If Your IT Strategy Doesn’t Make Someone Uncomfortable, It’s Too Safe

Written By Pekka Kujala

Most IT strategies are not strategies at all. They are compromises. Documents carefully designed to offend no one, challenge nothing, and maintain the status quo under a thin layer of new terminology. If your leadership team reviewed the latest version and everyone nodded approvingly, you should be worried. Real strategic choices make someone uncomfortable. That is how you know they are choices.

This article is for CEOs, board members, and senior executives who suspect their IT strategy is too safe. Here is how to tell whether your technology roadmap is actually moving you forward, or just giving you something to present at the next board meeting.

Why comfort is the enemy of strategy

‍A strategy, by definition, means choosing one direction over another. Saying yes to something and no to something else. The problem with most IT strategies is that they try to say yes to everything. Multi-cloud? Yes. AI? Yes. Security? Yes. Cost optimisation? Yes. Digital transformation? Absolutely yes.

That is not a strategy. That is a wish list.

The IT strategies that actually deliver results are the ones where someone in the room had to give up something. Where the CTO pushed back. Where the CFO asked hard questions about budget allocation. Where the CEO made a call that not everyone agreed with. Discomfort is a signal that real prioritisation has happened.

Economic volatility, geopolitical shifts, and AI acceleration are rewriting the rules faster than most strategy documents can keep up. The planning cycles that worked five years ago are too slow for a world where trade policies shift quarterly and new AI capabilities emerge monthly. If your IT strategy was written in 2024 and still feels comfortable in 2026, it is already outdated.

‍ ‍

Four things that separate a real strategy from a wish list

‍ ‍

A bold IT strategy does not mean reckless. It means making deliberate choices that position your organisation for what is coming, not for what has already happened. Here is what we see in organisations that get this right.

  • First, they accept that multi-cloud is operational reality. They run workloads on multiple providers. They have the governance to manage it. They do not pretend that using two different SaaS products from two different vendors counts as multi-cloud.

  • Second, they build sovereignty into their architecture. They know where their data is. They know who can access it. They have exit plans that have actually been tested, not just documented. When regulations like NIS2, DORA, and the EU Data Act create new requirements, they are ahead of the curve rather than scrambling to catch up. NIS2 became enforceable in October 2024. DORA took effect in January 2025. The EU Data Act became legally binding in September 2025. Organisations that treated these as future problems are now dealing with them as current crises.

  • Third, they invest in security as architecture, not as insurance. Security is a design principle that shapes how you build, deploy, and operate everything. Zero trust as a real architectural approach, not a vendor marketing term. Identity and access management that works across all your environments, not just the one you built first. Continuous monitoring, not annual audits.

  • Fourth, they know exactly what their next step is. Not “let us schedule a meeting.” For many of the organisations we work with, that step is a Health Check: a structured assessment of their current cloud environment that tells them, in concrete terms, where they are strong and where they are exposed. An honest evaluation.

Five questions your board should be asking right now

‍ If you are a CEO or board member reading this, here are the questions that should be on your next agenda.

  • Can we operate our core business if our primary cloud provider becomes unavailable for 72 hours? Not theoretically. Has anyone actually tested it?

  • Do we know, specifically, in which jurisdictions our customer data resides, and under whose legal authority?

  • What is our actual level of dependency on a single vendor, and what would it cost to reduce it by 50 percent?

  • When was the last time we challenged our IT strategy rather than approved it?

  • Are we making real choices, or are we maintaining a comfortable consensus?

‍If these questions make someone in the room uncomfortable, good. That discomfort is the starting point for a strategy that actually works.

‍ ‍

The compromise trap: how it happens

Here is a pattern we see regularly at Cloud2 when we conduct Health Checks and Cloud Reviews for organisations across Finland and the Nordics.

A company picks one hyperscaler five years ago. The decision made sense at the time. Over the years, the relationship deepens. More workloads move to the same platform. The vendor offers better pricing for higher commitment. Slowly, without anyone making an explicit strategic decision, the company becomes entirely dependent on a single provider.

Then something changes. A new regulation requires data to stay in a specific jurisdiction. A geopolitical event raises questions about who controls the infrastructure. A competitor moves faster because they have the flexibility to use the best tool for each job.

At this point, the leadership team faces a real strategic decision. Move workloads, renegotiate contracts, and accept short-term disruption for long-term independence. Or stay comfortable, hope for the best, and call the current situation “our multi-cloud strategy” because they use Microsoft 365 alongside AWS.

Most companies choose comfort. The ones that choose discomfort end up in a stronger position.

‍ ‍

Digital sovereignty: the uncomfortable conversation

If there is one topic that separates genuine IT strategies from comfortable ones, it is digital sovereignty. Not because it is fashionable. Because it forces you to answer questions that most organisations have been avoiding.

Who actually owns your data? Not legally. Operationally. If the relationship with your primary cloud provider changed overnight, could you continue operations? Do you know where your customer data physically resides? Could a foreign government compel your provider to hand over your data under their domestic law?

These are not hypothetical questions anymore. According to Gartner, 61 percent of Western European CIOs and IT leaders say geopolitical factors will increase their reliance on local or regional cloud providers. (Gartner, 2025) That number was significantly lower just two years ago. Something has shifted. The question is whether your strategy has shifted with it.

“The organisations acting on this now are making uncomfortable decisions. “

Gartner further predicts that by 2030, more than 75 percent of enterprises outside the United States will have a digital sovereignty strategy supported by a sovereign cloud approach. By 2028, 65 percent of governments worldwide will have introduced technological sovereignty requirements, and non-compliance will mean being locked out of essential markets. (Gartner, 2025)

The organisations acting on this now are making uncomfortable decisions. They are renegotiating vendor contracts. They are splitting workloads across providers. They are investing in governance capabilities that did not exist three years ago. It costs money, takes time, and creates internal friction. That is exactly what a real strategy looks like.

‍ ‍

The CEO’s job is not to ensure comfort

Technology decisions are business decisions. Cloud infrastructure is not an IT cost centre; it is the foundation your entire business runs on. We see it regularly: companies considering moving workloads back on premises to escape vendor dependencies, security teams struggling to maintain uniform policies across hybrid environments, finance teams realising that the “cost savings” of cloud consolidation came with hidden strategic costs. The comfortable option is also the risky option.

"When the CTO presents a technology roadmap that everyone agrees with, the CEO's first instinct should be to ask questions, not to nod along."

A CEO’s role in IT strategy is not to understand every technical detail. It is to ask the questions that nobody else in the room is willing to ask. What happens if this vendor doubles their prices next year? What happens if this region becomes politically unstable? What is our plan if our primary provider has a major outage lasting more than 48 hours? If the answers are vague, your strategy is vague.

‍ ‍

The Finnish advantage: small, fast, decisive

Finnish companies have a cultural advantage when it comes to bold IT decisions. The decision-making chains are shorter. The tolerance for unnecessary bureaucracy is lower. At Cloud2, we have seen this first-hand. When a Finnish mid-size company decides to act on sovereignty, they can move in weeks, not quarters. The CEO, CTO, and the people who actually do the work can be in the same room, making real decisions, within days.

This is a competitive advantage that most Finnish companies underestimate. While larger enterprises in Central Europe are still running RFPs and forming steering committees, Finnish organisations can have their new architecture in production. The key is having the courage to make that first uncomfortable decision.

‍ ‍

Pekka Kujala
Next

Is Your AI High-Risk? A 5-minute Assessment for Business Leaders