New research suggests enterprise technology can deliver significantly more value. But getting there will take changes to how organizations think about platforms, data, talent, and cyber risk.

Enterprise technology leaders are being asked to do more with less, support growing business demands, and adopt new technologies like AI while managing risk and keeping systems secure. According to recent research from McKinsey, there’s real potential to improve the return on enterprise tech investment while keeping pace. In fact, organizations that adopt six core changes to how they manage technology could see three times the EBITDA lift from their enterprise technology spend by 2030.

However, getting there will take more than adopting new tools or hiring a few AI specialists. Organizations will have to rethink how technology teams operate, how they work with business leaders, and how they embed security and resilience throughout everything they build and run.

“Use AI to transform the way you do technology, no less than how you’d use it to transform the rest of the business. The time is now,” said James Kaplan, a McKinsey partner and one of the authors of the report.

Rethink the Economics of Technology Investment

For decades, organizations have worked to reduce the price of infrastructure, but the cost and complexity of software development have remained stubbornly high. That’s starting to change. AI-based tools are now making it possible to significantly improve engineering productivity and reduce spend in delivering new functionality.

“There’s now a real opportunity to improve the economics of enterprise tech, but it only happens if organizations invest intentionally in foundational IT and platforms.”

James Kaplan

McKinsey’s research shows that organizations investing early in core IT see better returns over time than those primarily funding short-term business applications. For CISOs, this is an opening to make the case for security as a foundational enabler of future tech value.

Modernize Platforms, Reduce Debt, and Build for Scale

One of the clearest opportunities for impact is platform modernization. That means reducing technical debt, streamlining development environments, and enabling AI to be deployed more broadly and reliably.

Kaplan shared one example of a Latin American bank that used AI to refactor millions of lines of mainframe code. They saw major improvements in cost and time, but also invested in doing it securely.

“It’s critical not to create the next wave of technical debt,” Kaplan noted. “Security needs to be considered from the beginning.”

Security and engineering teams need to work closely during platform upgrades, not just for compliance, but to ensure the systems being built are resilient, observable, and safe to scale.

Improve Data Foundations

AI requires a lot more data than just structured tables. The ability to extract value from various content is now viable at scale. Yet, this also raises questions about data quality and governance.

CIOs and CISOs alike will need to work together to establish clear accountability and controls for how data flows into AI systems and across teams. This includes both structured and unstructured data, and requires updated approaches to classification, logging, and governance.

Redesign How Talent and Teams Work

The traditional engineering model, where small teams write and deploy code manually, is changing. Increasingly, developers will coordinate workflows between human engineers and AI agents.

“We’re seeing early cases where teams are getting two to three times the throughput from engineering when they rethink the process,” Kaplan said.

For cybersecurity teams, new tooling introduces risk but also automates parts of the security function itself. The key is building the right guardrails and oversight mechanisms while helping teams develop the skills to manage hybrid AI-human workflows.

Reevaluate Vendor Strategies

As AI changes the economics of building versus outsourcing, decisions are being reshaped.

“We’re seeing some companies reduce their reliance on long-tail SaaS by replacing those tools with AI-driven workflows built in-house,” Kaplan noted.

That has implications for procurement, vendor risk, and cybersecurity. With more in-house development powered by generative tools and third-party models, teams need clear standards for model provenance and secure integration. This is also a chance for CISOs to partner with procurement and engineering to define new norms for AI and agentic systems.

Take a Broader View of Risk and Resilience

Cybersecurity has always been about managing risk, but the landscape is shifting quickly. AI introduces new types of risks, ranging from model errors to unintentional actions by agents to increased difficulty in monitoring and controlling systems.

“AI adoption depends on trust,” Kaplan said. “That trust comes from resiliency and security, built in from the beginning.”

More organizations are starting to use AI within security itself. Kaplan stresses that resilience is about design. Teams should be thinking in terms of security controls that are continuous, automated, and tightly coupled with the workflows AI is powering.

Where to Start: Focused, End-to-End Execution

When asked which of the six imperatives offers the fastest return, Kaplan pushed back on the question:

“Don’t try to change one thing everywhere. Change everything somewhere. Pick a part of the organization where you can apply multiple imperatives together and show real results,” he said.

This integrated approach can demonstrate what’s possible and build momentum for broader change.

The Disconnect Between Tech and Business

While the technology is advancing quickly, organizational alignment often lags. McKinsey’s research shows only 13 percent of CIOs say they consistently get support from business partners across key areas like platform investment and operational change.

Kaplan attributes part of this to a gap in understanding.

“Many business leaders don’t need to understand the technology, but they do need to understand the economics,” he said. “They often don’t see how investing in platforms or security lowers the marginal cost of functionality.”

Closing that gap will require CIOs and CISOs to communicate real value. It means backing up plans with clear performance metrics and explaining how changes to technology architecture or spending can translate into business benefits.

The Wrap

Kaplan leaves technology leaders with two simple questions to guide their planning heading into 2026:

• Do we have facts about our performance?

• Do we have an aspiration and a vision about how we’re going to change the organization?

Answering both requires collaboration across technology, business, and security—and a shared willingness to rethink long-held assumptions about how enterprise IT delivers value.