Educause Security Discussion mailing list archives

Re: Security team and budget


From: "Spahr, Todd M." <tspahr () TOWSON EDU>
Date: Wed, 2 Mar 2016 13:58:03 +0000

Theresa,

I agree with Dan that an assessment should be done, as risk management is key to a great security program. If not, then 
we fall into the path of just buying the next buzzword.

Todd Spahr · Director, Information Security
Office of Technology Services · Administration and Finance
Towson University (http://www.towson.edu/) · 8000 York Road · Towson, Maryland 21252-0001
t. 410-704-5185


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of dsarazen
Sent: Wednesday, March 02, 2016 8:54 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security team and budget

Hi Theresa,

Has your institution completed an IT risk assessment? If so, that should give you a road map for short- and long-term 
planning. If not, maybe you should spend some money on conducting a risk assessment.

Good luck,

Dan




-------- Original message --------
From: Theresa Rowe <rowe () OAKLAND EDU>
Date: 03/01/2016 12:56 PM (GMT-05:00)
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Security team and budget
Hi,

After a recent security audit, the auditor suggested that the security budget, inclusive of staffing, was underfunded.  
Using Gartner and other data, for a university our size, the suggested budget was around $500,000 to $700,000.  We are 
at 45-55% of that amount.

At first I thought a major difference would be what we spend on staff; there are two staff members on the team. But 
when I go to Educause Core Data, and compare our Carnegie class and a created group of identified peers, 2 is the size 
of the team.

This makes me wonder what we are not buying in our security budget.  We have AV, logging (hosted Splunk), and the usual 
stuff, or so I thought.

Would anyone be willing to share details about what is included in their security budget?

Thanks in advance -

--
Theresa Rowe
Chief Information Officer
Oakland University

