Educause Security Discussion mailing list archives
Re: Security team and budget
From: Hugh Burley <Hburley () TRU CA>
Date: Thu, 3 Mar 2016 01:32:19 +0000
Hi Theresa, My approach has been to consider information security as an institutional program rather than a department. From my perspective, it doesn’t matter where an individual reports or which department manages a tool, if they are performing an information security function I include that solution cost and any portion of staff time in my budget. Including this information my program runs between 5% and 7% of ITS budget. If we believe Larry Poneman, we should be seeing the best cost benefit ratio at some where closer to 11%. I am be curious to know how your auditor derived what they believe your budget should be. Hugh Burley Manager Information Security Thompson Rivers University BCCOL 223 Phone: 250-852-6351 From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Theresa Rowe Sent: Tuesday, March 1, 2016 9:57 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Security team and budget Hi, After a recent security audit, the auditor suggested that the security budget, inclusive of staffing, was underfunded. Using Gartner and other data, for a university our size, the suggested budget was around $500,000 to $700,000. We are at 45-55% of that amount. At first I thought a major difference would be what we spend on staff; there are two staff members on the team. But when I go to Educause Core Data, and compare our Carnegie class and a created group of identified peers, 2 is the size of the team. This makes me wonder what we are not buying in our security budget. We have AV, logging (hosted Splunk), and the usual stuff, or so I thought. Would anyone be willing to share details about what is included in their security budget? Thanks in advance - -- Theresa Rowe Chief Information Officer Oakland University
Current thread:
- Security team and budget Theresa Rowe (Mar 01)
- Re: Security team and budget Akbari, Amir (Mar 01)
- Re: Security team and budget David Seidl (Mar 01)
- Re: Security team and budget Youngquist, Jason R. (Mar 02)
- Re: Security team and budget Theresa Rowe (Mar 02)
- Re: Security team and budget Hugh Burley (Mar 02)
- Re: Security team and budget Theresa Rowe (Mar 03)
- <Possible follow-ups>
- Re: Security team and budget dsarazen (Mar 02)
- Re: Security team and budget Spahr, Todd M. (Mar 02)
- Re: Security team and budget dsarazen (Mar 03)