This standard is draft. It is under active development and should not be used for compliance purposes. Practitioner input is welcome.
An early-stage draft defining how security-related cloud expenditure should be identified, categorized, and attributed to the business units and products that benefit from security controls. Security costs - including WAF, DDoS protection, SIEM, security scanning, and identity services - are often treated as pure overhead, creating misaligned incentives and hiding the true cost of security posture. This draft is at an early stage and should not be used for implementation.
Rationale
Security costs that are invisible to business unit owners cannot be managed, optimized, or appropriately budgeted. Attributing security costs creates accountability, enables risk-based investment decisions, and supports the business case for security tooling and controls.
Scope
The intended scope covers all cloud-native and third-party security services deployed to protect cloud workloads, including but not limited to: WAF, DDoS protection, SIEM/SOAR, CSPM, identity and access management, secrets management, certificate management, security scanning (SAST/DAST/SCA), and compliance monitoring tools.
Requirements
Four requirements - MUST indicates a mandatory requirement; SHOULD indicates a recommended one.
Security cost components MUST be identified and tagged in the cloud billing system with a security cost category label.
Security costs MUST be categorized as Preventive, Detective, Responsive, or Compliance.
The costs of shared security controls MUST be allocated using a risk-weighted methodology that is documented and approved by both the FinOps and Security teams.
Security cost reports MUST be produced quarterly and shared with the CISO and relevant business unit leaders.
Full Description
Security costs are a significant and growing component of cloud expenditure. Organizations routinely spend 15–25% of their cloud bill on security services - firewalls, intrusion detection, identity management, encryption services, secret management, security scanning, and compliance tooling. Yet these costs are almost never attributed to the business units and products that necessitate and benefit from the security controls.
This attribution gap has significant consequences. Business units that generate high security costs (due to data sensitivity, regulatory requirements, or high attack surface) are subsidized by units with lower security requirements. Security teams cannot demonstrate the cost of the controls they implement, nor can they make cost-justified trade-offs between security posture and cloud spend.
IFO4-S-012 aims to provide a framework for identifying security cost components in cloud bills, categorizing them by type (preventive, detective, responsive, compliance), and attributing them to consuming business units using risk-weighted allocation methods.
This is an early draft (v0.2.0). The Security Cost Attribution Working Group is actively seeking input from security practitioners, FinOps professionals, and compliance experts. The most significant open design questions concern the attribution methodology for shared security controls and the treatment of mandatory compliance costs versus elective security enhancements.