Tom Pickett
Chief Financial Officer and Compliance Officer

IT Security & Spending: What is Your “Core” Focus?

2015 IT Budget

As a CFO I think the highest priority for IT in 2015 is security. As a corporate risk manager, I want to make sure that our company data and information is secure and protected. This is hugely important from a business operations and strategy perspective.

It’s also important because as companies leverage the Internet and cloud for engaging with their customers, they have greater access to their customers’ information. Breaches of security that allow unauthorized access to customer data can be incredibly debilitating to a company’s reputation and future business, and sets up a company for potential legal liability.

The question of security is being asked more and more by CEO’s and Boards of Directors. The high profile security breaches at companies like Sony, Walmart, and JP Morgan Chase have put security front and center as CEOs and Boards are asking if breaches could happen in their companies.

Beyond security, I think the next highest priority for IT organizations is to become more disciplined about managing companies’ technology infrastructure. In the past when the only real opportunity to implement technology solutions was at the enterprise level, CFO’s knew significant capital expenditures and operating expenses would be required, and they focused principally on making sure IT was minimizing both while delivering the enterprise solution. Now, with the increasing development of cloud-based solutions and the extensions of SaaS, the opportunities for implementing applications that require less upfront investment and infrastructure are expanding. This places a greater burden of discipline on IT organizations.

The focus today needs to be breaking up IT spending between “core” and “non-core” activities. By “core” I mean strategically significant activities. Because it’s often easy for people to find strategic significance to almost any activity, I like to take a simple approach and define core and non-core in this way:

  • Core activities: anything that, when done well, you are rewarded; when done poorly, no one notices
  • Non-core activities:  anything that, when done well, no one notices—BUT if you don’t do it well, you will be penalized. 

Take, for example, your network. If your network is up and running, no one notices but if your network goes down, everyone is up in arms – that’s non-core. It’s become so ubiquitous that it has become expected.

Compare that to a customer-facing portal that you and your customers use to engage in business that allows you to service them better and more effectively. If you have this tool and customers love it, you will be rewarded with better customer satisfaction, greater visibility in both your industry and the analyst community and, ideally, more customers and more revenue. If you don’t have this portal, no one really notices or cares (as long as your competitor doesn’t have it)—your customers will continue to do business with you the way they always have in the past.

So, the goal of IT should be to separate core activities from non-core and then outsource the non-core activities as much as possible to someone who views your non-core activities as their primary focus. As an example, why run your own network when you can outsource it to someone whose business is built around running networks for other companies? They will most likely do it better, and for less money than you can do yourself.

By moving the non-core activities out, IT capital expenditures and operating expenses should go down. Rather than take those savings to cash flow and earnings, why not reinvest those savings into core activities? Invest in the strategically relevant technology areas for the company without raising overall IT spending—or at least keeping IT spending growth modest and directly tied to the strategic success of the organization.

These are the opportunities and challenges facing IT organizations today: learning to be more strategically focused and moving away from the pure technology infrastructure delivery business. By making these transitions, the IT organization becomes a much more relevant contributor to strategic success.

Keep in mind that this cycle never ends; what is core today will be non-core tomorrow.

Share this article