When is enough security enough

I was asked this question by a senior executive. My first reaction was that the question was misguided and a little naive. The more I reflected on it, the better I understood the question. The answer can only be given accurately by first defining the appetite for risk that the leaders of the company have established. Once the appetite for risk is defined, I can answer the question.

The lack of a true understanding of risk appetite means the answer to the question may very well be that there will never be enough security. The definition of a risk appetite defines the target state of an organization; without this guidance, security professionals tend to reach for the stars and try to solve the unsolvable. The problem is that sometimes solving the unsolvable is easier than getting an answer to the question "How much risk is the company willing to accept?"

So I suggest that the answer to the original question is basically "you tell me". That, in turn, is a question that cannot be easily answered without a good risk management program.

Reference: NIST SP 800-39, Managing Information Security Risk (SP800-39-final.pdf)
