Skip to main content

Business Owners — Strategy

Altitude: years. The questions here set direction for the whole business, not just the IT budget.

At this level you're not deciding which firewall to buy. You're deciding what role technology plays in the business, how much risk you're willing to carry, and how you'll know whether the money is well spent. Get this layer right and the tactical and operational decisions mostly follow; get it wrong and no amount of good configuration will save you.

Technology spend as an investment, not a cost

The most expensive mistake an owner can make is to treat IT purely as overhead to be minimised. The better frame is return: every dollar should be traceable to an outcome — revenue protected, time saved, risk reduced, or a capability the business couldn't otherwise offer. When you can't draw that line, that's the spend to interrogate.

This is also where the build-vs-buy-vs-outsource decision lives. Running IT in-house buys you control and institutional knowledge but costs you payroll and key- person risk. Outsourcing to a managed service provider buys you capability and coverage but transfers less risk than people assume — the accountability for an outcome rarely transfers with the work. Most small and mid-sized businesses land on a blend, and the strategic skill is knowing which parts to keep close.

Cyber risk appetite

Every business carries cyber risk. The strategic question is how much you're willing to carry, expressed in terms a board understands: what would a week of downtime cost? What's the impact of a privacy breach on customer trust and on your regulatory exposure? What's the worst case you could absorb without existential damage?

That appetite then translates downstream into concrete things you pay for — cyber insurance, security controls, and continuity capability. Treating the Essential Eight as a board-level maturity target is a useful anchor here: it gives you a single, defensible measure of "how protected are we?" that you can fund, track, and report on without needing to understand the underlying controls yourself. (More on what it is in Tactical and the Technical Library.)

Your regulatory obligations

You don't need to be a lawyer, but you do need to know which obligations apply to you, because ignorance isn't a defence:

  • Privacy Act 1988 (Cth). If you handle personal information, the Australian Privacy Principles likely apply. The Privacy and Other Legislation Amendment Act 2024 — which received Royal Assent in December 2024 — strengthened the regulator's enforcement powers, introduced a statutory tort for serious invasions of privacy, and created a criminal offence for doxxing. A second tranche of reforms is in development and is expected to be more significant — including a "fair and reasonable" test and the likely removal of the small-business exemption many SMBs currently rely on. The direction of travel is clearly toward more obligation, not less.
  • APRA CPS 234 and CPS 230 — relevant if you're an APRA-regulated entity (or a material service provider to one). CPS 234 governs information security; CPS 230 (operational risk management) applies from 1 July 2025 and brings service-provider oversight and business-continuity requirements into sharp focus.
  • Industry-specific obligations — health, finance, and government supply chains often carry additional contractual or legislative requirements. Know yours.

Total cost of ownership, and the language to interrogate a budget

A quoted price is not the cost. Total cost of ownership includes licensing, implementation, training, support, the cost of downtime, and the eventual cost of replacement. When you're handed an IT budget, the strategic questions aren't technical — they're these: What outcome does this buy? What happens if we don't fund it? What's the risk we're accepting by going cheaper? How will we know in twelve months whether this was money well spent?

If your IT provider or internal team can't answer those in plain English, that's a signal worth acting on — and it's exactly what the Tactical and Operational pages are designed to help you with.