IT Pro Panel: The Battle of the Budgets
Wrestling with spreadsheets is rarely fun - but how can CIOs make the best of their budgets?
It probably comes as no surprise that when asked about their favourite part of the job, very few senior IT leaders mention budgets. It’s easy to see why; on top of being somewhat dull and time-consuming, a lack of budget and investment is one of the most common complaints from CIO, CTOs and CISOs.
IT professionals are often forced to make do with fewer resources than they would like, stretching those resources to cover multiple competing business priorities and objectives. In this month’s IT Pro Panel, we asked our expert panellists how they managed their budgets, what types of spending they prioritise, how they make sure they’re using their resources efficiently and what happens when the money runs out.
Where does all the money go?
The first thing to consider when looking at budgets is where all of that money actually goes and unsurprisingly, the answer is different for different organisations. For Ian Thornton-Trump, CompTIA global faculty member and former European head of cyber security for AmTrust International, there’s rarely much money devoted to exploring new projects and the vast majority tends to go towards existing costs such as staffing.
“70% of your spend is on people and probably 20% is on renewals of your existing security controls, and/or annual expenses like pentest or audits. So you maybe have 10% of your total budget to ‘try new things’,” he explains. “Otherwise you need to be really good at using other people’s budget to get them to bake in some cyber security; I once built an entire data centre by using other parts of the company’s budget.”
William Hill group CISO Killian Faughnan, by contrast, spends the majority of his budget on tooling rather than staff. He notes, however, that he always finds it easier to obtain additional investment for new tooling than for new staff. This is an experience shared by Chris Stanley, IT manager for ICC Wales.
“I agree with Killian,” he says, “headcount seems a lot harder to get signed off over projects which are initially a lot more costly. Maybe it’s because hardware can be written off over a period of time, whereas personnel would cost more year on year thanks to wage inflation, tax and pension contributions.”
If you need extra staff resources but have maxed out your budget, Thornton-Trump’s advice is to work with other business units to find enough money for a contractor. Once you have a great contractor who can demonstrate the benefits of having someone to perform the role in question, he says, it’s easier to convince senior staff to authorise hiring a full-time employee.
“One difficulty I have is weighing up whether it’s better to invest in a new system that you know will have a positive effect on your business versus taking on additional staff members,” Stanley says. “There is so much technology in companies’ portfolios today, and it can be enhanced by employing staff to be more focused on maintenance and optimisation of the current systems.”
Regardless of whether budgets are weighted towards tools or people, when the two come together they bring another inevitable cost in the form of training. This is something that Thornton-Trump says he has seen multiple businesses caught off-guard by, particularly while undertaking projects with new technologies at the behest of business leaders. As he puts it, “no budget survives digital transformation”.
Cloud migration is a key example, and he points out that IT is often asked to make it happen with no budget for training or tools to do so. When these projects stall out or rack up unexpected costs to complete, he says, IT ends up getting the blame.
“It seems because cloud is ‘new-ish’, no one really knows the cost of migration, cost of operating and the costs of IT and security tooling.”
“I understand, Ian,” Stanley agrees. “The budget is agreed but ongoing training and improvement budget for these systems and projects can be harder to get signed off. It’s very frustrating when other business departments are making demands that we cannot support quickly enough.”
“Yes,” Thornton-Trump adds, “like when the proper investment has not been made and you’re trying to make an ancient system compatible with, say, an audit finding that service accounts must be 16 characters in length. Meanwhile, the application generates millions of dollars in revenue, the disaster recovery plan for it is ‘find parts on Ebay’ and the OS can't support a 16 character password.”
“I have taken the approach over the last few years to focus on automation and more convergence of systems where possible,” Stanley goes on. “I now find I have some fantastic technology but keeping up with continuous improvement is the challenge,” he says. “The sheer amount of software and updates means lots more training to keep staff on their A-game in supporting these applications, which again comes back to budget - and IT training isn't cheap!”
Stanley attempts to square this circle by asking vendors to include training as part of the cost of major contracts, but training isn’t something that Faughnan generally includes in his own budgets, saying that he’s “always found this as a central cost borne by HR (though usually with some extra around the edges when needed)”.
The place where budgeting gets a little more stressful, he says, is when the semi-elastic costs of cloud infrastructure start coming into play.
“The actual budgeting itself isn't an issue in general, though as Ian pointed out it gets less predictable once you start adding in cloud infrastructure - in particular, things that need dynamic scaling. There are options to help manage these better, but this does mean that you need to budget for a tool to help manage and predict your cloud budget.”
Splurging and saving
Faughnan’s heavy use of cloud technology involves more financial considerations than simply elastic costs though, and he raises the point that reporting can get tricky when you’re working with the rest of the business via shared reporting systems – particularly given that running systems in different regions can involve working with different tax structures.
This raises the question of whether budgets should be weighted towards CapEx or OpEx, and there are arguments for both. CapEx-based models reduce the unpredictability of flexible cloud costs, but are also more rigid and rely on large investments which are then written off over the next several years. OpEx approaches, on the other hand, favour subscription-style payment plans due to the increased agility they offer.
“In terms of budget split, I tend to run OpEx-heavy budgets,” Faughnan says. “I've some CapEx but between the high percentage of our activities that are focused on maintaining 'business as usual' and the fact that SaaS spend is OpEx spend, I'm almost entirely OpEx now.”
Stanley, meanwhile, has only recently started shifting towards an OpEx model. He says that since adopting SaaS products like Office 365, the business has become a lot more open to OpEx. This kind of shift in attitudes can be incredibly helpful for IT teams; as he points out, the technical literacy of the board can play a huge role in getting projects signed off.
“If it's a system where there are obvious savings or profits from day one then these can be given the go-ahead at any stage of the year. It’s always difficult to get IT projects in when the people deciding the budget don't fully understand the technology, but that's where we have to be able to interpret for them.”
“I've never found it particularly difficult to get additional budget where needed,” Faughnan adds, “but I do have a tendency to bear down on getting the most out of what I've got before moving on to the next thing – which is something appreciated by most CFOs.”
Thornton-Trump, however, warns that there’s a “huge risk” of “crazy executives” throwing unexpected curveballs along the way, noting “those companies that are divesting or acquiring are a nightmare for security”.
These scenarios can be challenging, but the most difficult position for a CIO to be in when it comes to budgets is what happens when they get cut. Financial struggles can affect all but the luckiest organisations, and at some point, you’ll be forced to cut costs.
Faughnan says that the best way to reduce outgoings is to be tougher on price during contract renegotiations with vendors, as well as app consolidation. “Most businesses have more than one app that deliver broadly the same service,” he says.
Stanley finds that while the IT department usually isn’t the first in the firing line when it comes to redundancies, staff are more likely to be let go of than systems or applications, as the business is still “heavily dependent” on them. In these cases, he says, it’s a case of keeping both yourself and your team positive about the situation.
“If you're highly digital in terms of not just business support but also product development, it means you'll be carrying an awful lot more than heads in tech and any sufficiently large division will end up with at least some suboptimal distribution of resources,” Faughnan argues. “It's just a natural consequence of scale. Over time, things move from a planned to organic operating model, which after a time needs realignment, which usually involves a review of the organisation, which could end in a reorganisation, reductions or increases.”
Budgets might not be anyone’s favourite part of the job but at worst, they’re a necessary evil – and as Stanley says, they can even be kind of fun.
“It doesn't help the stress levels, that's for sure – but it can be exciting from the angle that you can see some projects that would make a massive difference to your business getting some momentum.”
If you're an IT leader who wants to join the IT Pro Panel, please email firstname.lastname@example.org.
How virtual desktop infrastructure enables digital transformation
Challenges and benefits of VDIFree download
The Okta digital trust index
Exploring the human edge of trustFree download
Optimising workload placement in your hybrid cloud
Deliver increased IT agility with the cloudFree Download
Modernise endpoint protection and leave your legacy challenges behind
The risk of keeping your legacy endpoint security toolsDownload now