Educause Security Discussion mailing list archives

Re: Security team and budget


From: Hugh Burley <Hburley () TRU CA>
Date: Thu, 3 Mar 2016 01:32:19 +0000

Hi Theresa,

My approach has been to consider information security as an institutional program rather than a department. From my 
perspective, it doesn’t matter where an individual reports or which department manages a tool; if they are performing 
an information security function, I include that solution cost and any portion of staff time in my budget. Including 
this information, my program runs between 5% and 7% of ITS budget. If we believe Larry Ponemon, we should be seeing the 
best cost-benefit ratio at somewhere closer to 11%.

I would be curious to know how your auditor derived what they believe your budget should be.

Hugh Burley
Manager Information Security
Thompson Rivers University
BCCOL 223
Phone: 250-852-6351


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Theresa Rowe
Sent: Tuesday, March 1, 2016 9:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Security team and budget

Hi,

After a recent security audit, the auditor suggested that the security budget, inclusive of staffing, was underfunded.  
Using Gartner and other data, for a university our size, the suggested budget was around $500,000 to $700,000.  We are 
at 45-55% of that amount.

At first I thought a major difference would be what we spend on staff; there are two staff members on the team. But 
when I go to Educause Core Data, and compare our Carnegie class and a created group of identified peers, 2 is the size 
of the team.

This makes me wonder what we are not buying in our security budget.  We have AV, logging (hosted Splunk), and the usual 
stuff, or so I thought.

Would anyone be willing to share details about what is included in their security budget?

Thanks in advance -

--
Theresa Rowe
Chief Information Officer
Oakland University

