Three categories, five questions, and one test that tells you whether your IT planning process worked — before Q3 tells you the hard way.
Every January, the same scene plays out in mid-market companies across the country. The budget was approved back in November. The fiscal year starts. And within a few weeks, the first invoice arrives that wasn't in the plan.
This year, for a lot of companies, that invoice says "Extended Security Updates" on it.
We'll come back to that one. But first, the scene itself — because the problem isn't the invoice. It's the conversation that happened in October.
Here's how IT budgeting usually goes in a $50M–$250M company. IT (or whoever holds the IT portfolio — often the CFO's own team) assembles a list: licenses, renewals, headcount, a couple of projects, a contingency line. Finance reviews it, asks why it went up, trims 10%, and everyone moves on.
Notice what never happened in that exchange: nobody asked what the business gets for the money. The list was organized by what things cost, not what they do. So the only lever available to the CFO was "less" — and the only defense available to IT was "we need it."
Both sides lose that conversation every year. There's a better one.
Take the same spend and sort it into three buckets:
Keep the lights on. Everything required to run the business as it is today — infrastructure, core licenses, support, the people who keep it all up. This should be the most scrutinized bucket, because efficiency here funds everything else.
Reduce risk. Security, resilience, compliance, and — critically — retiring things before they become emergencies. This bucket is insurance in the truest sense: its value shows up as things that didn't happen.
Create value. The projects that change what the business can do — the new platform, the integration that makes an acquisition actually pay off, the data work that finally gives sales a straight answer.
The ratio between the three tells you more than the total does. A company spending 85% on lights-on isn't frugal; it's stuck. And a budget that's all value-creation with a hollowed-out risk bucket is a bet that this is the year nothing goes wrong.
There's no universal right ratio — it depends on where the business is, what the owners expect, and what got deferred last year. But the moment spend is framed this way, the CFO can finally do what CFOs do well: make trade-offs between outcomes, instead of haggling over line items.
Now, back to that January invoice.
Windows 10 support ended on October 14, 2025 — a date Microsoft published years in advance.1 Companies that still had a fleet of Windows 10 machines on that day are now paying for Extended Security Updates: $61 per device this year, doubling each year they stay on the bridge.2
If that line item surprised your budget, the useful question isn't "who missed it?" It's this: what else has a published date that isn't in the plan? Server operating systems, databases, ERP versions, network hardware — most common components of the stack have a countdown attached, and the dates are knowable today. (This is exactly why we built EOL Radar — the retirement dates for commonly run platforms in one view, with a "start by" date for each.)
Unplanned IT spend is almost never bad luck. It's a planning process without a calendar.
If you're the CFO — or the CEO reading over the CFO's shoulder — these five questions will tell you more than any spreadsheet review:
What's our lights-on / risk / value ratio, and what was it last year? Direction matters more than the number.
What known dates fall inside this budget year — and the next? Every end-of-support deadline, contract cliff, and capacity ceiling should already have a line, even if the line is "decide by June."
Which of these projects would we still fund if we were acquired tomorrow? A useful filter for value-creation spend, and not hypothetical if you're PE-owned.
What did we defer last year, and what's the carrying cost? Technical debt doesn't appear on the balance sheet, but it accrues interest all the same.
Who, by name, owns each of the big bets? Budgets fund projects; accountability delivers them.
None of these require technical depth. They require someone in the room who has seen how the answers usually go wrong — which is, candidly, the seat we're usually brought in to fill.
The decisions that are too big to get wrong — the ERP selection, the security overhaul, the platform that has to survive the next acquisition — get funded or starved at budget time, months before anyone feels the consequences.
The budget's already approved this year. That's fine. The mid-year reforecast is coming, and the fall planning cycle after that. If January's invoices told you the process needs work, that's not a failure — it's an early, cheap warning.
A conversation now costs an hour. The alternative usually shows up in Q3, and costs considerably more. Start the conversation.
Thirty minutes with a former CIO, CTO or CISO — someone who has sat on both sides of the budget table. No pitch, no deck, no SDR layer.
No SDR layer. We sell expertise, not products.