In today’s rapidly evolving digital landscape, the relationship between the Chief Information Officer (CIO) and Chief Information Security Officer (CISO) is emerging as a cornerstone of effective, resilient business operations. This dynamic was recently explored in a compelling 2025 Electronic Markets article by M. Eric Johnson and Hans Brechbühl: “The CIO–CISO relationship in a globally networked business—An interview with Nestlé AG.”
The article spotlights Nestlé’s Group CIO Chris Wright and CISO John Petersen, whose partnership demonstrates why collaboration, trust, and adaptive strategy are critical in navigating today’s mounting cybersecurity challenges.
When Threats Transcend Traditional IT
Nestlé, as the world’s largest food and beverage company, operates across 185 countries, with over 270,000 employees and 340 factories worldwide. Its digital journey has gone from traditional data centers and system controls to a seamless, global network harnessing the power of AI, cloud computing, SaaS platforms, and a proliferation of connected devices. This transformation has brought unparalleled efficiency, but also a vastly expanded cyber threat landscape.
From Data Centers to a Global Network
Wright and Petersen describe a world where cyber threats now transcend the boundaries of IT, extending deep into manufacturing, supply chain, and even public perception. Today’s attackers are organized, technologically empowered, and able to leverage tools such as generative AI to accelerate their operations.
The Foundation of a Modern Defense: Trust and Communication
Nestlé’s leaders emphasize that trust is the foundation of the CIO-CISO partnership. The ability to “put the fish on the table” and candidly discuss difficult topics enables both sides to respond effectively to incidents and to non-incidents, which can be just as threatening if mishandled in public or on social media.
Why Trust is a Mission-Critical Control
With the rapid spread of both real and fabricated news, prompt and strategic communication during incidents, including so-called “non-incidents” where no breach has occurred, is now a must. Both the CIO and CISO must be constantly aligned, preparing statements in advance and calibrating who needs to be informed, balancing transparency against the risk of causing unnecessary alarm within the organization.
To Report or Not to Report: Debating the CISO Structure
Debate continues as to the ideal reporting relationship for CISOs. Some firms separate the CISO from IT to guarantee independence; others, like Nestlé, keep security within IT, prioritizing operational speed and integration. At Nestlé, the model is clear: the CISO reports to the CIO, enabling rapid, decisive action and shared accountability.
Shared Accountability and Operational Speed
This close collaboration means that security and compliance become collective responsibilities within the IT organization, encouraging the kind of daily, operational partnership that moves beyond traditional silos.
The Expanding Front Line: New Risks and Pressures
Nestlé’s experience highlights the growing importance of operational technology (OT) security. Factories and production lines, traditionally managed by engineers for generations, are now connected to the digital ecosystem, presenting new risks and requiring new relationships between IT and OT communities.
Navigating Geopolitical Tensions and Regulations
Geopolitical tensions and rapidly shifting privacy regulations, from Ukraine to China, further complicate the landscape. Nestlé navigates complex compliance and ethical requirements, localization of services, and regulatory uncertainty, all while maintaining global operational efficiencies. In certain regions, food production is critical infrastructure, bringing additional national oversight and dependencies.
The Expanding Threat of Misinformation and GenAI
How GenAI Amplifies Existing Threats
Generative AI is now amplifying existing threats and creating new ones: enabling sophisticated phishing scams, deepfakes, and the manipulation of public perception. The ability for misinformation to go viral, whether rooted in fact or fabrication, creates risks not only to IT but also to brand and business continuity.
Protecting the Brand from Viral Misinformation
Consequently, robust monitoring of news and social channels, proactive communication, and preparing for rapid incident response have become central components of the security function.
Key Takeaways for Today’s Security Leaders
Drawing from Nestlé’s experience, several critical lessons emerge for global organizations:
- Build Trust Before a Crisis: Trust between the CIO and CISO must be constructed through daily, open communication. In a crisis, it’s too late to start.
- Network Relentlessly: Professional relationships with peers inside and outside the industry are just as valuable as technical controls. Information sharing enhances resilience across organizations, not just within them.
- Continuously Audit and ‘Hack Yourself’: Regularly test defensive assumptions. Sometimes the biggest vulnerability isn’t where it’s expected.
- Prepare for Misinformation: Develop clear and rapid communications protocols for both technical incidents and reputational threats fueled by social media.
- Tailor Structure to Fit the Mission: There is no universal reporting structure for the CISO role. Each company should adapt based on industry needs, risk appetite, and internal culture.
Conclusion: The Partnership That Enables Resilience
Nestlé’s story, as shared in the 2025 article by Johnson and Brechbühl, is a testament to the power of partnership, agility, and preparation. Future-ready enterprises must evolve both their technologies and their trust-based relationships, integrating cybersecurity not as a standalone function, but as an operational backbone for the entire business. Because, in the end, it’s the partnership between technology and trust that enables resilience for the organizations that feed, fuel, and connect our world.
Further Reading:
Johnson, M. Eric, and Hans Brechbühl. “The CIO–CISO relationship in a globally networked business—An interview with Nestlé AG.” Electronic Markets, vol. 35, 2025, https://doi.org/10.1007/s12525-025-00786-8.