You know what you need. Now convince the money handlers.

"You want to spend \$15,000 on what? Antivirus software?"

These words are the beginning of a conversation I had years ago with the Chief Financial Officer (CFO) of a midsized company for which I was a consultant. I was asking for a budget variance—an unplanned, out-of-cycle expense—to start a virus-management program. The company was overrun with viruses, particularly Microsoft Office macro viruses, such as W97M/Class.B, which informed the user that he or she "is a big stupid jerk" but did no real damage.

A Call to Arms
"Can't you just remove the viruses?" the CFO asked. The battle was on and the CFO had just launched the first shot across the bow. In many ways, his response was appropriate and predictable. Companies don't spend money on security because it's a good idea; they spend money on security because malicious intruders can and will damage physical and informational assets. Because the viruses plaguing the company were more nuisance than destructive, the CFO was unwilling to lay out a sizable chunk of money as a capital expense. He was being a conscientious CFO and I respected that, but I still wanted to start a virus-management program. The next few minutes would determine not only whether I would win this battle with the CFO but also would shape the ongoing war that the IT department had with him. Thankfully, I was prepared for the fight.

Behind-the-Scene Calculations

Cost of virus removal = (Number of incidents × .5 hours × \$50) + (Number of incidents ×.25 hours × \$24)

Thus each virus incident cost the company about \$31. The company had recorded about 300 incidents during the previous 12 months, so viruses had cost the company about \$9300 in 1 year.

Face-to-Face Discussion
"In the past 12 months, we spent nearly \$10,000 cleaning viruses," I said confidently as I handed the CFO a packet of data that included graphs showing virus expense by month. He quickly responded, "Why do we want to spend \$15,000 plus installation costs to fix a problem that we're spending only \$10,000 to solve right now?"

Was I sunk? Not at all. The antivirus software doesn't expire after 1 year; the company could amortize the software purchase over 3 years. Thus, the cost of the software was actually \$5,000 per year plus installation and management costs; the cost of viruses over that time would project to about \$27,900. After I explained these figures to the CFO, he agreed to the budget variance, asking only that we meet 1 year from that date to review the cost-benefit analysis of the antivirus software. I won the battle, but what's more important, I won the CFO's respect.

The main reason I was able to secure the budget variance was because I was able to discuss IT in the language of the CFO (thank you Ohio State University Fisher College of Business). The CFO didn't care about the antivirus software or the security repercussions of viruses; he cared about the company's bottom line. Because I knew what information would be important to him, I didn't discuss the technology involved, only the financial effects of viruses and a cost-saving solution. If you find yourself in a similar situation, here are some tips that you can use to come out on the winning side:

• Focus on solutions, not problems. Management has enough problems to address on a daily basis. Your position will be better received if you target the solution. In my conversation with the CFO, I never talked about the problem of viruses, only the cost-saving solution.
• Know your audience. Knowing your audience means knowing their priorities and the language they'll use to discuss the problem. When you talk with executives, focus on accomplishing company initiatives, improving products or services, or creating measurable effects on the bottom line. The classic mistake that many IT pros make is to assume that technology exists for technology's sake. It doesn't—it exists to help accomplish business objectives. When you talk with executive management, orient your conversations to the business objective, not the technology.
• Measure your work. Although easier said than done, measuring your work in IT is crucial to your effectiveness. I wouldn't have been able to make my argument to the CFO if the company didn't monitor the work that IT administrators do. I would have needed to build my business case for antivirus software on general principle.

Because I was able to determine the cost of viruses to the company during the previous year, I was able to measure the cost savings after the company deployed the antivirus software. If your cost-savings projections are accurate, which in this case they were, you have a solid argument for why you deserve a raise.