Cost justification is the hard bit

How much money does a firewall save you?

What value do you place on problems that don't happen?

Which makes the company more profit: email or an ERP system?

The basic problem with IT is that once you get away from the front-line servers: the ones where customers click "Buy Now" and give you money, you can't place a specific pounds and pennies value on any individual machine - or the people who run it. You can't even say if a £50K/yr sys-admin is better value than a £20K/yr one. They might have a brain the size of a planet, but does that confer an extra £30K of benefits? It's impossible to measure.

Putting aside systems that HAVE to be installed, for legal or regulatory reasons the best you can do is guess at how many staff, a new system would either replace or fill vacancies for. So a call-centre computer that knocked 15 seconds off a 3 minute call, could fairly be said to be worth one-twelfth of the staff costs. Sadly most new stuff isn't so clear cut and requires a mixture of guesses and lies to justify. Making unmeasurable claims for intangible benefits, padding it out by the amount you think it'll be cut back and hoping the unbudgeted stuff can be hidden in someone else's cost-code. Then playing a game of bluff with the holders of the funny money, to put your case against all the competing bids for the pot o' gold.

In the end, IT turns out to be like the NHS. Everyone wants it, but no-one wants to pay for it. Like the NHS therefore, it should best be financed centrally - rather than recovering costs from individual users/departments. Those who feel hard done by can complain to the central authority who's job it is to apply pressure for cost reductions, top-down. You still have the problem of measuring bang-per-buck, but that just puts IT in the same boat as all the other cost-centres: facilities, personnel, and the managing director too!