IT leaders must face a hard truth: Global disruptions such as tariffs and trade controls, policy shifts, and economic uncertainty do not stop at companies and their technology functions. In recent years, leaders across all business functions have focused their efforts on scaling the adoption of cloud services and, more recently, putting gen AI to use. Operating models were set up globally, integrated outsourcing was employed at scale, and efficiency was the paradigm.
But as the global landscape continues to change, companies and government entities will need to reassess the setup of their value chain as they continue to develop and deploy their technology landscape. IT leaders will need to consider priorities such as ensuring sovereignty over infrastructure and data and reassessing IT delivery models, supplier relationships, and the location of operations or data centers.
At McKinsey’s CIO Roundtable at the Hamburg IT Strategy Days, German CIOs and CTOs discussed these priorities in relation to the European Union and ideated strategies to bolster IT operations and outperform competitors in the face of global disruptions.
Four priorities that equip IT leaders to respond swiftly to trends and disruptions
The results of the CIO Roundtable reflected the prevailing mood among leading German CIOs and CTOs regarding the strategic importance of four priorities affecting gen AI development, supplier management, and IT delivery models.
Sovereignty for data and technology gains strategic importance with gen AI
The next stage of gen AI development will be characterized by increased AI sovereignty as companies and authorities increasingly develop their AI application landscape. This trend is driven by the need for bespoke solutions and by security and data protection concerns. AI sovereignty includes control over technology development, models, and applications, as well as control over algorithms and flexible, adaptable architectures that allow companies to respond quickly to new requirements.
Another key factor is the traceability of AI systems: Companies need to ensure that data origins, model decisions, and processes are always transparent and auditable by always having access to and control over their data. In the CIO Roundtable discussion, participants agreed with this priority, citing their own experience. At the same time, however, executives also stated that data and technology sovereignty were mostly unrealized in their organizations.
For data risk management, participants proposed a classification approach based on the traffic light principle (red, yellow, and green), where “red” data must not be used in gen AI applications. Gen AI projects are often managed by a central team that maintains an overview of data usage. Participants described as challenging the exchange of data with external partners—for example, in the healthcare ecosystem between pharmaceutical manufacturers, insurers, doctors, hospitals, and pharmacies. While there are numerous ideas for gen AI use cases, some companies focus on projects with a quick payback (that is, less than a year). However, the high costs of individual use cases pose a hurdle for smaller companies. Moreover, many formerly self-developed solutions are now available on the market for a fraction of the original cost.
Participants emphasized that sovereignty does not necessarily mean developing all technologies internally. Smaller companies, especially, are severely limited in their possibilities, and sovereignty encompasses more than just the location of the data center—the source of the hardware and software also play a crucial role.
Changes in the provider landscape require strategic supplier management
Market concentration in areas such as cloud infrastructure and software platforms leads to a few large providers dominating the market. This reduces the flexibility of IT organizations. Internal measures such as adjusting usage or switching to another provider often cannot compensate for price adjustments, forcing IT departments to closely monitor budgets and be prepared for price increases. These challenges may require a reassessment of supplier relationships. IT organizations may need to reevaluate their relationships with large providers and could consider alternative partnerships, such as working with classical IT service providers or smaller providers, to increase the resilience and flexibility of the IT infrastructure.
This priority also found high approval among the roundtable participants, with some participants stating that their organizations had largely implemented it. In the discussion, participants had a strong interest in data centers that are “closer to home” in the European Union, given the risks of global business volatility and regulatory divergence. Participants also discussed new considerations, such as the increasing use of gen AI and dominant players, when deciding between developing in-house service centers (“build”) or purchasing external solutions (“buy”).
Some smaller providers and companies have started to rebuild their own on-premise capacities—an aspect that tech talent finds attractive because it offers the opportunity to work on a real tech infrastructure instead of pure service provider management. Moreover, on-premise solutions can enable better planning and prevent the uncontrolled growth of software-as-a-service (SaaS) costs. However, limited budgets and a lack of alternatives to SaaS make implementing on-premise solutions difficult. Replacing software licenses before their end of life is financially challenging, and negotiating or optimizing the complexity of software license models is increasingly seen as critical. Many companies, therefore, try to integrate multiple providers and contractually secure hosting in Europe. Overall, participants reported that the priority of strategic supplier management has shifted from pure procurement to a board-level topic.
Geopolitical tensions require rethinking IT delivery models
Most companies have been working to capture economies of scale by globally consolidating their IT operations or data centers. But with international relations in flux, companies are being forced to reassess their IT delivery models whether they’ve consolidated or not. In either case, companies need to design their IT operations so that they can quickly respond to unforeseen events without jeopardizing business operations. Roundtable participants considered this a relevant priority, but due to its complex nature, many companies have struggled to implement it.
Companies that invest early in resilient structures may secure a strategic advantage. Approaches such as nearshoring, in which IT services are relocated closer to—but not inside—the home market, may help minimize geopolitical risks. Companies can use these regional IT hubs to reduce their dependence on global supply chains and increase their flexibility. That said, the labor cost advantages of the past have slimmed significantly.
Another approach to supply chain strategy has been emerging. Local shoring—or “local for local”—maps out a company’s entire IT value chain to stabilize it within a country’s legal framework and allows companies to operate closer to local markets and to better understand their specific requirements. Local teams can then adapt swiftly to market trends and tailor their solutions to regional conditions, which can strengthen the company’s competitive advantage. Some roundtable participants argued that this approach needed to be differentiated at the business process level to ensure long-term success. For example, a local-for-local approach would be difficult for banking organizations that need to connect their operations to international payment systems. Therefore, it is important for global and local teams to closely collaborate to identify where their services overlap and to exchange information about the local versus global market conditions and customer demand.
Some roundtable participants also mentioned that recruiting qualified employees for different regional locations was an obstacle to implementing this priority. The necessary tech talent needs to not only have relevant tech expertise but also understand local conditions to successfully meet the specific challenges of the respective markets. Especially in regions with a shortage of skilled workers, companies need to find innovative ways to attract and retain talent in the long term. Companies can ensure that this talent is available through targeted training programs, collaborations with educational institutions, or attractive working conditions.
Simultaneously, companies need to balance compliance with various data protection requirements. While the European Union, for example, requires that data be processed exclusively within the Union, other countries such as China require data to be stored locally. These diverging requirements complicate global IT architectures, increasing the importance of flexible architectures that can quickly respond to market and legal changes.
New cybersecurity threats require innovative strategies to protect data
The rapid development of AI technologies has created new security risks, including deepfakes, automated attacks, and data misuse, increasing the importance of efficient threat detection and defense. Traditional protection mechanisms such as firewalls or endpoint protection are less effective against sophisticated cyberthreats. IT teams therefore need innovative approaches and tools that quickly adapt their security infrastructures within the dynamic threat landscape. Implementing real-time verification is crucial to quickly identifying and neutralizing fake content and harmful data. AI-powered defense tools can be used to identify patterns and anomalies that indicate potential attacks.
Nearly all the roundtable participants considered the topic relevant to their daily work, with many having partially or fully implemented new protection technology. In the discussion, the danger of deepfakes was repeatedly highlighted. In the hands of malicious actors, deepfakes can engender devastating consequences—including, for instance, the erosion of customers’ trust in targeted companies or the theft of intellectual property and identities. Participants also questioned how they could protect against threats when trained employees cannot reliably recognize fake content. At the same time, participants discussed which AI systems could execute security processes more efficiently versus systems that could complement processes with a human factor.
Worldwide uncertainty guarantees that CIOs and CTOs will need to prioritize resilience, agility, and strategic adaptability in their IT and technology initiatives. IT leaders who focus on building flexible, secure, and scalable IT operations could enable their organizations to remain innovative and competitive amid unpredictable economic and market conditions.
André Jerenz is a partner in McKinsey’s Hamburg office, Anna Wiesinger is a partner in the Düsseldorf office, Gérard Richter is a senior partner in the Frankfurt office, and Thomas Elsner is a partner in the Munich office.
The authors wish to thank Björn Michalik and Philipp Hühne for their contributions to this blog post.