Ruslan Rakhmetov, Security Vision
In the previous article on the resource-service model, we discussed what companies are made of (assets, configuration items, resources, services, etc.) and how they ensure the security of all assets. However, in today's corporate environment, a paradoxical situation exists: on the one hand, cybersecurity is recognized as a top priority (according to reports, 57% of small and medium-sized businesses prioritize information security over growth and customer retention, and global spending on information security amounts to trillions of dollars). On the other hand, chief information security officers (CISOs) continue to face enormous pressure to protect their budgets. Boards of directors and finance leaders are increasingly demanding not just technical reports, but financially sound proof of return on investment, so today we'll focus on how the resource-service model can help.
IT and information security departments traditionally rely on technical metrics: the number of vulnerabilities, the number of repelled attacks, uptime, and so on. Businesses, however, think in terms of profit, risk, process continuity, and the cost of serving customers. So, when a CISO requests a budget for a new firewall or leak prevention system, it often feels like a "black box," investing in acronyms whose impact on business services remains unclear (incidentally, we recently published a review and classification about these very acronyms). If we recall the "layered cake" of the resource-service model we described in the previous section (infrastructure, applications, processes, and services), we can move from the language of "IT asset vulnerabilities" to the language of "service risks." This is what we will focus on today.
1. Building a competent RSM
a. Definition of services and service types
b. Building graphs and dependencies
2. Financial transparency
a. TBM
b. Direct allocation
c. Allocation by consumption
d. Allocation by number of assets
e. Uniform allocation
3. Budget justification
a. BIA
b. KPI
c. Time-to-market
1. Building a competent RSM
Building an effective RSM requires painstaking work on mapping dependencies and understanding the logic of the business.
a. Definition of services and service types
The first step is to create a service catalog: it's critical to use business-accepted terminology. A business service (or business asset) is something a business is willing to pay for or whose loss would directly impact its bottom line.
- Mission Critical services: when stopped, they lead to immediate financial losses and reputational damage. Examples are online banking or a card-processing service.
- Business Operational services: when stopped, they block internal processes, shipments, and sales. For example, CRM system updates temporarily halt processes, and ERP systems (such as 1C or SAP) also fall into this category.
- Communication services (corporate email and messenger, video conferencing) support communication both within the team and with external contractors and clients. A service disruption halts or slows down interactions, but short-term downtime is generally considered acceptable.
- Ancillary services have minimal impact on the business. Downtime in the meeting-room booking system or replacement of the office air-conditioning does not cause significant revenue problems.
Determining the criticality of the service at this stage allows for a differentiated approach to security in the future: investing millions in protecting Online Banking and using basic measures for auxiliary systems.
b. Building graphs and dependencies
After defining the services, it is necessary to build a dependency graph:
1. The entry point to the service is determined (for example, the URL of a web portal);
2. The system defines a load balancer that distributes traffic;
3. Web servers and application servers processing requests are identified;
4. The databases that applications access are determined;
5. Network devices (switches, routers) that provide connectivity are identified;
6. IT resources (virtual machines, hosts) on which all of the above components are running are identified.
The CISO's key task at this stage is to integrate security tools into this map. The connection between information security and business processes is achieved by linking the security tools to the protected objects, as is done in the Security Vision Asset Management module (Security Vision AM). For example, a firewall isn't just a network component; it acts as a security gateway for the specific segment where the CRM service is hosted. A failure or incorrect configuration of this firewall directly impacts the availability or confidentiality of the CRM.
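The dependency walk described above, as an added example in Python (not code from the article or from the Security Vision AM module): a constructed RSM in which the CRM segment sits behind a dedicated firewall, the graph inverted so that "who depends on this node" can be answered, and a query that reports which business services a failed node takes down and at what criticality. Node names, hosts and the topology are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed sample resource-service model (RSM). Each key depends on the nodes
# in its list. Names, hosts and the topology are illustrative assumptions.
DEPENDS_ON = {
    # business services (top layer)
    "svc:online-banking": ["app:ib-portal"],
    "svc:crm":            ["app:crm"],
    "svc:room-booking":   ["app:booking"],
    # applications: entry point, balancer, web/app tier, database
    "app:ib-portal": ["url:ib.example.test", "lb:lb-dmz", "web:ib-web01",
                      "app-srv:ib-app01", "db:ib-db"],
    "app:crm":       ["url:crm.example.test", "lb:lb-dmz", "web:crm-web01", "db:crm-db"],
    "app:booking":   ["web:booking-web01"],
    # the CRM tier sits in a segment gated by a firewall: the security tool is
    # linked to the objects it protects, so its failure propagates upward
    "web:crm-web01": ["fw:fw-crm-segment", "vm:host-b"],
    "db:crm-db":     ["fw:fw-crm-segment", "vm:host-b"],
    # remaining infrastructure
    "url:ib.example.test":  ["lb:lb-dmz"],
    "url:crm.example.test": ["lb:lb-dmz"],
    "lb:lb-dmz":         ["net:sw-core"],
    "web:ib-web01":      ["vm:host-a"],
    "app-srv:ib-app01":  ["vm:host-a"],
    "db:ib-db":          ["vm:host-a"],
    "web:booking-web01": ["vm:host-b"],
    "fw:fw-crm-segment": ["net:sw-core"],
    "vm:host-a": ["net:sw-core"],
    "vm:host-b": ["net:sw-core"],
    "net:sw-core": [],
}

# Service criticality from the catalog (constructed values).
CRITICALITY = {
    "svc:online-banking": "Mission Critical",
    "svc:crm": "Business Operational",
    "svc:room-booking": "Ancillary",
}
CRITICALITY_ORDER = ["None", "Ancillary", "Communication",
                     "Business Operational", "Mission Critical"]


def build_dependents(depends_on):
    """Invert the graph: for every node, the set of nodes that depend on it directly."""
    dependents = defaultdict(set)
    for node, deps in depends_on.items():
        for dep in deps:
            dependents[dep].add(node)
    return dependents


def blast_radius(depends_on, failed):
    """All nodes that transitively depend on `failed` (BFS over the inverted graph)."""
    dependents = build_dependents(depends_on)
    seen, queue = set(), deque([failed])
    while queue:
        node = queue.popleft()
        for parent in dependents.get(node, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def impacted_services(depends_on, failed):
    """Business services whose availability is affected by the failure of one node."""
    return sorted(n for n in blast_radius(depends_on, failed) if n.startswith("svc:"))


def highest_criticality(depends_on, failed):
    """The most critical service class hit by the failure ("None" if no service is hit)."""
    levels = [CRITICALITY[s] for s in impacted_services(depends_on, failed)]
    return max(levels, key=CRITICALITY_ORDER.index) if levels else "None"


if __name__ == "__main__":
    for node in ("fw:fw-crm-segment", "vm:host-b", "net:sw-core"):
        print(node, "->", impacted_services(DEPENDS_ON, node),
              highest_criticality(DEPENDS_ON, node))
```

The same query answers the reverse question a CISO is asked during budget talks: which security tool, if removed, stops gating which services.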
2. Financial transparency
One of the most challenging tasks for a CISO is financial transparency: how can one explain why the information security budget is growing if the business isn't launching new facilities? The answer lies in the service-finance model, which is a superstructure over the RSM. Several approaches can be proposed here:
a) TBM (Technology Business Management)
Provides a taxonomy that allows technical costs to be translated into business service costs by passing costs through several layers:
1. Cost Pools: primary costs (staff salaries, software licenses, equipment depreciation, external services);
2. IT Towers (Technology Towers): functional areas of IT (Data Center, Network, Computing, Security);
3. Solutions/Services: the final services delivered to the business.
With RSM, we can accurately allocate costs from the cybersecurity "tower" to specific services.
b) Direct allocation (Direct Allocation)
This is used when the security system is dedicated exclusively to a single service. For example, when a hardware security module (HSM) is used only for signing transactions in the Client-Bank system, 100% of its cost (depreciation and maintenance) is included in the cost of the banking service.
c) Consumption-Based Allocation
Distribution is proportional to the measured resource consumption. For example, the cost of a WAF (Web Application Firewall) is distributed among the protected web portals in proportion to the volume of incoming HTTP traffic or the number of requests processed (RPM). A service that generates more traffic and requires more WAF capacity pays a larger share of the cost.
d) Count-Based Allocation
Distribution is proportional to the number of protected units. Thus, the cost of antivirus or EDR licenses is distributed among business services based on the number of servers and workstations involved in providing each service. If the Accounting service uses 5 servers and 20 workstations, and the Company Website service uses 2 servers, then Accounting will bear the greater share of the Endpoint Security costs.
e) Even Spread (allocation by headcount)
This is used for company-wide information security services: the cost of, for example, employee training platforms (Security Awareness Training) or anti-spam protection of corporate email is distributed among all business units in proportion to their number of employees.
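The four allocation methods (direct, consumption-based, count-based and headcount-based) worked through in one added Python example; this is not code from the article or from Security Vision, and the tool names, annual costs and driver values (request volumes, endpoint counts, headcounts) are constructed for illustration. Three of the four methods are the same proportional split with a different driver, so one routine serves them; it also handles the rounding residual that otherwise makes the per-service shares fail to add up to the invoice.

```python
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")


def allocate_proportional(cost, drivers):
    """Split `cost` across the keys of `drivers` in proportion to their values.

    Shares are rounded to cents; the rounding residual (a few cents at most)
    is given to the largest consumer so that the shares sum to `cost` exactly."""
    cost = Decimal(str(cost))
    weights = {k: Decimal(str(v)) for k, v in drivers.items()}
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("allocation driver total must be positive")
    shares = {k: (cost * w / total).quantize(CENT, rounding=ROUND_HALF_UP)
              for k, w in weights.items()}
    residual = cost - sum(shares.values())
    if residual:
        shares[max(weights, key=weights.get)] += residual
    return shares


def allocate_direct(cost, consumer):
    """The whole cost lands on the single service the tool is dedicated to."""
    return {consumer: Decimal(str(cost)).quantize(CENT)}


# Constructed security tools: annual cost, allocation method and driver.
# Tool names, costs and driver values are illustrative assumptions.
SECURITY_TOOLS = [
    {"tool": "HSM (Client-Bank signing)", "annual_cost": 12000, "method": "direct",
     "driver": "Client-Bank"},
    {"tool": "WAF", "annual_cost": 30000, "method": "consumption",
     # driver: HTTP requests per year handled for each protected portal
     "driver": {"Online Banking": 70_000_000, "Company Website": 20_000_000,
                "Partner Portal": 10_000_000}},
    {"tool": "EDR licenses", "annual_cost": 5400, "method": "count",
     # driver: endpoints (servers + workstations) involved in each service
     "driver": {"Accounting": 5 + 20, "Company Website": 2}},
    {"tool": "Security Awareness Training", "annual_cost": 10000, "method": "headcount",
     # driver: employees per business unit
     "driver": {"Sales": 100, "Finance": 50, "IT": 50}},
]


def allocate_tool(tool):
    """Return {consumer: share} for one tool according to its allocation method."""
    method, cost, driver = tool["method"], tool["annual_cost"], tool["driver"]
    if method == "direct":
        return allocate_direct(cost, driver)
    if method in ("consumption", "count", "headcount"):
        # all three are proportional splits; only the driver differs
        return allocate_proportional(cost, driver)
    raise ValueError(f"unknown allocation method: {method}")


def cost_per_consumer(tools):
    """Total security cost attributed to each service or business unit."""
    totals = defaultdict(lambda: Decimal("0.00"))
    for tool in tools:
        for consumer, share in allocate_tool(tool).items():
            totals[consumer] += share
    return dict(totals)


if __name__ == "__main__":
    for tool in SECURITY_TOOLS:
        print(tool["tool"], allocate_tool(tool))
    print(cost_per_consumer(SECURITY_TOOLS))
```

With these figures the Company Website carries 6,000 of the WAF and 400 of the EDR cost, so its security line is 6,400 per year; that is the number a service owner can be shown instead of a list of product names.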
This level of detail allows for meaningful dialogue when a business wants to reduce costs. A CISO can demonstrate, "We can disable Anti-DDoS and save $5,000, but then the risk of service downtime will increase to 48 hours per year."
3. Budget justification
Successful information security budget justification provides a basis for protecting investments with data rather than emotion or FUD (Fear, Uncertainty, Doubt). This approach is based on business impact analysis (BIA), GAP analysis (Good, Average, Poor) and the implementation of KPIs (Key Performance Indicators).
1) Damage modeling for budget justification under BIA categorizes damage into types, such as operational interruption, response, recovery, customer churn, lost revenue, and regulatory fines. Each type has its own probability and financial impact, and the resulting potential damage allows the CISO to justify a budget request. BIA, as defined here, is part of the Security Vision Business Continuity Management module (Security Vision BCM).
2) KPI metrics for information security resonate with the board's goals: technical indicators should be transformed into business indicators. For example, the number of critical vulnerabilities (CVSS>9) detected by the Security Vision VS module shows the probability of failure of key processes (this is the integral level of risk of business services), and the mean time to close an incident (MTTR), i.e. the time to restore a business function after an attack (which can be reduced by automating Security Vision SOAR) will ensure the minimization of financial downtime.
3) The value of information security for the business goes beyond loss prevention. RSM can be used to demonstrate how information security contributes to faster time-to-market: automating security checks in the CI/CD pipeline (DevSecOps via Security Vision ASOC) shows a reduction in the time needed to ship new releases of business applications.
Demonstrating a high level of customer data protection becomes a competitive advantage, allowing marketing to use security as a selling point. And identifying duplicate security tools or "zombie services" (which consume security licenses but are not used by the business, as discussed earlier) through RSM helps reduce OpEx.
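The BIA damage modeling from point 1, and the "disable Anti-DDoS and save money, but accept more downtime" trade-off from the previous section, carried through as an added Python example (not code from the article or from the Security Vision BCM module). Each damage type gets an expected annual frequency and a per-event financial impact; the annualized loss with and without a control is compared against the control's cost. The service, the damage figures and the $5,000 control cost are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DamageType:
    name: str
    events_per_year: float      # expected annual frequency of this loss event
    loss_per_event: float       # financial impact per event, USD
    hours_per_event: float = 0  # service downtime per event, if the type causes any


def expected_annual_loss(damages):
    """Sum of frequency x impact over all damage types (annualized loss expectancy)."""
    return round(sum(d.events_per_year * d.loss_per_event for d in damages), 2)


def expected_downtime_hours(damages):
    """Expected hours of service downtime per year implied by the damage model."""
    return round(sum(d.events_per_year * d.hours_per_event for d in damages), 1)


def control_case(without, with_control, control_cost):
    """Compare a service's risk picture with and without a security control.

    `rosi` is the return on security investment: (loss avoided - cost) / cost."""
    ale_without = expected_annual_loss(without)
    ale_with = expected_annual_loss(with_control)
    reduction = round(ale_without - ale_with, 2)
    return {
        "ale_without": ale_without,
        "ale_with": ale_with,
        "risk_reduction": reduction,
        "net_benefit": round(reduction - control_cost, 2),
        "rosi": round((reduction - control_cost) / control_cost, 2),
        "downtime_hours_without": expected_downtime_hours(without),
        "downtime_hours_with": expected_downtime_hours(with_control),
    }


# Constructed BIA figures for an "Online Banking" service exposed to DDoS,
# with and without an Anti-DDoS control costing $5,000 per year.
# All frequencies, impacts and hours are illustrative assumptions.
ONLINE_BANKING_WITHOUT_ANTI_DDOS = [
    DamageType("operational interruption", 6, 4_000, hours_per_event=8),
    DamageType("response and recovery", 6, 1_500),
    DamageType("customer churn", 2, 5_000),
    DamageType("regulatory fines", 0.1, 50_000),
]
ONLINE_BANKING_WITH_ANTI_DDOS = [
    DamageType("operational interruption", 1, 4_000, hours_per_event=8),
    DamageType("response and recovery", 1, 1_500),
    DamageType("customer churn", 0.2, 5_000),
    DamageType("regulatory fines", 0.02, 50_000),
]
ANTI_DDOS_ANNUAL_COST = 5_000


if __name__ == "__main__":
    result = control_case(ONLINE_BANKING_WITHOUT_ANTI_DDOS,
                          ONLINE_BANKING_WITH_ANTI_DDOS, ANTI_DDOS_ANNUAL_COST)
    for key, value in result.items():
        print(f"{key:>24}: {value}")
```

The output states the budget case in the board's terms: the control costs $5,000, avoids $40,500 of expected loss, and cuts expected downtime from 48 to 8 hours per year. The same function, run with the control's figures removed, is the quantified answer to "what happens if we disable it".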
The transition to a resource-services model of asset management is a necessary evolutionary step for a mature information security function. This model serves as a universal "translator," enabling the transformation of complex technical aspects of cybersecurity into business-friendly terms of cost, risk, and service quality.
Cybersecurity built on RSM ceases to be a separate entity and is fully aligned with business goals. Information security budgets become transparent, justified, and tied to specific service consumers, and the ability to see the actual impact of vulnerabilities and incidents on business processes in real time accelerates communication between departments.
A CISO who employs a resource-services model becomes a business partner who helps securely earn money, not just block threats. Implementing such a model requires efforts to streamline asset accounting and change the mindset of IT and information security teams. However, in the digital economy (where business services are the business itself), the absence of such a model creates unacceptable risks of blind flying, which a modern company cannot afford.