GUIDE

Buy or subscribe? A CISO-to-CFO guide to CapEx vs OpEx in cybersecurity

01 Jun 2026

Imagine that you are a company's CISO in a meeting with the CFO. You have spent a lot of time building a solid case for MDR, and your CFO leans back and says, “Why are we paying a subscription for this when we can just buy the whole thing at once?”

The CFO’s question isn’t wrong; it simply comes from another perspective, a financial one. To convince the CFO, you have to show them in their own language (EBITDA, cash flow, balance sheet, etc.) why a subscription might be better than a one-time expenditure.

In this blog, we will look at what CapEx and OpEx really are, what CFOs expect, and how to make the right choice between CapEx and OpEx.

What do CFOs really expect? What should CISOs know?

For CISOs to convince CFOs, they need to talk in financial terms instead of technical ones. It means clearing the language barrier (technical vs financial) and speaking in terms of cash flow, balance sheet treatment, depreciation, and EBITDA.

What are CapEx and OpEx? How do they differ?

CapEx, or capital expenditure, includes all long-term asset purchases: firewall hardware, on-premises server infrastructure, software licenses, and custom-built security tools. These are long-term assets that depreciate over three to seven years. In terms of EBITDA, CapEx purchases improve it only in the year of purchase. If you own a private equity-backed company, or your organization is approaching a merger or acquisition, this matters the most.

OpEx, or operating expenditure, on the other hand, covers recurring expenses. MDR subscriptions, SaaS security tools, and fees paid for a Virtual CISO all fall under the OpEx category. OpEx doesn’t come with the problem of buying new hardware every time it reaches end-of-life, and it offers breathing space for cash flow.

Both CapEx and OpEx have their own benefits and limitations, but what matters most is what CFOs are tracking: EBITDA, cash flow, the internal talent available to manage and operate an owned setup, and the growth stage the company is currently at.

As a CISO, mapping the security stack to those four variables significantly improves your chances of winning budget conversations.

| Variable | CapEx | OpEx | What do CFOs care about? | How can the CISO justify it? |
|---|---|---|---|---|
| EBITDA impact | Better short-term EBITDA because of capitalized costs | Lowers EBITDA due to recurring expenses | Investor impression and margin performance | CapEx helps improve accounting presentation, while OpEx improves operational continuity |
| Cash flow | Large upfront cash outflow | Predictable, monthly | Liquidity preservation | OpEx secures cash flow even during uncertain economic times |
| Budget predictability | Irregular, spiky spending | Stable recurring costs | Forecasting accuracy | OpEx reduces surprise infrastructure refresh costs |
| Time-to-value | Longer procurement and deployment | Faster deployment and onboarding | Faster risk reduction | Threats evolve at least quarterly, not every five years! |
| Total cost of ownership (TCO) | Hidden long-term maintenance and refresh costs | Transparent, recurring pricing | Efficiency (long term) | OpEx comes with predictable and stable costs, unlike CapEx, which often comes with hidden and unpredictable costs (like staffing, maintenance, and upgrade costs) |

What is the real cost of buying (CapEx)?

Every CapEx purchase comes with a sticker price that doesn’t show the hidden costs. The sticker price looks affordable in year one, but over a five-year period the hidden costs add up: licensing, staffing, infrastructure, maintenance, and the refresh cycle can make the real cost of CapEx high.

What to pick: CapEx or OpEx?

Any market-leading license increases by 9-10% annually. Add to that the cost of hiring security analysts, domain experts, and vendor experts, plus maintenance contracts and a four-year hardware refresh. That is the real TCO of CapEx.

Compare that to the cost of the subscription path (let’s say MDR), including the cost of onboarding, hiring a single internal security lead, and the service subscription. The difference between CapEx and OpEx is big, and OpEx also offers 24/7 coverage, which helps improve the overall ROI from cybersecurity investment in the long run.

So, in terms of EBITDA, cash flow, and cost/budget predictability, OpEx is the clear winner. However, the smart move would be a mixed/hybrid approach: using CapEx for infrastructure with a longer life (hardware, networking, physical security appliances) while using OpEx for detection, response, and monitoring.

How does SharkStriker help?

SharkStriker’s MDR service, delivered via its purpose-built STRIEGO platform, converts a million-dollar SOC build (spent on people like security analysts and incident responders, and on technology like a SIEM solution) into a single affordable OpEx item.

Its security platform, STRIEGO, is vendor-agnostic, open-architecture, and multi-tenant, meaning it can easily integrate with existing security investments instead of replacing them, so organizations don’t have to write off already deployed CapEx assets.

Organizations with an existing SIEM investment can use SharkStriker’s managed SIEM service to make the most of that CapEx SIEM investment with specialized SIEM experts through a single OpEx item.

For organizations looking for CISO-level expertise without having to invest in a full-time CISO, including the cost of recruiting, equity, and benefits, SharkStriker’s vCISO service can be used to meet security and compliance goals within budget.
