harvest now, decrypt later"), necessitating preparations for crypto-agility.15 The continued expansion of IoT and other interconnected technologies also requires proactive security strategies.

This challenging landscape is forcing a subtle but significant shift in the CISO's strategic focus. While prevention remains critical, there's a growing acknowledgment that breaches are, in many cases, inevitable.15 Consequently, CISOs are placing increased emphasis on building organizational cyber resilience, which encompasses robust incident response capabilities, rapid recovery mechanisms, and business continuity planning.15 This shift has direct implications for the CDAO. When a data breach or an AI-related security incident occurs, effective response and recovery depend heavily on a deep understanding of the affected data assets—their criticality, lineage, dependencies, and restoration requirements. Similarly, understanding the workings and potential vulnerabilities of AI models is crucial if they are compromised. Therefore, the CISO's drive for enhanced resilience inherently requires the CDAO's active involvement in planning for, and responding to, incidents that impact the organization's data and AI systems.

IV. Bridging the Divide: Identifying Critical Shared Concerns for the CDAO and CISO

While CDAOs and CISOs approach their roles from distinct perspectives, the evolving technological and threat landscapes reveal significant areas of overlapping responsibility and mutual interest. Identifying these critical shared concerns is the first step towards building a robust, collaborative partnership that benefits the entire organization.

1. AI Governance, Risk, and Compliance (GRC) as a Unified Mandate

The rapid proliferation of AI technologies presents both immense opportunities and substantial risks. A paramount shared challenge for CDAOs and CISOs is ensuring that AI is developed, deployed, and managed responsibly, ethically, securely, and in full compliance with a burgeoning array of regulations.13 This encompasses managing a spectrum of AI-specific risks, including algorithmic bias that can lead to unfair outcomes, model drift where performance degrades over time, adversarial attacks designed to manipulate AI behavior, and data privacy violations within AI systems. The safe and secure democratization of AI requires new levels of collaboration, explicitly including security functions.1

From the CDAO's perspective, the focus is on enabling AI innovation by ensuring high-quality data inputs, defining ethical guidelines for AI development and use, demonstrating the business value of AI initiatives, and fostering an AI-literate workforce. The CISO's perspective centers on securing AI models and the underlying infrastructure, preventing data leakage through AI tools (especially public LLMs), managing AI-specific vulnerabilities, and ensuring that AI systems meet all relevant security and compliance standards.

The collaboration imperative is clear: CDAO and CISO must jointly develop comprehensive AI policies, establish robust risk assessment frameworks tailored to AI, and implement mechanisms for ongoing compliance monitoring and auditing.13 This may involve creating a cross-functional AI Governance Committee with representation from legal, compliance, IT, engineering, data, and security.14 The lack of universally accepted, off-the-shelf standards for AI GRC means that CDAOs and CISOs often find themselves in a pioneering role, co-developing these frameworks from the ground up within their organizations. This is particularly true as AI, especially GenAI, is a relatively new and rapidly evolving domain 1, with regulatory landscapes still taking shape and varying significantly by jurisdiction.4 This pioneering effort necessitates a very tight feedback loop, shared learning, and an iterative approach to the development of AI GRC policies and controls. Such a deep collaboration is foundational to the company's entire AI posture and, if executed well, can position the organization as a leader in responsible AI adoption.

2. Data Security, Privacy, and Trust in the Age of Pervasive Analytics

Data is the lifeblood of modern organizations, fueling analytics, AI, and strategic decision-making. Protecting sensitive data from breaches, unauthorized access, and misuse, while simultaneously enabling its legitimate use, is a core shared challenge.4 This includes ensuring stringent compliance with data privacy regulations like GDPR and CCPA, and, critically, building and maintaining stakeholder trust in how the organization collects, manages, and utilizes data.4

The CDAO's focus is on ensuring data quality, availability, and accessibility for analytics and AI; managing data access controls from a business entitlement perspective; implementing appropriate data retention and disposition policies; and promoting the ethical use of data across the enterprise. The CISO's primary concern is the implementation of technical security controls to protect data at rest, in transit, and in use; managing identities and access from a security enforcement perspective; leading the response to data breaches; and ensuring appropriate data encryption, masking, and tokenization techniques are applied.

The collaboration imperative involves jointly defining data classification schemes to identify sensitive data, establishing granular access control policies that reflect both business need and the security principle of least privilege, and developing integrated incident response plans specifically for data breaches. The adoption of Privacy-Enhancing Technologies (PETs) should also be a joint consideration. A particularly salient area for collaboration arises from the business drive for hyper-personalization, often enabled by the CDAO and marketing teams. This practice, while potentially valuable, creates a direct tension with data privacy and security requirements.1 Hyper-personalization frequently involves the collection and analysis of granular, often sensitive, customer data, thereby increasing the risk of privacy violations if not meticulously managed and making the aggregated data a more attractive target for cyber adversaries. Strict regulations govern the use of such customer data.4 Achieving effective personalization (a CDAO/CMO goal) without breaching customer trust or regulatory mandates (a CISO/Legal goal) necessitates very close collaboration on data minimization principles, anonymization strategies, robust consent management mechanisms, and embedded security controls. A tripartite working group involving the CDAO, CISO, and Chief Marketing Officer (CMO) should be established to govern customer data usage, ensuring that personalization initiatives are designed with "Privacy by Design" and "Security by Design" from their inception.

3. Navigating the Evolving Regulatory and Compliance Landscape (Data & Cyber)

Organizations operate within an increasingly complex and dynamic regulatory environment. Keeping abreast of, and ensuring compliance with, a multifaceted array of regulations pertaining to data protection, cybersecurity, and now AI, is a significant shared burden for CDAOs and CISOs.4 This includes not only broad mandates but also numerous industry-specific compliance requirements.

The CDAO's perspective involves ensuring that all data handling practices, from collection to disposal, meet relevant regulatory standards; managing data sovereignty and cross-border data transfer issues; and preparing the organization for data-related audits and assessments. The CISO's perspective focuses on ensuring that technical security controls and processes meet cybersecurity regulations; managing mandatory incident reporting requirements; preparing for security audits and certifications; and dealing with potential technology bans or restrictions imposed for national security reasons.3

The collaboration imperative lies in the joint interpretation of new and evolving regulations, the development of unified compliance frameworks and control sets that address both data and security requirements efficiently, and coordinated responses to audits and regulatory inquiries. The increasing trend of regulators holding individual executives personally liable for significant breaches or non-compliance—a concern already prominent for CISOs 10 and potentially extending to CDAOs in the context of major data-related incidents—further elevates the need for a deeply shared understanding and meticulously documented joint effort in managing regulatory risks. Demonstrating "due care" through a robust, collaborative approach to compliance and risk management becomes a crucial element of executive responsibility and organizational defensibility. Therefore, CDAOs and CISOs should consider maintaining a joint compliance dashboard and regularly conduct tabletop exercises for various regulatory scenarios (e.g., responding to a major data breach disclosure requirement, addressing the discovery of significant bias in a critical AI system) to ensure preparedness, alignment, and meticulous documentation of these proactive efforts.

4. Managing Third-Party and Supply Chain Risks in Data Ecosystems

The modern enterprise does not operate in isolation. Data and security risks extend far beyond an organization's direct control, permeating complex ecosystems of vendors, partners, and data suppliers. A critical shared challenge is ensuring that these third parties adhere to the organization's stringent data handling and security standards.3 Data often flows through intricate supply chains, and increasingly, AI models or components may be sourced from external providers, each introducing potential vulnerabilities.

From the CDAO's perspective, this involves assessing the quality, reliability, and lineage of data obtained from third-party sources; ensuring that contractual agreements clearly define data usage rights and obligations; and managing the risks associated with deploying third-party AI models, including issues of bias, transparency, and intellectual property. The CISO's perspective is centered on assessing the overall security posture of vendors and partners; managing vulnerabilities introduced by third-party software, hardware, or services; ensuring secure data exchange protocols with external entities; and responding to incidents that originate within the supply chain.

The collaboration imperative calls for the establishment of joint vendor risk assessment programs that evaluate both data management practices and security controls of third parties. It also requires the development of standardized contractual clauses pertaining to data handling, security requirements, and breach notification, as well as shared monitoring mechanisms to ensure ongoing third-party compliance. The increasing reliance on cloud platforms and specialized Software-as-a-Service (SaaS) solutions for both data analytics (CDAO domain) and security operations (CISO domain) creates a significant shared dependency on a few critical "mega-vendors." This means both the CDAO and CISO have a common, vested interest in the security, resilience, and contractual accountability of these major platform providers. A significant outage or security breach at a key cloud provider could simultaneously cripple data operations and security monitoring capabilities, as illustrated by the widespread impact of incidents like the CrowdStrike software update issue.21 Consequently, CDAOs and CISOs should jointly participate in the due diligence, selection, and ongoing risk assessment of strategic cloud and SaaS vendors. Furthermore, they should collaborate on developing robust contingency plans for critical vendor failures that could impact both data availability and security operations.

5. Ensuring Resilience: Joint Preparedness for Data Breaches and AI Incidents

In an environment where cyber threats are constantly evolving and often successful, focusing solely on prevention is insufficient. Acknowledging that breaches are, in many cases, inevitable 15, a key shared challenge is to ensure organizational resilience: the ability to prepare for, respond to, and recover effectively from incidents that impact data assets or AI systems. This extends beyond mere technical recovery to include managing reputational damage, meeting regulatory obligations, and maintaining customer trust.

The CDAO's role in resilience involves identifying critical data assets and understanding their dependencies for business continuity; defining processes for restoring data integrity and accuracy post-incident; and assessing the impact of AI model compromise or failure on business operations. The CISO's role involves leading the technical incident response, including threat containment and eradication; restoring system security; conducting forensic analysis to understand the attack vector; and coordinating with law enforcement and regulatory bodies.

The collaboration imperative is to develop integrated incident response plans that clearly define roles, responsibilities, and communication protocols for both data-related breaches and AI-specific security incidents. Regular joint tabletop exercises and simulations are crucial to test these plans and build muscle memory. A shared understanding of data and AI system restoration priorities, aligned with business impact, is also essential. The concept of "cryptoagility"—preparing for a post-quantum computing world where current encryption standards may be broken 17—is primarily a CISO concern, but it has profound long-term implications for the CDAO. CISOs are beginning to plan for the transition to quantum-safe cryptography, which involves identifying all data, keys, and algorithms that will need updating. CDAOs, as custodians of the organization's data assets, including vast long-term archives that may contain highly sensitive historical information, must be involved. Data encrypted today with current algorithms could potentially be harvested by adversaries and decrypted years later by future quantum computers (the "harvest now, decrypt later" threat 16). Therefore, the CISO's cryptoagility strategy must incorporate the CDAO's input to identify and prioritize the protection of critical long-term data assets against these future quantum threats. This is a long-horizon shared concern that necessitates early and ongoing CDAO-CISO dialogue to ensure that data lifecycle management and archiving strategies align with future cryptographic requirements.
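The "harvest now, decrypt later" triage described above, as an added example that is not part of the original article: a small inventory model that flags data assets whose confidentiality must outlast an assumed quantum-capable date while any link in their protection chain (data cipher or key wrapping) is quantum-vulnerable or simply un-inventoried, and ranks them by sensitivity and years of remaining exposure. The CRQC year, the algorithm lists, the sensitivity weights and the sample inventory are all assumptions constructed for this example.

```python
"""HNDL exposure triage for a data-asset inventory (constructed example)."""
from dataclasses import dataclass
from typing import List, Tuple

# Planning assumption for this example: the year by which the organisation
# assumes a cryptographically relevant quantum computer (CRQC) may exist.
ASSUMED_CRQC_YEAR = 2035

# Public-key schemes based on factoring or discrete logs fall to Shor's
# algorithm; symmetric ciphers at 256-bit strength are treated as safe here.
# Both lists are illustrative, not an authoritative algorithm policy.
QUANTUM_VULNERABLE = {"RSA-2048", "RSA-3072", "RSA-4096", "ECDH-P256",
                      "ECDSA-P256", "X25519", "DH-2048"}
QUANTUM_SAFE = {"AES-256-GCM", "AES-256-XTS", "ML-KEM-768", "ML-KEM-1024"}

# Assumed weights: public data has no confidentiality horizon to protect.
SENSITIVITY_WEIGHT = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class DataAsset:
    name: str
    sensitivity: str        # key of SENSITIVITY_WEIGHT
    created: int            # year the oldest records were written
    retention_years: int    # how long the records must stay confidential
    data_encryption: str    # algorithm protecting the data at rest
    key_wrapping: str       # algorithm protecting the data-encryption key


def confidentiality_horizon(asset: DataAsset) -> int:
    """Last year in which the asset's contents must still be confidential."""
    return asset.created + asset.retention_years


def weak_links(asset: DataAsset) -> List[str]:
    """Links in the protection chain that cannot be relied on after a CRQC exists.

    An algorithm on neither list is reported as 'unknown' and treated as weak:
    an un-inventoried algorithm is exactly what a cryptoagility inventory must
    surface rather than silently pass.
    """
    links = []
    for role, alg in (("data", asset.data_encryption), ("key", asset.key_wrapping)):
        if alg in QUANTUM_VULNERABLE:
            links.append(f"{role}:{alg}")
        elif alg not in QUANTUM_SAFE:
            links.append(f"{role}:{alg} (unknown)")
    return links


def is_hndl_exposed(asset: DataAsset, crqc_year: int = ASSUMED_CRQC_YEAR) -> bool:
    """Exposed = worth keeping secret, must stay secret past the CRQC year,
    and at least one weak link an adversary could break by then."""
    return (SENSITIVITY_WEIGHT[asset.sensitivity] > 0
            and confidentiality_horizon(asset) > crqc_year
            and bool(weak_links(asset)))


def hndl_score(asset: DataAsset, crqc_year: int = ASSUMED_CRQC_YEAR) -> int:
    """Sensitivity weight times years the data stays secret beyond the CRQC year."""
    if not is_hndl_exposed(asset, crqc_year):
        return 0
    return SENSITIVITY_WEIGHT[asset.sensitivity] * (confidentiality_horizon(asset) - crqc_year)


def prioritise(inventory: List[DataAsset],
               crqc_year: int = ASSUMED_CRQC_YEAR) -> List[Tuple[str, int, List[str]]]:
    """Exposed assets, highest score first, each with the links that must be migrated."""
    ranked = [(a.name, hndl_score(a, crqc_year), weak_links(a))
              for a in inventory if is_hndl_exposed(a, crqc_year)]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


# Constructed sample inventory; names and values are illustrative only.
SAMPLE_INVENTORY = [
    DataAsset("customer-pii-archive", "restricted", 2018, 25, "AES-256-GCM", "RSA-2048"),
    DataAsset("marketing-clickstream", "internal", 2024, 3, "AES-256-GCM", "ECDH-P256"),
    DataAsset("hr-records", "confidential", 2010, 30, "AES-256-GCM", "ML-KEM-768"),
    DataAsset("legacy-backup-tapes", "restricted", 2005, 40, "Blowfish-CBC", "RSA-2048"),
    DataAsset("public-datasets", "public", 2020, 50, "AES-256-GCM", "RSA-2048"),
]

if __name__ == "__main__":
    for name, score, links in prioritise(SAMPLE_INVENTORY):
        print(f"{score:3d}  {name:24s} migrate: {', '.join(links)}")
```

Re-running `prioritise` with a different `crqc_year` shows how sensitive the migration order is to that single planning assumption, which is the number the CDAO and CISO should agree on together.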

Table 2 provides a matrix summarizing these shared concerns, the distinct perspectives of the CDAO and CISO, and the key opportunities for collaborative action.

This list summarizes the shared concerns and collaboration opportunities between a Chief Data and Analytics Officer (CDAO) and a Chief Information Security Officer (CISO).

  • Shared Concern 1: AI Governance, Risk, & Compliance (GRC)

    • CDAO Perspective/Impact: Enabling AI innovation, ensuring data quality for AI, defining ethical guidelines, demonstrating AI value.

    • CISO Perspective/Impact: Securing AI models/infrastructure, preventing data leakage via AI, managing AI vulnerabilities, ensuring AI compliance.

    • Key Collaboration Opportunity/Joint Initiative: Joint development of AI GRC policies, risk assessment frameworks, compliance monitoring; establish cross-functional AI Governance Committee.

  • Shared Concern 2: Data Security, Privacy, & Trust

    • CDAO Perspective/Impact: Ensuring data quality/availability, managing data access, implementing retention policies, promoting ethical data use.

    • CISO Perspective/Impact: Implementing technical security controls, managing identities/access, responding to breaches, ensuring encryption/masking.

    • Key Collaboration Opportunity/Joint Initiative: Joint data classification, access control policies, integrated incident response for data breaches; joint strategy for secure hyper-personalization with CMO.

  • Shared Concern 3: Evolving Regulatory & Compliance Landscape

    • CDAO Perspective/Impact: Ensuring data handling meets regulations, managing data sovereignty, preparing for data audits.

    • CISO Perspective/Impact: Ensuring security controls meet cyber regulations, managing incident reporting, preparing for security audits.

    • Key Collaboration Opportunity/Joint Initiative: Joint interpretation of new regulations, unified compliance frameworks, coordinated audit responses; joint compliance dashboard and regulatory scenario tabletop exercises.

  • Shared Concern 4: Managing Third-Party & Supply Chain Risks

    • CDAO Perspective/Impact: Assessing third-party data quality/lineage, ensuring data usage rights, managing risks of third-party AI models.

    • CISO Perspective/Impact: Assessing vendor security posture, managing third-party vulnerabilities, ensuring secure data exchange.

    • Key Collaboration Opportunity/Joint Initiative: Joint vendor risk assessment programs, standardized contractual clauses for data/security, shared monitoring; joint due diligence for critical cloud/SaaS vendors.

  • Shared Concern 5: Ensuring Resilience: Joint Preparedness for Incidents

    • CDAO Perspective/Impact: Identifying critical data, understanding data dependencies for BC/DR, restoring data integrity, assessing AI compromise impact.

    • CISO Perspective/Impact: Leading incident response, threat containment, system security restoration, forensic analysis.

    • Key Collaboration Opportunity/Joint Initiative: Integrated incident response plans, joint tabletop exercises, clear crisis communication protocols; joint planning for post-quantum data protection (cryptoagility alignment).

V. Operationalizing the Alliance: Frameworks for Effective CDAO-CISO Collaboration

Identifying shared concerns is crucial, but translating that understanding into effective, day-to-day collaboration requires deliberate frameworks and mechanisms. Operationalizing the CDAO-CISO alliance ensures that their combined expertise is consistently applied to mitigate risks and enable secure innovation.

1. Establishing Joint Governance Structures

Formalizing the partnership through joint governance structures provides a dedicated forum for strategic alignment, decision-making, and oversight.

  • Mechanism: One effective approach is the formation of a "Data Risk & Security Council" or an "AI Ethics & Security Board." Such a body could be co-chaired by the CDAO and CISO or include senior representatives from both offices, along with stakeholders from Legal, Compliance, IT, Engineering, and relevant business units.14 The Department of the Air Force, for example, has data and AI officers collaborating with CDAO staff on architecture and governance 22, illustrating a model of structured collaboration.

  • Mandate & Benefit: This council would be mandated to oversee data- and AI-related risks, review and approve relevant policies (e.g., AI usage, data handling), scrutinize high-impact data or AI projects for both value and risk, serve as an escalation point for resolving conflicts, and ensure consistent alignment between data/AI initiatives and overarching security and compliance requirements. The benefits include formalized and regular dialogue, clear accountability, a transparent decision-making process, and the promotion of shared responsibility for outcomes.

  • The effectiveness of such joint governance bodies, however, hinges critically on having clear charters that define their scope, responsibilities, and decision rights. Equally important is securing strong executive sponsorship—ideally from the CEO or another influential C-suite member—to empower these councils to not only make recommendations but also to ensure their decisions are implemented and enforced across the organization. Without this authority and backing, such committees risk becoming mere discussion forums with limited impact. Therefore, when establishing a Data Risk & Security Council, the CDAO and CISO must jointly advocate for this executive sponsorship and work with legal and HR departments to formalize the council's charter and its authority within the broader organizational governance structure.

2. Developing Integrated Risk Management Processes

Siloed risk management efforts can lead to blind spots and inefficiencies. Integrating data-related and security-related risk management processes provides a more holistic and effective approach.

  • Mechanism: This involves systematically incorporating data-specific risks—such as data quality issues, potential for algorithmic bias, ethical use concerns, and data privacy implications—into the CISO's existing enterprise risk management (ERM) framework. Conversely, security risks and requirements must be embedded into the CDAO's project lifecycle for all new data platforms, analytics solutions, and AI model development.13 Conducting joint risk assessments for new data sources, analytics platforms, third-party data providers, and AI models should become standard practice.14

  • Benefit: An integrated approach provides a comprehensive, 360-degree view of risks associated with data and AI initiatives. It prevents the dangerous siloing of risk management, where data teams might overlook security implications or security teams might not fully grasp the nuances of data-specific risks. This ensures that both the opportunities presented by data/AI and their inherent security implications are considered concurrently from the outset.

  • A significant enhancement to integrated risk management is the development of a shared risk lexicon and a unified risk register, co-managed by the CDAO and CISO teams, specifically for data, AI, and related security risks. Often, data risks and security risks are tracked in separate systems using different terminologies and rating scales. This fragmentation can lead to confusion and a disjointed narrative when reporting to the board, auditors, or regulators, who require a consolidated view of organizational risk. A unified register, underpinned by a common language for defining and assessing these intertwined risks, allows for a more coherent, comprehensive, and credible risk picture to be presented to all stakeholders. This requires an upfront investment of time from both teams to harmonize their understanding of risk terminology and collaboratively design the relevant sections of the enterprise risk register, ensuring consistent assessment methodologies and reporting formats.

3. Creating Shared Roadmaps for Technology, Data, and Security

Aligning strategic planning cycles and developing shared roadmaps can prevent conflicts, optimize resource allocation, and ensure that security is an integral part of data initiatives from inception.

  • Mechanism: This involves CDAO and CISO teams participating in joint planning sessions to align their respective roadmaps for technology acquisition, data infrastructure development (e.g., data lakes, AI platforms), and the implementation of security controls and architectures. For instance, when the CDAO's office plans the deployment of a new enterprise data platform, the CISO's team should be involved from day one to define security requirements, data protection measures, and access control strategies, ensuring these are "baked in" rather than "bolted on" later. A real-world example of CIO-CISO alignment demonstrated that this early integration led to faster implementation of projects with security built in along the way.23

  • Benefit: This proactive collaboration prevents the costly and often disruptive process of retrofitting security measures onto already developed systems. It ensures that new data initiatives are "secure by design" and "privacy by design." Furthermore, it helps optimize resource allocation by identifying opportunities for shared technology investments or by avoiding redundant or conflicting technology choices.

  • The prevailing trend towards "platformization" in both the security domain 16 and, increasingly, in data and analytics presents a unique opportunity for such shared roadmapping. CISOs are often looking to consolidate their security tools into integrated platforms for better visibility and efficiency. Simultaneously, CDAOs are building out enterprise data platforms to support diverse analytical and AI workloads. There's a natural overlap in the data requirements of these platforms: security operations need access to vast amounts of activity logs, system telemetry, and network data (often residing in or flowing through the CDAO's data platforms) for effective threat detection, investigation, and response. If data platforms and security platforms are selected and implemented in silos, integrating them to share this critical data can be complex, expensive, and slow. By jointly evaluating and selecting foundational platforms that can efficiently serve both advanced analytics/AI needs and security data requirements (e.g., a unified data lake architected to securely feed both analytics models and security information and event management (SIEM) systems), the CDAO and CISO can achieve significant synergies, cost efficiencies, and richer insights for both functions. This might involve establishing a joint architectural review board or process for all major platform decisions.

4. Fostering a Culture of Shared Responsibility and Continuous Communication

Effective collaboration is built on a foundation of trust, mutual understanding, and open communication, extending beyond formal meetings to permeate the daily operations of both teams.

  • Mechanism: Implementing regular, structured communication channels, such as bi-weekly CDAO-CISO synchronization meetings to discuss ongoing projects, emerging risks, and strategic priorities, is essential.23 Assigning individuals from each team to work collaboratively on key cross-functional projects can break down silos and build rapport. Jointly sponsored awareness campaigns, such as a "Secure and Ethical Data Handling Week," can reinforce key messages across the organization. Furthermore, embedding "security champions" within data and analytics teams, and "data stewards" or liaisons within the security team, can facilitate ongoing dialogue and ensure that perspectives from both domains are considered in operational decision-making.

  • Benefit: These practices build trust and mutual respect between the CDAO and CISO and their respective teams. They break down organizational silos, promote the proactive identification and resolution of issues, and reinforce the critical message that data enablement and security are not conflicting goals but shared responsibilities vital for the organization's success.

  • Beyond these formal mechanisms, fostering informal channels for communication and knowledge sharing can significantly accelerate the development of a truly collaborative mindset. Shared communication platforms (e.g., dedicated Slack or Microsoft Teams channels for CDAO-CISO team members), joint brown-bag lunch sessions to discuss emerging technologies or evolving threat landscapes, or even cross-functional social or learning events can play a vital role. These informal interactions allow for quicker problem-solving for day-to-day issues, facilitate ad-hoc brainstorming, and provide a richer understanding of each other's operational challenges, priorities, and perspectives. Such interactions often foster a sense of "one team" more effectively than formal structures alone, building the personal relationships that are frequently the bedrock of strong professional collaboration. The CDAO and CISO should actively encourage their teams to establish and utilize these informal channels.

  • Collaboration Pillar 1: Joint Governance

    • CDAO Key Responsibilities/Contributions: Define data value & use cases, advocate for data-driven approaches, ensure ethical data handling, represent business needs for data.

    • CISO Key Responsibilities/Contributions: Define security requirements, assess cyber risks, ensure compliance with security standards, represent security needs for data protection.

    • Example Joint Initiative/Mechanism: Data Risk & Security Council (co-chaired/represented); Joint AI Ethics & Security Board; Formalized charters & executive sponsorship.

    • Desired Outcome: Aligned policies, clear accountability, transparent decision-making, reduced conflict, proactive risk management.

  • Collaboration Pillar 2: Integrated Risk Management

    • CDAO Key Responsibilities/Contributions: Identify data-specific risks (quality, bias, privacy), embed risk assessment in data project lifecycle, ensure data for risk modeling.

    • CISO Key Responsibilities/Contributions: Integrate data risks into ERM, embed security risk assessment in data projects, define security controls for data assets.

    • Example Joint Initiative/Mechanism: Joint AI/Data Risk Assessment Protocol; Unified Data & AI Risk Register; Security embedded in CDAO project lifecycle & vice-versa.

    • Desired Outcome: Holistic risk view, prevention of risk silos, concurrent consideration of data opportunities & security threats.

  • Collaboration Pillar 3: Shared Roadmaps

    • CDAO Key Responsibilities/Contributions: Plan data infrastructure & platforms, identify data needs for business strategy, champion data-driven innovation.

    • CISO Key Responsibilities/Contributions: Plan security architecture & tools, identify security needs for data platforms, champion "secure by design" principles.

    • Example Joint Initiative/Mechanism: Joint Technology & Platform Planning Sessions; Co-developed Data & Security Architecture Blueprints; Joint Architectural Review Board for major platforms.

    • Desired Outcome: Prevention of costly security retrofitting, optimized resource allocation, "secure by design" data initiatives.

  • Collaboration Pillar 4: Culture & Communication

    • CDAO Key Responsibilities/Contributions: Promote data literacy & ethical data use, champion data sharing & collaboration, provide data context to security team.

    • CISO Key Responsibilities/Contributions: Promote security awareness & cyber hygiene, champion secure practices, provide security context to data team.

    • Example Joint Initiative/Mechanism: Regular CDAO-CISO Sync Meetings; Cross-functional Project Teams; Joint Awareness Campaigns; Security Champions in Data Teams & Data Stewards in Security Teams.

    • Desired Outcome: Increased trust & mutual understanding, breakdown of silos, proactive issue resolution, shared responsibility.

VI. Forging a Unified Front: Crafting a Cross-Functional Data & Security Strategy

A truly effective CDAO-CISO partnership culminates in a unified, cross-functional strategy that seamlessly integrates data and analytics ambitions with robust security and risk management. This joint strategy becomes the blueprint for how the organization will leverage data as a strategic asset, securely and responsibly.

1. Aligning with Business Objectives: The North Star for Joint Initiatives

The foundational principle for any successful joint CDAO-CISO strategy is its unwavering alignment with the overarching business objectives of the enterprise. Data, AI, and cybersecurity initiatives should not exist in a vacuum; they must directly support and enable the organization's key strategic goals, whether those involve market expansion, enhancing operational efficiency, driving product innovation, or building unbreakable customer trust.1 CDAOs are explicitly tasked with aligning D&A initiatives to business strategy 1, and effective CISOs frame security projects in a way that clearly supports organizational goals.25

The CDAO and CISO must therefore collaboratively map their respective strategic priorities to the enterprise's core objectives. This process involves identifying areas where joint efforts can create amplified business value (e.g., enabling a new digital product through secure data sharing) or mitigate critical business risks (e.g., protecting customer data to maintain brand reputation and avoid regulatory penalties). This business-first approach ensures that the joint strategy is relevant, impactful, and perceived by other C-suite executives as a direct contributor to organizational success. When data/AI strategies and security strategies are independently aligned to business objectives but not explicitly to each other, they can inadvertently create conflicting priorities or resource contention. For instance, a CDAO might prioritize rapid deployment of a new customer analytics platform to support an urgent marketing campaign (business goal A), while a CISO, focused on achieving a new compliance certification (business goal B), might advocate for stricter data access controls that could slow the CDAO's initiative. While both business goals are valid, the uncoordinated pursuit can lead to friction. A jointly business-aligned strategy, however, considers both goals A and B simultaneously, facilitating a balanced approach where data is used innovatively and securely. This requires the CDAO and CISO to participate in each other's strategic planning sessions and then hold dedicated joint sessions to explicitly deconflict potential issues and identify synergies, ensuring their combined efforts optimally support the full spectrum of enterprise goals.

2. Key Components of a Joint CDAO-CISO Strategic Plan

A well-defined joint strategic plan provides clarity, direction, and a framework for accountability. Key components should include:

  • Shared Vision & Mission: A concise, compelling statement articulating the joint commitment of the CDAO and CISO functions to enabling secure, trusted, data-driven innovation and decision-making across the enterprise. For example, the Department of the Air Force established a clear vision, mission, and goals for Data and AI, ensuring alignment with overall strategy.22

  • Joint Goals & Objectives: Specific, measurable, achievable, relevant, and time-bound (SMART) goals that reflect shared priorities. Examples could include: "Reduce data-related security incidents by 20% by year-end 2026," "Achieve 100% compliance for all critical AI systems with new AI regulations within 12 months of their enactment," or "Improve the efficiency of secure data onboarding for new analytics projects by 30% within 18 months."

  • Priority Initiatives: A clearly defined list of key projects and programs that will be co-sponsored, co-managed, or significantly contributed to by both CDAO and CISO teams. A comprehensive AI policy framework, for instance, should define governance structures, outline AI use cases, and set clear accountability—elements that can be adapted for a broader joint strategy.13

  • Resource Allocation: Agreements on how budgetary resources and personnel (including specialized skills) will be shared, dedicated, or jointly managed for the prioritized initiatives.

  • Governance & Oversight: A clear reference to the established joint governance structures (as detailed in Section V), outlining how the strategy will be monitored, how decisions will be made, and how performance will be reviewed.

  • Metrics & Reporting: Defined Key Performance Indicators (KPIs) that will be used to measure the success of the joint strategy and the effectiveness of the CDAO-CISO partnership (further detailed below).

The joint strategic plan should explicitly address how the CDAO-CISO partnership will support the organization's innovation agenda while maintaining an acceptable and well-understood risk posture. This reframes the collaboration as an enabler of progress, not an inhibitor. Businesses must innovate to remain competitive, often by leveraging data and AI. This innovation inherently involves taking calculated risks. Security is sometimes perceived as a barrier to rapid innovation, a perception that a proactive CISO, in partnership with the CDAO, can effectively counter. A joint strategy that clearly articulates how robust security and thoughtful data governance will enable safe and accelerated innovation—for example, by providing secure "sandboxes" for AI experimentation, by streamlining security reviews for data projects that meet predefined risk criteria, or by offering pre-approved secure data analytics toolsets—changes this narrative. This requires the CDAO and CISO to work closely with innovation teams and business units to understand their needs and proactively design security frameworks and data governance processes that support agility and experimentation within clearly defined risk boundaries.

3. Prioritizing Initiatives for Maximum Impact and Shared Wins

With limited resources and numerous potential areas for collaboration, effective prioritization is key. A structured approach ensures that joint CDAO-CISO efforts are focused on initiatives that deliver the greatest value and contribute most significantly to strategic objectives. Criteria for prioritization, adapted from best practices in D&A strategy 7, should include:

  • Business Impact: How much direct business value (e.g., revenue generation, cost savings, efficiency gains) or critical risk reduction (e.g., prevention of fines, reputational damage, operational disruption) will the initiative generate?

  • Stakeholder Commitment: Is there strong buy-in and active support from relevant business unit leaders and other C-suite executives? Highly committed stakeholders can significantly improve the chances of success.

  • Leverage & Scalability: Will the successful execution of this initiative provide a foundation or create momentum for other important joint initiatives? For example, a successful pilot of a joint AI governance framework can then be scaled across the enterprise.

  • Feasibility: Are the necessary resources (budget, personnel, technology) and capabilities realistically available or attainable within the required timeframe?

  • Urgency: Is there a pressing compliance deadline, an immediate and significant threat to address, or a critical window of market opportunity that the initiative targets?

Using a scoring matrix based on these criteria can help the CDAO and CISO objectively evaluate and rank potential joint projects. It is also advisable to focus on achieving some "quick wins"—initiatives that are relatively easy to implement but deliver visible benefits—early in the partnership. These early successes can build momentum, demonstrate the tangible value of the CDAO-CISO collaboration, and garner broader organizational support for more complex, longer-term initiatives. Initiatives that simultaneously address a significant CDAO pain point (e.g., improving data quality for critical AI models 1) and a pressing CISO pain point (e.g., better identifying and protecting sensitive data across the enterprise) are ideal candidates for such "shared wins." For example, a project to implement advanced AI-powered data discovery and classification tools would directly help the CDAO by providing cleaner, better-understood data for AI development. Simultaneously, it would provide the CISO with a more accurate and comprehensive inventory of sensitive data, enabling more targeted and effective security controls. Such initiatives, offering clear mutual benefits, are easier to justify, gain cross-functional support for, and use to showcase the power of the CDAO-CISO alliance.

4. Measuring Success: Joint KPIs and Value Metrics

"What gets measured gets managed." To demonstrate the effectiveness of the joint strategy and the CDAO-CISO partnership, it is essential to define and track a set of shared Key Performance Indicators (KPIs) and value metrics. These metrics should reflect the goals of the collaboration and provide tangible evidence of its impact. Examples of joint KPIs could include:

  • Risk Reduction:

      • Year-over-year reduction in the number and severity of data breaches or security incidents involving sensitive data.

      • Decrease in findings from internal and external audits related to data governance and cybersecurity controls.

      • Reduction in the time taken to detect and respond to security incidents involving data assets.

  • Enablement & Efficiency:

      • Reduction in the average time to securely deploy new data services or AI applications.

      • Increased user adoption rates of centrally managed, secure data sharing platforms or AI tools.

      • Percentage of critical AI systems reviewed and validated against agreed-upon ethical and security standards prior to deployment.

      • Joint cost savings achieved through the consolidation of data/security tools or the streamlining of overlapping processes.

  • Compliance & Trust:

      • Improvement in compliance scores against key data protection and cybersecurity regulations.

      • Positive trends in stakeholder satisfaction scores (from business units) regarding the accessibility, usability, and security of data and analytics capabilities.

      • Reduction in data subject access requests or privacy-related complaints.

CDAOs are already encouraged to consider developing metrics like a standard data value index [4] and to measure business outcomes such as revenue growth, cost savings, and risk mitigation [7]. These can be expanded to encompass joint CDAO-CISO metrics. It is crucial to establish a baseline for these KPIs at the outset of the joint strategy and then regularly track progress, reporting jointly to executive leadership and the board. This joint reporting reinforces the shared accountability and the integrated nature of the data and security functions. Furthermore, the joint KPIs should ideally include a mix of both "lagging indicators" (which measure past outcomes, like the number of breaches) and "leading indicators" (which measure activities or conditions expected to influence future success, like the percentage of employees who have completed mandatory AI hygiene training, or the number of new data projects undergoing a joint security and data governance review early in their lifecycle). Leading indicators are more proactive and can provide early warnings if the joint strategy is not on track, allowing for timely corrective actions before negative outcomes materialize in lagging indicators. A balanced scorecard of joint KPIs provides a more comprehensive, forward-looking, and actionable view of the CDAO-CISO partnership's effectiveness and its contribution to the organization's overall success.

VII. Articulating Joint Value: Communicating the CDAO-CISO Partnership to the C-Suite and Board

Even the most robust CDAO-CISO partnership and well-crafted joint strategy will fall short if its value is not effectively communicated to and understood by key stakeholders, particularly the C-suite and the Board of Directors. Articulating this joint value requires a deliberate and strategic approach to communication.

1. Building a Compelling Narrative of Shared Purpose and Reduced Risk

The CDAO-CISO partnership should be framed not as an additional cost center or a bureaucratic impediment, but as a strategic enabler of core business objectives and a critical component of organizational resilience [9]. The narrative must emphasize how this collaboration accelerates secure innovation, builds and maintains customer trust (a key competitive differentiator), and enhances the organization's ability to navigate an increasingly complex risk landscape. When CISOs find new ways to convey the ROI of security initiatives to their boards [9], and when security projects are aligned with the organization's overarching goals [25], they garner greater support. This principle applies equally, if not more so, to joint CDAO-CISO endeavors.

The language used in these communications is paramount. Technical jargon must be avoided in favor of clear, concise business terms that resonate with a non-technical executive audience [10]. Focus should be on tangible outcomes such as "enhanced competitive advantage through the deployment of trusted AI systems," "reduced financial and reputational impact from cyber incidents due to integrated data protection," or "accelerated time-to-market for new data-driven products via secure-by-design development processes." Linking cyber risks directly to potential financial consequences is a particularly effective way to capture executive attention and underscore the value of proactive, collaborative risk mitigation [10]. Storytelling can be a powerful tool in this context. Rather than relying solely on metrics and dashboards, which can be overwhelming, CDAOs and CISOs should use real-world examples or carefully anonymized near-misses from within the organization to illustrate the impact of their collaboration. For instance, a narrative detailing how a joint CDAO-CISO review of a prospective AI vendor prevented the adoption of a tool with significant security flaws and the potential for massive data leakage is far more compelling and memorable than simply reporting "X number of vendor risk assessments completed." As noted in discussions among CIOs and CISOs, leadership needs to "tell a story that resonates with them, not explain a security framework" [27]. Actively collecting and curating these success stories (and equally valuable lessons learned from challenges) related to their collaborative efforts can provide powerful, relatable evidence of the partnership's tangible benefits when communicating with senior leadership.

2. Demonstrating Due Care and Strategic Alignment

Executive leadership and the Board have a fiduciary responsibility to ensure the organization is managed prudently. Proactively communicating how the joint CDAO-CISO strategy addresses key regulatory requirements, aligns with industry best practices, and reflects the organization's specific risk appetite is crucial for demonstrating responsible stewardship and "due care" [10]. As one executive shared, "We can demonstrate a standard of due care, meaning that someone in your similar situation would make the same decision" [27]. This approach not only builds confidence among stakeholders that data and security risks are being managed professionally and strategically but also provides a defensible position for leadership.

Embedding regulatory compliance into strategic plans is essential for organizations aiming to drive growth while reducing risk [10]. This ensures that the organization stays aligned with evolving cyber and data regulations, fostering an environment that supports sustainable growth. The CDAO and CISO should jointly present how their integrated approach to data governance, AI ethics, and cybersecurity directly supports these compliance efforts and contributes to a culture of proactive risk management. One way to reinforce this message and validate the internal strategy is by occasionally inviting external experts—such as respected industry analysts, or peer CISOs and CDAOs from other well-regarded organizations who have successfully implemented similar collaborative models—to speak to the Board or C-suite [27]. Hearing from an objective third party about the critical importance and emerging best practices of CDAO-CISO collaboration can provide powerful validation for the organization's own approach and underscore its strategic necessity. This external perspective can be highly persuasive to board members and senior executives, lending further credibility to the CDAO's and CISO's joint efforts.

3. Translating Technical Imperatives into Business Outcomes

When discussing the need for investments in data governance tools, advanced security platforms, AI infrastructure, or specialized talent, it is imperative to consistently and clearly link these technical requirements back to specific, measurable business benefits [7]. Instead of focusing on the features of a new technology, the conversation should center on how that technology enables business outcomes. For example: "This proposed investment in an AI-powered data discovery and classification platform will reduce our data compliance risk exposure by an estimated X%, potentially saving $Y million in avoided fines and associated recovery costs over the next three years. Furthermore, it will enable our marketing team to launch new personalized product offerings Z months faster by providing them with trusted, compliant data more rapidly." This approach directly connects technical needs to the C-suite's focus on revenue generation, cost savings, and risk mitigation [7].

Using well-designed dashboards and reports that visually demonstrate the connection between joint CDAO-CISO activities and key business performance indicators can be highly effective. These visuals should quantify cyber risk using metrics familiar to the board [10] and translate technical details into business terms that convey potential impact and the value of security and data investments [26]. To ensure this message permeates the organization beyond just the C-suite and Board, the CDAO and CISO should consider regular, proactive "roadshow" presentations to different business units. Many data and security initiatives require buy-in, cooperation, and behavioral changes from operational teams across the enterprise. These teams may not always fully understand the "why" behind new data policies or security controls. Targeted communication that explains the joint data and security strategy and its specific benefits to those business units can foster greater understanding, reduce resistance, and encourage partnership at the operational level. This involves developing a joint communication plan that includes tailored outreach to key business unit leaders and their teams, clarifying how the data and security strategy supports their unique objectives and how they can contribute to its success.

VIII. Conclusion: Seizing the Future Through CDAO-CISO Strategic Partnership

The strategic landscape of 2025-2026 is unequivocally clear: the escalating complexities and opportunities presented by data and AI, coupled with a dynamic and increasingly sophisticated threat environment, demand a fundamental shift in how organizations approach data management and cybersecurity. Siloed operations and reactive postures are no longer viable. The future belongs to enterprises that can forge deep, strategic partnerships between their Chief Data and Analytics Officers and Chief Information Security Officers. This collaboration is not merely an operational improvement; it is a strategic imperative for survival, growth, and sustained competitive advantage. CDAOs are uniquely positioned, due to their cross-organizational exposure and data expertise, to help lead, guide, and challenge their organizations to successfully deliver value from AI [12], and a key part of this leadership involves brokering essential connections, with the CISO partnership being paramount [1].

The journey outlined in this report—from understanding individual CDAO and CISO priorities, to identifying critical shared concerns in areas like AI governance, data security, regulatory compliance, third-party risk, and resilience, to operationalizing the alliance through joint governance and integrated processes, and finally to crafting and communicating a unified strategy—provides a blueprint for this essential transformation. An effective CDAO-CISO collaboration is essential for a strong cybersecurity strategy and for the overall health of data-driven initiatives [24].

The vision for an organization where this partnership thrives is one of agility, innovation, resilience, and deeply embedded trust. It is an enterprise where data is leveraged to its fullest strategic potential, powering insights and AI-driven solutions, all within a framework of robust security and ethical stewardship. New products and services are brought to market faster and more securely. Customer confidence is high, built on the assurance that their data is protected and used responsibly. Regulatory complexities are navigated with foresight and efficiency. And the organization as a whole is better equipped to anticipate, withstand, and recover from the inevitable disruptions of the digital age.

The call to action for every CDAO is to proactively initiate, strengthen, or redefine their strategic alliance with their CISO counterpart. The insights and frameworks presented herein offer a guide for this crucial endeavor. This is not simply about mitigating risk or ensuring compliance; it is about unlocking new levels of business value, fostering a culture of secure innovation, and building a lasting competitive differentiation in an increasingly data-centric and interconnected world. The CDAO-CISO partnership, when cultivated with strategic intent and mutual respect, can become a powerful engine for organizational transformation. Moreover, the success of this particular alliance—navigating the fundamental tension between innovation and control—can serve as a compelling model for other C-suite collaborations, such as between the CDAO and CMO or the CISO and CHRO. By championing and demonstrating the power of such integrated leadership, the CDAO and CISO can elevate their strategic importance beyond their immediate functional domains, fostering a more cohesive, agile, and strategically aligned leadership team across the entire enterprise. The time to build this bridge is now.

Works cited

  1. 3 Trends Driving CDAO Strategy in 2025 | Gartner, accessed May 18, 2025, https://www.gartner.com/en/articles/2025-trends-for-cdaos

  2. The Gartner Predictions for 2024 Data & Analytics | PDF - Scribd, accessed May 18, 2025, https://www.scribd.com/document/836417909/The-Gartner-Predictions-for-2024-Data-Analytics

  3. 5 Cybersecurity Trends for 2025: What to Prepare For - Bitsight, accessed May 18, 2025, https://www.bitsight.com/blog/5-cybersecurity-trends-2025-preparing-year-elevated-risk-and-accountability

  4. www2.deloitte.com, accessed May 18, 2025, https://www2.deloitte.com/content/dam/Deloitte/us/Documents/Deloitte-CDAO-Program-Top-10-Priorities-2025.pdf

  5. 2025 Cybersecurity Predictions: Not Getting Easier, but there Is Hope, accessed May 18, 2025, https://www.secureworld.io/industry-news/cybersecurity-predictions-for-2025

  6. The Chief Data Officer Role: What's Next - MIT Sloan Management Review, accessed May 18, 2025, https://sloanreview.mit.edu/article/the-chief-data-officer-role-whats-next/

  7. Essentials for Your First 100 Days as a Chief Data and Analytics Officer (CDAO) - Gartner, accessed May 18, 2025, https://www.gartner.com/en/data-analytics/insights/new-to-role-cdao

  8. 2025 New York CDAO Community Executive Summit - Evanta, accessed May 18, 2025, https://www.evanta.com/cdao/new-york/new-york-cdao-executive-summit-7464

  9. CISOs are gaining more influence in the boardroom, and it's about time - ITPro, accessed May 18, 2025, https://www.itpro.com/security/CISO-boardroom-influence-growing

  10. Why CISOs and Boards Must Speak the Same Language on Cybersecurity, accessed May 18, 2025, https://www.corporatecomplianceinsights.com/cisos-boards-speak-same-language-cybersecurity/

  11. Overcoming GenAI Challenges: Key Insights for CDOs in 2025 ..., accessed May 18, 2025, https://www.informatica.com/lp/cdo-insights-2025_5039.html.html

  12. Gartner: Why CDAOs are now Leading Enterprise AI Strategy | AI Magazine, accessed May 18, 2025, https://aimagazine.com/articles/gartner-why-cdaos-take-centre-stage-as-ai-strategy-leaders

  13. Building a Strong AI Governance, Risk, and Compliance (GRC) Program: A CIO-CISO Collaboration Guide, accessed May 18, 2025, https://www.theciomagazine.com/building-a-strong-ai-governance-risk-and-compliance-grc-program-a-cio-ciso-collaboration-guide/

  14. The 2025 CISOs' Guide to AI Governance, accessed May 18, 2025, https://www.trustcloud.ai/the-cisos-guide-to-ai-governance/

  15. Developing a Cyber Strategy and the Seven Pillars of Cyber Resilience - ISACA, accessed May 18, 2025, https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2025/developing-a-cyber-strategy-and-the-seven-pillars-of-cyber-resilience

  16. 2025 Cybersecurity Predictions - Palo Alto Networks, accessed May 18, 2025, https://www.paloaltonetworks.com/why-paloaltonetworks/cyber-predictions

  17. Top Recommendations For CISOs In 2025: Deal With Uncertainty ..., accessed May 18, 2025, https://www.forrester.com/blogs/top-recommendations-for-cisos-in-2025-deal-with-uncertainty-again/

  18. FY2025-2026 CISA International Strategic Plan, accessed May 18, 2025, https://www.cisa.gov/2025-2026-cisa-international-strategic-plan

  19. 2025 UK & Ireland CISO Community Executive Summit - Evanta, accessed May 18, 2025, https://www.evanta.com/ciso/uk/uk-ireland-ciso-executive-summit-7512

  20. 2025 tech trends report - 18TH EDITION - Future Today Institute, accessed May 18, 2025, https://ftsg.com/wp-content/uploads/2025/03/FTSG_2025_TR_FINAL_LINKED.pdf

  21. JCDC Success Stories - CISA, accessed May 18, 2025, https://www.cisa.gov/topics/partnerships-and-collaboration/joint-cyber-defense-collaborative/jcdc-success-stories

  22. ACCELERATE CLOUD ADOPTION CHAMPION: Mr. Heitmann LINE OF EFFORT #2 - SAF/CN, accessed May 18, 2025, https://www.dafcio.af.mil/Portals/64/Documents/Strategy/DAFCIOLOEObjectives2025.pdf

  23. CIO-CISO Strategic Alignment Creates Organizational Stability - Gartner, accessed May 18, 2025, https://www.gartner.com/en/information-technology/customer-success-stories/cio-ciso-strategic-alignment-creates-organizational-stability

  24. Strategies for CIOs and CISOs to Work Together Effectively | Zluri, accessed May 18, 2025, https://www.zluri.com/blog/cio-ciso-collaboration

  25. CISO's Strategy to Effectively Communicate with the Board | CISOSHARE, accessed May 18, 2025, https://cisoshare.com/blog/ciso-communication-strategy/

  26. A CISO's Guide to Communicating Cyber Risk to Business Leaders - GDT, accessed May 18, 2025, https://gdt.com/blog/chief-information-security-officers-cisos-and-communicating-risk-to-business-leaders/

  27. Treating Cybersecurity as a Business Investment - Evanta, accessed May 18, 2025, https://www.evanta.com/resources/cxo/townhall-insights/denver-cio-ciso-town-hall-insights-october-2024
