IBM Apptio

  • 1.  InfoSec Drivers for Cost Transparency

    Posted Wed November 22, 2017 02:14 PM

    Currently we are treating InfoSec costs like overhead and spreading it evenly in our model. We would like to get some drivers to push out the costs. Talking to the InfoSec team, they want to just use headcount as the driver, which feels to me to be just part of the story. Does anyone have suggestions on what type of drivers we can use here?


    Thanks





    #CostingStandard(CT-Foundation)


  • 2.  Re: InfoSec Drivers for Cost Transparency

    Posted Thu November 23, 2017 01:54 AM

    We allocate this to information systems. Even allocation is used for the costs. As a driver we use number of information systems. Similarly we solve monitoring costs.

    Regards, Ivan




  • 3.  Re: InfoSec Drivers for Cost Transparency

    Posted Sat November 25, 2017 12:11 AM

    Right now we send it up to Business Services evenly.  I feel we should hit applications first - if we didn't have the apps, we wouldn't have much of the infrastructure - and it all needs security.  Very interested in hearing from others because I'd love to bring security back into the app layer.




  • 4.  Re: InfoSec Drivers for Cost Transparency

    Posted Mon November 27, 2017 02:29 PM

    I allocate security to the applications based on the number of servers they are on.  An application that runs on 20 servers should have more security cost than one that runs on 2 servers.  It isn't perfect, but no one has given us a better driver at this point. 




  • 5.  Re: InfoSec Drivers for Cost Transparency

    Posted Mon November 27, 2017 02:58 PM

    Makes perfect sense - thank you, Kelly!  Will take this back to our team to see what they think!




  • 6.  Re: InfoSec Drivers for Cost Transparency

    Posted Tue November 28, 2017 09:05 AM

    We're in a similar position in that we allocate Security pro-rata across all Services, and it's an item on our backlog to look at.


    I've always thought that Security allocations should be multi-tiered:


    1. Every app/service could receive a fixed 'insurance' allocation regardless of whether they are currently incurring any Security resource (the app/service may not be actively using Security now, but that could change at any given time should an attack occur). Riskier apps/services, including non-standard technology, could be penalised with a higher 'premium'.

    2. The second part could be variable, based on a more measurable metric. Number of attacks by severity seems like an obvious one, but I'm sure there are others. Like you, we'll need to reach out to our Security team to see what MI exists. The value here is that you could provide a 'cost per attack', however the danger would be that the more attacks, the lower the unit cost!


    I also agree with some of the application comments above (apps being a recognisable point to hook things onto), but I would counter that (depending on the nature of the Security team's scope), non-application services will also likely consume Security resource.


    Will be good to hear some more thoughts on this.




  • 7.  Re: InfoSec Drivers for Cost Transparency

    Posted Tue November 28, 2017 04:18 PM

    We map the Information Security cost to the Security tower, and the security tower is mapped to the security service. We have not built the business capabilities layer of the model yet, but when we do it, the security service will be allocated to the CIO business unit.

    One of the responsibilities of the CIO is to maintain a technologically secure environment for the business. It does not add any value to "tax" applications or other services with security cost. The cost of security is dictated by the requirements (provided by the CIO) and the combination of resources to implement these. 

