Remember the bit about agilefall and checklists? Far too often, when there's a checklist, checking the boxes becomes the point of it all instead of the checklist being used as a way of keeping track. Information security is subject to the same challenge, especially when there's a compliance certification attached.

PCI, the payment card industry security standard, comes to mind. You might recall that Target lost 40 million or so customer records back in 2013 in spite of its PCI compliance — far from the only loss of data from businesses that had passed some form of information security assessment.

If a CIO thinks information security is tight, he's probably wrong. It's the CIOs who are concerned their information security might have a few holes who just might be in decent shape.

CIO self-deception #1: We're aligned with the business.

CIO self-deception #2: The only reason to upgrade software is when a new version provides important business value.

CIO self-deception #3: The big mission-critical project that's fallen behind schedule? We'll catch up in the next phase and deliver it on time.

CIO self-deception #4: We're doing ITIL.

CIO self-deception #5. We're doing agile.

CIO self-deception #6. We're doing devops.

CIO self-deception #7: We have a customer service culture.

CIO self-deception #8: Our information security is tight.

CIO self-deception #9. Our IT governance processes make sure we only undertake high-business-value projects.

CIO self-deception #10: We don't need to involve the business in this.