Bob Lewis

The CIO’s missing priority

Apr 07, 2022
CIOIT Leadership

Directing decision-maker-awareness to the right targets is a key skill for CIO success. Investment risks that pit information security vs. information technology prove the point.

puzzle / inspect / examine / identify / missing piece / magnifying glass / solution
Credit: Thinkstock

Want to survive as CIO? You need the right priorities. And for most CIOs, at this precise moment, your average CIO’s top 5 priorities are:

  1. Security.
  2. Security.
  3. Security.
  4. Security.
  5. Not to mention security.

Notice what’s missing? If your answer is “everything is missing,” go to the head of the class.

Security is, for today’s CIO, a two-edged blade. One sharp edge is underinvesting in security. In the past, investing too little in security meant accepting a higher risk of intrusions that could lead to significant financial pain.

Ransomware has changed the game. Underinvesting in security now means accepting a higher risk of being knocked entirely out of business. So underinvesting in security is one sharp edge.

The other is underinvesting in IT-driven new business value.

The real risk of IT leadership

In case you missed the news, digital-as-a-noun is a big, big deal. It’s all about using information technologies to drive revenue and competitive advantage. Underinvest here and more aggressive competitors will, over time, eat your company’s lunch.

It’s Hobson’s choice: risk being knocked out of business with a single punch vs. risking a slow but just as lethal outcome from loss of customers, marketshare, and mindshare.

Add to the challenge this risk-management maxim: Successful prevention is indistinguishable from absence of risk. What this means is that nobody will congratulate you and your team for a job well done, nor will anyone ask what support you’ll need to continue to keep the company safe.

No, every year your information security practices succeed is one more year IT’s budget approvers will be convinced you’ve been overstating the risks.

If you don’t believe me … Y2K.

The chargeback trap

Are you ready to fall into the pit of despair?

Don’t give in just yet. You have alternatives. Some are more appealing than others; all are better than giving up.

Call the first the NoSuch maneuver, short for There’s No Such Thing as an IT Project, something you should be championing with or without today’s information security challenges.

Behind NoSuch is the idea that so-called “IT Projects” are really attempts to make some part of the business run differently and better. That being the case, funding for these no-longer-IT-projects shouldn’t come out of the IT budget. They should be funded by the departments that will benefit from them. That way, their funding won’t compete with IT for the increased budget needed for information security.

Chargebacks. If your company’s management embraces a more traditional approach to the IT/Business relationship you can keep information security from competing for resources with new business value through the time-honored mechanism of chargebacks, which will shift the cost of IT’s application services to the business areas that will make use of whatever they’re asking IT to develop and implement.

The difference between chargebacks and the NoSuch maneuver is subtle, but important. When there’s no such thing as an IT project, IT’s involvement in business change is as a leader in identifying and championing opportunities, and as a full and equal collaborator in achieving them.

When IT charges back for its services, it abandons its leadership roles in identifying strategic opportunities and achieving intentional business change. Instead, it relegates IT to being a mere order taker.

An alternate strategy for addressing security spend

Here’s one more option. Suggest reassignment of responsibility for information security to a group that doesn’t report to you. The best potential victims candidates are the enterprise risk management (ERM) practice and whoever owns business continuity planning.

Call it the SEP gambit (that’s Someone Else’s Problem to the uninitiated). It might not do a thing for the business as a whole, but from your selfish perspective, hanging the albatross around someone else’s neck has a lot of upside to recommend it.

And it actually does offer some business benefit. Reassigning responsibility for information security lets its new owner put a spotlight on the need for additional funding, dodging the usual gripes about IT being a money pit.

These three alternatives — the NoSuch maneuver, chargebacks, and SEP gambit — have the same objective. That’s to avoid having information security and investments in new capabilities compete for executive time and attention, something that directly translates to their funding decisions.

This is a skill — being able to direct decision-maker-awareness to the right targets — that’s central to any CIO’s success.

Bob Lewis

Bob Lewis is a senior management and IT consultant, focusing on IT and business organizational effectiveness, strategy-to-action planning, and business/IT integration. And yes, of course, he is Digital. He can also be found on his blog, Keep the Joint Running.