CostObserverThe Engineering Leader's Guide to Cloud Cost Accountability
When the cloud bill is both a cost problem and a security problem, who actually owns it? The answer is not FinOps. It is not SecOps. It is you.
Most Engineering Leaders have a version of this conversation every quarter.
The FinOps team presents a cost forecast for the next six months. Clean numbers. Compute trending up 12%. Storage flat. Data transfer manageable. The SecOps team, in a separate meeting the same week, mandates a new endpoint detection agent on every EC2 instance in production. The agent is necessary. It also adds 15% CPU overhead per instance, which means the FinOps forecast is now wrong before the quarter even starts.
Nobody told FinOps. Nobody asked SecOps to model the cost impact. The forecast goes to the board. The bill comes in higher. The Engineering Leader gets asked why.
This is not a tooling problem. It is an accountability problem. According to the FinOps Foundation State of FinOps Report, “empowering engineers to take action” on cloud costs has ranked as the number one or two challenge in the industry for three consecutive years. The gap between knowing what the bill is and knowing who is responsible for it has not closed.
The Accountability Structure Cloud Was Not Designed For
FinOps owns cost visibility. SecOps owns risk visibility. Neither team owns the intersection.
That intersection is larger than most Engineering Leaders realise. Security tooling decisions directly affect compute costs. Cost optimisation decisions directly affect security posture. The two disciplines share an infrastructure but operate on separate planning cycles, separate budgets, and separate success metrics.
The AWS Well-Architected Framework treats cost optimisation and security as separate pillars. That is a useful model for building systems. Running an engineering organisation is different, because a single resource decision can move both pillars simultaneously.
Three Accountability Gaps That Show Up in Post-mortems
Gap 1: Security mandates with no cost modelling
When SecOps mandates a new control, the cost impact rarely gets modelled before the mandate goes out. An endpoint agent on every EC2 instance. A new WAF rule set that increases request processing volume. A GuardDuty configuration change that expands log analysis scope.
Each of these is a legitimate security decision. Each of them also has a direct billing consequence that lands in the FinOps forecast without warning.
AWS GuardDuty charges per CloudTrail management event, VPC Flow Log, and DNS log analysed. Expanding GuardDuty coverage to a new account or enabling S3 protection across a large bucket estate can add hundreds of dollars per month to the bill. That cost appears in the Security, Identity, and Compliance category in Cost Explorer. Most FinOps teams do not own that category. Most SecOps teams do not see it.
The fix is a cost impact review as part of every security mandate. Not a veto. A number. Before the mandate goes out, someone models what it costs. That number goes into the forecast. The Engineering Leader stops being surprised.
Gap 2: No single owner during an active billing attack
A large billing spike from a compromised credential or a runaway process creates an immediate operational problem that most organisations are not structured to handle cleanly.
FinOps notices the spike first. They open a cost investigation ticket. SecOps gets a GuardDuty finding. They open a security incident ticket. Both teams are now working the same event. Neither team has the authority to do what actually needs to happen: revoke the credential, terminate the instances, and file the AWS Support escalation to request a billing credit.
That escalation requires someone who can speak to both the security incident and the financial impact simultaneously. In most organisations, that person is the Engineering Leader, and they find out about the incident when both teams escalate to them separately, hours into the investigation.
The AWS Security Incident Response Guide outlines a clear containment and eradication process for compromised credentials. What it does not address is who owns the financial remediation in parallel. That gap is an organisational decision, not a technical one. It needs to be made before the incident, not during it.
Gap 3: Budget cycles that treat security spend as unpredictable
Cloud security costs are not fixed. They scale with attack volume. AWS WAF charges $0.60 per million requests processed, including blocked malicious traffic. A sustained scanning campaign or a DDoS event increases WAF costs before it increases the security team’s alert queue.
Most engineering budgets treat WAF, GuardDuty, and Shield as fixed line items. They are not. They are variable costs that respond to external threat activity. When attack volume increases, the bill increases. FinOps sees the cost increase and investigates it as a potential misconfiguration. SecOps does not see the billing data at all.
The Engineering Leader who builds a budget that separates security-driven infrastructure costs from operational infrastructure costs has a materially better picture of what is happening in their environment. The cost of being attacked is a real number. It belongs in the forecast.
What Good Accountability Looks Like
This is not about reorganising teams. FinOps and SecOps should remain distinct disciplines. The change is in three specific handoffs.
Security mandates go through a cost review before they ship. Not a lengthy process. A one-page impact assessment: what does this control cost per resource, per account, per month? That number goes to FinOps before the mandate goes out. The forecast stays accurate.
One named owner for billing incidents. When a cost spike cannot be explained by a deployment or a known traffic event within two hours, one person has the authority to treat it as a potential security incident and act accordingly. That person has access to both the billing console and the security tooling. In most organisations, this is a senior platform or infrastructure engineer, not the Engineering Leader directly. But the Engineering Leader needs to have named that person before the incident happens.
Security spend tracked as a separate budget category. WAF, GuardDuty, Shield, Security Hub, and the compute overhead of security agents are security costs. They belong in a security budget line, not scattered across compute, networking, and management categories. This is a tagging and cost allocation decision that takes an afternoon to implement and gives the Engineering Leader a number they currently do not have: what does it cost to run this environment securely?
Fact-check: Does this require new tooling?
No. AWS Cost Explorer supports custom cost categories. AWS Cost Categories let you group WAF, GuardDuty, Shield, and related services into a single “Security Infrastructure” category that appears as a line item in your billing reports. It is a one-time configuration that takes under an hour.
The Metric Worth Adding to Your Dashboard
Most Engineering Leaders track cloud spend, security posture score, and incident response time as separate metrics. None of those captures the cost of the gap between FinOps and SecOps.
The metric worth adding: time from unexplained cost anomaly to security investigation. How long does it take, from the moment a cost spike appears that cannot be explained by a deployment, for someone to ask whether it has a security cause?
In most organisations, the answer is measured in days. Sometimes it is never, because the cost spike normalises before anyone connects it to the security finding.
That number is the operational cost of running FinOps and SecOps as separate disciplines. It does not appear on any dashboard. It shows up in post-mortems.
Try CostObserver. Read-only access, no credit card, connects in minutes. Or explore the demo without signing up.