Educause Security Discussion mailing list archives

Re: Security team and budget


From: David Seidl <dseidl () ND EDU>
Date: Tue, 1 Mar 2016 13:45:58 -0500

Theresa,

Here are some major items that I've seen as security cost drivers:

- IDS/IPS
- Threat insight/advanced anti-malware tools (related to IDS/IPS, but aimed
at APT and similar issues)
- Layered firewalls
- SIEM
- Vulnerability management
- Awareness programs
- Forensic capabilities
- Compliance efforts - PCI, export controls, and others
- Endpoint security, including BYOD and desktop/laptop/mobile device tools
- Encryption and other data security items

The big network devices and SIEM systems tend to have major outlays and
reasonably large ongoing support costs that scale with the size of the pipe
you're protecting. Datacenter security tends to cost quite a bit too, as
that bandwidth is often bigger than campus borders.

And a few others that are sometimes related, depending on organizational
design:

- eDiscovery tools and support
- Identity related tools like auditing and monitoring systems
- Patch management / version management

Finally, this recent SANS Reading Room article seems useful as a way to
think about trends and where you are spending your security budget dollars:

https://www.sans.org/reading-room/whitepapers/leadership/security-spending-trends-36697

Page 12 was the big impact page for me.

David

David Seidl
Senior Director of Campus Technology Services
dseidl () nd edu | 574-631-7305

On Tue, Mar 1, 2016 at 12:56 PM, Theresa Rowe <rowe () oakland edu> wrote:

Hi,

After a recent security audit, the auditor suggested that the security
budget, inclusive of staffing, was underfunded.  Using Gartner and other
data, for a university our size, the suggested budget was around $500,000
to $700,000.  We are at 45-55% of that amount.

At first I thought a major difference would be what we spend on staff;
there are two staff members on the team. But when I go to Educause Core
Data, and compare our Carnegie class and a created group of identified
peers, 2 is the size of the team.

This makes me wonder what we are not buying in our security budget.  We
have AV, logging (hosted Splunk), and the usual stuff, or so I thought.

Would anyone be willing to share details about what is included in their
security budget?

Thanks in advance -

--
Theresa Rowe
Chief Information Officer
Oakland University


