Session

Calculating the unquantifiable? How to estimate ROI on security

How to put a number on the cost of something that may not even happen? How to assign value to abstract and subjective constructs like “brand reputation” or “customer trust”? How do we know if we’re spending enough on security, and how to tell if we’re spending too much?

Assuming we have the budget for software security, where should we invest it? And in the absence of a budget, what can we do to obtain it?

In this talk, I’ll demonstrate a few basic techniques used in finance that we can use to gauge what is a reasonable spend in software security. I’ll also show how to recognize high-value activities, how to tell them apart from security theater, and share my tips for communicating your numbers with the executives.

Dorota Parad

Founder and CEO at Authress

Winterthur, Switzerland
