You know your enterprise needs a ROC. Your leadership isn’t yet. This playbook gives you the exact narrative arc, the talking points, the objection responses, and the one-slide summary to make the case in 10 minutes flat.
If you’re an architect, a senior engineer, a VP of Engineering, or an IT Director who has lived through enough war rooms, enough post-mortems with the same findings, and enough audit scrambles to know that the current model is broken, this is for you. You don’t need more conviction. You need a pitch that works on the people who control the budget.
Leadership doesn’t buy tools. They buy outcomes. They don’t fund “unified observability.” They fund “fewer incidents, faster resolution, lower costs, and a compliance posture that doesn’t require a quarterly panic.” Your job isn’t to explain technology. Your job is to connect their pain to a solution in language they already think of.
Here’s how. Step by step.
Before the Meeting: Set the Stage
The 10 minutes in the room are the performance. The preparation is the rehearsal that makes it land.
Know your audience’s current pain. Before the meeting, identify the two or three incidents from the last quarter that caused the most leadership visibility the P1 that took 6 hours to resolve, the audit that required 3 weeks of preparation, the security event that turned out to be correlated with an operational issue that nobody connected until it was too late. These aren’t hypothetical examples. They’re your evidence. Leadership remembers the incidents that disrupted their week. Anchor your pitch to those memories, not to abstract concepts.
Get one number ready. The single most powerful thing you can bring into the room is a number your leadership doesn’t currently know. The total annual expenditure across all monitoring and security tools across all group companies. The average MTTR for cross-domain incidents over the last two quarters. The number of hours your senior engineers spent on war rooms last month. Pick the number that will make your CTO pause. If you can’t get the exact number, get a defensible estimate. “We spent approximately 340 engineering hours on war rooms last quarter” is more powerful than any slide deck.
Prepare the one-page leave-behind. After 10 minutes, leadership will discuss it without you in the room. They need something to reference. One page. Problem statement, solution summary, three outcomes, ROI range, and next step. Not a brochure. A business case summary they can forward to the CFO. We’ll cover what goes on this page at the end.
Start with Their Pain, Not Your Solution
Do not open with “I want to talk about a Resilience Operating Centre.” Nobody in leadership wakes up thinking they need a ROC. They wake up thinking about the incident that embarrassed them, the audit that stressed them, and the cost number they can’t explain.
Open with a question they can’t answer comfortably.
“Quick question, can anyone in this room tell me, right now, what our total annual spend is across all monitoring, observability, and security tools across every group company? And whether that spending is giving us a unified view of enterprise risk or 17 separate dashboards that no one looks at together?”
Or:
“Last quarter’s P1 on the payment service took 4 hours to resolve. Our post-mortem said the root cause was identified within the first 30 minutes by two different teams independently. They just didn’t know the other team was looking at it. The remaining 3.5 hours were coordination, not diagnosis. What did that incident cost us?”
Or:
“Our last audit required 3 weeks of evidence gathering from 6 different teams. By the time we compiled it, some of the data was already stale. We passed, but only because the auditor was lenient. What happens when they’re not?”
Pick the one that lands hardest with your specific leadership team. The goal is not to alarm. The goal is to surface a pain they already feel but haven’t articulated as a structural problem. You’re giving them the language.
Name the Structural Problem
Now that the pain is on the table, name the cause. Not the symptoms. The cause.
“The reason this keeps happening isn’t our teams or our tools. Both are strong. The problem is that our operations, security, and compliance functions run independently, different teams, different tools, different data, different escalation paths. When an incident crosses those boundaries and most serious incidents do, nobody has the full picture. We spend more time gathering context than solving the problem.”
Then land the three-line diagnosis:
“Our NOC sees infrastructure issues but can’t see security context. Our SOC sees threats but can’t see operational impact. Our compliance team checks posture quarterly but has no real-time visibility. Each function is excellent within its domain. None of them can see across domains. That gap is where our incidents get expensive, our audits get stressful, and our leadership gets surprised.”
You’re describing their experience back to them and naming the cause for the first time.
Introducing the Solution in Business Terms
Now, introduce the ROC. But don’t lead with the name. Lead with what it does.
“What if we had a single platform that pulled data from every monitoring, security, and compliance tool we ran into one data lake and used AI to correlate across all of it in real time? So, when an incident fires, instead of three teams investigating three symptoms in three tools, we get one incident view with one root cause, one business impact assessment, and one recommended resolution, before anyone picks up the phone.”
Pause. Let that land.
“That’s what a Resilience Operating Centre does. It doesn’t replace our tools. It connects them. It adds the intelligence layer that none of them were designed to provide cross-domain correlation, resolution recommendations from past incidents, business impact mapping, and continuous compliance monitoring. All in one console.”
Then immediately anchor it to the three capabilities that matter most to your audience:
For a CTO/CIO: “It cuts our MTTR from hours to minutes by eliminating the context-gathering phase. It reduces tool overlap and storage costs. And it gives you one dashboard for enterprise risk posture not six conflicting reports.”
For a CISO: “It correlates security events with operational data, so your team sees business impact instantly not after a separate investigation. It reduces false positives dramatically. And it monitors compliance continuously no more audit scrambles.”
For an IT Director: “It takes 340 bridge call hours per quarter and collapses them. It captures the institutional knowledge of your senior engineers into the platform, so MTTR doesn’t spike when someone goes on leave. And it gives your team one console instead of five dashboards.”
Show the Numbers
This is where conviction becomes a business case. Leadership approve ROI.
“Let me give you the numbers.”
Cost of the current model:
- Engineering hours wasted on bridge calls and cross-tool correlation: [calculate, or estimate 300–500 hours/quarter]
- Annual spending across monitoring and security tools that could be rationalized: [calculate, or estimate based on tool count]
- Cost of the last major incident in resolution time, customer impact, and post-mortem effort: [calculate]
- Weeks spent on compliance audit preparation annually: [calculate]
What the ROC delivers:
- 20–30% reduction in IT staff time on incident management and compliance
- 2–5% revenue protection from improved uptime and faster resolution
- 50–70% ROI on an initial investment of $500K–$1M, with payback in 6–12 months
“This isn’t a multi-year transformation. The value shows up in Q1. Payback is within the first year. And the implementation is phased we start with one use case, prove value in 60–90 days, and expand from there.”
Handle the Objections Before They’re Asked
There are five that come up every time.
“This sounds expensive.” “The initial investment is $500K to $1M. But we’re currently spending [your tool cost number] across 15+ tools with significant overlap, plus [your bridge call hours] engineering hours per quarter on manual correlation. The ROC pays for itself within 6–12 months through tool rationalisation and efficiency gains alone before counting the MTTR reduction and revenue protection.”
“We just invested in [tool X]. We can’t replace it.” “We don’t replace anything. The ROC integrates with what we have through open-telemetry standards. Datadog stays. Splunk stays. ServiceNow stays. The ROC adds the correlation and resolution intelligence layer on top. Our teams keep their tools. They just finally work together.”
“We don’t have bandwidth for another transformation project.” “That’s exactly why this is phased. We start with one use case event correlation or automated RCA in one business unit. We prove value in 60–90 days. We expand only after we’ve demonstrated measurable results. This isn’t a 12-month migration. It’s a 60-day proof of value.”
“Our teams are already good at what they do.” “They are. That’s not the issue. The issue is that our best people are spending 60–70% of their incident time gathering context instead of solving problems. The ROC gives them the full picture from minute one so they can do what they’re actually good at diagnosing and resolving instead of chasing data across five dashboards.”
“Can’t we just improve our current tools and processes?” “We’ve been doing that for years. We’ve tuned alert rules, added dashboards, built runbooks, and improved our IR plans. Each improvement helps within its domain. But none of them solve the fundamental gap: our tools don’t talk to each other, our data lives in silos, and no single platform correlates across operations, security, and compliance. That’s not a tuning problem. It’s an architecture problem. The ROC is the architecture answer.”
You won’t need all five. Pick the two or three most likely to come from your specific audience and have the responses ready.
The Ask
Don’t end with “thoughts?” End with a specific, low-commitment next step.
“I’m not asking for budget approval today. I’m asking for one thing: let me run a 60-day proof of value with one use-case in one business unit. We’ll integrate with our existing tools, deploy event correlation or automated RCA, and measure the results MTTD improvement, MTTR reduction, engineering hours saved. If the numbers don’t work, we stop. If they do, we have a data-driven business case for the next phase.”
This is the lowest risk ask you can make. You’re not asking for money. You’re asking for permission to prove it works. Leadership can say yes to this without committing to anything larger. And once the 60-day results are in, the business case makes itself.
The One-Page Leave-Behind
After you leave the room, this is what they’ll reference. One page. Clean. Forward ready.
Problem: Our operations, security, and compliance run independently. Cross-domain incidents take 3–6 hours to resolve because teams spend most of that time gathering context, not solving problems. Audit preparation takes 3+ weeks. Tool sprawl costs are untotalled.
Solution: A Resilience Operating Centre (ROC), a unified platform that integrates with our existing tools, correlates data across all domains in real time using AI, and delivers one incident view, one root cause, one business impact, and one resolution recommendation through a single console.
Three Outcomes:
- MTTR reduction from hours to minutes through AI-driven correlation and resolution intelligence
- $550K–$1.2M annual savings from tool rationalisation, storage reduction, and efficiency gains
- Continuous compliance, always audit-ready, violations detected in real time, evidence always current
ROI: 50–70% on $500K–$1M investment. Payback: 6–12 months.
Next Step: 60-day proof of value. One use case. One business unit. Measurable results. Zero disruption to current operations.
The Mistakes That Kill the Pitch
Avoid these. Each one has killed a ROC pitch in real boardrooms.
Don’t lead with technology. Nobody in leadership cares about open-telemetry, centralized data lakes, or AI correlation engines, until they understand the business problem those things solve. Always lead with pain, never with architecture.
Don’t present it as a replacement project. The moment leadership hears “we need to replace our tools,” the conversation shifts from opportunity to disruption. Always frame the ROC as an integration layer that makes existing investments work together.
Don’t ask for full budget approval at the first meeting. The 60-day proof of value is your foot in the door. Asking for $1M in the first conversation triggers procurement processes, budget reviews, and delays. Asking for a pilot triggers a yes.
Don’t make it about one team’s problem. If you frame the ROC as “the NOC team needs better tools” or “the SOC is overwhelmed,” leadership will treat it as that team’s budget issue. Frame it as an enterprise problem cross-domain incidents, fragmented risk visibility, compliance gaps that affect the entire business. That’s what gets funded at the CxO level.
Don’t skip the numbers. Passion and logic don’t approve budgets. Numbers do. If you can’t tell leadership what the current model costs them in engineering hours, tool spend, incident impact, and audit overhead they have no basis for approving a change. Get the numbers. Even estimates are better than none.
The Real Pitch Isn’t About the ROC
Here’s the truth that the best internal champions understand: the pitch isn’t really about a Resilience Operating Centre. It’s about the gap between how your enterprise operates today and how your leadership wants it to operate.
Your CTO wants incidents resolved faster. Your CISO wants threats correlated with business impact. Your CIO wants one view of enterprise risk. Your IT Director wants their team to spend time on engineering instead of bridge calls. Your CFO wants the tool landscape rationalized. Your Board wants assurance that resilience isn’t dependent on three people who might leave.
The ROC is how all of those outcomes converge into a single investment.
Your job in those 10 minutes isn’t to sell a platform. It’s to show your leadership that the problems they already care about share a single structural cause and that cause now has a proven, measurable, phased solution.
iStreet is an AI-powered Resilience Operating Centre that unifies AIOps, SecOps, and Compliance into a single platform. If you’re ready to make the internal case, we provide the proof-of-value framework, the ROI modelling, and the phased implementation roadmap that turns your 10-minute pitch into a funded initiative.
