Educause Security Discussion mailing list archives

Re: Security team and budget


From: dsarazen <dsarazen () BRANDEIS EDU>
Date: Thu, 3 Mar 2016 10:04:21 -0500


The highest I've heard, and this included for-profit organizations, was 3 to 6 percent of the TOTAL budget. That was from a SANS instructor, Dr. Eric Cole, in 2014. None of the members of the class (about 50) thought their school was investing even 2% of their budgets towards IT Security.

But only a risk assessment can help you quantify what you really should be spending. I have Dr. Cole's SANS-based risk assessment if you'd like to see it. Again, it's two years old, but maps to ISO/NIST/HIPAA and PCI DSS.

Good luck,
Dan Sarazen, CISA, CISSP


Sent from my Verizon Wireless 4G LTE smartphone

-------- Original message --------
From: Theresa Rowe <rowe () OAKLAND EDU> 
Date: 03/03/2016  8:43 AM  (GMT-05:00) 
To: SECURITY () LISTSERV EDUCAUSE EDU 
Subject: Re: Security team and budget 

The auditor started with a Gartner number of 7% of the IT budget, then reviewed gaps and history of funding to make a recommendation.
On Wed, Mar 2, 2016 at 8:32 PM, Hugh Burley <Hburley () tru ca> wrote:

Hi Theresa,

My approach has been to consider information security as an institutional program rather than a department. From my perspective, it doesn't matter where an individual reports or which department manages a tool; if they are performing an information security function I include that solution cost and any portion of staff time in my budget. Including this information, my program runs between 5% and 7% of the ITS budget. If we believe Larry Ponemon, we should be seeing the best cost-benefit ratio at somewhere closer to 11%.

I am curious to know how your auditor derived what they believe your budget should be.

Hugh Burley
Manager Information Security
Thompson Rivers University
BCCOL 223
Phone: 250-852-6351

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Theresa Rowe
Sent: Tuesday, March 1, 2016 9:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Security team and budget


Hi,

After a recent security audit, the auditor suggested that the security budget, inclusive of staffing, was underfunded. Using Gartner and other data, for a university our size, the suggested budget was around $500,000 to $700,000. We are at 45-55% of that amount.

At first I thought a major difference would be what we spend on staff; there are two staff members on the team. But when I go to Educause Core Data, and compare our Carnegie class and a created group of identified peers, 2 is the size of the team.

This makes me wonder what we are not buying in our security budget. We have AV, logging (hosted Splunk), and the usual stuff, or so I thought.

Would anyone be willing to share details about what is included in their security budget?

Thanks in advance -

--
Theresa Rowe
Chief Information Officer
Oakland University

-- 
Theresa Rowe
Chief Information Officer
Oakland University