The starting point
A large university is among the hardest security briefs anywhere: tens of thousands of users, research data adversaries genuinely want, and an estate accumulated over decades. Glasgow’s security team already understood its risk picture in detail. The missing piece was sustained funding, which meant persuading a university court to treat cyber security as a multi-year investment rather than an annual cost line.
The approach
CyPro began with the argument, not the technology. The University’s posture was benchmarked against recognised frameworks, a target state was agreed that respected genuine constraints, and the distance between the two became a costed, sequenced roadmap. Every page was written for the audience holding the budget: governors and executives, not the engineers who were already convinced.
The outcome
Leadership approved multi-million pound investment on the strength of the case. Register entries became funded workstreams with owners and dates, and the security team gained something budget alone does not buy: a standing mandate to keep improving, benchmarked the same way an ISMS is.