IBM Apptio

A place for Apptio product users to learn, connect, share and grow together.

  • 1.  How does your organization cost/chargeback Cybersecurity related expenses?

    Posted Tue August 02, 2022 03:47 PM
    Hello all,

    We are currently in the process of working through improving our costing and charging for a variety of services. Cybersecurity has come up as a relatively large one that we want to work to improve our chargeback allocation methodology for. Today, all of our cyber costs are housed in one cost center. This expense feeds directly into a "Cybersecurity" service, that is charged back to consuming business lines based off of a simple FTE breakout.

    We're looking for alternative ways to think about costing and charging out this service. We've thought about possibly using application risk profiles to help charge out the expense - business lines that engage in using more risky applications would receive a greater charge for cyber. However, we'd appreciate any insight into how other organizations are thinking about costing out and charging these expenses.

    Thanks!
    #CostingStandard(CT-Foundation)


  • 2.  RE: How does your organization cost/chargeback Cybersecurity related expenses?

    Posted Wed August 03, 2022 09:14 AM
    Hi @Reid Solomon - was actually thinking along those same lines - definitely a great place to start! Looking forward to hearing more ideas from folks - thank you for posting this!


  • 3.  RE: How does your organization cost/chargeback Cybersecurity related expenses?

    Posted Thu August 04, 2022 12:58 AM
    Hi @Reid Solomon,

    The model approach we have taken is to build out the "direct" costs of all applications and services in a custom object. This object sits above ITRT/Infra and below the OOTB Applications and Services objects. All costs flow through this custom object, and it is in effect an amalgamation of ALL of our apps and services.

    Applications/Services are then defined as either "Business" or "Technical". The costs for the business apps/services are simply passed straight through this custom object and back on to themselves in the OOTB Apps and Services objects.

    The technical costs are reallocated on to the business apps/services through a few strategies. We have some direct targeted allocations (eg. a tech app might be reallocated and spread on to one or a number of defined business apps). We also have some more generic spread allocations, so a tech app might be spread over all business apps evenly or using cost follows cost.

    Cyber Security apps are treated as technical in our model, and their costs are typically spread over all of our business apps (a few different strategies based on feedback from the app owner here). So we in effect see these as a technical overhead to our business facing apps and services. Users are "recharged" cyber security through how they consume the business facing stuff.

    Happy to give more detail if required.

    Mark


  • 4.  RE: How does your organization cost/chargeback Cybersecurity related expenses?

    Posted Thu August 04, 2022 02:00 AM
    Edited by Guillermo Cuadrado Tue November 05, 2024 05:59 PM

    I posted this yesterday when the thread was under Bill of IT (sometimes this community baffles me):

    Depending on the scope of your applications, you may want to employ a hybrid approach, @Reid Solomon.

    1. If you have laptops in scope (we don't), you could allocate a fraction of the costs to the BUs based on the number of FTEs (like you do now).

    2. The rest, based on that risk profile you talk about in your post.

    In the vein of @Mark Johnson's answer, we typically have a collection object (we call it Tools - between Towers and Applications. Check this blog post for more details: link) and then spread the costs of the "Cybersecurity" tool to the various applications using different logic.

    You could use a table like this:


    I hope this helps.



    ------------------------------
    Regards, Guillermo
    ------------------------------