Being in the financial services sector, we hear the term 'security' a lot. We are required by regulators to have policies and practices in place to protect the data in which we are entrusted. The question we must ask ourselves is how we allocate the budget we have to defend ourselves against an adversary that has better resources and greater funds then we do. The US government spends billions of dollars on security, and we hear stories of their data breaches on a regular basis. If scammers can breach even their highest security level, how do we do it with budgets that are a fraction of theirs?