The very, very least every CFO should know about IT

Table of Contents

TLDR

• IT costs fall into these big buckets: Hardware, Software, People, Facilities, Network and Subscriptions. Each of these drills down into smaller buckets.
• Some costs might not be captured in the IT budget because of “shadow” operations in the lines of business.
• Risks, which may or may not be quantifiable, need to be captured as well as costs. This is especially true when considering the “do nothing” option.
• Consider hiring a fractional CTO before your company needs a full-time one.
• Please read on. I spent hours on this.

IT costs

Let’s be clear: Information Technology is a cost center. Sure, vendors will tell you all about how “investment” in “strategic initiatives” will provide “innovation” to make your IT department a “partner in profit”. That’s all baloney.

Unless you’re actually in the IT business, or maybe in hedge funds or the military or some other endeavor where IT is a key enabler, all that research and development isn’t worth the trouble. If, strategically, you don’t need to be first to market with the latest gee-whiz breakthrough, then let someone else pay for the privilege of inventing the stuff. A year from now, you’ll be able to buy it off the shelf, without the glitches.

I spent 15 years and hundreds of thousands of miles as an IT management consultant from IBM. For most of that time, I was focused on constructing business cases in support of target states developed by my more technical colleagues. The models I developed broke costs down into these six buckets:

1. Hardware: This includes servers, storage, desktop computers, mobile devices, printers, scanners and anything else that comes with a plug or a charger.
2. Software: Developers refer to this in terms of a “stack”. The binary code that makes it all possible sits at the bottom, but usually comes preloaded on the hardware. The operating system sits on top of that. Then comes the hypervisor, which sections off the compute power into distinct “images” or “containers” for separate workloads or separate users. The next layer comprises the management, monitoring and security software. Atop that comes the database management system. Finally, at the tip-top of the stack is the actual, user-facing applications people need to get their jobs done.
3. Facilities: It used to be that every business of any size needed a data center. That’s not true anymore for reasons we’re about to get into. But you still probably have a room in your suite that’s a tangle of wires and blinking lights that houses the rack-mounted or cabinet-enclosed hardware. This space comes at a cost, and you already know how much a square foot of office space costs per month. But then consider just how much electricity IT hardware requires. You’ve probably read about how the artificial intelligence developers are bringing nuclear plants online just to power their machines, or how some towns are having brown outs ever since crypto miners moved in. You’re nowhere near that scale, but your servers and storage arrays are definitely spinning your meter. Then consider how much heat this hardware generates, and that you’ve probably had to install a chiller in the room. It can take as much power to cool the equipment as to run it. If you do have a data center, you’ll also need a line of power distribution units to boost the flow of energy throughout the building, as well as a diesel generator to supply uninterrupted power. And when you have all that power and all that heat, you’d better have a world-class fire suppression system.
4. Subscriptions: In the old days, when more businesses had data centers, they subscribed to specialized services that couldn’t be handled in-house. In addition to software licensure and network access, which we already discussed, they also subscribed to backup-and-recovery services. And of course, mechanical, electrical, plumbing and custodial trades are usually best left to contractors on a retainer.
5. Network: Your servers and storage link up to your desktops and other user devices through a local area network, or LAN. Your company is responsible for running that. Your LAN is distinct from your metropolitan area network or wide area network, your MAN or WAN, which is a recurring charge you pay a company like AT&T or Verizon. Then there’s that “last mile” – the bridge where the MAN or WAN stops and your LAN begins. Depending on your location, you might have to pay more for that under-the-fence line than for the rest of your network combined, because it might require capital costs to install as well as a monthly ransom.
6. People: Spare a kind thought for the IT guy. If you’re with a small company – say, 25 people or less on payroll, under $10 million in revenues, regular business hours – you might be able to get by with one IT resource. But consider how much that one person does: Provide call center support. Provide deskside support. Ensure that each new employee gets all the kit they need to work effectively, then make sure departing employees give it all back. Repair and upgrade the equipment. Patch the software. Manage the LAN. Purchase then eventually decommission every bit of hardware or software that comes off the loading dock – and manage that inventory. And we didn’t even mention data security yet, which gets ever more critical every month. Clearly, this is more work than one person ought to do. As your company’s headcount grows, so must your IT department’s.

What remains

Soon enough, you’ll need to hire someone to run that department. There are actually two executive roles: the CTO (Chief Technology Officer) and the CIO (Career Is Over). The CTO is responsible for the software stack above the management level, and the CIO is responsible for all the rest – “keeping the lights on,” in IT parlance.

CTOs curate – or builds – the mix of applications and databases that will enable more efficient tools for the lines of business, while using technology to transform the ways their companies generate revenues and streamline processes. They fail 80% of the time but, bless their hearts, they keep at it.

CIOs run the IT infrastructure, managing the data center in the case of companies that still have their own on-site. These days, most CIOs spend more time managing vendor relationships with the subscription services and managing the LAN and end-user devices.

In reality, these roles are combined in one executive, who usually chooses to be known as the CTO. Going forward, that’s what we’ll call this person. The CTO, then, has responsibility to decide on a reference architecture for the entire company – a diagram of what devices each employee uses, what servers and storage drives support them and via what apps, what data gets loaded into what databases, and how all this gets managed, monitored and secured.

The problem is, line-of-business executives have the responsibility to ignore the CTO if they think this architecture doesn’t precisely match their desires. They’ve got revenue targets to hit and they don’t want to be slowed down by what they consider extraneous procedures dumped on them by HQ. These profit center executives very often develop their own “shadow IT” units that bypass the IT department.

They do this for a number of reasons. One of the most likely is that they have come to rely heavily on an obsolescent system which the CTO has determined ought to be sunset in favor of a more current solution. After all, there are only two constants in this world: change, and the resistance to it.

Another reason is cost. When your CTO develops the reference architecture, cost is only one consideration, albeit an important one. A line-of-business executive might decide that, rather than pay a chargeback to the IT department for a particular service, it would be cheaper to download something that does much the same job.

You can see the issue already: If a non-IT department found something cheaper than the IT department could, with its greater volume, negotiate with a vendor, then something must be missing. Maybe the shadow app or device:

• is no longer supported,
• was never supported,
• doesn’t fully comply with all regulations and contracts,
• was developed by a company that’s no longer in business or
• is an easy target for hackers or data thieves.

I bring this up for two reasons. First, “shadow IT” is a real cost, and you’re probably not capturing it as an IT expense. It’s nested in your other departments’ budgets under who-knows-what lines.

Second, the only reason we’re concerned about knowing the cost of IT is so that we can establish a baseline for lowering those costs. That is, we’re going to switch focus now to making a case for change. And a business case for an IT transformation – like a case to demonstrate anything – needs to include risks as well as costs and benefits. The availability of vendor support disappearing over the course of a three- to five-year time horizon is certainly one of those risks. So is its funhouse-mirror image, lock-in, which makes you a hostage to one vendor if you become too reliant on what they provide and how they provide it.

Another risk is outage. Your CTO needs as much control as possible over downtime, and there must be contracts – called service level agreements – in place to determine a financial price to be paid to your company if systems are down during a critical time period or frequently enough at random times to become a nuisance.

The most serious risk in IT, though, is data security. Your target state needs to be more secure – “as secure” doesn’t cut it – than your current state. Security consultancy Upguard offers a litany of metrics your company can adopt to determine the degree of improvement.

And it’s good that the outage and security risks can be quantified, because not all risks can. Sometimes being an empiricist – a prerequisite for a CFO – means recognizing the limits of empiricism.

Making the case

As an exercise, let’s take the case of a startup company with 25 employees, including one who do IT work but reports up to the CFO. Our next key hire will be a CTO, but when? We’re not sure if we need one just yet, and it would be a struggle to justify hiring a CTO today. So the choice is: Do we hire a fractional CTO today or not?

The factors in favor include adding a leader who can think and act strategically about technology. The factors against include the direct expense and the lack of emphasis on IT in our company’s mission. We create and see a specific product or service, and we’re at a point where we’re experiencing rapid growth and need to focus on maximizing revenue and market share. While we recognize that IT can help us add sales channels, we’re more attentive right now to how it can make us run more efficiently – and improving margins isn’t our biggest concern at the moment. Frankly, there’s no “burning platform” driving us to make a hasty choice.

So the whole decision rests on how we can quantify the strategic value of a fractional CTO, and we’ll assume a three-year time horizon. Here’s the current state of the IT spend:

Our IT budget had been around 7% of anticipated revenues – in line with small-company norms – but this is the first time we’re counting the IT person’s fully burdened pay and the facilities costs along with the gadgetry. Realistically, IT is costing us around 9% of the top line, or around $220,000 per quarter.

“Current state” doesn’t mean “do nothing.” You’ll need to add hardware devices, software licenses and network costs in proportion to your growing headcount – about 10% per quarter. Within six months, you’ll have to repurpose an adjacent 10x10 room to supplement your existing data closet. And regardless of who’s in charge, you already need to add two more IT resources as soon as you can, and you’ll probably need to add at least two more every year going forward.

So let’s compare that to a target state:

The fractional CTO will cost us $30,000 per quarter, and we’ll see a 5%-per-quarter increase in subscription costs, but here’s what we get for it after a six-month time lag:

• Sharp decreases in hardware and software costs due to better vendor management
• Foregone cost of repurposing another office into a data closet
• Decrease in the rate of growth of network costs, also due to better vendor management
• Slower growth in direct contributors’ headcount and fully-burdened rate as the CTO hires other fractional professionals

But these aren’t the whole litany of benefits. What doesn’t fit on the spreadsheet include:

• Lower risks of outages, security breaches, device theft and compliance issues
• Qualitatively better end-user support
• Better match between services offered and those required by the profit-center departments, so less need for “shadow IT” and its unknown costs
• More executive time returned to the CFO, who can now focus more on financial planning and analysis

The one-time costs would be negligible in this case, but your mileage may vary. If you do incur some Year 0 transition expenses, then you can capture them in a model that calculates the payback period and internal rate of return. You could also apply a discount rate and determine net present value.

Taking action

This is all very generic, and some of the assumptions are entirely arbitrary. A paper such as this can’t address the particular costs and challenges of your company. I would, however, like to have the opportunity to do that, along with the StratifyIT team of subject matter experts.

Together, we can determine if the time is right for your business to engage a fractional CTO. You can reach out to us at MeetUs@StratifyIT.tech to start the conversation.