Why Does 'IT' Cost So Much?

The dramatic increase in IT directly correlates to the increase in the money spent on IT. Costs have skyrocketed, and CIOs charged with IT strategy and management are becoming concerned. CIO magazine, a publication for top IT professionals, reported in a December 2002 survey of CIOs that 67 percent of CIOs named decreasing IT costs as their No. 1 business priority.

The Maintenance Madness
To understand the rising costs, you must understand how IT budgets are spent. In general, IT budgets today range from 1 to 10 percent of a corporation's overall revenue. Top IT experts conclude that 78 percent of an IT budget is spent just managing existing system and software infrastructures. In 2001, Gartner Group, a global analyst firm tracking the high-tech market, published a report that summarized the typical IT budget (see Figure 1).



Figure 1: How much of your IT budget goes to maintenance?


This is bad news for any company looking to reduce IT costs. The fact that 78 percent of your IT budget is spent maintaining existing systems means less money for IT innovation and for alignment with business processes. It means that psychologically, IT managers have more of a stake in keeping current systems running, rather than looking for better ways to manage technology. Table 1 shows the scenario for eight large companies, assuming they spend 1 percent of total revenue on IT and that 78 percent of that budget is spent managing existing software.



Table 1: Estimated dollar-figure scenarios for IT maintenance, assuming companies spend 1 percent of revenue on IT, 78 percent of which goes to maintaining existing systems.


The dollar figures are huge. Even estimating conservatively, the cost to these eight companies for managing their existing computing infrastructure tops US$1 billion per year.

In the face of reduced or flat IT budgets and the need to cut costs, there are few resources available to do anything new or strategic. If the lack of ability to innovate continues, IT is in danger of being relegated once again to the backroom where computer systems first emerged.

Why is it so expensive to maintain existing systems? And how much should it cost? According to Gartner Group, "Customers can spend as much as four times the cost of their software license per year to own and manage their applications." Consider the implications of this statement. Assume you purchase software for US$500,000.

At four times the purchase price, the cost to operate will be US$2 million per year. Over five years, that's US$10 million. So the company is not making a US$500,000 decision, it's really a US$10.5 million decision.

Why are the costs so astronomical? Amy Mizoras, a leading analyst at International Data Corporation (IDC), cites five major areas that cost companies millions of dollars annually. "CIOs and their departments really focus on five key aspects to the management and maintenance of their computer and software systems: availability, security, performance, problem management, and change management."

Availability
Understanding the hidden costs behind these numbers helps reveal the problems CIOs and their departments face. While the cost of availability management may be high, the cost of not managing availability may be higher.

A highly visible example took place in June 1999 when shares of eBay plunged 30 percent in the wake of a site crash that cost the online auction house millions of dollars. The company revealed that a nearly 24-hour crash of its auction site was expected to reduce sales by 10 percent in the second quarter of that year.

This is not an isolated event. During the Thanksgiving holiday weekend of 2000, Amazon.com suffered a series of outages. Investment firm Thomas Weisel Partners estimated that one 20-minute outage deleted roughly 20,000 product orders and US$500,000 in revenue. While many companies may not be as dependent on IT as Amazon and eBay, the cost of an outage ranges between US$100 and US$10,000 per minute of downtime.

Security
But protecting against physical disasters is not the only area of expense. The cost of ensuring a secure system has received increased visibility in the wake of the Melissa, Blaster, and Sobig.F viruses and worms. The cost to companies of these viruses is estimated in the billions.

While the cost of not paying attention to security is high, the cost of managing security can seem daunting. A team at Los Alamos laboratory estimated that for their 11,000 desktop systems, if they had to make a single security patch per month, it would require 87 people working full time, at an average of 19 updates per person per day.

Performance
Security management clearly gets the front-page headlines, but there is also a significant cost to managing application performance. Consider the simple issue of managing disk performance. IDC estimates that corporations lose as much as US$50 billion per year as a result of not defragmenting every server and workstation on the network. Perhaps disk performance isn't being managed because the cost of doing it is so high.

IDC estimated the annual cost per machine to run the manual disk defragmentation utility at approximately US$2,080 (52 weeks x 1 hour per week x US$40 per hour). For a network with 25 servers and 5,000 workstations, the annual cost would be US$10 million, and that is assuming the company had the extra 250,000+ person-hours needed to do the job.

Problem and Change Management
Another area where the cost of software can skyrocket beyond the cost of purchase is in change management. In a March 2002 Serverworld magazine article, Gartner Group estimated the cost of migrating from Microsoft Windows 9x to Windows 2000 Professional at US$2,015 and US$3,191 per desktop—dwarfing the US$257 per-seat license. But the cost of change is not limited to the desktop.

A major ERP upgrade will run about 18 percent of the original installation cost, according to an AMR Research survey of 109 companies in January 2002. For companies with 500 users, the average cost was more than US$500,000, or about US$1,000 per user. For companies with 2,000 users, the cost was US$1.2 million, or about US$595 per user. For large companies with more than 8,400 users, the total came to US$2.6 million, or US$300 per user. If that was the cost two years ago, what is your cost today?

Whether it's database software, e-mail, financial applications, or home-grown or packaged applications, it's expensive to keep your software running.

More Than Money on the Table
Clearly, your IT strategy can't just be about cutting costs, regardless of how astronomical they may seem. It's also about increasing effectiveness. Your strategic software systems are a valuable asset for the corporation and must be managed as such. But how do you know you're managing a system well? How do you know you're making effective use of the money you're spending?

Achieving effectiveness across all five key areas of IT management is a huge task; assessing management effectiveness is an even greater one. The United States Department of Defense (DoD) had such a challenge in the 1980s. As the DoD was increasingly both purchasing software and having software built under contract, it had to find a way to assess the quality of the software and ensure that the software was delivered on time and under budget.

In 1984, the DoD awarded the contract for the Software Engineering Institute (SEI) to Carnegie Mellon University, in Pittsburgh, Pennsylvania. By 1987, the SEI published the first Capability Maturity Model (CMM) for software. This was later expanded in Watts Humphrey's book, Managing the Software Process.

The fundamental underpinning of the CMM was that if the software organization could gain control of the key development processes, then high-quality software would be produced efficiently. Furthermore, these key software development processes could be characterized by the maturity of implementation.

The processes fell into five maturity levels: Initial, Repeatable, Defined, Managed, and Optimized. Although the definitions below are specific to software development, it's clear you can apply them to other areas of business as well.

1. Initial. The software development process is characterized as ad hoc, and even chaotic. Few processes are defined, and success depends on individual effort.

2. Repeatable. Basic software development management processes are established to track costs, schedules, and functionality. The necessary process discipline is in place to repeat earlier successes on projects with similar applications.

3. Defined. The software development process for management and engineering activities is documented, standardized, and integrated into a standard software process for the organization. All projects use an approved, tailored version of the organization's standard software process for developing and maintaining software.

4. Managed. Detailed measures of the software development process and product quality are collected. Both the software process and products are quantitatively understood and controlled.

5. Optimized. Continuous development process improvement is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies.

Predictability, effectiveness, and control of an organization's processes improve as the organization moves up these five levels.

Operational Capability Maturity Model: Key Management Processes
But what happens once the software is in the field? It's critical at that point to manage the cost, quality, and effectiveness of operating the software. Leveraging the lessons from the CMM, Oracle has developed an Operational Capability Maturity Model to focus on the key software operations processes: management of availability, security, performance, problems, and change.

Based on experience we've gained managing hundreds of software systems, we've identified a set of key management processes that any organization can apply to its IT management.

Availability Management. The purpose of 24/7 Availability Management is to ensure continuous availability of applications, database, systems, and hardware. Whether you have a small or a large global business, you must have systems that are available 24/7.

Disaster Management. Disaster Management ensures that there is a process from disaster to recovery in a predictable time.

Security Patch Management. This process guarantees that when a security patch is available from a vendor, it is applied to the production systems in a known period of time.

Audit Management. Audit Management ensures an audit is performed at least once a year. Audits can be specialized or may adhere to standards such as the SAS70, (Statement on Auditing Standards No. 70) an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants

Capacity Management. This is the process of making sure there are adequate hardware and software resources to deliver a specified level of application performance.

Resource Management. Resource Management ensures there is a process for adding and shedding infrastructure (people and computers) as load increases and decreases.

Update Management. This is the process of ensuring your software is updated at least once a year.

Production Assessment. This process determines whether changes have degraded the performance, availability, or security of production systems.

Escalation Management. Escalation Management ensures there is a process from problem definition to resolution.

Proactive Problem Management. With Proactive Problem Management, you establish a process to take high-priority fixes from the software company and apply them in a predictable amount of time.

Establishing the process is critical, but just as important is the maturity of the process. Is it an ad hoc process, meaning that if your system administrator or DBA comes into the office the process works, but if they're out that day, who knows? Is it a defined process, meaning that it is documented?

Is it repeatable, meaning you are using this process 10 to 100 times per year? Is it optimized? Are you using data to change and improve the process? And finally, is it automated? Ultimately, any repetitive process can be automated—that's the key to higher quality and lower cost. Use the "Key Management Process" checklist (Figure 2) below to find out where you stand.



Figure 2: How mature are the management processes in your enterprise? Check off the appropriate column in each row to find out where you stand.


The challenge is clear. IT costs are large and dominated by the cost of managing the existing software systems. The costs can be broken down around ensuring the availability, security, performance, and problem and change management of complex software systems. Cutting costs is easy, but the key is increasing the effectiveness of the delivery of service.

Core Versus Context
The challenge facing the IT organization, which is the same problem facing the entire corporation, is that too much time is being spent on tasks that are context, too little on tasks that are core. The task is core when its outcome directly affects the competitive advantage of a company. For core activities, the goal is to differentiate as much as possible and to assign the best resources to that challenge.

The goal for context tasks is to execute them as effectively and efficiently in as standardized a way as possible. This is the central theme of Geoff Moore's book Living on the Fault Line. He writes, "Differentiating on context is the single biggest waste of resources in Fortune 500 operations." Some companies understand the difference, Moore continues: "For Chuck E. Cheese, the actual pizza is context, for Round Table, it is core." Moore argues that a deeper emphasis on core versus context has emerged as the key distinction in allocating resources to improve shareholder value.

But the core-versus-context argument goes even further. Managers know that while we might try to "do it all," in the end, dealing with the issues brought up by managing context always influences our focus on the core. "Stick to your knitting" might be a simple timeworn phrase, but it is no less important today as we head into global markets, where differentiation on value is the key competitive advantage.