Penetration testing has been established as a standard security tool in the past years: While the topic was mostly used in the military and intelligence services until recently, penetration testing is now an integral part of regulations such as the Payment Card Industry Data Security Standard (PCI DSS). Penetration testing is now even featured in movies and TV shows. This is not surprising since penetration testing is not only an exciting field to word in but also tangible business benefits. Penetration testing experts seem to have a bright future. One topic that a lot of technical IT professionals have problems with – maybe you as well – is selling security to their non-technical management. This white paper aims to help you with this endeavor: explaining the benefits of penetration testing to the business and securing the necessary budget.
Penetration testing has been established as a standard security practice in recent years: while the topic was originally used in the military and intelligence services, penetration testing is now an essential part of regulations such as the Payment Card Industry Data Security Standard (PCI DSS). Penetration testing is now even featured in movies and TV shows. This is not surprising since penetration testing is not only an exciting field to work in, but also offers tangible business benefits. Penetration testing experts seem to have a bright future.
How to Explain Penetration Testing to Your Boss
We often hear from technical IT folks that communicating the benefit of a penetration test is difficult, especially to a business audience. “You want me to authorize you to break into our systems?” they ask.
Everyone is reluctant to agree to things they are not familiar with. It can help to use analogies to explain how penetration testing works: how do you know whether cars are safe? Even the most experienced engineers will find it hard to accurately predict all aspects of security without a crash test.
Likewise, you should carry out penetration testing regularly on important systems so you can detect where your systems are vulnerable. You have to find these vulnerabilities before criminals, cyber punks, and even spies can harm your enterprise. Penetration tests are one of the tools for responsible IT management to identify and mitigate risks.
“We’ve spent all this money and you’re still telling me that you don’t know whether our systems are secure?” your manager might say. In addition, they may challenge that you should know your systems well enough to know their weaknesses? Not really.
IT systems are more complex than ever: organically grown and connected with the outside world at many points. In many networks, it is very difficult for one individual to have a clear view of all assets. The most talented network specialists can still make mistakes and overlook hard to find security issues. To complicate matters, attackers are increasingly stealthier and the signs of a breach are not always obvious. We need an acid test, a reality check, a quality control for our network’s security.
Penetration tests are such a quality assurance test for security to achieve, well, “security assurance”. It verifies that all our firewalls, permission systems, intrusion detection systems, and data loss prevention solutions work as expected.
Let’s be honest, security is primarily sold on the fear of something bad happening. If a breach occurs how will business continuity be affected? What will it cost? How bad could it be? These are the questions penetration testing seeks to answer for you. The end result is completion of a cost benefit analysis for purchasing security controls. The cost benefit analysis is calculated by totaling the cost of a single loss or breach, multiplied by breach likelihood, and comparing that to the price of security controls. Penetration tests help to identify the cost by revealing what exactly can be breached. The likelihood can be judged by how easy systems were to compromise during the penetration test. This is how you obtain the potential annual costs for deficient security.
We have enough data to support this: the Ponemon Institute, Verizon Business, Forrester Research, and the FBI periodically publish data. They calculate the likelihood of a data breach, the costs of system downtime, the value of stolen/deleted/manipulated data, legal costs, and revenue impact from lost existing and future customers. Currently, the Ponemon Institute estimates the cost per lost customer data set at about US$204. If your database contains 10,000 customer records, this works out as just over US$2 million in damages.
These numbers are certainly helpful, but they’re often not usable for IT professionals in large enterprises because they’re so large that nobody believes that they’re realistic. Also, the numbers were almost exclusively generated in the United States, where heavy compliance regulation has driven up the cost of data breaches, so they’re often not accepted by business audiences in other countries, although this is changing as more countries are introducing ever stricter regulations. Also bear in mind that these numbers must be weighed against the entire IT security budget, not only a single penetration test.
Selling penetration tests with fear is possible then, but there are also other ways, which may resonate better with your management because selling through fear could be interpreted as “black mailing”. Not a good approach for a business relationship.
One possibility is to demonstrate that penetration testing can reduce the costs of a vulnerability management program. Many enterprises already have an established program for vulnerability management but cannot remediate all vulnerabilities because there are simply too many. Vulnerability scanners never have trouble finding vulnerabilities – the issue is to know which ones are important. By using penetration testing software such as Metasploit, you can verify which vulnerabilities are exploitable and must therefore be remediated first. This refinement of your processes not only ensures that the most important security issues are fixed first, but also reduces the cost of your vulnerability management program because you can identify, and therefore ignore, non-exploitable vulnerabilities that don’t pose a risk to your infrastructure.
Compliance should ideally be achieved through good security. In reality it is used as a bridge for IT security professionals to communicate the need for security budget with business managers. Managers know that their division has to comply with certain regulations to avoid penalties. On the other hand, IT security professionals know that they can get additional budget if the business has compliance needs. Compliance is not equal to security, but the compliance budget can, if correctly used, achieve higher security.
Most business cases for penetration testing relate to what happens if data gets stolen. Almost none take into account the cost of systems being brought down or how it could their public image. Simply ask the question: “How would it impact our organization if our ERP system were down for a week?” Your managers will find this easier to imagine than their customer data being on sale on a hacking website. Even the costs should be easier to calculate.
A company’s reputation, represented by its brand, can take a huge hit in a data breach, but it’s also one of the hardest things to calculate in hard dollars. Imagine that all buildings of the Coca-Cola company burn down today.
Someone is offering you to buy the rights to use the brand Coca-Cola in the future to sell beverages. What would this right be worth to you? Although the entire enterprise has ceased to exist, the brand still has a certain value.
Many companies invest a lot of money for advertising, especially when products are generic, for example bank accounts. Unless your best buddy works as a customer representative in one of the banks, your perception of the company and your trust relationship with the brand are probably the biggest factors in making a decision.
What happens when the trusted relationship to “your brand” is damaged by a data breach? As a consumer, your privacy has been violated when your online bookshop inadvertently publishes your purchasing history of the past three years. Maybe you even have to cancel your credit card. If the competitor’s product is virtually identical with the one you’re using now, the emotional decision is simple: You’re switching. This has direct impact on the revenue of the organization that made the error.
One topic that a lot of technical IT professionals have problems with – maybe you as well – is selling security to their non-technical management. This white paper aims to help you with this by explaining the benefits of penetration testing in relevance to the business so you can secure the necessary budget.