Journal Entry N° 004 · 17 December 2025 · 4 min read

Field note · Zürich.

On spending two days in a room with an incoming CIO.

Tags: leadership, boards

Lesson one: Build the budget case with the CFO before the numbers harden. The session made one point clear: a bigger budget does not automatically create stronger resilience. The real constraint is execution capacity. Money can move faster than people, skills, processes, and controls can absorb it. For a new CIO, the first move with the CFO is to replace the search for one perfect cyber ROI figure with a disciplined investment method.

That means separating baseline hygiene, regulatory compliance, and risk-driven investments. Use ranges rather than false precision. Use scenarios rather than slogans. Show total cost of ownership, risk reduction, maturity, technical fit, and operational capacity together. The CFO should be invited to sponsor the method, not just approve the spend. The CIO’s role is to industrialise the method so cyber funding becomes a repeatable management process rather than an annual negotiation.

Lesson two: Treat the CISO relationship as an execution partnership, not a reporting line. The session showed that many organisations know what good security looks like but fail to turn policy into verified control. That is the knowing-doing gap. For a new CIO, the partnership with the CISO must focus on evidence, validation, and delivery discipline.

Tool sprawl, legacy systems, fragmented suppliers, and unmanaged data all sit in the shared territory between IT and security. Rationalising the security toolkit is not only a CISO concern. It is also a reliability, architecture, and balance-sheet issue. Consolidation should reduce duplication, but it must not become cost-shifting. Legacy modernisation, identity, data governance, retention, and continuous verification must be treated as one operating agenda. The CISO can define the risk logic. The CIO must make it executable at scale.

Lesson three: Give the CEO a resilience agenda, not a technology agenda. The CEO needs to see cyber, data, and talent as constraints on strategy execution. The session made clear that AI-driven social engineering, data gravity, regulation, and talent scarcity are not isolated problems. Together, they define what the organisation can safely attempt.

For a new CIO, the CEO conversation should centre on choices. Which risks are strategic? Which capabilities must be built internally? Where should partners extend scarce expertise? Which data should be retained, reduced, or deleted? A strong data-diet principle (as little as possible, as much as necessary) lowers both cost and exposure. A deliberate talent and partner strategy expands delivery capacity. The CIO’s task is to turn resilience into a board-level operating rhythm that supports growth without pretending capacity is unlimited.

https://www.antwerpmanagementschool.be/en/blog/what-boards-are-asking-the-cio-cfo-and-ciso-response-for-2026

https://www.antwerpmanagementschool.be/en/blog/hoezo-blijft-it-kennis-een-blinde-vlek-in-raden-van-bestuur