IT's top budget busters

Guest post by Jerry Irvine

Many organizations overspend on IT today because they have no structured IT budget or IT strategic plan. While they may review potential purchases with their IT person annually for the upcoming year, they do not have refresh programs for existing systems, infrastructure devices or workstations, nor do they perform research and development of new technologies to determine how IT could help achieve business objectives, increase revenues or decrease overall costs. This lack of planning not only reduces IT's impact on corporate profitability, but it also causes companies to spend more on potentially incorrect hardware chosen at the last minute, as well as emergency delivery and implementation for these unplanned systems.

For companies that do budget for IT systems, infrastructure and resources, staying within that budget is very difficult and in many cases outside the CIO's control. The allure of new applications, devices and technologies is a major obstacle to CIOs remaining within budget. Over the course of the last 18 to 24 months, mobile technologies alone have thrown CIOs over the IT budget cliff. Owners and executive team members are frequently leading the demands for these new technologies. In the past, phones and mobile devices were separated from the IT budget. However, the convergence of technology and data has not only dumped the responsibility and costs of purchasing mobile devices into the CIO's court, but also given CIOs the responsibility of supporting those devices.

Supporting mobile devices has increased IT help desk resource requirements significantly. The average number of devices per user has increased from one (a workstation or laptop) to two or three (workstation, smartphone and tablet). Additionally, because users are now being allowed to bring their own devices, there are no standard devices or images, and maintaining multiple solutions requires more training and time. This increase in the number of devices and the lack of standard builds for these devices is a major cause for the CIO's increased resource costs.

That being stated, mobile devices are not the only technology throwing a wrench into the CIO budgeting process. Implementation of enterprise resource planning solutions, collaborative systems and development of executive dashboards across multiple disparate applications are major contributors to IT cost overruns. If an organization is lucky, these solutions may fulfill 70 to 80 percent of the business's requirements, but they do not meet 100 percent of the business's existing processes.

As a result, companies are often persuaded by anxious consulting companies to customize the application to perform all processes as they currently exist. These customizations can cause huge cost overruns during development, as well as in the future, since all future systems updates will require customization in order to be implemented into the customized environment. Nevertheless, most of these solutions can perform 100 percent of the business requirements without customization if minor business process modifications are implemented. As a result, companies should consider any modifications or customizations to packaged solutions carefully. Implementation of new technologies and applications should be business drivers in the development of new and more efficient business processes. Legacy business processes that are currently in place should not be eliminated from the review and change processes. Still, all projects, not just IT, need to be properly managed and both manual and automated processes should be open to new, more efficient and more productive solutions.

The most costly and frequently overlooked cause of IT cost overruns is the impact caused by systems outages, loss or corruption of data and other malicious activity. These risks often result in expensive downtime, increased resource costs, inflated hardware and software replacement and implementation costs, and potential litigation expenses. Major causes of these risks result from a lack of standard business process management. Implementation of applications and systems analysis, assessment, scanning and update solutions is required to mitigate the potential risks. Organizations should have detailed processes in place to automate and oversee core functions, such as OS and core application security patches and system updates, enterprise antivirus, and vulnerability scanning of all systems and infrastructure devices.

Additionally, standardized procedures and time frames should be maintained to perform detailed analysis and scanning of core applications, especially those that are developed in house and are publicly accessible. Many application coding vulnerabilities, such as SQL injection and cross-site scripting errors, can be detected with application scanners, reducing the potential for loss and its financial implications to the organization.

While resource costs and risks from technology are rising every day, proper planning and teamwork between the executive team and the IT department can ensure IT projects stay on budget and fulfill business objectives.

Jerry Irvine is CIO of Prescient Solutions (IT consultant) and a member of the National Cyber Security Task Force.