This is part 8 of 9 in the Getting More Out of Your Security Budget Series
Security isn’t cheap. Well, quality security isn’t, anyway. And then you think of all the individual line items in your budget: threat modeling, infrastructure support, encryption tooling, incident response, security testing, anti-phishing software, secure code training, firewalls, authentication, remediation. The list goes on and on, seemingly endlessly. One way to simplify your security operations is to opt for services that support your business in multiple places, like penetration testing. Here are 5 ways penetration testing reduces security costs for your team.
Used to give you an overview of your application’s security posture, penetration testing is a manual security exercise in which ethical, white-hat hackers attempt to break into your application. Penetration testers have the goal of finding as many security vulnerabilities in your system as possible. From there, they provide detailed replication steps and remediation suggestions so that your developers can patch the identified risks. It’s recommended that penetration tests be conducted in a separate testing or staging environment, to avoid any risk to your production environment.
Companies usually spend between 7% and 10% of their IT budgets on security requirements. Of this, the items that get spending priority include:
Security budget can be hard to ask for because its success is hard to measure. Unlike sales teams, who can celebrate once they’ve passed their stretch quota, security doesn’t have a milestone of success. In the security world, no news is good news. No breaches means that the team has done a good job of keeping things secure. But without a momentous, celebratory event, it’s hard to show that security is a good investment, and to prove that penetration testing reduces security costs.
It can also be hard for companies to prioritize security expenses over growth expenses like sales and marketing activities. This is especially true for small businesses that don’t have much budget to begin with, or for firms that haven’t yet had a sales process delayed because a vendor needed proof of security.
A single vulnerability scan assessment can cost between $1,000 and $10,000. While they’re very convenient and can fit into agile SDLCs, automated scanners aren’t the best at finding deep vulnerabilities. To make them work efficiently, they require a lot of configuration and setup time. With each report, it also takes time for someone to manually review all the findings and clear out false positives. On the other hand, penetration testing is a vulnerability scanning alternative that guarantees no false positives, works with any application language or framework, and doesn’t require much setup time from the client.
With every penetration test, your developers receive an extensive report that contains detailed information about each vulnerability found. Developers can use the replication steps in the penetration test report to learn where vulnerabilities exist and how to find them. If you opt for an extended service such as Penetration Testing as a Service (PTaaS), your developers can also reach out to the security team for consulting advice on new builds, secure design, and patch management support. This helps integrate secure code training into your regular development workflow.
Manual penetration testing is one of the best ways to get deep into your application. If you opt for white-box penetration testing, where the testers can see your source code, you can substantially increase how many vulnerabilities are found on each test. This isn’t a sign of bad developers; it’s a sign of a great penetration tester! As more vulnerabilities are identified deeper in your systems, the likelihood of a third-party bug bounty hunter finding them decreases significantly. When a bug bounty hunter finds a security gap, you’ll be required to go through responsible ethical disclosure (RED) routines and pay out bounties, which range in the thousands of dollars.
If you’re working on a legacy application, you might be shocked by the cost of repairing vulnerabilities at this stage. According to the IBM System Science Institute, it’s 100X more expensive to patch a vulnerability at the maintenance stage of an application than at the design stage. With penetration testing, you can catch vulnerabilities in the implementation and testing stages. And you can leverage the security consulting hours in Penetration Testing as a Service (PTaaS) to build secure application design, lowering your remediation cost as far as possible. Saving money on remediation can free up a ton of budget and developer time to continue growing your products!
It’s no secret that breaches cost a ton of money, especially if you’re not properly insured. Penetration testing on its own helps lower the risk of attack, which lowers the likelihood that you’ll need to prepare for a breach. Additionally, proof of a strong security posture through a penetration testing certificate can lower your cyber liability insurance fees, saving your budget here as well.
Calculating the return on investment (ROI) is one of the most valuable yet most difficult parts of proposing a security investment to your CFO. To do so, there are a few key security metrics to consider when proving that penetration testing reduces security costs. Some examples of these include:
If you’ve already got a spot for penetration testing in your security budget, great! If not, you may be able to make room for it. Consider first whether your company is earning or maintaining compliance. If yes, then there’s likely a need for security testing. If not, then try to find another area of the budget that would no longer be needed if you invested in penetration testing.
CFOs look at four things to decide whether an expense is going to bring value to their organization, including:
Penetration testing helps reduce risk by providing a detailed overview of your application’s security gaps, and can also help you meet compliance requirements for frameworks like SOC 2, PCI-DSS, HIPAA, ISO 27001, and NIST.