SEAT Global Magazine - Exclusive Interviews of Global Sport Executive Issue 09 March/April 2018 | Page 81

LEADERSHIP BRIEF

Remember the bit about agilefall and checklists? Far too often, when there’s a checklist, checking the boxes becomes the point of it all instead of the checklist being used as a way of keeping track. Information security is subject to the same challenge, especially when there’s a compliance certification attached.

PCI, the payment card industry security standard, comes to mind. You might recall that Target lost 40 million or so customer records back in 2013 in spite of its PCI compliance — far from the only loss of data from businesses that had passed some form of information security assessment.

If a CIO thinks information security is tight, he’s probably wrong. It’s the CIOs who are concerned their information security might have a few holes who just might be in decent shape.

Let’s go back to the whole business alignment thing again. IT governance is supposed to make sure only the highest value projects are funded. And yet, no matter how well-crafted the process, it’s still implemented by the same cast of characters who aren’t “aligned” with each other in the first place.

So, in addition to estimating each project’s value to the business, there’s horse-trading and sheer spitefulness involved in the final set of decisions.

Add to that another annoying detail: Projects whose benefit is cost reduction will take precedence over projects whose benefit is increased revenue. Why? Reducing cost is within the control of the business. If everything goes according to plan, costs will go down.

But increasing revenue calls for customers doing what you want them to do. Often, they don’t. You can’t boss them around. You have to persuade them.

Not a bad habit for your everyday executive to get into, by the way, but not one enough everyday executives have.

Want a bottom-line takeaway from all this? It’s this: If you’re certain — about anything — you’re almost certainly wrong. If you’re a CIO and you’re sure about any of these nine topics, or, for that matter, any others, ask yourself this simple question: Why?

CIO self-deception #8: Our information security is tight.

CIO self-deception #9: Our IT governance processes make sure we only undertake high-business-value projects.

9 Lies CIOs Tell Themselves
