The situation
Few UK organisations present a harder defensive problem than a large university. Tens of thousands of users, research data worth stealing, an estate that has grown organically for decades, and a threat picture that never sits still. The University of Glasgow’s security team understood its risks well; the harder problem was securing the sustained funding to address them, which meant persuading a university court that cyber security deserved serious, multi-year investment.
How the CyPro team approached it
Rather than starting with technology, we started with the argument. The team benchmarked the University’s security posture against recognised frameworks, agreed a target state that was ambitious yet respectful of real constraints, and sequenced the gap between the two into a costed, prioritised programme. Crucially, every line of it was written for the audience that would fund it: governors and executives, not engineers.
What changed
Leadership approved a multi-million pound cyber security investment on the strength of that programme. Risks that had lived on a register for years became budgeted workstreams with owners and dates, and the security team gained something rarer than budget: a mandate.