
5 Ways Penetration Testing Reduces Overall Security Costs

Learn more about the ways penetration testing can reduce your overall security costs and how to propose penetration testing to your team.

By Alex Hewko
3 min read

Security isn’t cheap. Well, quality security isn’t, anyway. Then you think of all the individual line items in your budget: threat modeling, infrastructure support, encryption tooling, incident response, security testing, anti-phishing software, secure code training, firewalls, authentication, remediation... The list goes on, seemingly endlessly. One way to simplify your security operations is to opt for services that support your business in more than one place, like penetration testing. Here are 5 ways penetration testing reduces security costs for your team.

What is penetration testing?

Penetration testing is a manual security exercise in which ethical, white-hat hackers attempt to break into your application, giving you an overview of its security posture. The testers’ goal is to find as many security vulnerabilities in your system as they can. They then provide detailed reproduction steps and remediation suggestions so that your developers can patch the identified risks. Penetration tests are usually run in a separate testing or staging environment to avoid disrupting production; for the results to be meaningful, that environment should mirror production’s configuration, dependencies, and data shapes as closely as possible.

Why is it hard to request more budget for security activities?

Companies usually spend between 7 and 10% of their IT budgets on security. Within that, spending is prioritized for:

  • Compliance mandates
  • Meeting mandates from the board of directors
  • Responding to a security incident that happened within their company or at a related company (i.e., a vendor or partner)

Security budget is hard to ask for because its success is hard to measure. Sales teams can celebrate once they’ve passed their stretch quota; security has no equivalent milestone. In the security world, no news is good news: no breaches means the team has done a good job of keeping things secure. Without a momentous, celebratory event, it’s hard to show that security is a good investment, let alone prove that penetration testing reduces security costs.

It can also be hard for companies to prioritize security expenses over growth expenses like sales and marketing. This is especially true for small businesses that don’t have much budget to begin with, or for firms that haven’t yet had a sales cycle stalled because a prospect’s vendor-risk review demanded proof of security.

5 ways penetration testing reduces security budget requirements

1. Reduces the need for automated scanners

A single vulnerability scan assessment can cost between $1,000 and $10,000. Scanners are convenient and fit into agile SDLCs, but they are weak at finding deep vulnerabilities such as business logic and authorization flaws, they need considerable configuration and set-up time to work efficiently, and every report needs someone to manually review the findings and clear out false positives. Manual penetration testing is an alternative that can replace some of that scanning: each finding is verified by a human before it is reported, so the report contains few or no false positives, it works with any application language or framework, and it requires little set-up time from the client.

2. Helps train your developers on the fly

With every penetration test, your developers receive an extensive report with detailed information about each vulnerability found. Developers can use the reproduction steps in the report to learn where vulnerabilities exist and how to find them. If you opt for an extended service such as Penetration Testing as a Service (PTaaS), they can also ask the security team for advice on new builds, secure design, and patch management. This folds secure code training into your regular development workflow.

3. Minimizes vulnerabilities to be found in bug bounty

Manual penetration testing is one of the best ways to get deep into your application. With white-box penetration testing, where the testers can see your source code, the number of vulnerabilities found per test goes up considerably. That isn’t a sign of bad developers; it’s a sign of a thorough penetration tester. The more vulnerabilities you find and fix through your own testing, the fewer are left for bug bounty hunters to find. Every valid bug bounty submission puts you through your responsible disclosure process and a pay-out that can run into the thousands of dollars.

4. Reduces the cost to remediate vulnerabilities

If you’re working on a legacy application, you may be shocked by the cost of repairing vulnerabilities at that stage. According to a widely cited IBM Systems Sciences Institute figure, a defect fixed during maintenance costs around 100 times what it would have cost to fix at design time. Testing before release lets you catch vulnerabilities in the implementation and testing stages instead, and the security consulting hours bundled with Penetration Testing as a Service (PTaaS) can push fixes earlier still, into the design stage, where they are cheapest. Saving money on remediation frees up budget and developer time to keep growing your products.

5. Lowers likelihood of spend on reactive costs

It’s no secret that breaches cost a great deal of money, especially if you’re not properly insured. Penetration testing lowers your exposure to attack, and with it the likelihood that you’ll be paying for incident response, recovery, and notification. Proof of a strong security posture, such as a penetration testing certificate, can also lower your cyber liability insurance premiums, saving budget there as well.

A few tips for proposing penetration testing to your CFO

Provide data on the expected return on investment

Calculating the return on investment (ROI) is one of the most valuable yet most difficult parts of proposing a security investment to your CFO. A few security metrics help make the case that penetration testing reduces security costs:

  1. Impact of your vulnerabilities. Critical vulnerabilities need immediate attention because they are likely to be exploited and would have severe consequences for the business. CVSS and DREAD can help you score vulnerability severity.
  2. Breach risk ($) equals breach likelihood (%) multiplied by breach impact ($). This expected-loss figure estimates approximately how much a breach would cost your organization; comparing it before and after the test shows the risk reduction you are buying.
  3. Vulnerability density, VD = V / S, where S is the size of the software (for example in thousands of lines of code) and V is the number of known vulnerabilities in the system. Note that the measured density usually rises immediately after a penetration test, because the test surfaces vulnerabilities that were already present; it should fall once the findings are remediated and confirmed fixed on retest.
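The following Python model is an added example, not code from the original post, that ties the three metrics above together into the ROI figure a CFO will ask for. Everything in it is an assumption for illustration: the severity weights roughly follow CVSS qualitative bands, ROI is taken as (risk reduction minus total spend) divided by total spend, the break-even calculation solves that for the post-remediation likelihood, and every number in `example_case()` is a constructed placeholder rather than real data.

```python
"""Added example (not from the original post): a small ROI model built on
vulnerability density, breach risk, and severity-weighted findings.
All figures in example_case() are constructed placeholders."""
from __future__ import annotations

from dataclasses import dataclass

# Assumption: weights roughly following CVSS qualitative bands, so one critical
# moves the weighted metric more than one low.
SEVERITY_WEIGHT = {"critical": 10.0, "high": 7.0, "medium": 4.0, "low": 1.0}


def vulnerability_density(findings: dict[str, int], size_kloc: float) -> float:
    """VD = V / S: open findings per thousand lines of code (S given in KLOC)."""
    if size_kloc <= 0:
        raise ValueError("size_kloc must be positive")
    return sum(findings.values()) / size_kloc


def weighted_density(findings: dict[str, int], size_kloc: float) -> float:
    """Same as VD, but each finding counts by its severity weight."""
    if size_kloc <= 0:
        raise ValueError("size_kloc must be positive")
    return sum(SEVERITY_WEIGHT[sev] * n for sev, n in findings.items()) / size_kloc


def breach_risk(likelihood: float, impact: float) -> float:
    """Breach risk ($) = breach likelihood (fraction 0..1) x breach impact ($)."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a fraction between 0 and 1")
    return likelihood * impact


def break_even_likelihood(likelihood_before: float, impact: float, total_cost: float) -> float:
    """Post-remediation likelihood at which risk reduction equals total spend.
    A negative result means the spend cannot break even at that impact."""
    return likelihood_before - total_cost / impact


@dataclass
class RoiSummary:
    risk_before: float
    risk_after: float
    risk_reduction: float
    total_cost: float
    roi: float            # (risk_reduction - total_cost) / total_cost
    break_even: float     # likelihood_after needed to just pay for the spend


def pentest_roi(test_cost: float, remediation_cost: float,
                likelihood_before: float, likelihood_after: float,
                impact: float) -> RoiSummary:
    """ROI of a pentest plus the remediation it triggers (assumed formula)."""
    total_cost = test_cost + remediation_cost
    if total_cost <= 0:
        raise ValueError("total cost must be positive")
    risk_before = breach_risk(likelihood_before, impact)
    risk_after = breach_risk(likelihood_after, impact)
    reduction = risk_before - risk_after
    return RoiSummary(
        risk_before=risk_before,
        risk_after=risk_after,
        risk_reduction=reduction,
        total_cost=total_cost,
        roi=(reduction - total_cost) / total_cost,
        break_even=break_even_likelihood(likelihood_before, impact, total_cost),
    )


def example_case() -> dict:
    """Constructed scenario for a 150 KLOC application (placeholder figures)."""
    found_by_test = {"critical": 2, "high": 5, "medium": 10, "low": 13}
    left_after_fix = {"critical": 0, "high": 1, "medium": 4, "low": 10}
    summary = pentest_roi(test_cost=30_000, remediation_cost=40_000,
                          likelihood_before=0.25, likelihood_after=0.10,
                          impact=2_000_000)
    return {
        "vd_after_test": vulnerability_density(found_by_test, 150),
        "vd_after_remediation": vulnerability_density(left_after_fix, 150),
        "weighted_after_test": weighted_density(found_by_test, 150),
        "weighted_after_remediation": weighted_density(left_after_fix, 150),
        "summary": summary,
    }


if __name__ == "__main__":
    r = example_case()
    s = r["summary"]
    print(f"VD after test {r['vd_after_test']:.3f}/KLOC, "
          f"after remediation {r['vd_after_remediation']:.3f}/KLOC")
    print(f"risk before ${s.risk_before:,.0f}, after ${s.risk_after:,.0f}, "
          f"ROI {s.roi:.0%}, break-even likelihood {s.break_even:.1%}")
```

The density figures make the point from item 3 concrete: the count goes up when the report lands and only comes down after remediation, so quote the post-retest value. The break-even likelihood is the number to put in front of a CFO: if the test and fixes cannot plausibly move breach likelihood below it, the spend is not justified on risk reduction alone.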

Show how it fits into the current security budget

If you already have a line for penetration testing in your security budget, great. If not, you can probably make room for it. First consider whether your company is pursuing or maintaining a compliance certification; if it is, there’s almost certainly a security testing requirement you can point to. If not, look for another area of the budget that would no longer be needed once you’ve invested in penetration testing.

Prove the additional value it brings to the organization

CFOs look at four things to decide whether an expense will bring value to the organization:

  • Reduced costs
  • Reduced risks
  • Increased productivity
  • Increased growth (mostly revenue)

Penetration testing reduces risk by giving you a detailed overview of your application’s security gaps, and it can help you meet the security testing requirements of frameworks like SOC 2, PCI DSS, HIPAA, ISO 27001, and NIST.
