"You want to spend $15,000 on what? Antivirus software?"

These words are the beginning of a conversation I had years ago with the Chief Financial Officer (CFO) of a midsized company for which I was a consultant. I was asking for a budget variance—an unplanned, out-of-cycle expense—to start a virus-management program. The company was overrun with viruses, particularly Microsoft Office macro viruses, such as W97M/Class.B, which informed the user that he or she "is a big stupid jerk" but did no real damage.

A Call to Arms
"Can't you just remove the viruses?" the CFO asked. The battle was on and the CFO had just launched the first shot across the bow. In many ways, his response was appropriate and predictable. Companies don't spend money on security because it's a good idea; they spend money on security because malicious intruders can and will damage physical and informational assets. Because the viruses plaguing the company were more nuisance than destructive, the CFO was unwilling to lay out a sizable chunk of money as a capital expense. He was being a conscientious CFO and I respected that, but I still wanted to start a virus-management program. The next few minutes would determine not only whether I would win this battle with the CFO but also would shape the ongoing war that the IT department had with him. Thankfully, I was prepared for the fight.

Behind-the-Scene Calculations
Before scheduling the meeting, I had queried the Help desk log and tabulated the number of virus-related incidents the two desktop support administrators had worked on during the past 12 months. Unfortunately, at that time the company didn't track how much time an administrator spent working on a problem or how long users' computers were down, so I had to estimate. After talking with systems administrators and a few users who had recently had viruses on their computers, I estimated that each incident took about 30 minutes of an administrator's time and totaled about 30 minutes of productivity loss for the user. Because the lack of a computer didn't cause a complete loss of productivity—users can still do other work or take breaks they would take anyway—I reduced the productivity loss by 50 percent. Because the organization had contracted IT services, I knew the exact administrator expense: $50 per hour. The cost of productivity loss was more difficult to gauge. For this value, I relied on the CFO's estimate of $24 per hour. Now I was able to calculate the cost of the company's existing virus-management strategy (i.e., the cost of virus removal) by using the following formula:

Cost of virus removal = (Number of incidents × .5 hours × $50) + (Number of incidents ×.25 hours × $24)

Thus each virus incident cost the company about $31. The company had recorded about 300 incidents during the previous 12 months, so viruses had cost the company about $9300 in 1 year.

Face-to-Face Discussion
"In the past 12 months, we spent nearly $10,000 cleaning viruses," I said confidently as I handed the CFO a packet of data that included graphs showing virus expense by month. He quickly responded, "Why do we want to spend $15,000 plus installation costs to fix a problem that we're spending only $10,000 to solve right now?"

Was I sunk? Not at all. The antivirus software doesn't expire after 1 year; the company could amortize the software purchase over 3 years. Thus, the cost of the software was actually $5,000 per year plus installation and management costs; the cost of viruses over that time would project to about $27,900. After I explained these figures to the CFO, he agreed to the budget variance, asking only that we meet 1 year from that date to review the cost-benefit analysis of the antivirus software. I won the battle, but what's more important, I won the CFO's respect.

The main reason I was able to secure the budget variance was because I was able to discuss IT in the language of the CFO (thank you Ohio State University Fisher College of Business). The CFO didn't care about the antivirus software or the security repercussions of viruses; he cared about the company's bottom line. Because I knew what information would be important to him, I didn't discuss the technology involved, only the financial effects of viruses and a cost-saving solution. If you find yourself in a similar situation, here are some tips that you can use to come out on the winning side:

  • Focus on solutions, not problems. Management has enough problems to address on a daily basis. Your position will be better received if you target the solution. In my conversation with the CFO, I never talked about the problem of viruses, only the cost-saving solution.
  • Know your audience. Knowing your audience means knowing their priorities and the language they'll use to discuss the problem. When you talk with executives, focus on accomplishing company initiatives, improving products or services, or creating measurable effects on the bottom line. The classic mistake that many IT pros make is to assume that technology exists for technology's sake. It doesn't—it exists to help accomplish business objectives. When you talk with executive management, orient your conversations to the business objective, not the technology.
  • Do your homework. Never go into a high-stakes meeting unprepared—you might not get a second chance. In my case, I was prepared to answer the CFO's questions before he was able to ask them. One technique that executives often use is depth sounding: They ask direct in-depth questions, not to hear the answer, but to hear how you answer. The confidence and completeness of your response is a strong indicator of the amount of research you've done and how thoroughly you understand the topic. For example, when the CFO asked, "Can't you just remove the viruses?" he wasn't asking whether we could do this or not, he wanted to know how much I had thought about various solutions to the problem.
  • Measure your work. Although easier said than done, measuring your work in IT is crucial to your effectiveness. I wouldn't have been able to make my argument to the CFO if the company didn't monitor the work that IT administrators do. I would have needed to build my business case for antivirus software on general principle.

Proving Your Point
Because I was able to determine the cost of viruses to the company during the previous year, I was able to measure the cost savings after the company deployed the antivirus software. If your cost-savings projections are accurate, which in this case they were, you have a solid argument for why you deserve a raise.