This paper presents a portfolio optimization approach to information technology (IT) security investment decisions in an organization. This approach has been motivated by the extreme variations that are found in IT security requirements for organizations in addition to the diversity of starting conditions found in organizations that choose to embark on a formal approach to managing their security. Often, a budgetary allocation is made for IT security and IT managers and management are faced with the problem of how to allocate these monies or resources across competing projects and products that can potentially improve or enhance IT security in an organization. Instead of ranking or rating the various alternatives based on their benefits only, it is demonstrated how, by identifying organizational objectives, and then aligning the decisions with the objectives, one can optimally allocate resources across the IT security portfolio. The approach in this paper has been to provide a generic decision framework that can be customized by practitioners and fine-tuned by other researchers. The approach is explained and then the results are discussed using a case study. Both the strengths and weaknesses of this approach are highlighted and suggestions for how this approach can be deployed and enhanced are provided.