How do you arrive at the IT decisions you make? What factors do you use in security spending decisions? If you are having a hard time defining this, you are not alone. I am continually surprised at the lack of information organizations have, and still make critical business decisions. It may seem obvious, but it is a reality that bad decisions are being made all the time. Bad decisions increase organizational risk. Decision-making needs to have discipline and rigor just like any successful business process. This talk uses real world examples of successful and failed decisions, and their outcomes, as a learning tool. The takeaway is better, more solid ways to make, justify and defend your decisions.