School IT: Capex or Opex?

In schools, IT costs are among the biggest, and the pandemic has highlighted the need for investment. But should this investment be a capital, outright purchase, or are leasing options better?

I was always told that the three biggest costs for a school are staff, buildings/estates, and your IT/technology costs. The last year and a half, and the pandemic, have shown us that some schools weren't ready in terms of technology, in terms of their infrastructure and the client end devices, or at least that there was a need for improvement. I have already posted on several occasions that there is a clear need for investment. The issue though is whether this investment should be in the form of outright capital-based purchasing or leasing revenue-based purchasing.

Capital

I used to believe, for big spends such as device replacement or significant infrastructure upgrades, the only way was capital.   If you own the equipment you might be able to squeeze extra years out of the kit plus a capital purchase has no leasing charges associated.  Capital purchasing was simply cheaper in the longer term, but painful in the short term due to the upfront costs.

I came to learn though that it's not quite that simple. All too often I have seen capital purchases for devices or infrastructure approved but without thinking longer term about future replacement costs. In other words, the immediate cost was approved but without planning a replacement cycle, leading to difficult questions in the future. Additionally, capital purchases lend themselves to scope creep. So, the school has replaced 25 PCs; someone will ask to keep 5 of the old machines being replaced at the back of the maths class, or 5 for English, and suddenly you now have 35 PCs. That's 10 additional PCs which will require software and licensing costs, which will require support, and which will require eventual replacement. The quiet years, maybe 3 or 4 years after you have replaced most of your PC fleet, are also an opportunity for spending on other projects, etc, without considering the high capital replacement cost which will recur when the fleet once again needs replacement. This can then lead to overspend. Now this can be avoided if you are disciplined in your capital purchasing and in your approval processes, but this requires care and discipline.

Leasing

Leasing shifts the costs to a revenue model and a “cost of doing business”. The costs associated with your technology are therefore much more visible as these costs are spread equally across the leasing cycle. It is therefore easier to avoid scope creep or overspending, as the technology costs are clear to see. Sadly though, like everything, leasing does have its downsides. These are the leasing costs, which I note continue to decline, and also the fixed nature of the cycle. This means the option of squeezing an extra couple of years out of your devices, etc, isn't available, as once the lease finishes you need to enter a new lease. I am becoming less and less concerned by this. Technology usage is on the increase, which increases wear and tear, plus cyber security is requiring more frequent updates, leading to quicker device obsolescence. As such I feel the days of managing to squeeze a couple of extra years out of things are quickly disappearing, meaning fixed replacement cycles such as that enforced through leasing are becoming more acceptable.

Leasing is also often seen as less flexible than capital purchases, as you are locking in for the lease period, whereas capital spends feel more “one-off” and individual, allowing for change in a year or so's time. This might be true up to a point, but once your requirements are beyond a significant cost level, you must be considering the hardware as being usable for 4 or more years, at which point even with capital spends, once the money is spent, you need to make the purchase work and therefore don't have the flexibility you might feel you do.

Given the long term nature of a leasing arrangement and the resultant long term nature of the relationship with the leasing vendor, it is also important to find the right company for your leasing requirements.    That said, this is likewise important with a capital purchase, at least during any warranty and support period, albeit these periods may be less than your leasing period.

Lease-Purchase

Now there are other options in terms of leasing, such as lease-purchase, whereby you pay the leasing costs spread across the period of the lease but with a final option to purchase at the end. I haven't covered this in any detail as for me it brings the worst of both worlds: you still pay the leasing costs, and the opportunity for scope creep, etc, returns once the devices or hardware have been bought out at the end of the lease.

Conclusion

I don’t think there is a perfect solution.  It will depend on the items being purchased, the anticipated lifespan, school finances, organisational risk assessment and several other factors.  Sometimes you will want to purchase outright and sometimes I suspect leasing will be better.   All I can say for sure is that I am now much more likely to at least consider leasing and an opex spend.

Reframing cyber costs in education

Schools and colleges need to focus their available funds on teaching and learning, and on the students within their care. As such it can be difficult to justify significant spending on cyber security. Investing in cyber security is investing in preventing the possibility, a chance, of a cyber incident occurring. The challenge therefore is establishing a way to frame the costs in order to identify what represents good value.

Cyber security is all about risk management. Every risk has a probability of occurring. This might be 1 in 100, 1 in 1000 or 1 in 1 million. This is where the difficulties in justifying spending on cyber security arise. For the last 10 years an institution may not have suffered any significant incidents. As such how can the head of their IT justify spending an additional £4000 or £5000 per annum on cyber security? We are working from the point that it is more likely an incident won't happen than it will. Viewed from the point of view of past experience, the institution has been fine for 10 years, with the probability of an incident assumed to remain roughly the same, so it is likely to be fine in the next 10 years, except for this small probability. So, stay as is or spend £40,000 – £50,000 over 10 years to provide additional protection just in case? Viewed from this point it may be difficult to justify the spend, especially if the overall budget for the school is low.

Let's take a more mathematical approach to the problem. If we take approximately 25,000 schools in the UK, I am aware of around 20-25 which have experienced a cyber incident this year. Let's assume I am aware of only a small number of the schools which actually experience incidents, say 10%. So, let's take a probability of 250 incidents per 25,000 schools, or 1 in 100. At this point, rather than looking at the chance of an incident occurring, we are assuming that an incident is guaranteed to occur within a given period. Taking this probability, in 100 years every school in the UK would likely have been hit. If hit, let's make an assumption that the cost would be £250,000 to recover (this is very much a guess figure and would depend very much on the size of the school, its type, complexity, infrastructure, etc). Taking the probability of 1 hit every 100 years, with each hit costing £250,000, this means the approximate annual equivalent cost would be £2500 per annum. The cost for the additional protection is looking a little better at this point. All it would take for that annual equivalent to reach the £4000 figure is for the recovery costs to grow to £400,000, or for the probability of a hit to increase to 1 in 62.5 rather than 1 in 100 schools.
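The "not if but when" arithmetic above, as an added worked example (not the author's own code): it grosses up the known incidents by the assumed 10% visibility, turns the 1 in 100 figure into an annual equivalent cost, and finds the break-even recovery cost and hit rate at which that cost matches the £4000 protection spend. It goes one step beyond the text by also computing the chance that a single school is hit at least once over a period, treating each year as an independent trial; the class and function names are my own.

```python
from dataclasses import dataclass

def scale_known_incidents(known: int, visibility: float) -> int:
    """Gross up the incidents the author knows about by the share of all
    incidents they believe they actually hear of (the page assumes 10%)."""
    return round(known / visibility)

@dataclass(frozen=True)
class CyberRiskEstimate:
    schools: int             # size of the population (25,000 UK schools)
    incidents_per_year: int  # incidents estimated across that population per year
    recovery_cost: float     # constructed guess for recovering from one hit
    protection_cost: float   # annual cost of the extra protection being weighed up

    @property
    def annual_probability(self) -> float:
        """Chance that one school is hit in one year, i.e. '1 in N'."""
        return self.incidents_per_year / self.schools

    def annual_equivalent_cost(self) -> float:
        """Annualised loss: probability of a hit x cost of a hit."""
        return self.annual_probability * self.recovery_cost

    def protection_justified(self) -> bool:
        """The spend looks reasonable once the annualised loss meets or exceeds it."""
        return self.annual_equivalent_cost() >= self.protection_cost

    def breakeven_recovery_cost(self) -> float:
        """Recovery cost at which the annualised loss equals the protection cost."""
        return self.protection_cost / self.annual_probability

    def breakeven_one_in(self) -> float:
        """'1 in N' hit rate at which the annualised loss equals the protection cost."""
        return self.recovery_cost / self.protection_cost

    def probability_hit_within(self, years: int) -> float:
        """Chance of at least one hit within `years`, treating each year as an
        independent trial: 1 - (1 - p)^years. This is not 100% at 100 years."""
        return 1 - (1 - self.annual_probability) ** years

if __name__ == "__main__":
    est = CyberRiskEstimate(schools=25_000,
                            incidents_per_year=scale_known_incidents(25, 0.10),
                            recovery_cost=250_000.0, protection_cost=4_000.0)
    print(f"1 in {1 / est.annual_probability:.0f} per year, "
          f"annual equivalent cost £{est.annual_equivalent_cost():,.0f}")
    print(f"break-even: recovery cost £{est.breakeven_recovery_cost():,.0f} "
          f"or 1 in {est.breakeven_one_in():g}; "
          f"chance of a hit within 100 years {est.probability_hit_within(100):.1%}")
```

With the page's figures the annual equivalent is £2,500, below the £4,000 spend, and a 1 in 100 yearly chance gives roughly a 63% chance of at least one hit in a century, not a certainty.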

For me the key thing is to move from a position of looking at the chance of an incident happening, where we assume it is more likely an incident won't occur, to a position of “not if but when.” At this point we are accepting an incident is guaranteed to occur within a given time period, but we just don't know when. With this viewpoint we can start to make a more reasoned judgement on costs. We can also factor in the school's risk appetite, with a school with a high risk appetite likely to choose to underestimate the probability of an incident while one with a low appetite for risk is likely to overestimate it.

We very much need to reframe how cyber risk and cyber security investment is looked at.   Hopefully the above presents at least one possible way to do this in an easy but yet meaningful way.

Cyber Security ROI

Investment in organisational cyber security is very much a preventative measure to hopefully prevent or reduce the likelihood of a cyber security incident. This investment in reducing a probability is problematic.

The ideal is always that no cyber incidents, where a threat succeeds in having an impact on an organisation, occur; however, as we project off into the future the likelihood of an incident can only increase in line with the unpredictability of future events. Entropy is clearly at play.

In the worst-case scenario, an incident happens and there is an impact on the organisation. In this case we know that our current solutions and the related investment have been insufficient. I note this is not to say that we need to spend more following an incident, although I suspect this will be the trend, more that what has been spent has not delivered the outcomes we wish and has not helped in preventing an incident. It may be that we need to spend on different things going forward, but the expenditure to date has been ineffective.

The issue with all of this is that our current setup is fine until it isn't. We can be happy with our current investment until it is revealed to be ineffective by an incident, but we don't want this to occur. How do we therefore decide on an investment which is appropriate to the organisation, without waiting for incidents to prove what we have is ineffective? And at the same time how can we avoid spending excessive amounts on cyber security, which would be drawing funds away from the organisation's core business, assuming the core business isn't cyber security itself?

I have always believed in taking a risk-based view. We need to first identify the risks which we believe exist, the likelihood they will occur and the impact they would have on the organisation should they happen. From this we can start to consider the amount of investment we might apply to mitigation measures, to cyber security, in relation to the risk. So, a risk with a potential impact of £500,000 which is considered low likelihood might merit a £10,000 investment annually but is unlikely to merit £400,000. If the risk impacts a business-critical system, it might merit more investment than a risk impacting a low business value system.

The above isn't a science sadly; there is no magic Return on Investment (ROI) formula. It is all based on subjective judgements, hopefully based on experience and hopefully backed up by a third party to provide some level of assurance. It also isn't easy. Whatever amount you invest there will always be a probability that in the future it will be proven to have been ineffective by a single breach. Those overseeing the cyber security must get it right all the time while the cyber criminals only need to get it right once. This is why I continue to believe in a “healthy paranoia”.

We need to be concerned, to be paranoid, and to be constantly reviewing the risks, our organisation, the available technologies and threat trends. We also need to be conscious that we cannot know the future with any certainty and can only predict based on what we know now. We need to communicate the decision-making processes and ensure these are understood. In the future our decisions from today may be proved to be wrong; that's always easy to do in hindsight, but at the moment of decision making, and with the information available, a decision which seemed appropriate at the time was made. We need to balance our paranoia in the interest of our sanity and wellbeing. We need to accept that we won't always get it right!

Return on investment on cyber security spends, in my view, will always be difficult.    If all goes well then everything runs smoothly and no cyber incident occurs but this doesn’t prove your investment.   The future incident may have been brilliantly prevented or more likely it just hasn’t happened yet.   Sadly, the only definitive proof is when things go wrong, when an incident proves that your spend on cyber security was ineffective.    This is the kind of proof you just don’t want to see.

So, for now I will continue with the difficult decision process in relation to cyber security investment: that fine balance between cyber security and business operations/cost.