Commercial businesses and government agencies are migrating significant infrastructure and workloads from their in-house data centers to commercial cloud providers. The transition from their own facilities and equipment to commercial cloud domains has proven to reduce the cost of IT while continuing to provide flexible, scalable and secure services. Commercial cloud services have proven to be as capable, fast and reliable as in-house services.

As the use of commercial cloud providers has increased, the need for more focused and dynamic cybersecurity management has also increased. We rely on information technology for everything, which leaves us vulnerable to a wide host of unwelcome criminals, viruses and intruders. Corporations and government agencies, though, are discovering that cloud providers can help them meet their own industry's standards for risk-based cybersecurity management by sharing the roles and costs of cybersecurity management between their internal IT activities and their cloud providers.

Decisions on how much to share, and what to share, require an understanding of the costs of life cycle management for a business system, including the total ownership cost of cybersecurity. This is especially important as organizations evaluate shifting costs from capital expenses (CAPEX) to operating expenses (OPEX). Multiple studies over the last 5 years, by industry research groups and the federal government, have identified the key capital and operating expenses associated with life cycle management of a business system. In recent years, though, research efforts have turned to understanding the specific costs of cybersecurity management alone. The key to effective trade-off decisions between in-house services and cloud-sourced services is in-depth analysis of these costs to find the optimal (affordable) mix to employ for a business system. A comprehensive trade-off / optimization matrix is required to evaluate Key Performance Parameters (KPPs) against acceptable cost thresholds. Current evaluation frameworks such as Cost As an Independent Variable (CAIV) provide a methodology for finding the optimal trade space.

Capital expenses include infrastructure (hardware, software and communications), along with program management and engineering labor for integration, configuration control and testing of data center equipment, including cybersecurity-specific hardware and software. Operational expenses include the recurring sustainment of capital equipment and facilities, as well as recurring program and engineering management, including life cycle management of cybersecurity upgrades, modifications and enhancements. The recently released DOD MIL-STD-881D now includes specific cybersecurity cost categories for IT and Information Systems. Using these suggested categories, it is now possible to provide discrete analysis of cybersecurity costs and recommend hosting trade-offs between user-owned data centers and cloud service providers.

PRICE (now known as Unison Cost Engineering) is currently collaborating with the Chief Security Officer for IBM Cloud Operational Services to evaluate and map the MIL-STD-881D categories, and to rationalize the trade-offs associated with the TCO of cybersecurity for business systems. We are also collaborating on a comprehensive cloud migration framework, mapping industry-standard categories of Workloads, Technology, Governance and Cloud Services to MIL-STD-881D categories.