For a CIO to survive, they need the right priorities. And for most CIOs, at this precise moment, their average top five priorities are:
- Not to mention security.
Notice what’s missing? If your answer is “everything is missing,” go to the head of the class.
Security is, for today’s CIO, a two-edged blade. One sharp edge is underinvesting in security. In the past, investing too little in security meant accepting a higher risk of intrusions that could lead to significant financial pain.
Ransomware has changed the game. Underinvesting in security now means accepting a higher risk of being knocked entirely out of business. So underinvesting in security is one sharp edge.
The other is underinvesting in IT-driven new business value.
The real risk of IT leadership
In case you missed the news, digital-as-a-noun is a big, big deal. It’s all about using information technologies to drive revenue and competitive advantage. Underinvest here and more aggressive competitors will, over time, eat the company’s lunch.
It’s Hobson’s choice: risk being knocked out of business with a single punch vs. risking a slow but just as lethal outcome from loss of customers, marketshare, and mindshare.
Add to the challenge this risk-management maxim: Successful prevention is indistinguishable from absence of risk. What this means is that nobody will congratulate a CIO and their team for a job well done, nor will anyone ask what support they’ll need to continue to keep the company safe.
No, every year information security practices succeed is one more year IT’s budget approvers will be convinced that CIOs have been overstating the risks.
If you don’t believe me … Y2K.
The chargeback trap
Is your CIO customer ready to fall into the pit of despair? They shouldn't give in just yet. They have alternatives. Some are more appealing than others; all are better than giving up.
Call the first the NoSuch manoeuvre, short for There’s No Such Thing as an IT Project, something they should be championing with or without today’s information security challenges.
Behind NoSuch is the idea that so-called “IT Projects” are really attempts to make some part of the business run differently and better. That being the case, funding for these no-longer-IT-projects shouldn’t come out of the IT budget. They should be funded by the departments that will benefit from them. That way, their funding won’t compete with IT for the increased budget needed for information security.
Chargebacks. If a company’s management embraces a more traditional approach to the IT/business relationship they can keep information security from competing for resources with new business value through the time-honoured mechanism of chargebacks, which will shift the cost of IT’s application services to the business areas that will make use of whatever they’re asking IT to develop and implement.
The difference between chargebacks and the NoSuch maneuver is subtle, but important. When there’s no such thing as an IT project, IT’s involvement in business change is as a leader in identifying and championing opportunities, and as a full and equal collaborator in achieving them.
When IT charges back for its services, it abandons its leadership roles in identifying strategic opportunities and achieving intentional business change. Instead, it relegates IT to being a mere order taker.
An alternate strategy for addressing security spend
Here’s one more option for CIOs. Suggest reassignment of responsibility for information security to a group that doesn’t report to them. The best potential victims candidates are the enterprise risk management (ERM) practice and whoever owns business continuity planning.
Call it the SEP gambit (that’s Someone Else’s Problem to the uninitiated). It might not do a thing for the business as a whole, but from a selfish perspective, hanging the albatross around someone else’s neck has a lot of upside to recommend it.
And it actually does offer some business benefit. Reassigning responsibility for information security lets its new owner put a spotlight on the need for additional funding, dodging the usual gripes about IT being a money pit.
These three alternatives — the NoSuch maneuver, chargebacks, and SEP gambit — have the same objective. That’s to avoid having information security and investments in new capabilities compete for executive time and attention, something that directly translates to their funding decisions.
This is a skill — being able to direct decision-maker-awareness to the right targets — that’s central to any CIO’s success.