This paper was presented at the FIRST 2005 conference in Singapore, and discusses a model we developed at Cisco to rapidly triage which IT projects required information security engagement, and those that presented less risk and therefore required fewer resources.