
For years, CIOs have been asked to do the impossible: make the business run faster and safer at the same time – while also reducing spending.
Post-pandemic cost discipline has returned, regulators have expanded the scope of critical operations and the C-suite increasingly views technology as the execution engine of strategy. Meanwhile, the cloud has splintered under sovereignty and in-country data requirements. If the job of the CIO was ever a balancing act, today it’s a full-blown acrobatics routine.
And yet, the paradox is solvable. Leaders must stop treating performance and security as rival objectives and start designing architectures where they are the same motion.
“Historically, the CIO’s primary mandate was performance,” says John Whittle, chief operating officer at Fortinet. “Security came second. But that order has flipped. The threat landscape has become far more sophisticated, effectively jumping to a whole new level. The stakes are higher, and the board is watching, with resilience now a core expectation.”
Cybercrime is a business and, increasingly, a geopolitical weapon, emphasises Whittle. “You can stop a hospital as effectively as you can stop a factory line.”
Collapse the stack – or be crushed by it
Complexity is the quiet killer of both performance and security. Tool sprawl fragments policies, duplicates agents and creates expensive gaps.
To address this problem, firms would be wise to pursue a platform approach that converges networking and security under a single operating system, policy model and telemetry fabric.
At Fortinet, this is called a secure-by-design approach. “Fortinet has led converging networking and security for 25 years. We see network and security as one discipline,” says Whittle. “Treating them as one enables organisations to provide security and networking without compromising performance or resilience, and to more efficiently detect, analyse and respond from a single dashboard. Otherwise, you’re doing manual correlation across logs and consoles and hoping to be fast enough.”
Simple but powerful correlations, such as edge CPU spikes combined with suspicious encryption behaviour, can signal ransomware in motion. “The point isn’t a clever rule. It’s that you can only correlate at speed if you see the whole,” he explains.
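The correlation Whittle describes can be shown concretely. The following is an added example, not code from the article or from Fortinet: it joins two constructed telemetry streams for the same host, CPU samples and file-write events, and raises an alert only when a CPU spike coincides, within a time window, with several writes whose content has ciphertext-like entropy. The thresholds (90% CPU, 7.0 bits per byte, three writes, a 60-second window), the host names and the sample records are all assumptions chosen for illustration.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Tuples are (ISO timestamp, host, ...).
CPU_SAMPLES = [
    ("2024-05-01T10:00:00", "edge-01", 11.0),
    ("2024-05-01T10:00:30", "edge-01", 96.0),
    ("2024-05-01T10:01:00", "edge-01", 98.0),
    ("2024-05-01T10:00:00", "edge-02", 92.0),   # hot CPU, but a benign batch job
    ("2024-05-01T10:00:30", "edge-02", 94.0),
    ("2024-05-01T10:00:00", "edge-03", 18.0),   # idle CPU, user copying archives
]

RANDOM_LIKE = bytes(range(256)) * 4                         # stands in for ciphertext
CSV_LIKE = b"host,cpu_pct,mem_pct\nedge-02,92,40\n" * 16     # stands in for plaintext

FILE_WRITES = [
    ("2024-05-01T10:00:32", "edge-01", "/srv/share/q1.xlsx.locked", RANDOM_LIKE),
    ("2024-05-01T10:00:34", "edge-01", "/srv/share/q2.xlsx.locked", RANDOM_LIKE),
    ("2024-05-01T10:00:36", "edge-01", "/srv/share/board.docx.locked", RANDOM_LIKE),
    ("2024-05-01T10:00:10", "edge-02", "/var/log/metrics-1.csv", CSV_LIKE),
    ("2024-05-01T10:00:20", "edge-02", "/var/log/metrics-2.csv", CSV_LIKE),
    ("2024-05-01T10:00:30", "edge-02", "/var/log/metrics-3.csv", CSV_LIKE),
    ("2024-05-01T10:00:05", "edge-03", "/home/u/backup-1.zip", RANDOM_LIKE),
    ("2024-05-01T10:00:15", "edge-03", "/home/u/backup-2.zip", RANDOM_LIKE),
    ("2024-05-01T10:00:25", "edge-03", "/home/u/backup-3.zip", RANDOM_LIKE),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for ciphertext or compressed data, far lower for text."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def correlate(cpu_samples, file_writes, *, cpu_threshold=90.0,
              entropy_threshold=7.0, min_writes=3, window=timedelta(seconds=60)):
    """Alert on hosts showing a CPU spike AND at least min_writes high-entropy
    writes within +/- window of that spike. Either signal alone is ignored.
    All thresholds are illustrative assumptions, not tuned values."""
    suspicious = defaultdict(list)  # host -> timestamps of high-entropy writes
    for ts, host, _path, content in file_writes:
        if shannon_entropy(content) >= entropy_threshold:
            suspicious[host].append(datetime.fromisoformat(ts))

    alerts = []
    alerted = set()  # one alert per host
    for ts, host, cpu_pct in cpu_samples:
        if cpu_pct < cpu_threshold or host in alerted:
            continue
        t = datetime.fromisoformat(ts)
        hits = [w for w in suspicious[host] if abs(w - t) <= window]
        if len(hits) >= min_writes:
            alerted.add(host)
            alerts.append({"host": host, "cpu_spike_at": ts,
                           "high_entropy_writes": len(hits)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(CPU_SAMPLES, FILE_WRITES):
        print(alert)
```

Run as written, only edge-01 is flagged: edge-02 is busy but writes plaintext, and edge-03 writes high-entropy archives without a CPU spike. The point is the one made above: each stream on its own produces noise, and the signal only appears when the two are visible together.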
This is where the performance/security trade-off starts to disappear. When protection is built into the way people and applications connect, systems don’t just stay safer – they run faster. A single, consistent set of policies means fewer gaps and faster change, while a shared technology backbone makes integration a natural state, not an endless IT project.
SASE, without the sovereignty hangover
Secure-access service edge (SASE) was a breakthrough because it fused SD-WAN connectivity – the backbone of modern enterprise networks – with security. “As you connect, you protect,” says Whittle. “You don’t bolt security on later as an afterthought.”
But SASE’s traditional reliance on vendor-cloud points of presence can hit sovereignty and data-residency limits. The new move is sovereign SASE: delivering the full SASE stack in customer-controlled environments so traffic and telemetry never leave approved boundaries, while keeping the unified policy, identity and zero-trust model.
This means CIOs don’t have to choose between user experience and compliance; they can require both in the design. The litmus test for suppliers is simple: can they enforce one policy everywhere – the office, home offices, factories, different branches, the public cloud and private data centres – and keep inspection and storage where the law (and risk appetite) demands?
If SASE is where performance and security converge for users and edges, cloud-native application-protection platforms (CNAPP) are where they converge for modern software. Over the past decade, cloud security has fractured into discrete tools: posture management, workload protection, entitlement governance, container scanning and infrastructure as code (IaC) checks. CNAPP consolidates these into a single data model from code to runtime, turning a noisy audit exercise into an engineering workflow.
“It’s not about how many findings you have. It’s about which ones matter to business risk and resilience and how fast you can fix them,” says Whittle.
Fortinet’s approach looks at both the application behaviour (Is it doing something that violates policy?) and the underlying resources (Are the components and links themselves introducing risk?) to provide a complete view of exposure and ensure nothing slips through the gaps.
People, platforms and the paradox
Meanwhile, operational resilience has become a legal mandate across sectors, expanding what counts as “critical”. That pushes architecture decisions into the boardroom. Where is inspection performed? Where are logs retained? Who can access telemetry? Can you prove segmentation and policy consistency across facilities, partners and clouds?
Here, convergence pays a second dividend: compliance by construction. If your platform maintains one policy ontology and one audit trail, evidencing obligations becomes a by-product of the way you run, not a scramble after the fact.
At the same time, no platform strategy works without people. Skills shortages are a structural risk, and AI has sharpened both the threat and the opportunity. Attackers use AI to mimic language and context convincingly, which makes it critical for organisations to provide AI for security while ensuring security for AI systems themselves.
“AI can already deceive human reflexes and the equivalent defences in hardware and software,” Whittle says, “while defenders can use AI to speed triage, summarise alerts and harden code earlier.”
Speed or safety? No longer a compromise
CIOs should be pragmatic here: choose platforms your team can operate, then invest in targeted upskilling that exploits embedded automation and AI safely. As Whittle puts it: “You can have the best cyber strategy in the world, but if you don’t have the people to execute, you’re still at risk.”
“The CIO role is changing,” adds Whittle. “New legal, geopolitical and operational dimensions are coming their way. But they don’t have to choose between speed and safety. Fortinet was founded on that premise, integrating both and never having to jeopardise one over the other. See the network and security converged as one, keep a holistic view and execute from a single fabric. That’s how you stay fast and secure.”
The performance/security paradox is no longer a zero-sum game. By unifying networking and security, CIOs can embed protection directly into design. AI-enabled tools and skilled teams then make speed, safety and compliance achievable at once. The key is to treat performance and security as two sides of the same coin, not competing priorities.
For more information please visit fortinet.com