Like many security professionals, I often find it very hard to justify certain expenditures. Especially when money must be spent before a real incident has taken place (or rather, before a real incident has been identified), fully developed, detailed justifications are often hard to produce.
As a result, I am truly looking forward to what Rich and Adrian over at Securosis are working on. Today they put up what will hopefully be the first of many posts on business justifications for data security spending.
The approach appears to be based on a thoughtful combination of quantification and qualification and consists of the following four steps:
- Data Valuation
- Risk Estimation
- Potential Loss Assessment
- Positive Benefits Evaluation
I look forward to reading more of their work!