CIO Guide to a successful Information Security Practice

Focus resources on the proper implementation of key Controls and sell success, instead of constantly following the latest technology trends

Another commonly held view across Information Security communities is that Information Security is critically and chronically under-funded, and that obtaining the budgetary allocations it deserves is always difficult.

In fact, many large organisations (> $5B Market Caps) claim to spend in excess of 3% of their total IT spend on cyber security (‘Risk and Responsibility in a Hyper-connected World’ – World Economic Forum, in collaboration with McKinsey & Company – January 2014), and on the whole – large firms have invested very significant amounts over time in Information Security.

Most of them would have had Information Security practices in operation for years, but according to the same report – in spite of the amounts invested, 79% have not yet achieved a recognisable level of cyber security maturity. This was highlighted in our February 2015 analysis of the World Economic Forum report published on

The business appetite for more investment is frequently limited by the absence of tangible results, as CISOs and their teams constantly ask for more technical resources to drive new technical initiatives. However, properly implemented essential controls can actually prevent approximately 80% of cyber-attacks – according to the UK GCHQ (“Countering Cyber Threats to Business” – Institute of Directors “Big Picture” – Spring 2013).

What Information Security teams critically need is to focus their significant resources (budget and people) on the real, proper and demonstrable implementation of those key controls. Focusing on People and Process as well as Technology, rather than constantly following the latest technology trends, can prevent breaches.

This is about vision, priorities and results – not just resources. The business will generally give budget if they have the confidence that real protective measures will be delivered. CIOs and CISOs must sell success internally against the backdrop of a clear long-term Information Security vision and within the context of a clear Information Security Governance model.

It should be natural for the business to want to protect itself against real and active threats, and to give resources to a person and a team that can articulate a clear vision in that respect – creating a sense of direction, and inspiring confidence that things will get done.
JC Gaillard

Managing Director – Corix Partners

This article is part of the series “The CIO Guide to a successful Information Security Practice – 8 Key Management pitfalls to avoid” in which we explore the Governance and Leadership dynamics around Information Security and deconstruct eight commonly held views on the topic that CIOs would have encountered. Find out more on our blog.

Contact Corix Partners to find out more about developing a successful Information Security Practice for your business. Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and COOs in resolving Security Strategy, Organisation & Governance challenges.