The business case for penetration testing – Preaching to the unconverted:

demonstrating statistics

How do you communicate ROI on Penetration Testing to gain buy-in?

Did you get your car insurance renewal quote in recently? Chances are it’s gone up and chances are you are wondering whether it’s worth it.

For non-tech savvy finance folk and to be fair, some tech-savvy non-finance folk, you can understand why they might view penetration testing in much the same way. They shouldn’t though, if they fully understood the cost to business and reputation even a relatively harmless data breach or hack could have, they would be throwing wads of cash at you faster than you could pick it up. OK, maybe not, but you get the picture.

Communicate with the Finance Department

It’s not always easy to communicate with the finance department, they deal in the bottom line, in facts and in figures. What you need to do is articulate the cost of the security service needed and compare it to investing in the potential damages that the penetration test would prevent. For this undertaking, you’ll need a solid understanding of your company’s Information Assets (IA) and how valuable those assets are to the business.

Warning: Sleep inducing initialisms ahead (& some egg sucking instruction)!

As mentioned, Finance Departments like to talk figures, the clue is in the name really. They also like to talk in initialisms. By the way, I was going use the term acronyms, but it turns out an acronym is an abbreviation formed from the initial letters of other words and pronounced as a word – i.e. NASA. Who knew? What, everyone except me!?

Anyway, back to initialisms, a perennial favourite of the ‘bottom liners’ is Return on Investment (ROI). Simply put; it’s some confirmation that if you spend £xxx, by a certain time you will receive £xxx in return – basically “what’s in it for me?” This is where you’ll need to demonstrate the cost of a breach to the business vs the cost of a penetration test.

They might also ask for a Payback Period (PP) – which is “OK, you’ve told me what I am going to get, when I am going to get it?” Your answer to this one is “just before the next penetration test.”

If thanks to your penetration testing programme, they have reached the next one without suffering the greater cost of a breach or hack then that’s their ROI.

Educate on the intangible business benefits

Next stop on the initialism fun-ride is Net Present Value (NPV) basically the mechanism for valuing current value of future cash flows – this is where you will need to re-introduce the less tangible aspects of suffering a data breach. If you need something to help your cause just point them to historical share prices of a high-profile company pre & post breach and watch the colour drain from their faces! This linked with Initial Rate of Return (IRR) means that your job is tricky but not impossible – you can’t go bowling in with “we need to spend £xxx on penetration testing or someone is going to hack us

Instead, once armed with this data and knowledge, you take it to those that hold the purse strings and you demonstrate how you came to the valuation of the Information Assets (IA), remember them? These same people may have already assisted you in the valuation – in which case you’ll have a head start. Then you present them with the cost of protecting the IA – in the form of a security or penetration test. This can be a test on its own or as part of a comprehensive Information Risk Management programme – we’ll leave it to you to test the waters of how receptive they may be!

Consult industry experts to support your business case

Risk Crew will not only help you with the penetration testing itself, but we can also help you with making the business case for it. We can guide you in speaking the language that’s required, we can discuss Return on Investment (ROI), Payback / Breakeven, Net Present Value (NPV) and Internal Rate of Return (IRR) and any other sleep-inducing terms as required.

Risk Crew