Like many security professionals, I often find it very hard to justify making certain expenditures. Especially when money must be spent before a real incident has taken place (or rather, before a real incident has been identified), fully developed, detailed justifications are often hard to capture.

As a result, I am truly looking forward to what Rich and Adrian over at Securosis are working on. Today, they put up what will hopefully be the first post of many on business justifications for data security spending.

The approach appears to be based on a thoughtful combination of quantification and qualification and consists of the following four steps:

  1. Data Valuation
  2. Risk Estimation
  3. Potential Loss Assessment
  4. Positive Benefits Evaluation

The choice of words by itself makes me hopeful. Rather than pretending that risk can be calculated completely, Rich and Adrian use the term estimation, and instead of a loss calculation, they use the phrase assessment.

I look forward to reading more of their work!