There are two vernaculars spoken in every organization: technical and non-technical. Any technical person has experienced the frustration of explaining technical details and why they’re important, just to have a non-technical person stare blankly back at them. It’s no surprise then that conveying the value of a penetration test can fall on deaf ears when business decision makers don’t understand the impact it can have on the organization. Here are a few tips for making the business case for penetration testing. Whether you are a security professional trying to get your business manager to sign off on a pentest, or a business manager trying to understand the value in standard terms, this post should help.
WHAT IS PENETRATION TESTING?
In many instances, the person you are talking to doesn’t know the definition of a penetration test. A penetration test is a purposeful attack on a computer system, network, or application to reveal vulnerabilities that could lead to a security breach or disclosure of sensitive data.
For those who don’t know what a pentest is, try explaining it with a simple analogy. It is a lot like a primary care visit to a doctor. You hope the visit won’t produce anything major. However, if a test reveals something big, you are certainly glad you went to see the doctor. A penetration test is similar in that it diagnoses the security health of your network or application, then helps to remediate any discovered vulnerabilities.
Another way to position a penetration test is that it’s an additional layer of security on top of what you already do. You already pay for a VPN service or a certificate for HTTPS. A penetration test is another level of security check that verifies that those security systems do what they promised to do.
All systems have vulnerabilities, and many of them are not obvious. A penetration test, also known as ethical hacking, evaluates the number of points an attacker might use to gain access to your valuable assets, thus providing insights on how to improve system security.
CALCULATE THE COST OF A BREACH
Numerous factors contribute to the true cost of a security breach such as:
- Damage to your reputation
- Regulatory fines for disclosed customer data
- Cost to repair the damage
- Lost data
- Decrease in stock prices
- Employee wages while services are down
- Revenue lost while services are down
Depending on the size and industry of your company, any of these factors can exponentially increase the cost of a breach, which makes the true cost difficult to determine.
The Ponemon Institute calculates that the cost of a data breach is currently rising. In the 2017 report, the average cost of a security breach rose from $3.79 million in 2015 to $4 million in 2016. This includes revenue lost, regulatory fines, reputation loss, and costs to recover from an attack, among other factors.
They estimate that the cost of compromised personal information is, on average, $158 per record. So, a simple equation to calculate the cost of an incident is $158 multiplied by the number of customer or employee records.
REDUCE SECURITY WASTE AND GET MORE VALUE PER IT DOLLAR SPENT
Companies only have limited resources to contribute to their technology infrastructure. A penetration test can prioritize your current IT assets and identify where to best spend your IT budget for the most bang for your buck. It can also help prevent you from wasting money in areas where you don’t need to spend it.
Tools used to secure your organization are expensive. Evaluate their worth by putting them to the test. In some cases, you might find that the tool needs to be reconfigured to work better. Other times, you could save money by reducing the security services you use and only paying for what works.
WHEN THE NUMBERS ARE NOT ENOUGH JUSTIFICATION
If the fear of substantial and wasteful costs is not sufficient to convince the powers that be to conduct a penetration test, then what about the value a penetration test can add to your business?
EDUCATIONAL OPPORTUNITY
Every network or system has its flaws, and what a penetration test will always do is teach. The more you know about your system and the ways to make it better, the harder it will be for attackers to penetrate it. A pen test will make your IT more efficient and more protected.
REPUTATION
It should go without saying that a security breach doesn’t look good for any company. Save face and stay out of the papers by reducing the probability that an attacker will successfully exploit your system. Customers’ trust—and their business—can easily be lost by a data breach.
COMPLIANCE AND CLIENT REQUIREMENT
This one is easy. If you work in a regulated industry, then a penetration test is likely required to comply with the law. Just ensure you’re getting full value from the penetration test you pay for and not just another check box on a regulatory requirements list.
In addition to compliance, we see an increase in Rhino Security clients asking for a penetration test because a customer requires the security assessment. With cybersecurity becoming a focus in the daily news cycle, more consumers have privacy concerns and have added an organization’s security aptitude to their buying decision factors.
Because of this, we’ve begun administering an Attestation Document after remediation of any vulnerabilities we find during a penetration test. This Attestation Document declares that your company went through the necessary steps to find and mitigate security vulnerabilities and is therefore considered to be secure by our standards. We find that our clients like being able to send this document to their potential customers to show that they adhere to best security practices, which gives them an edge over competitors that do not do security testing.
IN CONCLUSION
In the end, the real ROI in a penetration test is education: learning about your system’s vulnerabilities and how to fix them before they become a problem. You don’t pay someone to hack your system; you pay them for the report revealing where your vulnerabilities are and how to remediate them. If a company gives you a penetration test that only reports exploits without remediation, then that doesn’t benefit anyone. Penetration tests should ensure that when an exploit is found, your engineers know how to remediate the problem and avoid it in the future.
If you’re interested in what our reports look like, you can view an example from one of our service pages. If you have questions about penetration testing, reach out to us. We are passionate about research and staying on the cutting edge of security insights. It’s why we love doing what we do every single day.