On March 23rd 2016, I had the pleasure to participate in the Inaugural 2016 National Conference of Minority Cybersecurity Professionals in Washington, DC, masterfully organized by the International Consortium of Minority Cybersecurity Professionals. I was invited to take part in a panel talking about the “Business ROI for Penetration Testing” with three other cybersecurity colleagues, Charles Tendell, Andrew Malcolm, and Steve Magny.
(From left to right: Andrew Malcolm, Charles Tendell, Steve Magny, and Michelangelo Sidagni)
The topic of the panel was particularly interesting to us here at NopSec because we always try to help our customers sell security internally for value and “return on investment.”
Honestly, I am not particularly fond of the expression “ROI – Return on Investment” to “sell” security, since ROI refers to the result of the fraction between profits (revenues minus costs) and capitalized investments, not just costs; and therefore it does not apply to services and Software-as-a-Service costs.
Organizations struggle to show the value of security investments in solutions and services, since historically IT has always been considered a cost center and not a revenue center. It is hard to show that IT costs, such as security costs, can be linked to revenue-generating activities.
NopSec helps its customers align security initiatives with productivity-enhancing and revenue-generating activities. If the internal security organization can demonstrate that security costs are an essential step in a project with revenue implications, linking the two becomes easier.
In general, customers trust organizations that have performed security due diligence on their systems. If customers knew for certain that an ecommerce website had security flaws, they would not execute any business transaction with it. Securing the enterprise can therefore be interpreted as a marketing effort, a reputation enhancer, or a way to bring in new revenue.
If a security test, such as a pen test, or the implementation of a security control is interpreted not as an isolated action but as a specific step in a larger System Development Life Cycle, then its cost can be attributed not only to a cost center but also to a revenue center: the successful completion of the project that keeps the revenue-generating engine working correctly.
Another obstacle to defining penetration testing and other security controls as revenue-generating activities is the very definition of penetration testing, as opposed to plain vulnerability scanning. Many consulting companies sell simple vulnerability scanning as penetration testing, misleading customers into believing the two are the same.
A Penetration Test is a well-defined test with specific parameters whose goal is to gain unauthorized access to information assets. What matters most is defining the goals of the test, understanding the value of the information assets to be protected, and tying the penetration test results to risk management as well as to the business goals.
A Penetration Test is only as valuable as the assets it is trying to compromise. Therefore, it is essential that the business knows the value of all its information assets, as defined during a Business Impact Assessment (BIA) exercise.
However, most organizations we talked to might not know how to value their information assets, or even where all of those assets are located. The value of an information asset can be interpreted as the monetary amount that would have to be paid to restore it in case of a compromise or breach.
Since a penetration test seeks to reach the valuable information assets through the different layers of security, exposing the weaknesses and vulnerabilities at each layer, the valuable information assets that need protection must be defined and valued appropriately. Furthermore, an inventory of information assets precedes their valuation. Based on our experience, most organizations do not maintain a complete and accurate inventory of their information assets.
As a service provider, we often ask customers the wrong questions when scoping a penetration testing service. We usually ask, “How many IP addresses do you have in your network?” or “How many pages does your web application have?” to get an idea of the service’s level of effort. However, the right questions to ask in order to set the service’s ROI correctly are the following:
- Which asset (network or web) is the most critical to the success of the project?
- Which asset will generate the most revenue for you?
- Which asset generates the most profitability?
- Which asset would be the most expensive to replace?
- Which asset would be the most embarrassing if exposed or cause the greatest liability if revealed?
Most of the time, the answer to these questions is somewhat related to a database where customer information is stored.
Therefore, the value of a Pen Test comes from understanding where the weaknesses of the whole system are and assisting the customer in determining what types of protections, redundancies, and safeguards need to be put in place to address those weaknesses. Asset identification and valuation are important, but understanding the dependencies between the components of the system is even more so, as a critical step in the risk analysis process.
To extend the evaluation of the business value to every security initiative, it is crucial to answer the following questions to select security controls:
- What exactly are we trying to protect?
- Why exactly are we trying to protect it?
- How exactly do we best protect it?
- What exactly will happen if we don’t protect it?
- What exactly is all this going to cost?
Since the goal of a Pen Test is to “connect the dots” between an asset and its value to the organization, the associated threats and vulnerabilities, and how those translate into a quantifiable risk in hard dollars or in intangibles such as the company’s reputation, the monetary value of a Penetration Test can be seen as a small percentage of the total value of the information assets under protection. Leaving the metaphor aside: if the total value of the customer information at risk of compromise is several hundred million dollars, a very small fraction of that can be allocated and budgeted as the cost of a well-performed, manual penetration test, which in turn is not just a list of findings from a vulnerability scanner. Vulnerability scanning is one thing, a small part of vulnerability management; penetration testing, a manual, professional and intensive practice, is another.
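The scoping questions above, the dependency point, and the “small fraction of the value at risk” budgeting rule can be turned into a small, repeatable exercise. The following is an added example written for this post; it is not NopSec’s tooling. Every asset, dollar figure and dependency in it is constructed sample data, the “value at risk” formula (revenue supported plus replacement cost plus exposure liability) and the 0.05% budget fraction are assumptions, and the point it demonstrates is that once dependencies are counted, a supporting component such as the customer database outranks the revenue-generating web application that depends on it.

```python
"""Asset-driven pen-test scoping: an added illustration, not a vendor's tool.

Each asset records the answers to the scoping questions in the post (revenue
it supports, cost to replace, liability if exposed) and which other assets it
depends on.  A compromise of a supporting component also puts everything that
relies on it at risk, so the effective value of an asset includes the value of
its transitive dependents.  All data below is constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Asset:
    name: str
    kind: str                 # "network" or "web", the two scope types in the post
    revenue: float            # annual revenue the asset generates or supports
    replacement: float        # cost to restore or replace it after a compromise
    exposure: float           # estimated liability if its data were revealed
    depends_on: List[str] = field(default_factory=list)

    def own_value(self) -> float:
        # Assumption: value at risk is what is lost or paid if this asset
        # alone is compromised; the three questions are simply summed.
        return self.revenue + self.replacement + self.exposure


def dependents_of(assets: Dict[str, Asset]) -> Dict[str, List[str]]:
    """Invert the depends_on edges: name -> names of assets relying on it.

    A dependency on an asset missing from the inventory is an error: the
    inventory must be complete before valuation makes sense."""
    rev: Dict[str, List[str]] = {name: [] for name in assets}
    for asset in assets.values():
        for dep in asset.depends_on:
            if dep not in rev:
                raise KeyError(f"{asset.name} depends on unknown asset {dep!r}")
            rev[dep].append(asset.name)
    return rev


def effective_value(assets: Dict[str, Asset], name: str) -> float:
    """Own value plus the value of everything that transitively relies on it.

    The visited set prevents double counting when two dependents share a
    downstream asset and guarantees termination on dependency cycles."""
    rev = dependents_of(assets)
    seen, stack, total = set(), [name], 0.0
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        total += assets[cur].own_value()
        stack.extend(rev[cur])
    return total


def rank_assets(assets: Dict[str, Asset]) -> List[Tuple[str, float]]:
    """Assets ordered by effective value, most critical first."""
    ranked = [(n, effective_value(assets, n)) for n in assets]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def total_value_at_risk(assets: Dict[str, Asset]) -> float:
    """Sum of own values; each asset counted once regardless of dependencies."""
    return sum(a.own_value() for a in assets.values())


def pentest_budget(assets: Dict[str, Asset], fraction: float = 0.0005) -> float:
    """Budget as a small fraction of total value at risk (fraction is an assumption)."""
    return total_value_at_risk(assets) * fraction


# Constructed sample inventory: the web store earns the revenue, but it cannot
# function without the customer database and the payment gateway.
SAMPLE: Dict[str, Asset] = {a.name: a for a in [
    Asset("customer_db", "network", 0, 2_000_000, 50_000_000),
    Asset("payment_gw", "network", 0, 300_000, 5_000_000),
    Asset("web_store", "web", 120_000_000, 500_000, 1_000_000,
          depends_on=["customer_db", "payment_gw"]),
    Asset("marketing_site", "web", 2_000_000, 50_000, 10_000),
]}

if __name__ == "__main__":
    for name, value in rank_assets(SAMPLE):
        print(f"{name:15s} ${value:>14,.0f}")
    print(f"total value at risk ${total_value_at_risk(SAMPLE):,.0f}")
    print(f"pen test budget     ${pentest_budget(SAMPLE):,.0f}")
```

Ranked by their own value the web store would come first; ranked by effective value the customer database comes first, matching the post’s observation that the answer to the scoping questions usually points at the database. The unknown-dependency check is deliberate: if scoping turns up a dependency on something not in the inventory, the inventory, not the valuation, is what needs fixing first.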