From strategy to operations: The evolution of the IT function

The pandemic introduced new trends and challenges for IT leaders and their teams involved in supporting M&A transactions. From the shift to cloud, talent shortages, and technical debt, IT areas of focus both before and after a transaction have changed significantly over the past few years.

Mike Banks, director of technology consulting in the complex infrastructure delivery M&A group at RSM US LLP, joined the ACG Middle Market Growth Conversations podcast to discuss the evolution of IT, the strategic function IT serves within an organization, and ways to leverage technology more effectively across the enterprise.

This interview has been edited for clarity and length.

Middle Market Growth (MMG): The pandemic seemed to be this kind of wake-up call for business leaders as far as technology goes. They all of a sudden needed to keep their staff working remotely, needed to reach customers when they weren't in person, and so on. That's my very nontechnical perspective. So, I'm interested to hear from you as an IT insider. Which developments from the past two years would you say have had the biggest impact on the IT function for midsize companies?

Mike Banks: The increase in remote workers definitely led to many more businesses having the capability for remote work. Many midsize businesses did not have widespread capability for that before the pandemic.

But in addition to that, I'd say moving toward services-based architecture, software-as-a-service systems, was a really big shift. It really lends itself well to remote workers versus having an on-premise infrastructure with services and applications that you'd have to connect to your office to access. Software as a service is kind of like the next step beyond cloud-based architecture.

Another thing is outsourcing—especially outsourcing security, managed service providers, managed SOCs (security operations centers). And with midsize businesses being more targeted by bad actors nowadays, that's become very important.

MMG: What have some of these changes meant for midsize companies that are having to adopt these new types of systems, switching to a software-as-a-service model? Has this come with the need for greater expenditure, bigger IT budgets? Have they had to reevaluate security measures? What have these changes meant on the ground?

Banks:  IT staffing looks a lot different in that model than it did in the past. It's a much different skill set we're staffing for. IT budgets are a lot different than they were with the traditional infrastructure—a lot more opex, a lot less capex. There's no need in a cloud environment to make large purchases of on-premise infrastructure, servers, etc. All that becomes opex in the cloud, and it's much easier to rightsize and adjust up and down as needed so that you have a lot more control over your budget.

The application landscape has changed quite a bit. Cloud software as a service, like Microsoft 365, is not a new skill, not a new product—but the amount of people that have moved to services like Microsoft 365 over the last few years is immense. People who have been employed by a company for a long time have to change those skill sets, or those companies have to hire new talent.

I have a client in the Midwest with super-great retention of their employees. They have employees that have been there 20 or 30 years. That’s fantastic—they must be a great company to work for. But it causes problems when technology was fairly consistent for a number of years and had minor changes here and there.

What we've seen recently is more of a wholesale change in the way IT infrastructure and IT applications work. Businesses need to understand the impacts of cybersecurity, which is a lot different in an environment of software as a service or cloud infrastructure. There's no longer a front door that you can lock to keep people out. It's out there in the world. It's on the Internet. It's accessible to a lot of people, especially with software as a service.

MMG: I spoke with your RSM colleague Malia Mason for the cybersecurity episode of this series, and she talked a lot about the talent gap in cybersecurity and people leaving the field. Are you seeing similar trends within IT staffing?

Banks: Absolutely. That's huge, especially this year. There's a big gap with IT staffing—the skill sets and the availability of people. Skill sets are a lot different today than they were even a couple of years ago. And there's just a lot less people in the job market. That's especially true with midsize businesses in smaller markets—fewer people are available that can do the IT jobs, and they're more in the larger markets. The cost of IT staff has gone up as well, based on the shortages of skilled people.

MMG: I'm interested in the factors that go into the decision of whether to outsource services or bring them in-house. What are some considerations for midsize businesses as they weigh that choice?

Banks: Managed service provider outsourcing is very common in midsize businesses, especially after a transaction.

A lot of midsize, privately owned businesses insource their IT and have a lot of older technologies in place. When a PE (private equity) firm buys a privately held company, a lot of times there's that wholesale change in the technology, the move to the cloud. And when that happens the skills they have in-house are typically not up to the task of managing the new technologies, so it makes managed service provider outsourcing a pretty easy choice. Typically they'll outsource service-desk and user-support components, and monitoring and managing of infrastructure.

But we also commonly see project outsourcing, and there's been huge growth in the managed security service provider space. Cost for middle market companies is typically lower to outsource than insource, based on the lack of skills, especially in smaller markets, and the cost to employ those people—whereas the cost is spread across multiple companies if you outsource.

Another consideration would be geography. If you have a lot of smaller locations versus one large location, it's going to be much harder to staff.

Some considerations that might cause you to go in the other direction would be if you have specialized applications that there's not a lot of skills out in the market for—like manufacturing applications, things in the oil and gas industry, or chemical manufacturing. Those skills aren't as widespread in managed service provider spaces.

Or if you have proprietary information, like life sciences, you might want to keep that in-house to keep your arms around the spread of that knowledge.

MMG: I would imagine the insource/outsource question is going to be on the mind of a buyer in an M&A transaction as they think about what steps to take with the business after they acquire it. Are there other IT-related aspects that come up during an M&A transaction that either tend to get neglected or maybe don't get the attention they deserve?

Banks: Absolutely. Almost every transaction I've been involved in has had a lot of tech debt. That happens when companies do not have a hardware life-cycle program and they're not managing their technology to keep it up to date. You have older systems that either don't have the security features of modern systems or do not have the ability to accept updates to the current system. Those situations can cause security concerns. Essentially, technical debt will end up costing a buyer more money and technology than they had potentially planned on.

Also, some industries, like manufacturing, have a huge amount of applications. A tech business or a bank is going to have a limited scope of applications that are pretty common throughout a lot of industries, but in manufacturing or oil and gas businesses you could have 100 or more applications in the scope of a transaction.

One other thing is shadow IT. Let's say you're carving out a division of a large multinational that has a lot of controls on their IT. You might run into some shadow IT people putting their data in Google Drive—something that's outside of the company control. Industries like tech have that issue as well, because a lot of tech-savvy people go out and find solutions to their problems that the company may not be providing.

MMG: Interesting. How does one go about investigating shadow IT? Is it a matter of talking to employees, or are there other ways to look beneath the hood?

Banks: I spend a lot of time just talking to employees, talking to leaders of different functional areas within a business. And one of the things we often uncover is the shadow IT.

MMG: What about after a transaction? What are some of the best practices around IT that you recommend after a deal closes?

Banks: When we do a carve-out or an integration I see this in sort of distinct phases. We typically do a stand-up, where you're getting off your TSAs (transitional service agreements). You're integrating into the existing target operating model and the existing business functions.

The key is getting started as soon as possible. With discovery, you're planning some TSAs. Allow for an incremental exit so you can exit portions of the TSA sooner than others—a lot of them have financial benefits for exiting before the end of the TSA period.

We focus on what I call a fast and functional IT environment. Our goals are to create infrastructure solutions based on leading practices, industry standards, vendor reference architectures—and focused on a cloud-first strategy according to the policies of the company we're working with.

After we do a stand-up, there's typically a period of stabilization where things sink in. Then we move into optimization, where things like advanced security come into play—enabling advanced security features, business continuity planning, disaster recovery planning, overall process improvement. And then looking at rightsizing after you do a stand-up, when we enable cloud services like Azure or AWS (Amazon Web Services), typically with pay-as-you-go pricing.

That's very typical with implementations across any situation. It's not specific to a carve-out or an integration. And afterward you can look at either Azure or AWS, which have built-in calculators to help you determine cost-saving opportunities—like reserve instances, where you pay for some compute power ahead of time, in increments of a year or six months or three years, or whatever it is. That can save you some money in the long run, and should definitely be taken into consideration after you complete a stand-up.

MMG: You mentioned a cloud-first strategy. I wonder where the cloud trend, for lack of a better word, goes from here for midsize businesses. Is it just a matter of more companies transitioning their physical systems to cloud-based technology? Or have most already started this process and it's the continuation of that migration?

Banks: That depends on where the business is and their ownership structure. Most middle market businesses I've come across that are privately owned are still heavily on-premise and not as much in the cloud. They have some of the typical services in the cloud like email, but the majority of their systems and applications are on-premise.

When those companies are acquired, they typically do go to the cloud. That is best practice, but also the preference of pretty much every PE firm out there. Larger companies in a carve-out are typically already in the cloud; we're basically switching like for like in that case.

If it's a privately owned company that's been acquired, there's probably a lot of tech debt and on-premise, noncloud solutions in place. Earlier I mentioned services-based architecture—kind of a SaaS-first focus and one step beyond cloud-first. SaaS-based applications and ensuring the right security features around that—including single sign-on so that the company owns the identity and doesn't allow the service provider or the SaaS provider to own and manage the identity—is important. Multifactor authentication is important. If you do that, then SaaS-type infrastructure is just as or more secure than a traditional infrastructure.

MMG: What do you mean by “own the identity”?

Banks: Good question. Let's say you log in to an application like Facebook. Your email address and password are stored in Facebook's database of user records. If the company manages the identity through a single sign-on provider, that provider is the database of record for the account information.

There's a reference in the SaaS provider's system that points back to that single sign-on identity management. That way you have control over the identity management. If, let's say, one of your employees leaves and that employee has access to key systems, including three SaaS providers, and identity was managed by each provider individually, you would have to go to each system or contact each provider to remove access for that former employee from that system. If you manage the identity in one place, you can disable that account in the system you manage the identity in, which disables access for that user to all of your SaaS providers.

MMG: I see. So a best practice when working with SaaS providers is for the company itself to own the identity.

Banks: Correct.

MMG: Beyond what we've talked about so far, are there other things that middle market companies can do to use IT to optimize overall business performance across the organization?

Banks: There are so many businesses looking to use the data they already own, that they already have, as an opportunity for improvement. I've done a lot of work in oil and gas, where there's a lot of information coming from meters and sensors that are out in the field or on tanks or in a lot of different pipelines. All that data is gathered but not necessarily used for optimization or improvement.

Since the downturn in 2009, when oil and gas companies lost a lot of employees, they had to find some areas for improvement and production, not just in IT. This was where IT was an enabler for the business. I had a client that basically put in a wireless network over miles and miles of West Texas where there was no connectivity. They could feed all that information from those flow meters and sensors and different things back into their central systems in their data center and crunch the numbers to use data analytics to improve processes.

MMG: It sounds like the oil and gas sector came to that out of necessity and survival. Are there other industries where you've noticed a discrepancy in the level of attention, focus, or spending on IT? Either some industries that are doing a lot of that or others that may have neglected their IT function?

Banks: Overall, industrials—specifically manufacturing, construction, things like that—have a much lower IT spend than other industries. They have thinner margins. They don't want to spend their money on IT. They don't look at it as an enabler; they look at it as more of an expense. But some of them are breaking that trend and see the importance of data analytics.

I have a chemical manufacturing client looking to use data analytics to optimize the input of raw materials into their recipes for their final products so they can optimize the use of those raw materials and reduce waste overall. Another example is motors with sensors in them that can report maintenance requirements before they break down—they can save companies downtime in manufacturing, for example.

MMG: It sounds like there's data available; it's a matter of making the commitment to harness it. And that, of course, takes investment. And budget dollars.

Banks: It does. I think benchmarks are a good guidepost. I don't think they really determine anything as far as IT spending. But banking, for example, spends on average 5% to 6% of their revenue on IT. Whereas industrials, including manufacturing, is closer to 1% to 2%.

MMG: We've covered a lot of ground today. Are there any other trends you're watching within the IT space that you expect to impact businesses in 2022, that investors or operators should be aware of?

Banks: We touched on shortages of IT staff—that's a real problem. Making better use of analytics is a big uptrend right now. It's been trending for a while, but I think it'll continue. There are some technologies around data analytics, AI (artificial intelligence) and machine learning that have been talked about for a few years but have not really come to fruition, especially in middle market companies. I would look for that to be on the horizon.