
IT Decision Making

IT Decision Making Process

How do business leaders make decisions regarding IT?  Do they have a formal process, or is it informal word of mouth?

IT operations have traditionally done a poor job of communicating technology in terms business leaders can easily understand.  Every IT decision should be made to meet a business need or requirement, no matter how small or large. This underscores the importance of always tracing IT decisions to some level of business justification.

A difficult but ongoing aspect of technology is that many services and benefits are 'under the waterline', not visible to employees or management. This means that 'no news is good news' and 'all quiet' and 'boring' are great places to be, but it also highlights the need for proactive management of these hidden IT aspects. That, in turn, requires constant communication between IT and business leadership on what is being done and why.

What is the justification behind each cost that makes up our total IT spend?

Currently, we are in a period of sustained and general economic uncertainty. While some industries may be doing well, most of the feedback from business leaders, regardless of industry, is that 2024 has not met hopeful expectations and has been relatively flat.  This has forced many to look at their overall spending for areas to control and cut costs.  IT is one targeted area because it is typically a big number that is the least understood.  It is also one of all businesses' most important core foundational operations. It has only increased in importance with the rise in cybersecurity threats and respective solutions to mitigate those threats and risks.

I recently spoke with the CEO of a healthcare company with over 25 branch locations nationwide. In a recent meeting where we discussed their overall IT strategy for the next 12 to 24 months, she stated, "Don't put a proposal or quote on my desk and assume it will be approved because you tell me we must have it." This made sense to me, but I could tell it was a bit jarring for the internal IT staff.

She said that if you (IT) are recommending we add any IT service or solution that has any additional cost, I need the business case to support doing it.

This can be a conundrum because IT is often weak at building business cases, or at translating the clear benefit it sees into business terms the C-level can act on. Returning to my discussion with the CEO, she shared an example where two of their customers independently and separately sent an IT cybersecurity audit to them, stating they must meet the customers' cybersecurity requirements in order to meet HIPAA compliance.

In many cases, the business would scramble to understand the audit questionnaire and its implications and quickly determine how to meet the requirements. The problem with this approach is that it assumes any additional solutions, services, and related costs the audit implies would be more than justified by the value of that customer's business.

In this case, the savvy CEO rightly looked at each customer and the value (revenue, margin, profit, etc.) they brought to the company and required IT to provide similar details on the actual costs, risk mitigation, and value of the proposed additional cybersecurity measures.  In short, the long-term value of the customers’ business must be weighed against the long-term value and additional cost of the new cybersecurity solution and services.  The ultimate decision on whether to proceed is based on objective data from both sides.

Decision-making is based on making a business case for each solution/service. Although not written in a formal document, it was clear the CEO had a very specific method for decision-making.

The challenging aspects of dealing with cybersecurity services and solutions include:

  1. The new security solution/service may benefit the entire company and all customers, not only the ones sending the questionnaire.  The value is greater than what's associated with a single customer.
  2. Although the business desires to control costs, additional spending on higher cybersecurity capabilities may be required due to the industry's compliance requirements or baseline expectations.  You have to spend more time finding other areas to curb costs.

Now, compare this scenario with a more common practice. Something bad happens, or has a likelihood of happening, that could ruin the business. IT panics and pushes solution alternatives to management for approval. Without any translation or common ground on the 'why', business leadership approves or declines the request quickly. The primary driver is fear. Making decisions out of fear is never preferable to making them confidently. Decisions based on fear are often reactive, whereas confidence-based decisions are proactive. The former has limited information to support it, whereas the latter is typically well thought out and presented in a more easily understandable fashion.

We are in a period where cybersecurity is the number one concern of business leaders (not IT leaders, CIOs, IT Directors). 

Cybersecurity has been in the top 10 list for many years and has crept into the top 5 more recently. Having it jump to the number one spot is telling. The overall business landscape has changed. The growing universe of threats, and the ability of a single one to take down a business, has pushed dealing with them to the top of mind.

As a result, while scrutinizing IT operation spending should be an ongoing best practice for saving, the awareness and acknowledgment that the company may require additional spending in areas related to cybersecurity is very real. This is precisely where the IT decision-making process comes into the spotlight. Cybersecurity needs and their related solutions are complicated enough that even technology professionals find them difficult to discuss and agree upon. Correctly translating them into terms business leaders can understand is an increasingly monumental yet critical task for educated decision-making.

If I were to state to a CEO, "We need to implement a SIEM and SOC to meet the current compliance requirements," I would expect the CEO's eyes to roll back and either agree just to get me out of the office or push back and state, "In English, please."

IT leaders and professionals must address and solve this increasingly difficult puzzle. 

How does IT translate and articulate complex technology into business terms when it is difficult, even between IT professionals?  How can a business make an educated decision without it?

If IT has done well, the result should be the proverbial ‘duck on the water.’  On the surface (to the business employees and management), things are all quiet and calm, while under the water, technical professionals are paddling their hearts out to keep them productive and safe.
