Justifying Penetration Testing Budget

September 18, 2013

Today's Whiteboard Wednesday features Chris Kirsch, Rapid7's Product Marketing Manager for Metasploit, who will be talking about how you can effectively justify your penetration testing budget to your executive team.

Often there is a disconnect between top executives and pen testers when it comes to justifying a penetration testing budget. Here are some proven tactics you can use to put together an effective business case that will resonate with decision makers.

If you are interested in getting started with our top-rated penetration testing tool, try out our free trial of Metasploit Pro today!

Video Transcript

Hello, and welcome to Rapid7's Whiteboard Wednesday. Today, I want to talk a little bit about how you can justify your penetration testing budget. A lot of times, the more technical folks especially are having trouble connecting with the business folks on that particular topic. I just want to show some alternatives on how you can do that.


The first part is how do you explain penetration testing to your boss? I see a lot of people struggling with that, especially when they say, "Hey, I want to break into your networks. I want to hack our systems, and it's cool stuff. Trust me. It's going to be awesome." They might not like that too much. I was thinking about how you can explain that to somebody who is maybe a little less technical and more in a management position, to make them more comfortable with that concept. I was thinking about how it is when you build a car. You might have really smart engineers. They are putting the car together. They are focusing on safety, but you don't really know how safe the car is until you actually do a crash test. A crash test is seemingly quite scary, but it actually is the only way to find out how safe the car is, how secure the car is.

Similarly, think about penetration testing as a QA, a quality assurance for your IT security. You have all the smart people in your organization. You might have hired the absolute best people in the world to set up your network, to configure your firewalls, to set up your IPS, all that good stuff. Even the best people overlook things. There are complexities in the systems. Most networks are so complex that not a single person can overlook all the systems and know all the configurations. Having a good QA process for that in place is a fantastic idea. Penetration testing can be that QA for your IT security.

How do you sell that to your boss? A lot of people sell all of IT security with fear. That may work, and sometimes there is not another way, but I think there are alternatives to that. People will say, "Hey. A data breach will cost you $5.5 million. It's going to be all this money, and you will lose your job, and it will be in the headlines and all that." Yes, but I like to think there is a better and more positive way to talk about this. Think about things like, "Let's ensure that our business continuity is there." Think about what happens if our ERP system goes down for a week, because somebody hacked into it or DDoSed it, and brought down the system, disrupted something. Think about compliance. Let's make sure that we pass the audit without any trouble, and that we are compliant, and we can move on to bigger and better things.

Risk validation. This ties into vulnerability management. Here, the idea is you do your vulnerability management. You have a ton of different vulnerabilities that are found on the network. The trouble is that you usually have more vulnerabilities than you can fix. How do you prioritize what you can discount, what you can downgrade, and so on? The same tools that you use for penetration testing can actually be re-purposed and used for risk validation. That saves you hard dollars in your vulnerability management program and in remediation and litigation afterwards. Then, also, your corporate reputation. Making sure that if you build a brand and invest in a brand, you protect that equity, and don't get into the headlines in a bad way.

Let's move on to this side of the board here for calculating a business case. Calculating a business case really depends on what situation you are in. You need to figure out what situation you are in before you can start making that calculation. For example, let's say you are introducing pen testing to the organization. That's a little bit of a tough one, because you really need to say, "What happens if we don't pen test? What happens if we do pen test?" If you don't pen test, you might see that $5.5 million, and you might have to go back to that number. Not great, but it works. Bear in mind, though, that you can't just compare and contrast that $5.5 million with penetration testing alone. You have to compare and contrast it to your entire IT security program. It's not always a good comparison.

For risk validation, you might introduce a calculation. How many vulnerabilities am I trying to fix each month right now? If I could prioritize and validate risk, and actually discount some of the risks, I may only have to do half of that or a third of that. That really saves me time in IT operations, when I'm trying to remediate and mitigate. This is actually a good case to calculate. There's one on here that I haven't listed, which is introducing a different tool. Let's say, you are currently pen testing with a command line tool. You are trying to upgrade to a more professional tool with lots of productivity features that introduces efficiency. You might save about half of your time in a penetration test, especially in large penetration tests. That's really easy to calculate, the current state and what you could be doing with a better tool.

Then, also, maybe you are doing penetration testing, and you outsource it currently. Here, you take the cost of how much you are paying for the penetration testing consultant. You are saying, "Alright. I have maybe four penetration tests I need to do a year." Or maybe it's more. You say, "If I took that in-house, if I bought a tool, if I trained somebody up and calculate how much time they need to spend on it, how would that fare and how would that compare?"

Then, the last one here is aligning with the company goals. I call that business jiu-jitsu. Think about what are the company goals overall. What are the goals that your CIO has for the quarter or for the year? Figure out how you can align security with those goals. Let's assume that your CIO has the goal to align the ERP system with all of the partners, and kind of exchange data with the partner's ERP systems. That could be a big security concern. I would try and look for those strategic goals that have probably a good chunk of budget assigned to them. Get in with those, and align with the business. Ensure that you are seen as an enabler for these projects, rather than being asked to come in at the last minute. I think that can also give you some budget and justify that penetration testing budget.

If you think about all of these, if you have more than one, you can actually add up all the positive sides of these business cases and present an overall business case, which will help you because all of these expenses that you make in training and software licenses and so on will be purchased once but used many times. That's the Whiteboard Wednesday for today. I hope you enjoyed listening. Goodbye.