Using Penetration Tests to Demonstrate ROI
You need to compete for dollars internally to fund your cybersecurity projects
Use ROI on prior investments to build confidence for new budget requests
When done right, penetration testing can show ROI on your prior cybersecurity investments.
One of the biggest challenges faced by cybersecurity leaders is proving the return on their cybersecurity investments to their leadership. Every day, you compete for dollars and balance the resources you are given. Unlike other areas of business, showing ROI isn’t straightforward because you are trying to put a value on events that haven’t happened and may never happen.
Using penetration testing to show ROI on your prior cybersecurity investments is an important and often overlooked outcome. Pentest results, breach statistics, and consistent reporting prove that what you’ve spent in the past has a positive ROI. This positive look at the past gives you and your leadership confidence that your future budget requests will be no different. We make most decisions in life by considering past results, and cybersecurity should be no different.
ROI on Cybersecurity Investments: Mixing Oil and Vinegar?
The standard return on investment formula immediately poses a high degree of subjectivity when applied to cybersecurity.
It doesn’t take long to see the problem: what is the “Gain from investment”? For any given technology, there are murky layers that make estimating savings difficult, such as:
What does a breach cost?
How much does the investment reduce the risk that a particular breach will happen?
Does the technology automate/replace any manual processes and what are the associated savings?
Does the technology help achieve compliance with industry or government regulations? Does that represent a savings in possible fines? Or, is it a mandate to even be in business?
This list could go on, but you get the point: by its very nature, cybersecurity makes it hard to estimate the savings from any single solution or technology.
Let’s make this really complicated
Many believe a more complicated calculation is necessary. You need to modify the formula to consider Annual Rates of Occurrence, Loss Expectancy, Modified Loss Expectancy and so on.
As your formula grows, your story begins to feel less believable.
The insurance industry is notorious for using complicated calculations. It works because they have decades of loss data. Applying this to cybersecurity is problematic because the risk adjustment changes with every new technology and new threat. The landscape moves too fast, and the data just doesn’t align well.
There are many helpful studies of loss averages. IBM’s Cost of a Data Breach Report is among the best. The problem is aligning a particular investment to an overall cost of breach.
Keep it Believable
One avenue to explore is to instead focus on broader groupings of security controls rather than homing in on the return from singular technologies. This approach makes more sense considering that there is no such thing as a silver bullet solution in cybersecurity that prevents all types of attacks.
Instead of looking for silver bullets, organizations need to layer together multiple levels of security controls for holistic defense in depth. When one type of measure or one layer fails, there are other technologies and solutions to act as extra defensive layers. It’s far better to build a compelling ROI story using groupings of controls rather than one solution. This is where penetration testing helps.
Building a Realistic ROI Story with Penetration Tests
The foundation for any penetration test is to simulate how real-world threat actors would probe your IT environment and exploit vulnerabilities. Typically, the outcome of a pentest is focused solely on a list of things to remediate.
At Security Pursuit, we extend our penetration testing services to support the ROI on the tested security controls. This ROI story rests on the scope of the penetration test engagement. For example, if we perform only an external network pen test, we build an ROI story focusing on your investments in perimeter security defenses.
Broader penetration testing results in a broader footprint for ROI. Include internal network penetration testing, wireless, and/or application penetration testing and you can build an ROI story around those controls, too.
Security Pursuit extends the ROI story by aligning our penetration tests to best practice controls. We’ve provided an example of our worksheet to do this against CIS v8 controls at the end of this post. When reported correctly, this provides real legitimacy to your story.
A Working Example
Let’s go through an example using an external network pentest.
For investments, the figure is a (relatively) straightforward sum of your company’s total technical investment in your external perimeter defenses. This figure includes hardware, software, third party service providers, and human resources allocated to perimeter security. And don’t forget, the cost of the external network pen test also needs factoring in. The only slight nuance to bear in mind is the typical amortization of technical investments over several years—your CFO is a good person to turn to for these numbers.
Putting some real numbers in our example, let’s say you have $450,000 per year in direct technical investments; you pay an MSSP $60,000 to monitor your perimeter; a security analyst spends a proportion of time on external network events worth $30,000 of salary; and the pen test costs $35,000. The total investment is then $575,000.
The external network pentest gets aligned to the appropriate CIS v8 controls in our worksheet. Because you are testing a group of controls, those larger “cost of breach” statistics now become relevant. Now you can use the IBM report above, or any others you feel more relevant. In fact, it might be useful to source a loss figure from two or three reports or statistical sources and then take the median (middle value) for a more well-rounded estimate.
Use a loss figure that most closely matches the industry you operate in and the size of your company. Using the report, let’s use a figure of $3.34 million per loss from external perimeter system breaches. The savings calculation isn’t yet complete because you need to know the frequency of such breaches, for which you can again use either reported figures or your own statistics based on log analysis. For this example, we’ll say that technical external compromises happen with a probability of 0.75.
The ROI for perimeter security controls is then calculated as follows:
In other words, the savings from perimeter security controls are worth 3.35 times what you invested in them. Not bad!
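As an added illustration of the calculation above (not the Security Pursuit worksheet), the example's figures in Python. The two loss figures beside the post's $3.34 million are constructed placeholders standing in for other reports, and the optional capital/amortization parameters are an assumption for spend that isn't already annualized.

```python
from statistics import median


def annual_investment(recurring_costs, capital_costs=(), amortization_years=1):
    """Yearly spend on a control grouping: recurring costs (services, salary
    share, the pen test itself) plus any one-off capital spend spread over the
    amortization period your CFO uses (assumed parameters, not from the post)."""
    return sum(recurring_costs) + sum(capital_costs) / amortization_years


def expected_annual_loss(loss_per_breach_estimates, breach_probability):
    """Median of several reports' per-breach loss figures, scaled by the
    probability of such a breach occurring against this control grouping."""
    return median(loss_per_breach_estimates) * breach_probability


def control_group_roi(investment, expected_loss_avoided):
    """ROI as a ratio: (gain from investment - investment) / investment, where
    the gain is the expected loss the grouping of controls avoids."""
    return (expected_loss_avoided - investment) / investment


# Figures from the post's external network pen test example
PERIMETER_COSTS = {
    "direct technical investment (already annualized)": 450_000,
    "MSSP perimeter monitoring": 60_000,
    "analyst time on external network events": 30_000,
    "external network pen test": 35_000,
}
# The post's $3.34M figure plus two constructed placeholder figures, so the
# median step across multiple reports is visible
LOSS_ESTIMATES = [3_100_000, 3_340_000, 3_900_000]
BREACH_PROBABILITY = 0.75


def perimeter_example():
    """Returns (investment, expected loss avoided, ROI ratio) for the example."""
    investment = annual_investment(PERIMETER_COSTS.values())
    avoided = expected_annual_loss(LOSS_ESTIMATES, BREACH_PROBABILITY)
    return investment, avoided, control_group_roi(investment, avoided)


if __name__ == "__main__":
    inv, avoided, roi = perimeter_example()
    print(f"investment ${inv:,.0f}, expected loss avoided ${avoided:,.0f}, "
          f"ROI {roi:.2f}x")
```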
Keep in mind that the story here is that the ROI for all perimeter controls combined is 335%. What are those perimeter controls? This is where you align your test to a control framework, like CIS v8. You can download our free worksheet that spans the entire CIS v8 framework.
Tying it to budget requests
By now, we have a solid, fact-based foundation for the ROI of perimeter controls. You still need to tie this return to a particular future investment. This alignment can be done as a performance improvement (for example, your expected loss goes down) or as a cost saving (the cost of perimeter controls goes down).
As we showed, attempting this kind of calculation for a single technology becomes convoluted very quickly, because it is almost impossible to put a realistic figure on the savings. Most business leaders don’t understand the details of particular technologies anyway; they want to know about cost avoidance for the money invested. Building out your ROI story against a set of controls provides a credible estimate that can justify ongoing or future investments in your critical security areas.
Contact us today to find out more about how Security Pursuit uses penetration testing to help our clients prove ROI on their cybersecurity investments.