With one eye on the growing number of cybersecurity threats and the other on budgetary constraints, Australia’s public-sector organisations are grappling with how best to secure their IT infrastructures, writes Michael Bovalino.
The challenge is made more acute by an often-faced requirement to lock in or predict expenditure for cybersecurity programs of work for periods of between three and five years. This is to align spending with everything from government funding cycles to elections and changes of government.
Broadly speaking, departments have a choice of two payment methods when it comes to cybersecurity measures: consumption-based or user-based licensing.
When government agencies undertake security programs of work, key factors such as budget allocation, the duration of the program, and resource allocation tend to be the main areas of focus. From a licensing standpoint, user-based models are often the option of choice, as they allow agencies to achieve and maintain price predictability.
Under a consumption-based licence model, agencies face the prospect of potentially needing to revisit budgets or expenditure outlays for the programs of work due to increased data or usage consumption.
Unfortunately, taking this approach can present risks from a security perspective. Securing additional funding can take time and cause a delay in an agency’s ability to quickly mobilise additional security monitoring, visibility capabilities, or protective measures.
That said, a consumption-based model can work effectively if an agency is sure of its level of data consumption over the duration of the contract period. Meanwhile, a user-based licence structure assumes certain levels of data consumption which may be lower than those that actually occur.
Shifting between the two
If the need arises to shift from one licensing model to the other, there is a range of factors that agencies need to consider. These include:
- Increased training costs: A change in the model being used can alter the user experience or adoption of a security product. This, in turn, can lead to an increase in costs associated with training and development. This may mean funding has to be diverted from other areas to meet the shortfall.
- Need for data migration: Shifting models may also create a need to migrate significant amounts of data to meet licensing requirements. As well as creating additional costs, this could potentially cause delays or unintended disruption to agency activities and services.
- Vendor penalties: It will be important for agencies considering changing models to carefully check the conditions of any current vendor contracts. Some agreements can lead to potentially high costs if any changes are made during the life of the contract.
Balancing the benefits
All government agencies continually face the task of managing budgets and reducing costs due to economic factors or when other competing programs of work need to take priority.
With this in mind, consumption-based pricing is not always the best option to pursue. While the approach can provide cost optimisation and flexibility, factors such as resource allocation and usage predictability need to be taken into consideration.
Embracing user-based pricing can therefore deliver some significant benefits to agencies. These include:
- Simplicity and scalability: User-based licence pricing simplifies things by tying costs directly to the number of users. This approach makes it easier to understand and forecast costs as an organisation grows or scales down.
- Improved cost efficiency: This model of licensing can also be very cost-efficient, especially for organisations with a large number of users. Instead of purchasing licences for each individual system or device, user-based pricing allows organisations to pay for licences based on the number of users, which can result in cost savings.
- Better flexibility and mobility: User-based licensing provides flexibility for organisations that have employees who work remotely, use multiple devices, or frequently switch devices.
- A user-centric approach: By focusing on users, this pricing model aligns with the idea that they are at the centre of cybersecurity. It ensures security solutions are accessible to all and helps promote a culture of awareness and responsibility throughout the organisation.
Maintaining a focus on security
The importance of having robust security measures in place will continue to increase as the threat landscape evolves. For this reason, it is vital government agencies allocate sufficient funding for cybersecurity.
Undertaking regular risk assessment is also important. This will help security teams identify and understand the specific risks and vulnerabilities their organisation is facing.
Following this assessment, security teams should then classify and prioritise IT assets based on their value and criticality. This helps to determine the appropriate level of protection needed for each asset and enables allocation of cybersecurity resources accordingly.
It should also be noted that collaborating with other government agencies, private-sector organisations, and cybersecurity experts is a valuable activity. Sharing information, best practices, and resources can enhance an agency’s cybersecurity capabilities and facilitate a co-ordinated response to cyberthreats.
Finally, there must be a program of continual monitoring and improvement. Security teams should regularly assess the effectiveness of security controls, perform vulnerability assessments, conduct penetration testing, and update policies and procedures based on lessons learned and emerging threats.
In this way, agencies can be as prepared as possible to withstand cyberthreats while at the same time adhering to spending budgets. The chance of disruption can be minimised, and focus maintained on delivering services to citizens.
*Michael Bovalino is ANZ Country Manager at LogRhythm