Selling the C-suite on preemptive IT investments

Opinion
Mar 12, 2024 | 5 min read
Budgeting | Business Continuity | Data and Information Security

Greater scrutiny on margins means earning the green light on preemptive projects that don’t produce immediate ROI, such as disaster recovery, a tough sell. Here’s how CIOs can make the case.


It’s common knowledge among CIOs that disaster recovery investments are always de-prioritized by company boards — until disaster strikes.

But disaster recovery is just one example of the important preemptive projects that CIOs want to fund but that get de-prioritized when it comes to budget approval.

Others include preparation for zero-day attacks, almost anything having to do with data stewardship, as well as IT training and social engineering audits.

Worse, when budgets tighten, such projects are all but forgotten at the board level, even though the underlying issues remain and are likely to compound with inattention.

And 2024 looks to be that kind of year, with John-David Lovelock, distinguished VP analyst, reporting that “IT spending will be driven by more traditional forces, such as profitability, labor, and dragged down by a continued wave of change fatigue.”

With greater scrutiny on margins and ROI, CIOs must spend wisely, making today’s economic environment a more difficult one for selling preemptive projects that don’t produce immediate ROI.

Despite these challenges, having an up-to-date disaster recovery plan that works and guaranteeing a robust network, security, and systems support framework for new business directions are foundational elements of IT that can’t be ignored — and should be funded.

So, how do you go about gaining support for projects that seem to offer so little in terms of tangible, immediate returns? There’s a trick to this, and it’s one that, ultimately, your organization will thank you for.

Here are three strategies for getting it done.

1. Invoke the what-if fear factor

Preemptive project funding and prioritization usually falls short because other, more pressing projects are pushed ahead on the grounds that the preemptive event is unlikely to happen. When this happens, corporate risk is heightened as preemptive projects get delayed, sometimes indefinitely.

CIOs can change this thinking by incorporating preemptive projects like disaster recovery into their corporate risk management strategies.

What if, for example, your company’s IT is brought down by a denial-of-service attack, or by a ransomware demand from a hacker asking for millions of dollars in payment before your systems are unlocked? Even if these events don’t occur, what kinds of premiums are you likely to pay your corporate and cyber-liability insurers when they read your latest audit reports and see you haven’t updated your disaster recovery plan or invested in hardening your network security for over two years?

The average cost of a data breach is $4.64 million, and in 2022, two out of three midsize companies experienced a ransomware attack, so disaster recovery and corporate security are serious matters.

Preemptive project investments most often needed in these areas are: updates to disaster recovery plans, and provisions for testing those plans to make sure they work; mechanisms for failover, whether to another data center or to a cloud; investments in security software, hardened systems, and zero-trust networks; and IT staff training and/or staff additions.

2. Bundle IT infrastructure needs with corporate strategies

If the corporate plan is to decentralize operations by bringing on remote manufacturing plants, or by moving more employees to remote home offices, it is likely to have an impact on IT.

Yet, when remote facility plans, such as employee home offices, are conceptualized, their ROIs focus mostly on savings due to the reduced square footage needed for leased office space. When plans for decentralized manufacturing are unveiled, the ROIs usually project reduced taxes/labor costs or reduced shipping costs because the new plants will be located proximate to raw materials needed for manufacturing.

What the ROI calculations tend to overlook are the increased costs associated with extending IT networks and systems to more edge locations — and ensuring that security is robust. When these additional costs appear, the original ROI prognosticators get unhappy.

CIOs can prevent this from happening by participating at very early stages in corporate decentralization plans so that the costs of additional IT enhancements can be baked into estimates before ROIs are calculated.

The IT enhancements likely to be needed include zero-trust networks and equipment, additional security and observability software, more bandwidth, and even SASE (secure access service edge).

3. Embrace metrics to emphasize the importance of training

Often the first category to fall on the budget battlefield, training for IT staff and end-users is an important investment — and one that is hard to recognize in terms of tangible results besides expenses. Yet without training, both IT and end-users are ill-equipped to move forward with new technologies that the company needs.

You can’t calculate ROI in customary ways when it comes to training — but you can raise awareness in the company about the risks of not having employees trained to do their jobs.

Important metrics to consider for training investments are employee retention, employee growth, and the costs of bringing in talent instead of growing it yourself internally.

In 2024, LinkedIn surveys show that half of all Americans want to change jobs. The cost of replacing an employee is running as high as six to nine months of that employee’s salary, not to mention the possibility of project delays or the adverse impact on employee morale.

CIOs need to point this out to the board, to the CEO, and to other C-level executives. In other words, how much business risk does your company run if it can’t find (or train) employees for the jobs it needs done?