In my latest @ISACA column, I tackle the problem of project triage. It's a pernicious problem that many security departments have to manage: we have to check everything currently in place, yet new stuff is being added all the time.

I address this problem from a risk perspective: we need to allocate our scarce security resources to projects the same way we do everywhere else.