Demonstrating ROI for penetration testing (part one)

Friday, 25 July 2003, 10:43 AM EST

This is the first in a series of articles demonstrating ROI (return on investment) for a Pen-Test (penetration test). I am going to take you down a little bit different path initially than you are probably used to, but I have a particular goal in mind of teaching security professionals how to demonstrate ROI for a Pen-Test. If you stay with me through this series the light will dawn and your thinking will be a little bit more in line with how the CxO views spending money on security. I want you to think in terms of traditional project justification rather than only in terms of risk avoidance so that you can blend both points of view when selling the necessity of a Pen-Test. You will have to step into the world of budgeting, cost justification, resource allocation, and learn a few unfamiliar terms. But, it will be well worth it as you learn to speak in management terms.

Let's start with a simple example. Penetration testing, like vulnerability assessment, is similar to a health physical. You may not know if anything is wrong until you go to the doctor's office and have him examine you. Hopefully you carry health insurance to minimize the financial cost of having that health checkup. You hope the doctor doesn't find anything wrong, but that's why you go get a checkup. If there is something wrong with you and you need extensive tests or procedures done, you will have just realized the ROI on your health insurance. If you get a clean bill of health you may wonder why you carry health insurance, but peace of mind outweighs your concerns about money.

[ Read more ]


The synergy of hackers and tools at the Black Hat Arsenal

Posted on 27 August 2014.  |  Tucked away from the glamour of the vendor booths and the large presentation rooms filled with rockstar sessions, was the Arsenal - a place where developers were able to present their security tools and grow their community.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.


Fri, Aug 29th