For IT leaders, aligning security and IT isn’t just a tactical win – it’s a strategic advantage. But while both teams share overlapping goals, miscommunication and siloed priorities often get in the way. The solution? Build stronger relationships, communicate frequently, and create shared accountability.
We asked experienced IT and security leaders how they’ve fostered better collaboration between these two critical functions. Here’s what they said.
1. Build relationships first, then processes
Joe McCallister, Senior Manager of Cybersecurity Operations, The Trade Desk
Better alignment starts with simple, informal conversations, Joe McCallister shared on a recent episode of Tines’ Future of Security Operations podcast. “Take someone out to lunch or go for a walk, ask what projects they’re excited about – you might find ways to help.”
“Our IT guys might be really jazzed about phish-resistant MFA, for example, but it’s been deprioritized. We could help unblock that – and it makes everyone more secure.”
Joe adds that his security team meets with IT monthly to align their roadmaps. “You can’t coordinate if you’re not communicating.”
2. Bring a “no surprises” mindset to your check-ins
Mark Settle, 7x CIO and author of Truth from the Trenches: A Practical Guide to the Art of IT Management
“IT and security can trip over each other’s shoelaces,” says Mark Settle, especially when one team makes changes or purchases tools without informing the other.
To avoid this, he recommends adopting a “no surprises” approach to regular operational check-ins. These can be used to surface infrastructure changes, upcoming tool deployments, or policy updates early.
“When surprises occur, feelings get hurt, issues get escalated to higher management, and trust is eroded at multiple management levels,” Mark says. “But when teams stay in sync, there’s less friction, fewer escalations, and better outcomes.”
3. Use unified messaging to drive shared priorities
Matt Muller, Field CISO, Tines, and formerly, security leader at Coinbase
When IT and security teams present a consistent message to the rest of the organization, the benefits go far beyond reducing risk – it builds credibility and trust, and makes it easier to get employee buy-in for major initiatives.
Procurement is just one example. “It’s an underrated lever for reducing attack surface,” Matt Muller explains, pointing to the issue of shadow IT. “IT procurement doesn’t want to be the bad guy. They want to help end users get the tools they need, and security can reinforce that message by explaining why certain guardrails are in place.”
“It’s about unifying that communication so security and IT become a joint voice in the organization,” Matt adds. That unified voice is especially valuable during major organization-wide changes like an MFA rollout or a tool migration. A strong internal brand, backed by consistent messaging, makes it far more likely that employees will engage and adopt new IT and security practices.
4. Collaborate on automation use cases
Thomas Kinsella, Co-founder and CCO, Tines, formerly a security leader at DocuSign and eBay
Too often, security and IT teams build automations in parallel, solving similar problems with separate tools.
“Both teams are trying to reduce manual work, reduce risk, increase consistency, and move faster,” Thomas Kinsella says. “If both teams are automating use cases like identity and access management, or related ones like vulnerability management and patch management, why not solve those problems together? The best security and IT teams we work with don’t just collaborate on goals, they collaborate on specific workflows.”
By working with the same vendor-agnostic automation platform, these teams gain visibility into each other’s priorities, reduce duplication, and avoid tool sprawl.
5. Make the end-user experience a joint responsibility
Matt Muller, Field CISO, Tines, and formerly, security leader at Coinbase
“In an ideal world, security creates zero friction for end users – but we’ll never hit that,” says Matt Muller. “One thing I’d love to see more security teams do is run a friction survey of the employee population. Ask them, ‘How often does security annoy you?’ and make a commitment to IT to improve on the results.”
Some of the most painful end-user experiences are owned by IT but governed by security policies, Matt adds. “Take login systems, for example. They’re often maintained by IT, and then security says, ‘Sorry, you have to reauthenticate every 35 seconds.’ That’s miserable for the end user – and it means IT can’t provide the experience it wants to the organization.”
“Security teams need to think about how to measure that friction,” Matt adds, “and work with IT to drive joint metrics around the end-user experience.”
Learn how IT teams use Tines to scale their operations.
