The Cost Center Illogic of IT and Infosec

Published by Ryan Miller on

For decades IT and InfoSec have been looked upon as money suckers as a result of the poor understanding of their value and the true role they play in creating revenue.

The idea of removing IT and InfoSec from a cost center view has stirred up strong emotion on Twitter. I posited the question: since IT and InfoSec have become the core of business operations, should they be considered a cost center? People replied in agreement that it’s time to move at least IT from the cost center classification to some other term that isn’t in the lexicon of accountants, because the definition of cost center doesn’t reflect reality.

Other people responded with accusations that I have an IT/InfoSec world-centric view, which is patently false. I never made my view about IT or InfoSec being greater than another department, such as sales, where you get into the “chicken or the egg” logical circle. You can’t deny that technology and the information systems that support technology are intrinsic to everyday life.

According to the Accounting Coach, the definition of a profit center “is a subunit of a company that is responsible for revenues and costs,” and the definition of a cost center “is a subunit of a company that is responsible only for its costs.” My view is that IT drives sales beyond what would be possible without IT. InfoSec isn’t as cut and dried as IT because of the different purpose it serves.

Cost recovery for InfoSec (some say there is no cost recovery) becomes obvious when your company is experiencing downtime due to virus infections, ransomware, and the nightmare of information disclosure (accidental or purposeful), because it’s money walking out of the front door.

The cost center mentality has harmed IT since its inception, but more so InfoSec over the last eight or nine years as evidenced by the size and volume of breaches and information disclosures. I have seen legitimate projects rejected or shelved that would have benefitted the company had it not been for the “no cost recovery” context that comes with being classified as a cost center.

There are a myriad of studies showing that IT has propelled developing nations’ GDP.

Here’s a handy list.

https://www.tandfonline.com/doi/abs/10.1080/10438590600661889

https://apcss.org/Publications/Edited%20Volumes/BytesAndBullets/CH3.pdf

https://royalsociety.org/~/media/about-us/international/g-science-statements/2017-may-3-new-economic-growth.pdf?la=en-GB

https://journals.plos.org/plosone/article?id=10.1371/journal.pone.0048903

Microsoft has an IT Business Value Blog, and in an article from 2009, they explain that “There seems to be a steady stream of books published on the role of Information Technology within the business it supports. The role of IT is constantly evolving and has changed significantly from the days when the IT organization was often referred to as ‘data processing.’ Today, in many industries, IT enables some businesses to differentiate themselves from their competitors. Those companies that leverage IT for competitive advantage often differ from their competitors in two ways with respect to their IT organizations: they view IT as a strategic business enabler instead of as a cost center, and they work to maximize the efficiency of their IT operations so that they can focus their resources on providing value to the business and respond to today’s environment of rapidly changing business conditions.”

There is a mountain of evidence showing that how I and others view IT and InfoSec should be considered not opinion but fact. Unfortunately, many are still beholden to the archaic cost center mentality because they can’t see past what they’ve been taught.


Ryan Miller

A husband, a father of 3, my daughter's sounding board, writes on all topics of cybersecurity, an expert at dad humor, a security engineer, an analyst, a network administrator, and Desktop Support Tier I-III.