Saw this back in 2003, and you can find the original here:

By Eric Cole

To make sure you understand your organization’s issues, you should be asking the following questions before formulating a security plan:

  1. What is my organization’s critical information or digital assets? Every company has information that’s unique to it. In some companies, this question is easy to answer, and in some cases, it’s very difficult. You have to figure out what pieces of information, if compromised, would put your company out of business or make it difficult for you to continue operating.
  2. On which servers does the critical data reside? Attackers break into servers, which provide the gateway to the data. Therefore, knowing where the data is lets you concentrate your security efforts. It’s also important to prioritize servers. Most companies have a large number of servers, and not all servers have the same level of importance
  3. What are the risks to those servers? Risk is composed of threats and vulnerabilities and can be reduced by countermeasures. The following is the common risk formula: Risk = (Threat x Vulnerabilities)/Countermeasures. A threat is an adverse occurrence that allows someone to do harm to you or your assets. A vulnerability is a weakness that allows a threat to be manifested. A countermeasure is an action you perform to minimize or eliminate either the threat or the vulnerability. The important thing to remember is that if you reduce either the threat or the vulnerability, the resulting risk is also reduced. You only have to reduce one of them, not both. For example, a threat is that someone can run an Internet Information Server (IIS) buffer overflow against your external Web server. The vulnerability is that your company is running external IIS Web servers. Depending on the specifics, your risk could either be high or low. From a countermeasure perspective, there are three general approaches you can take. First, you can do nothing and accept the risk. Second, you could take actions to minimize the risk. In this case, you could minimize the risk by staying up to date and apply the latest patches in a timely manner. Third, you could eliminate the risk by taking the Web servers off-line. As you can see, in most situations, reducing the risk is the most practical approach.
  4. What is the return on investment for reducing or eliminating certain risks? Executives have to be concerned with the financial affect of given security decision. Spending $500,000 to fix a problem that has a 10% chance of occurring and would cost the company $100,000 if it occurs, isn’t a good ROI. On the other hand, spending $50,000 to eliminate a risk that has an 80% chance of occurring and would cost the company $800,000 if it occurs is a wise investment.

Here are the key questions you need to ask to determine the ROI for a given risk:

  • What is the risk?
  • What is the likelihood of it occurring?
  • If it occurs, what will it cost?
  • What will it cost to eliminate the risk?
  • What will it cost to reduce the risk to an acceptable level?

Armed with the answers to these questions, you can spend money in the proper areas.

There is a long list of additional questions that an executive should ask, but the above questions form a foundation for all of the other questions. The above questions also give CIOs a clear view of where the problem is and how bad it is.

Remember, security is mostly about understanding your infrastructure and not necessarily spending money. Taking the time to answer the above questions will best enable you and your management peers to make sure your security dollars are well spent.

Update: Questions to Ask Your Security Vendor