Educause Security Discussion mailing list archives

Re: Security team and budget


From: Theresa Rowe <rowe () OAKLAND EDU>
Date: Thu, 3 Mar 2016 08:43:02 -0500

The auditor started with a Gartner number of 7% of the IT budget, then
reviewed gaps and history of funding to make a recommendation.

On Wed, Mar 2, 2016 at 8:32 PM, Hugh Burley <Hburley () tru ca> wrote:

Hi Theresa,



My approach has been to consider information security as an institutional
program rather than a department.  From my perspective, it doesn’t matter
where an individual reports or which department manages a tool; if they
are performing an information security function I include that solution
cost and any portion of staff time in my budget.  Including this
information, my program runs between 5% and 7% of ITS budget.  If we believe
Larry Ponemon, we should be seeing the best cost-benefit ratio at
somewhere closer to 11%.



I am curious to know how your auditor derived what they believe your
budget should be.



Hugh Burley

Manager Information Security

Thompson Rivers University

BCCOL 223

Phone: 250-852-6351





*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Theresa Rowe
*Sent:* Tuesday, March 1, 2016 9:57 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] Security team and budget



Hi,



After a recent security audit, the auditor suggested that the security
budget, inclusive of staffing, was underfunded.  Using Gartner and other
data, for a university our size, the suggested budget was around $500,000
to $700,000.  We are at 45-55% of that amount.



At first I thought a major difference would be what we spend on staff;
there are two staff members on the team. But when I go to Educause Core
Data, and compare our Carnegie class and a created group of identified
peers, 2 is the size of the team.



This makes me wonder what we are not buying in our security budget.  We
have AV, logging (hosted Splunk), and the usual stuff, or so I thought.



Would anyone be willing to share details about what is included in their
security budget?

Thanks in advance -



--

Theresa Rowe
Chief Information Officer
Oakland University





-- 
Theresa Rowe
Chief Information Officer
Oakland University
