This is the first in a series of articles demonstrating ROI (return on investment) for a Pen-Test (penetration test). I am going to take you down a little bit different path initially than you are probably used to, but I have a particular goal in mind of teaching security professionals how to demonstrate ROI for a Pen-Test. If you stay with me through this series the light will dawn and your thinking will be a little bit more in line with how the CxO views spending money on security. I want you to think in terms of traditional project justification rather than only in terms of risk avoidance so that you can blend both points of view when selling the necessity of a Pen-Test. You will have to step into the world of budgeting, cost justification, resource allocation, and learn a few unfamiliar terms. But, it will be well worth it as you learn to speak in management terms.

Let's start with a simple example. Penetration testing, like vulnerability assessment, is similar to a health physical. You may not know if anything is wrong until you go to the doctor's office and have him examine you. Hopefully you carry health insurance to minimize the financial cost of having that health checkup. You hope the doctor doesn't find anything wrong, but that's why you go get a checkup. If there is something wrong with you and you need extensive tests or procedures done, you will have just realized the ROI on your health insurance. If you get a clean bill of health you may wonder why you carry health insurance, but peace of mind outweighs your concerns about money.

[ Read more ]