School IT: Capex or Opex?

In schools your IT costs are among the biggest, and the pandemic has highlighted the need for investment. But should this investment be a capital, outright purchase, or are leasing options better?

I was always told that the three biggest costs for a school are staff, buildings/estates, and IT/technology. The last year and a half, and the pandemic, have shown us that some schools weren’t ready in terms of technology, in terms of their infrastructure and their client end devices, or at least that there was a need for improvement. I have already posted on several occasions that there is a clear need for investment. The issue, though, is whether this investment should be in the form of outright capital-based purchasing or leasing, revenue-based purchasing.

Capital

I used to believe that for big spends such as device replacement or significant infrastructure upgrades, the only way was capital. If you own the equipment you might be able to squeeze extra years out of the kit, plus a capital purchase has no leasing charges associated with it. Capital purchasing was simply cheaper in the longer term, but painful in the short term due to the upfront costs.

I came to learn, though, that it’s not quite that simple. All too often I have seen capital purchases for devices or infrastructure approved without thinking longer term about future replacement costs. In other words, the immediate cost was approved without planning a replacement cycle, leading to difficult questions in the future. Additionally, capital purchases lend themselves to scope creep. So, the school has replaced 25 PCs; someone will ask to keep 5 of the old machines being replaced at the back of the maths class, or 5 for English, and suddenly you have 35 PCs. That’s 10 additional PCs which will require software and licensing costs, which will require support, and which will require eventual replacement. The quiet years, maybe 3 or 4 years after you have replaced most of your PC fleet, are also an opportunity for spending on other projects, etc, without considering the high capital replacement cost which will recur when the fleet once again needs replacing. This can then lead to overspend. Now, this can be avoided if you are disciplined in your capital purchasing and in your approval processes, but it requires care and discipline.

Leasing

Leasing shifts the costs to a revenue model and a “cost of doing business”. The costs associated with your technology are therefore much more visible, as they are spread equally across the leasing cycle. It is therefore easier to avoid scope creep or overspending, as the technology costs are clear to see. Sadly though, like everything, leasing does have its downsides. These are the leasing costs, which I note continue to decline, and also the fixed nature of the cycle. This means the option of squeezing an extra couple of years out of your devices, etc, isn’t available, as once the lease finishes you need to enter a new lease. I am becoming less and less concerned by this. Technology usage is on the increase, which increases wear and tear, plus cyber security is requiring more frequent updates, leading to quicker device obsolescence. As such I feel the days of managing to squeeze a couple of extra years out of things are quickly disappearing, meaning fixed replacement cycles such as those enforced through leasing are becoming more acceptable.

Leasing is also often seen as less flexible than capital purchases, as you are locking in for the lease period, whereas capital spends feel more “one-off” and individual, allowing for change in a year or so’s time. This might be true up to a point, but once your requirements are beyond a significant cost level, you must be considering the hardware as being usable for 4 or more years, at which point even with capital spends, once the money is spent, you need to make the purchase work and therefore don’t have the flexibility you might feel you do.

Given the long-term nature of a leasing arrangement and the resultant long-term relationship with the leasing vendor, it is also important to find the right company for your leasing requirements. That said, this is likewise important with a capital purchase, at least during any warranty and support period, albeit these periods may be shorter than your leasing period.

Lease-Purchase

Now there are other options in terms of leasing, such as lease-purchase, whereby you pay the leasing costs spread across the period of the lease, but with a final option to purchase at the end. I haven’t covered this in any detail as for me it brings the worst of both worlds: leasing costs, and the opportunity for scope creep, etc, once the devices or hardware have been bought out at the end of the lease.

Conclusion

I don’t think there is a perfect solution. It will depend on the items being purchased, the anticipated lifespan, school finances, organisational risk assessment and several other factors. Sometimes you will want to purchase outright, and sometimes I suspect leasing will be better. All I can say for sure is that I am now much more likely to at least consider leasing and an opex spend.

Cyber Security ROI

Investment in organisational cyber security is very much a preventative measure, intended to prevent or reduce the likelihood of a cyber security incident. This investment in reducing a probability is problematic.

The ideal is always that no cyber incidents, where a threat succeeds in having an impact on an organisation, occur; however, as we project off into the future, the likelihood of an incident can only increase in line with the unpredictability of future events. Entropy is clearly at play.

In the worst-case scenario, an incident happens and there is an impact on the organisation. In this case we know that our current solutions and the related investment have been insufficient. I note this is not to say that we need to spend more following an incident, although I suspect this will be the trend; rather, what has been spent has not delivered the outcomes we wished for and has not helped in preventing an incident. It may be that we need to spend on different things going forward, but the expenditure to date has been ineffective.

The issue with all of this is that our current setup is fine until it isn’t. We can be happy with our current investment until an incident reveals that it is ineffective, but we don’t want this to occur. How do we therefore decide on an investment which is appropriate to the organisation, without waiting for incidents to prove what we have is ineffective? And at the same time, how can we avoid spending excessive amounts on cyber security, which would draw funds away from the organisation’s core business, assuming the core business isn’t cyber security itself?

I have always believed in taking a risk-based view. We need to first identify the risks which we believe exist, the likelihood they will occur and the impact they would have on the organisation should they happen. From this we can start to consider the amount of investment we might apply to mitigating measures, to cyber security, in relation to the risk. So, a risk with a potential impact of £500,000 which is considered low likelihood might merit a £10,000 investment annually but is unlikely to merit £400,000. If the risk impacts a business-critical system, it might merit more investment than a risk impacting a low business value system.

The above isn’t a science, sadly; there is no magic Return on Investment (ROI) formula. It is all based on subjective judgements, hopefully based on experience and hopefully backed up by a third party to provide some level of assurance. It also isn’t easy. Whatever amount you invest, there will always be a probability that in the future it will be proven to have been ineffective by a single breach. Those overseeing cyber security must get it right all the time, while the cyber criminals only need to get it right once. This is why I continue to believe in a “healthy paranoia”.

We need to be concerned, to be paranoid, and to be constantly reviewing the risks, our organisation, the available technologies and threat trends. We also need to be conscious that we cannot know the future with any certainty and can only predict based on what we know now. We need to communicate the decision-making processes and ensure these are understood. In the future our decisions from today may be proved to be wrong; that’s always easy to see in hindsight, but at the moment of decision making, and with the information available, a decision which seemed appropriate at the time was made. We need to balance our paranoia in the interest of our sanity and wellbeing. We need to accept that we won’t always get it right!

Return on investment on cyber security spending, in my view, will always be difficult. If all goes well then everything runs smoothly and no cyber incident occurs, but this doesn’t prove your investment. The future incident may have been brilliantly prevented or, more likely, it just hasn’t happened yet. Sadly, the only definitive proof is when things go wrong, when an incident proves that your spend on cyber security was ineffective. This is the kind of proof you just don’t want to see.

So, for now I will continue with the difficult decision process in relation to cyber security investment: that fine balance between cyber security and business operations/cost.