For enterprises operating on the cloud, security and cost management are rising concerns.
Typically, these issues are addressed in silos, with cyber teams and FinOps teams pursuing their charters and priorities separately — and with little thought given to collaboration opportunities between these teams that could be leveraged for better business results.
As CIOs seek to gain more control over their cloud spending and security, it’s time for these teams to work together more closely. This can be challenging, as CISOs and FinOps teams often do not fall under the same reporting structure, which can impede collaboration in some corporate cultures, especially those where security operates in a silo.
Moreover, there are tooling, processes, and data practice differences between these teams’ operations that will need to be addressed to unlock the potential their collaboration can have on the enterprise’s overall cloud strategy.
For example, from a technology perspective, cloud security posture management (CSPM) and cloud workload protection platforms (CWPPs) are brimming with data that can assist FinOps teams, in addition to what they already do for security teams. Likewise, cloud cost management platforms and other FinOps tools have data that security teams can also leverage for alerting and reporting.
Here are 11 tips for blending security and FinOps operations for a more secure, cost-conscious approach to cloud management.
Establish shared reporting and analytics
The first step to integrating your security and cloud cost management tools is establishing shared reporting and analytics that unify security and cost metrics on one dashboard. Bringing such data together enables your teams to analyze the financial impact of your security strategies and track key performance indicators (KPIs) that align with your FinOps and security goals.
An example would be integrating AWS Cost Explorer with other AWS security services to provide combined insights over security and cloud metrics. Other options for building dashboards include Azure Monitor or open-source tools such as Grafana or Kibana. Such combined insights might consist of:
- Compliance status metrics that measure how well your environment adheres to industry compliance standards
- Resource utilization rates to capture overutilized and underutilized resources
- Cloud spend variance — primarily a FinOps metric — to check cost variances against your budget, which can also have security implications
Integrate monitoring tools
Taking shared reporting a step further, by integrating FinOps and security monitoring tools, you can not only gain a more comprehensive view of your cloud operations but also create alerts for the benefit of FinOps and security alike.
For example, unusual spending patterns may indicate security breaches, such as cryptocurrency mining or denial-of-wallet attacks. Monitoring for both cost anomalies and security events enables your organization to better correlate cost spikes with potential security incidents, leading to faster remediation.
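One way the correlation described above can be implemented, as an added example (not code from the article or from any vendor named in it): a daily cost series per workload is checked against a rolling median baseline, and each flagged day is joined with security events on the same workload within a short window. The cost data, the security events, the shared `workload` tag key, and the thresholds are all constructed assumptions for this illustration.

```python
from datetime import date
from statistics import median

# Constructed sample data: daily billed cost (USD) per value of a shared
# "workload" tag. "batch" jumps on 8 and 9 March; "web" only jitters.
COSTS = {
    "web": {date(2024, 3, d): 120.0 + (d % 3) for d in range(1, 11)},
    "batch": {date(2024, 3, d): 40.0 for d in range(1, 11)},
}
COSTS["batch"][date(2024, 3, 8)] = 310.0
COSTS["batch"][date(2024, 3, 9)] = 355.0

# Constructed security events (as a CWPP or CSPM might emit them), carrying
# the same workload tag so the two feeds can be joined.
EVENTS = [
    {"ts": date(2024, 3, 7), "workload": "batch", "type": "new_iam_access_key"},
    {"ts": date(2024, 3, 8), "workload": "batch", "type": "unknown_process_high_cpu"},
    {"ts": date(2024, 3, 3), "workload": "web", "type": "failed_login_burst"},
]

def cost_anomalies(series, baseline_days=5, ratio=2.0):
    """Return days whose cost exceeds `ratio` times the median of the preceding
    `baseline_days`; a median keeps a spike in the window from masking the next day."""
    days = sorted(series)
    flagged = []
    for i, day in enumerate(days):
        window = [series[d] for d in days[max(0, i - baseline_days):i]]
        if len(window) < 3:  # too little history to judge
            continue
        if series[day] > ratio * median(window):
            flagged.append(day)
    return flagged

def correlate(costs, events, window_days=2):
    """For each cost anomaly, attach security events on the same workload
    seen on that day or up to `window_days` earlier."""
    findings = []
    for workload, series in costs.items():
        for day in cost_anomalies(series):
            related = [e["type"] for e in events
                       if e["workload"] == workload
                       and 0 <= (day - e["ts"]).days <= window_days]
            findings.append({"workload": workload, "day": day,
                             "cost": series[day], "events": related})
    return findings

if __name__ == "__main__":
    for f in correlate(COSTS, EVENTS):
        print(f"{f['workload']} {f['day']}: ${f['cost']:.0f} events={f['events']}")
```

A finding with an empty event list still deserves a FinOps look (a legitimate scale-up or a misconfiguration), while one with events is a candidate security incident.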
Automate remediation
Automated remediation has taken on new importance as an integration strategy for addressing cost and security issues together. Automatically shutting down or rightsizing underutilized resources, applying security patches and updates to reduce vulnerabilities, and enforcing encryption and other security controls on provisioned resources are now dual-purpose tasks and no longer strictly the domain of security.
FinOps practices can help cybersecurity teams drive or validate the need to reduce attack surfaces, thus minimizing potential vulnerabilities.
Look to CMP and K8s management tools
Another key technology layer that sits between security and FinOps is cloud management platforms (CMPs). Kyle Campos, CTO of CMP startup Cloudbolt, stresses the importance of day-one deployment blueprints and drift detection, stating that CMPs provide cloud and security teams with actionable insights, especially configuration data.
Cast AI — a Kubernetes automation platform with cloud and Kubernetes cost management features — is taking the FinOps and security integration discussion head on by launching a new Kubernetes security posture management (KSPM) solution that builds on its current platform. Laurent Gil, Cast AI’s co-founder and chief product officer, says such a solution helps teams manage for cost and security from the “same box.”
Gil is also a strong advocate for efficiency through automation, which makes sense as security teams often outnumber FinOps team members in meetings and Zoom calls. Automation from both CMPs and K8s management tools enables regular node rotation and other operations tasks and can significantly reduce vulnerabilities without downtime, freeing both teams for more strategic work.
Standardize tagging to unify reporting
As mentioned, FinOps teams are often small; as such, improving how teams access data asynchronously and communicate with a common lexicon is vital. One area worth focusing on is your tagging taxonomy, Cloudbolt’s Campos says.
To truly collaborate, security and FinOps teams must come into alignment on taxonomy standardization down to the cloud workload, he says. This standardization lets both teams view the same reports, alerts, and response patterns.
In Campos’ experience, organizational silos first manifest in data structures, then leak into behaviors and a lack of communication, often resulting in work that overlaps without either team knowing it. Moreover, security tooling often detects issues earlier than FinOps tooling, whose data visibility typically lags, Campos says. All the more reason to get security and FinOps teams on the same page, with the same lexicon, so they can leverage each other’s work and tools to the benefit of the enterprise as a whole.
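What taxonomy standardization down to the workload looks like in practice, as an added example (not code from the article, Cloudbolt or Cast AI): tags from heterogeneous cost and security exports are folded onto one canonical key set and checked for missing keys, disallowed values and conflicting aliases, so both teams group findings and spend by the same labels. The taxonomy, the alias table and the resource inventory are constructed for this illustration.

```python
# Canonical taxonomy both teams agree on (constructed for this example):
# key -> allowed values, or None for free text.
TAXONOMY = {
    "workload": None,
    "environment": {"prod", "staging", "dev"},
    "owner": None,
    "data_classification": {"public", "internal", "confidential", "restricted"},
}
# Legacy spellings seen in cost and security exports, folded onto canonical keys.
KEY_ALIASES = {"app": "workload", "application": "workload", "env": "environment",
               "team": "owner", "dataclass": "data_classification"}

# Constructed inventory, as a CMP or CSPM export might look.
INVENTORY = [
    {"id": "i-0001", "tags": {"App": "payments", "Env": "Prod",
                              "owner": "fin-platform", "data_classification": "confidential"}},
    {"id": "i-0002", "tags": {"workload": "reports", "env": "qa", "team": "analytics"}},
    {"id": "vol-0003", "tags": {"app": "payments", "Application": "billing",
                                "environment": "prod", "owner": "x", "dataclass": "internal"}},
]

def normalize_tags(tags):
    """Lower-case keys and values and map aliases onto canonical keys.
    Returns (normalized, conflicts): conflicts lists canonical keys fed
    different values by two source keys, which a joint report would misattribute."""
    out, conflicts = {}, []
    for key, value in tags.items():
        k = key.strip().lower()
        k = KEY_ALIASES.get(k, k)
        v = value.strip().lower()
        if k in out and out[k] != v:
            conflicts.append(k)
        out[k] = v
    return out, conflicts

def check_resource(resource):
    """Return the taxonomy violations for one resource (empty if compliant)."""
    tags, conflicts = normalize_tags(resource["tags"])
    problems = [f"conflicting values for {k}" for k in conflicts]
    for key, allowed in TAXONOMY.items():
        if key not in tags:
            problems.append(f"missing {key}")
        elif allowed is not None and tags[key] not in allowed:
            problems.append(f"{key}={tags[key]!r} not in {sorted(allowed)}")
    return problems

def audit(inventory):
    """Map resource id -> violations, for non-compliant resources only."""
    return {r["id"]: p for r in inventory if (p := check_resource(r))}
```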
Develop a common language for collaboration
Going deeper into the subject of a common lexicon, CMPs give your organization a foundation for creating a common language between your security and FinOps teams because they deliver both security and cost insights.
Other steps for creating a common language include:
- Developing and publishing internally a shared vocabulary that defines and documents key terms and concepts relevant to both cloud security and FinOps
- Identifying common goals that benefit both security and cost optimization and developing KPIs that apply to both considerations
Cross-train your teams
Conducting cross-training, whether informal knowledge-sharing sessions between your security and FinOps teams or even full-on corporate support for the teams pursuing industry certifications, is another way to improve team collaboration and performance.
Of course, prying away a security team member to attend FinOps Certified Practitioner training requires a willing participant. But priorities and incentives can help motivate training, just as business considerations such as billable work and staffing levels also impact training strategies.
Establish a cross-functional cloud CoE
Rani Osnat, SVP of strategy at Aqua, points out that many companies establish “a cloud Center of Excellence, or some sort of cross-functional cloud team where cloud security, FinOps, cloud admins, and DevOps or infrastructure managers sit together or at least occasionally meet.” He emphasizes the importance of driving overall awareness around cloud deployments because of the security and financial implications either way.
Your Cloud CoE can collaborate on designing and developing reports that integrate cloud security and financial aspects to foster a common understanding. Here are some examples:
- Designing reports that show the financial impact of security measures
- Creating dashboards that display security posture alongside cost metrics
- Regularly reviewing these reports in joint meetings to discuss implications and actions
Collaborate via DevOps — or not
While Campos downplays the role of DevOps for security and FinOps team collaboration, Cast AI’s Gil is pro-DevSecOps for FinOps and security team collaboration to balance costs and security.
Campos further advises that FinOps teams should aim for high leverage, with a small number of staff having a significant impact across the organization. That means experimenting with automation and other tools and strategies to extend the reach of FinOps data, such as improved reporting. DevOps teams are well-versed in automation and can likely help here, whether at the ideation or implementation stage.
Treat security as a line of business
Rob Martin, FinOps principal with the FinOps Foundation, advises treating security as a line of business for your organization. “The security teams or CISO’s organizations in general are not treated like a product that the company has to do. It’s a product that we’re investing money in. We’re expecting outcomes, but we may not expect financial outcomes.”
“One big area where the FinOps Foundation has been investing over the past couple of years is the FinOps Open Cost and Usage Specification (FOCUS),” Martin adds. “This open-source project is a massive deal for the practitioner community, and the four major cloud platforms are already producing data in FOCUS format, allowing companies to more easily normalize their cost and usage data to support FinOps practices.” Cybersecurity is now an allied persona in the latest FOCUS release.
“Thinking this through in the context of security, it is probably another place where a consistent view of cloud resources and usage data will benefit security teams,” Martin says. For example, the teams can query a joint data lake and see more consistency in that data over time, even from SaaS products or other data sources, because FOCUS is not specific to clouds but applicable to anyone with billing data to share.
Facilitate culture change — with a top-down approach
Collaboration between FinOps and security teams can be challenging, starting with the fact that FinOps practices, being newer, need to catch up to cybersecurity practices at most organizations. Moreover, the intersection of cloud costs and technology can be intimidating to even the most seasoned cybersecurity engineer or cloud solution architect, making collaboration between teams a tough sell and requiring executive sponsorship to make it a reality.
Launching a cross-functional initiative to bring both teams closer together often requires sponsorship from the CIO and the CISO. From there, the teams should set priorities to build out the reporting, tagging, and automation that enables both teams to access newly unified data. Don’t be afraid to iterate, as this work might bring up new data and information that your teams have not yet been able to integrate into their workflows.
“Truly balancing cloud costs and security requires recognizing that what you’re seeing from a cost perspective might have security reasons behind it and vice versa,” says Aqua’s Osnat, adding that the security team might impact costs negatively or positively. And if the security team can do something that positively impacts cloud costs, they should advertise it, he says.
Source article: Security-FinOps collaboration can reap hidden cloud benefits: 11 tips