Should security spending be a one-time capital expense or as an ongoing operating expense? At first glance, the question appears to be an accounting issue with little impact on the actual equipment or systems involved. However, as security professionals seek to cost-justify new systems, the question may be central to providing the “best security for the money” and a system that fits the company’s continuing needs. We asked this week’s Expert Panel Roundtable: Should security be a capital expense (CAPEX) or an operating expense (OPEX)? Is the trend shifting and what is the impact?
The answer is OPEX and the trend is absolutely shifting. The forces that are causing the shift are from the customer and the security integrator. Today’s customer is recognising there’s very little value in ownership and the antiquated CAPEX consumption model. The reason is the rapid depreciation of the solution, driven by an acceleration in technology. Economics 101 says you don’t take after tax-dollars and throw it and a non-revenue generating asset that plummets in deprecation the day after it’s installed. This is why more and more customers are embracing the subscription consumption model or Security as a Service. At the same time Integrators are desperately seeking ways to sell more services to build Recurring Monthly Revenue (RMR), which is received monthly. A subscription is paid monthly. Neither of those fit into a CAPEX model. The good news is the impact serves great value to both the Customer and Integrator.
Up until a few years ago, security spending would have most likely been a CAPEX item. However, with growing pressures on company cash flows due to the severe economic issues brought about by both the pandemic and the resulting financial effects, this is now trending towards an OPEX point of view, with the acquisition of technology on an ‘As a Service’ model. Security as a Service has been a progressing trend in recent years, and the pandemic is only accelerating the inevitable. Procuring services on an ongoing basis is completely normal for many other business services (with monthly or similar payments) as it spreads out the costs and adds greater flexibility in terms of scaling services as required. The benefits for security suppliers are also apparent. The pressure to constantly drive sales each month is reduced, as longer-term and more stable contracts stabilise revenues.
Security solutions are a necessity for companies across the globe, regardless of organisational size. As with all things, we should provide customers with the option of both CAPEX and OPEX purchase plans, helping to tailor custom solutions from technology selection to payment options. However, we have seen an increase in customers using their security system for more than physical security or asset protection. Sometimes the business intelligence tools, advanced analytics software, and AI toolsets can seem out of reach. We have also noticed rapid innovation and change in security industry technology, suggesting solutions deployed today could quickly become obsolete. The best way forward is to embrace options available with an OPEX model and shift customers to a monthly recurring cost where possible. This strategy increases customer stickiness, gives the customer protection from outdated equipment, and opens the potential for capital expenditure that would have been taken off the table otherwise.
There is no black-and-white answer to this question because there are typically a variety of budgetary constraints and procurement norms -- both inside of organisations and within specific industries -- that influence how businesses procure IT solutions. How or when someone pays for security matters at some level, but because security is not a “set it and forget it” solution, it requires regular updates and upkeep to remain valuable. It’s also important to remember that the work of the vendor does not end when a solution has been delivered to the customer. Customers expect vendors to help them realise the outcomes they had envisioned when they first selected the product. From this perspective, it makes sense that the vendor is held to account – and paid on an ongoing basis to keep the solution current and fit-for-purpose as the organisation continues to evolve.
Security from a broad perspective should be accessible whether you're a Fortune 100 company, or a mom-and-pop shop with a single location. Arguably, the shift toward implementing security to more of a managed service, or OPEX, allows a broader segment of the population to access security solutions in line with their ability to invest in what could be technology and oversight that might be cost-prohibitive. Another factor in the emergence of OPEX is the idea around Security-as-a-Service (SaaS) in delivering a service-based approach that takes the burden off the end user and places it in the hands of the integrator and OEM. For the integrator, the recurring nature of revenue helps even out challenging months with reliable income while the end user benefits from cost-sharing across a period instead of an all-at-once investment. Integrators should be getting on board with the concept as more end users are demanding it.
It's not a matter of "should" security be one or the other. Integrators and dealers are going to have clients that need to keep the same cadence for security technology updates and investment through a CAPEX model because that's what works for them. But more and more businesses are taking a step back and determining that the high up-front expense and ongoing upkeep of this model just isn't working for them anymore. So they become more open to an OPEX model, where they engage in an agreement with a managed services provider that can provide ongoing support and automatic updates that keep these technology investments operational for longer, with little to no engagement needed from the organisation. As more organizations realize the lower TCO associated with the OPEX model, as well as more functionality and options coming down the pipeline from these MSPs, we will see that shift continue.
It wasn’t long ago that IT departments were reliant on internal mainframe computing technologies with each new application requiring the purchase of yet another black box. SaaS providers and cloud companies such as AWS have put an end to most of those CAPEX purchases. The same migration is happening in security with video as a service (VaaS) and other cloud-based service offerings. Making an OPEX investment in cloud video storage as opposed to a CAPEX investment in a DVR hard drive is but one example. Increasingly, security investments are made in solutions in which equipment (i.e., CAPEX) is simply one piece of a much larger puzzle. As devices on premises/at the edge become cheaper, more powerful and centrally administered in the cloud, these security solutions will further lend themselves to a recurring OPEX service model. Expect to see OPEX take a larger share of security budgets as cloud-based services evolve.