There is no Perfect IT Org Chart, But There is a Better Way to Reduce Friction

Craig Poley, CIO, City of Arvada

As government CIOs, we often get asked a deceptively simple question: What is the ideal organizational structure for IT? The truth is, there is no universal ‘right’ answer. Our environments are shaped by public accountability, regulatory constraints, aging infrastructure, budget realities and 24/7 service expectations that don’t pause for org chart redesigns.

Yet even without a perfect model, there are predictable friction points that many of us encounter. One of the most common (and most disruptive) often shows up between infrastructure teams (particularly networking) and cybersecurity.

If you’ve felt this tension, you’re not alone.

Why This Conflict Is So Common

On paper, infrastructure and cybersecurity should be natural partners. In practice, they often operate with competing success metrics:

• Infrastructure teams are measured on uptime, reliability, performance and speed of delivery.

• Cybersecurity teams are measured on risk reduction, control enforcement, compliance and audit defensibility.

Both perspectives are valid. But when decision rights and accountability aren’t explicitly defined, teams can drift into turf protection, second-guessing or last-minute vetoes. Over time, this erodes trust and slows progress.

The root cause is rarely personality. It’s almost always governance clarity.

The Org Chart Matters Less Than Decision Rights

Many IT leaders assume friction can be solved through reorganization. The thought is that moving cybersecurity under infrastructure (or vice versa), splitting networking into a separate division or restructuring reporting lines can ease the tension. In my experience, this rarely fixes the problem. It simply moves it.

What matters more than structure is who has authority to decide what.

A healthier model separates responsibilities into two complementary roles:

• Cybersecurity owns policy, standards, risk identification and compliance.

• Infrastructure owns implementation, operations, performance and availability.

In this model, cybersecurity defines what must be true from a risk and compliance standpoint, while infrastructure determines how to implement those requirements in a way that supports operational needs.

This preserves cybersecurity’s independence and audit credibility while avoiding the operational bottleneck that often occurs when policy and operations become intertwined.

Shift Security From Gatekeeper to Design Partner

Another powerful change is to involve security early. If cybersecurity enters the process only at the final approval stage, it often feels like an enforcement body rather than a collaborator. This can lead to late-stage redesigns, resentment and rushed exceptions.

A better approach is to embed security architecture into early design discussions, including network redesigns, cloud initiatives, major application deployments, identity strategy, etc. When security helps shape solutions early, controls become more practical, friction drops and implementation accelerates.

This isn’t about adding bureaucracy. It’s about reducing rework.

Make Risk Ownership Explicit

One of the most effective governance improvements is clarifying who owns risk acceptance.

• Security should identify and articulate risk.

• Infrastructure should propose implementation options.

• IT leadership (and/or the Executive team) should formally accept or reject risk.

This prevents security from being positioned as the ‘department of no,’ and it ensures operational teams aren’t forced to carry risk they didn’t authorize.

When risk acceptance is explicit, decisions become calmer, faster and more defensible.

Solve Friction With RACI, Not Reorgs

Rather than reorganizing teams, many government organizations see better results by formalizing RACI (Responsible, Accountable, Consulted, Informed) for high-friction areas such as:

• Firewall and network segmentation decisions

• VPN and remote access policies

• Identity and privileged access management

• Emergency changes during incidents

• Compensating controls and exception handling

This turns potential personal conflict into structured decision-making.

The Real Goal: Shared Mission, Not Structural Perfection

At the end of the day, the goal isn’t a perfect IT org chart. It’s a model where:

• Security protects public trust without slowing essential services

• Infrastructure delivers reliable, modern systems without carrying unmanaged risk

• Both teams feel respected, heard and accountable

For most of us, the path forward isn’t a major reorganization. Instead, it’s clearer decision rights, earlier collaboration and a shared understanding of risk.
