Want to survive as CIO? You need the right priorities. And for most CIOs, at this precise moment, your average CIO’s top 5 priorities are:

Notice what’s missing? If your answer is “everything is missing,” go to the head of the class.

Security is, for today’s CIO, a two-edged blade. One sharp edge is underinvesting in security. In the past, investing too little in security meant accepting a higher risk of intrusions that could lead to significant financial pain.

Ransomware has changed the game. Underinvesting in security now means accepting a higher risk of being knocked entirely out of business. So underinvesting in security is one sharp edge.

The other is underinvesting in IT-driven new business value.

The real risk of IT leadership

In case you missed the news, digital-as-a-noun is a big, big deal. It’s all about using information technologies to drive revenue and competitive advantage. Underinvest here and more aggressive competitors will, over time, eat your company’s lunch.

It’s Hobson’s choice: risk being knocked out of business with a single punch vs. risking a slow but just as lethal outcome from loss of customers, marketshare, and mindshare.

Add to the challenge this risk-management maxim: Successful prevention is indistinguishable from absence of risk. What this means is that nobody will congratulate you and your team for a job well done, nor will anyone ask what support you’ll need to continue to keep the company safe.

No, every year your information security practices succeed is one more year IT’s budget approvers will be convinced you’ve been overstating the risks.

If you don’t believe me … Y2K.

The chargeback trap

Are you ready to fall into the pit of despair?

Don’t give in just yet. You have alternatives.
Some are more appealing than others; all are better than giving up.

Call the first the NoSuch maneuver, short for There’s No Such Thing as an IT Project, something you should be championing with or without today’s information security challenges.

Behind NoSuch is the idea that so-called “IT Projects” are really attempts to make some part of the business run differently and better. That being the case, funding for these no-longer-IT-projects shouldn’t come out of the IT budget. They should be funded by the departments that will benefit from them. That way, their funding won’t compete with IT for the increased budget needed for information security.

Chargebacks. If your company’s management embraces a more traditional approach to the IT/Business relationship you can keep information security from competing for resources with new business value through the time-honored mechanism of chargebacks, which will shift the cost of IT’s application services to the business areas that will make use of whatever they’re asking IT to develop and implement.

The difference between chargebacks and the NoSuch maneuver is subtle, but important. When there’s no such thing as an IT project, IT’s involvement in business change is as a leader in identifying and championing opportunities, and as a full and equal collaborator in achieving them.

When IT charges back for its services, it abandons its leadership roles in identifying strategic opportunities and achieving intentional business change. Instead, it relegates IT to being a mere order taker.

An alternate strategy for addressing security spend

Here’s one more option. Suggest reassignment of responsibility for information security to a group that doesn’t report to you.
The best potential victims candidates are the enterprise risk management (ERM) practice and whoever owns business continuity planning.

Call it the SEP gambit (that’s Someone Else’s Problem to the uninitiated). It might not do a thing for the business as a whole, but from your selfish perspective, hanging the albatross around someone else’s neck has a lot of upside to recommend it.

And it actually does offer some business benefit. Reassigning responsibility for information security lets its new owner put a spotlight on the need for additional funding, dodging the usual gripes about IT being a money pit.

These three alternatives — the NoSuch maneuver, chargebacks, and SEP gambit — have the same objective. That’s to avoid having information security and investments in new capabilities compete for executive time and attention, something that directly translates to their funding decisions.

This is a skill — being able to direct decision-maker-awareness to the right targets — that’s central to any CIO’s success.