August 20, 2025 | 17:30
Reading-Time: ca. 5 Min

How to measure IT Success?

A typical crisis meeting scenario: the management and myself, as an external consultant or information security officer, sitting in a conference room:

Our processes are being slowed down by too many security requirements.

Employees are complaining.

‘Your’ IT security is becoming a risk to our business.

Such statements mark an important turning point for IT in small and medium-sized enterprises. They reflect concerns about change and loss of control.

Where collaboration used to be shaped by proximity and hierarchy, successful companies today rely on teamwork, clear processes, modern management tools, and automation. A few examples:

  • Manual tasks are turned into scripts and stored in Git(Ops) repositories.[1]
  • Work is no longer done “on demand” but through clearly documented tickets, linked to assets.[2]
  • Static Excel sheets are replaced by dynamic management tools that can be accessed by business intelligence[3] applications such as Metabase.[4]
  • External partners and suppliers are managed through access management systems.[5]
  • Know-how is documented in a company-wide wiki or knowledge management system.[6]
  • Mobile devices are centrally managed by an MDM.[7]

The Elephant in the Room

How should one respond to such criticism? There is no universal solution. Every company is different. Sometimes, taking a clear stance also means that paths must diverge.

IT strategies require both flexibility where it makes sense and consistency where basic requirements are concerned. Anyone without backbone in such discussions, who cannot distinguish between compromise and necessity, will fail in the long run.

The key questions are:

  • Is there a genuine willingness to work in a modern, transparent, and team-understandable way?
  • How can successfully operated IT be measured, or even communicated?

Calculating the Real Cost of Downtime

The answer is surprisingly simple and can be found in any accounting system. Factors include:

  • Wages and salaries
  • Insurance, taxes, and recurring payments
  • Rent, leases, and financing for buildings, machines, vehicles
  • Ongoing contracts for electricity, gas, water, communication
  • Maintenance, license, and service contracts
  • Membership fees or other obligations

We are not talking about hard-to-calculate factors like reputational damage or loss of revenue. This is about concrete figures: fixed costs incurred every day, regardless of whether the company can work productively or not.

Even with a medium two-digit staff size, the fixed costs quickly sum up to tens of thousands of Euros per day. For companies with a low three-digit employee count on their payroll, we are somewhere in the six-digit figures per working day.

At this point, discussions about risk minimization[8] and IT security gain a very tangible perspective. For example, the cost of adding an extra node in a high-availability cluster may represent only a few percent of the potential damage caused by an outage. The same applies when the question arises whether two-factor authentication is “too complicated” and “slows down work.”

A Shift in Perspective

From this point on, it becomes clear that every hour of downtime leads to measurable losses. The most important metric for IT success is therefore not efficiency, but security and stability.

Anyone who views IT solely through a business lens, or merely as a service provider, will always see security as an obstacle. This leads to misguided priorities, incentive structures, and KPIs in practice.

Understanding IT Monitoring Strategically

Every IT monitoring system (personally, I prefer the open-source software Zabbix[9]) can deliver the key operational metric: availability.

A value on a scale where the difference between 98%, 99%, and 99.99% may seem small at first glance, yet in reality it can determine the very survival of a company.

Ironically, people with a business background often don’t trust the math, and I end up explaining that 98% availability means about 1.5 working days of downtime per month.

If I followed the Pareto principle[10] and were satisfied with just 80%, that would mean accepting up to six days of downtime per month. No company in the world should run its IT that way.
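As an added example (not code from the post), the following Python turns a monitoring availability figure into the downtime hours, lost working days and fixed-cost loss the argument above rests on, and models the extra-HA-node comparison from the cost section. The sample check results, the 30-day month, the 8-hour working day and all cost figures are constructed assumptions.

```python
# Added example, not from the post: availability -> downtime -> fixed-cost loss.
# Constructed assumptions: a 30-day month (720 h), an 8-hour working day, the
# sample format (one "up"/"down" result per hourly check, loosely modelled on
# a monitoring export) and all cost figures.
HOURS_PER_MONTH = 30 * 24
WORKING_HOURS_PER_DAY = 8

# Constructed: 720 hourly checks, 15 of them failed.
SAMPLES = ["up"] * 705 + ["down"] * 15


def availability(samples):
    """Fraction of checks that reported 'up'; rejects an empty export."""
    if not samples:
        raise ValueError("no monitoring samples")
    return sum(1 for s in samples if s == "up") / len(samples)


def downtime_hours(avail, hours=HOURS_PER_MONTH):
    """Unavailable hours per month at a given availability (0.0-1.0)."""
    if not 0.0 <= avail <= 1.0:
        raise ValueError("availability must be between 0 and 1")
    return (1.0 - avail) * hours


def downtime_cost(avail, fixed_cost_per_day, hours=HOURS_PER_MONTH):
    """Fixed costs (wages, rent, contracts) burned while nothing is produced.
    They accrue per calendar day, so prorate the daily figure per hour."""
    return downtime_hours(avail, hours) / 24 * fixed_cost_per_day


def mitigation_ratio(mitigation_cost, outage_days, fixed_cost_per_day):
    """A safeguard's cost (e.g. an extra HA node) as a share of one outage's
    fixed-cost loss; the post argues this usually lands at a few percent."""
    return mitigation_cost / (outage_days * fixed_cost_per_day)


def report(samples, fixed_cost_per_day):
    """Summarise one month of checks: availability, hours, working days, loss."""
    a = availability(samples)
    h = downtime_hours(a)
    return {"availability": a, "hours": h,
            "working_days": h / WORKING_HOURS_PER_DAY,
            "cost": downtime_cost(a, fixed_cost_per_day)}


if __name__ == "__main__":
    r = report(SAMPLES, 40_000)  # constructed: 40,000 EUR fixed costs per day
    print(f"{r['availability']:.2%} available, {r['hours']:.1f} h down, "
          f"{r['working_days']:.2f} working days, {r['cost']:,.0f} EUR lost")
```

With the constructed 40,000 EUR per day, 98% availability (14.4 h) already costs roughly 24,000 EUR a month in unproductive fixed costs, and 80% (144 h) ten times that.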

In fact, several companies in Germany are “switched off” by ransomware every single day.[11] According to Bitkom, the annual damage to the overall economy amounts to 289 billion Euros.[12] And this happens despite extensive controlling and executive dashboards showing that everything is fine.

It’s quite like the R.M.S. Titanic: once declared unsinkable, everything was in the green until just before the disaster. A radioed iceberg warning from the nearby Californian was ignored; greeting messages were given higher priority.[13] The ship steamed ahead at full speed into the night, effectively blind. The trajectory of failure in typical cyber incidents is frighteningly similar.[14]

Conclusion

IT is sustainably successful when it is operated properly and measured against actual downtime costs, in addition, of course, to security posture, user trust and resilience. When machines run without interruption, customers experience no delays and invoices can be paid on time.[15]

As a consultant and especially as an information security officer (CISO), my job is to clearly identify risks and ask critical questions. Not to block decisions or complicate processes, but to make consequences visible and to mitigate problems.

This may be uncomfortable and requires the strength to draw clear lines and to say “No” sometimes.

Yours,
Tomas Jakobs

© 2025 Tomas Jakobs - Imprint and Legal Notice
