Jul 3, 2026

Where the money goes

Infrastructure Series
| Part
7

Reading time:

7 min

Ten places infrastructure spend leaks. Not a list of cuts. A map of where the work goes wrong.

Author

Dimitri Phalen is the marketing lead at ISM who prefers plain language over big claims. For years, he’s worked behind the scenes, translating messy, complex IT problems into something teams can actually use. If something sounds like it was written by someone with not enough coffee, who’s been sitting too close to the delivery team for too long, that’s probably his fault.

Here’s the part everyone asks for, usually right after they ask if you can “just make it cheaper.”

The honest answer is yes. But not by negotiating harder or buying a shinier dashboard. The savings show up when you stop paying for confusion, rework and the same avoidable mess on repeat.

Ten places. Real money. No magic.

1. Ghost infrastructure

Those “temporary” circuits and services that outlived two restructures and a major migration? Still billing you. Monthly. Nobody touches them because nobody’s sure what happens if they disappear. So they stay, like that mystery Tupperware in the office fridge. [source] Once you can actually see what they do and whether Gary still depends on them, you can schedule the shutdown instead of funding the haunting.

2. Tool hoarding

Three monitoring tools. Three sets of alerts. Three licence renewals. One truth, supposedly, but nobody agrees which dashboard has it. Rationalise capabilities, retire overlap, make one platform responsible for one outcome. Kyndryl Bridge didn’t land 1,400+ customers by accident. [source] It exists because most teams were spending more time arguing about which alert was real than fixing the thing that triggered it.

3. Slow response on a fast clock

Unit 42’s 2026 report puts median time to exfiltration at about two days. The fastest quarter? Seventy-two minutes. [source] That’s not a lot of runway when your response model still involves tickets, escalation chains and someone checking a shared calendar. Kyndryl customers in manufacturing have seen up to 95% reduction in disruptive incidents through coordinated operations on Bridge. The money isn’t in preventing every incident. It’s in preventing the small ones from becoming expensive ones.

4. Change-day roulette

The cost of a failed change is not the rollback. It’s the three post-mortem meetings, the re-test cycle, and the two-week freeze on all other changes because everyone’s spooked. Multiply that by a few times a quarter and you’re paying serious money for an organization that’s afraid to touch its own infrastructure.

Kyndryl runs 100 million automations a month. Not because automation is exciting. Because humans doing repetitive ops work at 2am is a premium-priced liability.

5. Recovery as folklore

Kyndryl protects 9,000+ customers and backs up over 3.5 exabytes annually. [source] The point isn’t the number. It’s the discipline that scale forces: tested patterns, orchestrated sequences, proof that it works before you need it to. The alternative is learning important truths during the incident. Terrible time to learn anything.

6. Senior people doing junior work

We’ve watched a principal engineer spend half a Tuesday stitching screenshots into a deck for a compliance review that could have been a query. That’s not a staffing problem. That’s an environment that’s trained its best people to be very expensive administrators.

Automate the sorting. Automate the evidence collection. Let humans do judgement work. The hours you get back are the only ones that actually reduce incident volume long-term.

7. Compliance as archaeology

When evidence lives in systems instead of people’s heads, audits stop hijacking entire weeks. Kyndryl ties Bridge outcomes to increased adherence to compliance requirements. [source] In Canada, this is where sovereignty becomes provable instead of implied. When your logs, backups and access trails live in Canadian-controlled systems, compliance evidence is a query. Not a project. Not a three-week scavenger hunt where someone dusts off a binder nobody’s opened since the last audit.

8. Paying for gaps you don’t have

Microsoft Defender XDR includes automatic attack disruption, built to contain incidents in progress and buy your team time. [source] Most orgs running E5 are using maybe 40% of what’s included. The rest is sitting there, licenced and unconfigured, while someone down the hall is writing a business case for a new tool to fill the “gap.” The gap is configuration. Not capability. Inventory what you’ve already got before you buy more.

9. The seam tax

The expensive incidents are seam problems. Network blames security, security blames cloud, cloud blames the app team, everyone CCs leadership. When one team owns the operating model across those domains, the seam goes away. That’s not a vendor feature. That’s a delivery structure choice. Kyndryl’s Bridge can pull signal across a messy estate [source], but the real win is ISM delivering locally with stable technical ownership, so the person triaging at 2am is the same person who wrote the runbook.

10. Context that walks out the door

Turnover is a line item. The bigger bill is the missing context it leaves behind. Repeat incidents, permanent exceptions, “nobody touch that” systems that quietly run the show. Gary better not retire.

Stable technical leadership shrinks the churn tax. And if the staffing model lets you bring the same person back three months later with context intact, draw ten hours this week, pause, thirty next month, you stop paying restart costs every cycle. Fewer re-onboarding weeks. Fewer “who built this?” digs. Not glamorous. Cheaper than rebuilding the same knowledge every year.

What to fix first

Catalogue what you have Tie spend to services and owners. If you can’t explain what something does, you can’t justify paying for it.

Build privacy into daily work Logs, test data and recovery copies should not create new incidents.

Operationalise governance Approvals, exceptions, evidence. In systems. Exceptions expire by default.

Secure the data itself Control access, validate restore points, prove where data lives and who can touch it.

A lot of infrastructure spend is fear in a trench coat.

ISM architects the patterns, controls and runbooks that make the environment predictable. Kyndryl brings the scale and alliances that let those patterns hold in big messy estates. Delivery stays local, stays accountable, stays Canadian. When it works, it’s quieter, cheaper and nobody has to explain to finance why the bill went up again.

Want to understand how we work?

Every conversation starts with your environment. Not our product list.

Get in touch
ArrowArrow

It's not about the technology, or the processes. It's about your clients, your users, and the hard won trust you've built. Every team here keeps that at heart.

Mobile CTA