For a long time, some large companies, not all of them, did not sufficiently consider the importance of cybersecurity strategies. They have learned the hard way that it is better to invest to protect themselves than to suffer attacks.

Today, while large companies are mobilizing the necessary budgets to protect themselves against cyber-attacks, in France, SMEs and ETIs still invest little in  cybersecurity . These companies are less aware of the  risks  that accompany a  cyber-attack , and consider that the protection of IS is a lesser issue for them since their notoriety, less important than large companies whose setbacks were still recently mentioned in the press, will not make a difference. they are the  target of hackers . Mechanically, they therefore often wait to be victims of  ransomware  to understand that cybersecurity also concerns them.

However, the GDPR has changed the situation. From now on, companies are legally obliged to reveal any  security breach  that would affect them to the general public and to the CNIL. Protecting oneself has therefore become an  image issue  for both small and large companies.

However, this investment, while unavoidable, represents a non-negligible cost and new budgets. To assume them, two profiles emerge: some release lines  and the  corresponding budgets immediately, others want a financing plan over 3 to 5 years. In any case, each company must be able to  invest  according to its portfolio.

Following the many   technological developments , has the way of investing evolved  ?

The budgetary envelopes dedicated to cybersecurity have not changed drastically, but the way of investing is no longer the same.

Indeed, the value of hardware has decreased, and software is gradually being replaced by software as a service (Saas). From an accounting point of view, these two types of investment are different: we no longer buy equipment, with a  fixed cost that can be scaled  ; now we are moving to a  software subscription model .

This new way of consuming cybersecurity tools is part of a context of the advent of  outsourced solutions  : more and more companies want to adopt a payment corresponding to a service. This evolution towards a SaaS mode is explained in particular by a modification of the infrastructures: where it was enough to protect a server on a defined zone a few years ago, today, in the era of mobile phones, tablets, and connected objects (the car fleet for example) the challenge for companies is to protect their nomadic users (whether they are their employees or their customers).

What are the business benefits of investing in cybersecurity?

Investing in  cybersecurity in SaaS mode  has many  advantages  for companies, including a  lower  investment cost since there is no structure to finance. In addition, the purchasing departments can request monthly payments according to the subscription, to  stagger the expenditure  if necessary.

The challenge is to regulate these  new practices  by supporting publishers and resellers who are facing a sudden change in business model. When a publisher is accustomed to selling licenses and receiving the fee the moment the sale is made, switching to a subscription can cause significant cash flow problems: in 14/15 months, the working capital requirement is equivalent with a turnover of approximately one year! It is therefore necessary to put in place  specific contracts  to overcome this and help them to preserve their cash flow during this change.

Of course, the two models can coexist. The publisher alone has the key to this development: it is he who drives this  trend on the market . Microsoft did it for its Office suite, Cegid switched to a licensing model… The BFR issue is the same for resellers, moving from one model to another. It is necessary to support both publishers and its network of integrators in this development by  adapting to their needs  and creating  specific tailor-made contracts  (payment plans, so-called « subscription » or  » subscriptions »).

Source: DAF-MAG