What do the six IT levers actually do, and what do they cost?
The Vencer framework for operational IT capability rests on six specific levers. Here's what each one does, what it costs to deploy, and where to start.
FOR: Owner-operators & CFOs · all archetypes · framework reading
Quick answer
Across thirty Canadian oil and gas M&A transactions, dozens of Fractional CIO engagements, and eleven years of managed security operations, the same six operational IT capabilities show up as the difference between operators who thrive across cycles and operators who get crushed by them. The six levers: cyber posture maturity, identity hygiene, vendor consolidation, integration capacity, measurement discipline, AI deployment readiness. Each has a typical cost band, a typical timeline to deploy, and a typical compounding rate. The framework matters because the order in which you pull them matters more than which ones you pull.
Across thirty M&A transactions, dozens of fractional CIO engagements, and eleven years of managed security operations, the same six operational IT capabilities show up as the difference between operators who thrive across cycles and operators who get crushed by them.
We call them the six levers. They're not a maturity model. They're concrete capabilities that compound when deployed correctly and become bottlenecks when ignored. Here's what each one does, what it costs to deploy at mid-market scale, and where to start if you're behind.
Lever 1 - Operational Technology (OT)
What it covers: SCADA systems, historians, field data capture, production telemetry, OT-side cybersecurity (the Purdue Model layers your IT team probably doesn't think about).
What strong OT capability looks like: Production data flows reliably from wellsite to historian to production accounting to financial close. Anomaly detection catches well performance issues 3-7 days before traditional alarm thresholds. OT network is segmented from IT network with documented architecture and jump-host access controls.
What weak OT capability looks like: Production data has unexplained variances. OT systems are running on the corporate network. Field tablets sync to whatever cloud the field crew set up. Vendor remote-access is via corporate VPN.
Cost to deploy at mid-market scale: $40-120K for initial segmentation and architecture work. Ongoing $20-50K/year for monitoring and maintenance. Compare to a single OT-side incident (which can shut production for days).
Lever 2 - Cyber Posture
What it covers: The twelve controls framework - identity, MFA, EDR, email security, immutable backup, IT/OT segmentation, 24/7 monitoring, tested IR plan, vendor cyber attestation, governance.
What strong cyber capability looks like: Named industry-standard products on all twelve controls. 24/7 SOC with documented incident response. Tabletop within the past 12 months. Cyber insurance renewals proceed without surprises.
What weak cyber capability looks like: "My MSP says we have cyber." White-label EDR. SMS-based MFA. Backups on the same network as production. No tabletop in recent memory. Each cyber insurance renewal feels stressful and expensive.
Cost to deploy at mid-market scale: $80-150K initial deployment for a 75-person operator. Ongoing $60-120K/year for monitoring and licensing. Compare to the post-incident cost of a single ransomware event (typically $500K to several million plus operational disruption).
Lever 3 - Identity & Access
What it covers: Single sign-on, phishing-resistant MFA, privileged access management, documented offboarding with evidence.
What strong identity capability looks like: One identity provider (Microsoft Entra most commonly) with SSO coverage above 90% of business applications. FIDO2 keys on privileged accounts. Documented offboarding completes within 24 hours for privileged accounts, 72 hours for standard.
What weak identity capability looks like: Per-application authentication. Stale accounts not visible centrally. "Domain admins know who they are." No structured offboarding evidence.
Cost to deploy at mid-market scale: $20-50K for initial deployment if not already on Microsoft 365 Entra. Bundled if you are. Ongoing operational cost: minimal if maintained properly. This is the highest-leverage lever for mid-market operators because it underlies everything else.
Lever 4 - Data Architecture
What it covers: Master data management, JIB automation, AFE reconciliation, integration readiness across operational and financial systems.
What strong data architecture looks like: Single source of truth for partner master data, AFE register, production volumes. Reconciliation between production data and financial systems is automated, not manual. M&A integration can absorb 25 new partners in under a week.
What weak data architecture looks like: Partner data lives in three places. AFE reconciliation is manual spreadsheet work that takes a person two weeks per month. JIB aging accumulates because nobody is running the quarterly review. Production data has variances the team can't explain in real time.
Cost to deploy at mid-market scale: Variable - depends heavily on current state. Typical range $80-300K for substantial data architecture work over 6-12 months. Pays for itself fastest of any lever because the cash flow improvements are direct.
Lever 5 - Vendor Stack
What it covers: Microsoft 365 deployment, production accounting platform, named cyber tools, vendor governance program.
What strong vendor stack looks like: Focused consolidation around named industry-standard products. Quarterly vendor review between CFO and IT lead. Contract calendar with renewal dates tracked. SaaS sprawl actively managed.
What weak vendor stack looks like: 15-25 SaaS vendors with overlapping capability. Auto-renewing contracts nobody is tracking. The CFO sees "SaaS expense" as a line item, not as a managed category.
Cost to deploy at mid-market scale: The audit work itself is two days. The consolidation work is 3-9 months depending on contract terms. Net cost is typically negative - savings from consolidation exceed transition costs by year two.
Lever 6 - Governance
What it covers: CISO function (internal or fractional), board cyber reporting, tabletop discipline, vendor risk management, the operational rhythm that keeps everything else honest.
What strong governance looks like: Quarterly board cyber report. Annual tabletop with documented after-action. Named CISO function (full-time at 200+, fractional below). Documented vendor risk register reviewed quarterly. The IT-and-the-cycle review tied to operational planning rhythm.
What weak governance looks like: "The IT lead also handles cyber." No board reporting on cyber. No tabletop in recent memory. Vendor risk is informal.
Cost to deploy at mid-market scale: $40-100K/year for fractional CIO function. Compare to $200K+ all-in for a full-time CISO. The governance lever is what makes the other five compound - without it, the technical investments drift.
The full framework - six levers, four growth walls, two arcs (20→80 and 80→200), and the specific deployment patterns for each - lives in The Operating System. Chapter 2 covers the six levers in depth.
If you'd rather have someone assess your operation against the six levers, the IT-and-the-Cycle Assessment is the structured way to do it - three to five days, written report, no obligation.
Pattern recognition from 19 years of running operator IT - not prescription for your specific situation. Anyone offering prescription from a blog post is selling something. (Possibly to you.) The 30-min CIO review is where the pattern becomes specific to your operation. Free, no proposal, no slide deck.
→ Book the 30-min review