Editor’s Note: Zachary Lindeman, Manager of Information and Technology at Brooklyn based agency Work&Co, explains the various IT stages of companies defining their budgets. It was surprising for us to hear how “productized” you can see IT evolving along the business side of an organization. Thanks for sharing these insights Zachary!
Getting started with IT budgets - follow your responsibility
As an IT Manager, I have a lot of responsibility - I typically divide this responsibility into the following three categories which I’ll dive into more detail in a little bit:
- Seamless end-user experience - Allowing people to do their job efficiently without interruption
- Getting stuff done - Evaluating whether to buy a tool or hire another staff member versus how much manual work can you really do. The goal is to automate everything possible.
- Risk management - Pre-empting and avoiding things that could potentially go wrong
The interesting thing is that these categories are applied differently to companies when they are in different stages. This means application will differ for a 25 versus 250-person organization.
At this point, you might be thinking: Nice, but how does this piece of information help? That gets us to our next point:
To get IT budgets right, IT has to be business aligned
In order for an IT director to efficiently decide what to spend money on, he has to be an essential partner to the business - not just a “tech plumber” whom people call on demand.
For me, I like to understand the business roadmap over the next few years (or at least twelve months) in order to understand the plan. Will it be doubling headcount, getting large clients on board, open multiple new offices, or simply keep growing organically?
Based on this outlook as well as the current stage of the business, I will then plan the IT budget accordingly.
The different stages of companies that define IT budgets
We are just about getting to the juice here -- I view IT budgets as dependent on the headcount within an organization.
There are certain thresholds that you can align yourself on. Here is my rough model I’ve seen in the companies I worked at:
10 person organization
Pretty much considered a glorified “garage operation” - you have a whiteboard, a projector, maybe one wireless access point, a beefed up home fiber line and everyone using cloud based email - G-Suite or Office 365.
25 person organization
The business might be able to run from a coworking space instead of a garage, with double the previous setup. They might have their first firewall and probably start using a file sharing program.
They will have to be more professional when in a customer facing position i.e. a strong need for at least one professional looking conference room. Co-working spaces are excellent for this stage of a business - keeping costs low but still offering the professional environment to attract clients and get work done.
50 person organization
This is a serious business already. They have designated employee structure and don’t buy used Mac’s off Craigslist anymore.
Password sharing is under control, 2FA is introduced, and GoDaddy hosting doesn’t use any personal owner accounts anymore. Actual business assets are tracked and information is being shared in a more secure manner.
100 person organization
The incremental change here is real. These businesses have actual revenue, a solid web presence (including social media), executives and real company culture.
Uptime of the business becomes essential - with a 100 people organization and a $100k average annual salary, they’d lose $5000 for each hour of downtime -- all with zero return. Hiring someone for IT (vs outsourcing) becomes imminent. Future proofing the business with best practices becomes a strategy instead of an idea.
That gives the first clear indication of budget for uptime. IT managers should get the most they can for the budget and might switch from a Time Warner coax line to Pilot Fiber or Cogent. A primary ISP and a backup are necessity to deliver constant uptime. At this stage, an extra $500 per month is not that significant anymore. Risk budget is based on pre-empting potential attacks and business continuity instead.
250 person organization
Running IT here is a different ball game -- IT managers should install something like a Meraki Firewall, try to have everything cloud managed so they can keep your IT team running lean but have the ability to control everything remotely.
It is time to look at Single Sign On, and also at moving accounts to business / enterprise level. For SaaS applications like Box and Dropbox, G-Suite, more robust features are offered at enterprise level.
500 person organization
A 100% cloud solution for everything starts becoming expensive at this point of time, and hybrid deployments can be considered (because it can save costs in hosting some of the files, for example). This is when use-cases get more diverse and the best approaches for the same problem differ for different situations.
The reason that it’s time to look at on-premise vs hosted is because of cost. When looking at SaaS applications like Dropbox, they charge per-user @ around $12 a month. At that cost, 500 end-users can cost upwards of $80k a year for file sharing. This is why Dropbox is offering more tools like Dropbox Paper and Showcase - to keep the SaaS applications attractive at scale. A true cost-benefit analysis will have to be done for all facets of the technology toolkit.
At this stage it is also very important to start looking at best practices for security. A breach can cost a company upwards of a million dollars. Mitigating risk is much more cost effective.
You may be asking yourself why it is best practice to start with all cloud based technologies vs on premise. The reason is cost vs functionality. For a low cost you can build a website and get email running, which means getting a startup company off the ground can be done in a manner that will yield very low cost vs a high functionality of tools.
G-suite is the best example - for $5 per user per month, you get Mail, Drive, Hangouts, and Meet (Meet is one of the tools combines Hangouts and Chat into a fairly robust video / meeting / screen sharing system- it’s an amazing tool to get as an inclusion into an email system).
When the company only has five employees and a website, you can crank out awesome work and have less than $200 in monthly digital business overhead (cell phones excluded).
As a company scales to hundreds of employees - this digital overhead increases at the same rate - which is where is is time to start looking at the hybrid solutions. Servers can cost thousands of dollars, and you have to pay someone to set them up. Cloud based is always the best way to go at the beginning.
>1,000 person organization
This is a full-fledged enterprise. Every network event is logged. Facilities are locked down and a tight control is kept over who is coming in because IT managers certainly don’t want laptops to leave the premises randomly. Slack, Google Business and all other accounts are upgraded to Enterprise and there’s actually an IT team to rely on.
Security at the top level. At this level there is not only a need, but a requirement for a CTO and a CSO for technology. Information and company secrets must be safeguarded by physical and logical security.
Access control is necessary. If this is e-commerce, PCI compliance is an absolute must have. Policies must be in place. End-user training and education on best practices will help keep the business safe from a highly impactful data breach. Systems must be in place to collect logs and send alerts when something is out of the ordinary. Risk mitigation is a daily task.
The business impact of IT
IT can often become a valuable business enabler when it’s done right. A few examples:
- You could win a few larger projects if you update your security. Let’s say you are on the lower end of a 1-10 scale for security, and implementing a 2FA of secure file sharing will bring up to a 6. How much would this cost you? And what is the potential revenue of the new projects you might be able to win by having the security measures in place? Essentially, it is a cost-benefit-analysis of implementing security measures.
- Running a TCO (Total Cost of Ownership) analysis on implementing SSO versus hiring an additional person on the IT team can yield a valuable output for business decisions - especially answering the question if you should invest in buying new tools or investing in new headcount.
- You should also look at how much work you or your IT team can realistically handle. If you run into the danger of losing track and having no documentation because there are too many moving parts, you might lose trust. Hence, you will need to be prepared for what you have planned in the pipeline - be it growth, expansion, or just daily maintenance.
The different faces of IT
IT comes in various forms- as tools, on-demand vendors, or as in-house staff:
To grow your organization without adding headcount, you need to invest in the tools that propel your organization to the next level. This is how tools normally work -- those which are really easy to implement and highly secure are typically expensive.
If you would like to reduce costs without compromising security, you could build the tools yourself. As painful as this sounds, this could also create new business opportunities. Amazon did exactly so by building their own server infrastructure, and then leasing it out becoming one of the world’s most popular cloud hosting services.
Imagine this on smaller, much more niche scale - maybe you have a specialized file sharing service that gives your agency a competitive edge or you implement blockchain encryption that gets you some pioneer press. Whatever it is, there might be an additional benefit to it - something built in-house could be marketed and sold.
These are super important in case of an emergency. When the network is down at a remote office, you will need boots on the ground to help solve the problems quickly. There is a need for someone you can call in case of an emergency, usually compensated by a time + materials agreement.
Once there is a solid setup and the organization starts scaling there is a need to start building out the IT team -- but make sure you are not scaling the operational overhead. There should be a nice balance of about 150 end users per IT head. That scale can slide based on remote tools and geographical location of the offices.
A SaaS budget case study
Now every month or so, someone in your organization leaves and you might remember to turn off 90% of all access rights they had -- that means they still would have access to the remaining 10%.
The question to ask now would be “How often would I self-audit this setup to detect the remaining 10%?” In a perfect world of IT - where the internet never goes down and there are no “fires” to extinguish, these audits can happen regularly. But, the answer might be that this might cost you too much time so it’s always put off.
Here’s the argument for SSO: At the click of one button, you know you are 100% compliant because you can be sure the person doesn’t have access to any service any longer and that 10% human error is gone.
If that service cost something like $7/user/month in a 100 people organization that would be $700 x 12 for one year. Can we afford the fees to prevent a data leak? In a 100 person organization, certainly yes.
However there is something that people call “sticker shock” where you are a smaller company with lower revenue, and you might be shocked by what the prices are out there for some of the tools, because either you don’t have the problem yet or you didn’t assess it correctly.
Hence the case for a tool like SSO - it really depends on which stage a business is at.
This is a really simplified overview of how I think of IT budgets, but I hope it helps to assess your situation and give some sort of direction.
Phone-based systems are not just a small-business solution. CEO of Kisi, Bernhard Mehl, comments: “If you see the average of three doors connected then that might seem low but, in reality, one door relates to around 50 employees—so those are locations with about 150 people on average, including satellite offices. That’s quite significant.”
Mobile Access Control Adoption by Industry
Kisi examined which industries are investing the most in mobile access control technology. To do so, the average size of mobile access control installation projects by industry were measured. Commercial real estate topped the list with 23.5 doors running mobile access per facility. Education management came in last with 1.0 door running mobile access per facility.
The number of shooting incidents at K-12 schools, according to the CHDS, reached an all-time high at 97 incidents in 2018—compared to 44 in 2017. Cloud-based access control companies, like Kisi, offer a lockdown feature for active shooter situations or emergencies, making it an effective protective layer for places that are targeted, such as religious institutions, which come in near the top of the list with 4.0 doors running mobile access per facility.
Based on industry size, it makes sense that commercial real estate tops the list, with 23.5 doors running mobile access per facility. Cloud-based access control enables these larger organizations to scale more seamlessly and allows large organizations, like telecommunications, to deploy the most manageable IT solutions available, eliminating the need to create and manage a business’s own IT infrastructure over time.
“Commercial real estate is, of course, the driver of mobile adoption since they have the largest buildings,” Mehl adds. “The key here is to show that mobile-first technologies are not a risk but an innovation that brings positive ROI and allows agencies to reposition their buildings as forward-thinking establishments.”
The scalabelilty and ease of use in onboarding an organization allows many different types of industries and businesses of different sizes to adapt a cloud-based access control system, either using keycard or mobile credentials for access.
Mobile Access Control by State
Looking specifically at the United States, Kisi analyzed in which states companies are investing the most into upgrading to smartphone-enabled access systems. Of the currently installed base of access control readers, around 20 percent will be mobile capable by 2022, according to a recent IHS report. Cloud-based systems, like Kisi, are future-proof—allowing over-the-air updates in real time and unlimited scalability for users.
“Mobile unlock technology makes you think of the major tech hubs like New York, San Francisco or Los Angeles,” Mehl adds. “Looking at which states have the largest projects, it’s surprising and refreshing that those are not the typical ‘tech cities, and yet that’s where access control technology really makes an impact.” The fact that the largest projects are seen in states outside of the typical tech startup landscape is evidence that mobile access control is highly applicable across industry sectors.
For further questions about this study, reach out to Kait Hobson (firstname.lastname@example.org)