
5 Ways Penetration Testing Reduces Overall Security Costs

Learn more about the ways penetration testing can reduce your overall security costs and how to propose penetration testing to your team.

By
Alex Hewko
7 min read

TL;DR:

  • Penetration testing reduces the need for expensive automated scanners and helps train developers on security vulnerabilities.
  • It minimizes vulnerabilities found in bug bounty programs and lowers the cost of remediating vulnerabilities.
  • Penetration testing lowers the likelihood of reactive costs from breaches and can save money on cyber liability insurance fees.
  • To propose penetration testing to your CFO, provide data on expected ROI, show how it fits into the current security budget, and prove the additional value it brings to the organization.

Security isn’t cheap. Well, quality security isn’t, anyway. Then you think of all the individual line items in your budget: threat modelling, infrastructure support, encryption tooling, incident response, security testing, anti-phishing software, secure code training, firewalls, authentication, remediation… The list goes on, seemingly endlessly. One way to simplify your security operations is to opt for services that support your business in several of those places at once, and penetration testing is one of them. Here are 5 ways penetration testing reduces overall security costs and streamlines your security operations.

Understanding the Importance of Penetration Testing

Penetration testing is a manual security exercise in which ethical, white-hat hackers attempt to break into your application, giving you an overview of its real security posture. The testers’ goal is to find as many security vulnerabilities in your system as they can within the engagement. From there, they provide detailed reproduction steps and remediation suggestions so that your developers can patch each confirmed risk. It’s recommended that penetration tests are conducted in a separate testing or staging environment that mirrors production, so that the testing itself poses no risk to your production systems or data.

Challenges in Securing Additional Budget for Security Measures

Companies usually spend between 7 and 10% of their IT budgets on security. Of this, the items that get priority for spending include:

  • Compliance mandates
  • Meeting mandates from the board of directors
  • Responding to a security incident that happened within their company or at a related company (i.e. a vendor or partner)

Security budget can be hard to ask for because its success is hard to measure. A sales team can celebrate once it has passed its stretch quota; security has no equivalent milestone. In the security world, no news is good news: no breaches means the team has done a good job of keeping things secure. But without a momentous, celebratory event, it’s hard to show that security is a good investment, and harder still to prove that penetration testing reduces security costs.

It can also be hard for companies to prioritize security expenses over growth expenses like sales and marketing. This is especially true for small businesses that don’t have much budget to begin with, or for firms that haven’t yet had a sales process stall because a prospective customer’s vendor review asked for proof of security.

5 Effective Strategies Penetration Testing Uses to Cut Security Costs

1. Eliminating the Dependency on Automated Scanners

A single vulnerability scan assessment can cost between $1,000 and $10,000. Automated scanners are convenient and fit into agile SDLCs, but they are poor at finding deep vulnerabilities such as business-logic or authorization flaws, they need a lot of configuration and set-up time before they run efficiently, and every report has to be manually triaged to clear out false positives. Manual penetration testing, by contrast, reports only findings a tester has actually reproduced, so false positives are rare rather than routine; it works with any application language or framework, and it requires little set-up time from the client. Many teams still keep a lightweight scanner running for continuous coverage between tests; the saving comes from no longer paying for scanner output that nobody has the time to triage.

2. Offering Real-Time Training for Developers

Every penetration test comes with an extensive report containing detailed information about each vulnerability. Developers can use the reproduction steps in the report to learn where vulnerabilities exist in their own code, how they were found, and how to fix them. If you opt for an extended service such as Penetration Testing as a Service (PTaaS), your developers can also reach out to the security team for advice on new builds, secure design, and patch management. This integrates secure code training into your regular development workflow instead of treating it as a separate line item.

3. Decreasing Vulnerabilities Targeted in Bug Bounty Programs

Manual penetration testing is one of the best ways to get deep into your application. If you opt for white box penetration testing, where the testers can see your source code, you can increase how many vulnerabilities are found on each test. This isn’t a sign of bad developers; it’s a sign of a great penetration tester! As more vulnerabilities are identified deep in your systems, the likelihood of a third-party bug bounty hunter finding them first decreases significantly. When a bug bounty researcher finds a security gap, you’ll need to go through your responsible disclosure routine and pay out a bounty, which can run into the thousands of dollars per finding.

4. Cutting Costs Associated with Vulnerability Remediation

If you’re working on a legacy application, you might be shocked by the cost of repairing vulnerabilities at that stage. According to the widely cited IBM Systems Sciences Institute figure, a defect is roughly 100x more expensive to fix during maintenance than during design. Penetration testing lets you catch vulnerabilities in the implementation and testing stages instead, and the security consulting hours included in Penetration Testing as a Service (PTaaS) can be spent on secure application design, pushing the cost down further still. Saving money on remediation frees up budget and developer time to keep growing your products.

5. Decreasing the Likelihood of Reactive Spending

It’s no secret that breaches cost a lot of money, especially if you’re not properly insured. Penetration testing on its own lowers your risk of a successful attack, which lowers the likelihood that you’ll be paying for breach response. Additionally, evidence of a strong security posture, such as the attestation letter or certificate issued after a penetration test, can lower your cyber liability insurance premiums, saving budget there as well.

Key Recommendations for Presenting Penetration Testing to the CFO

Presenting Data on Expected ROI

Calculating the return on investment (ROI) is one of the most valuable yet most difficult parts of proposing a security investment to your CFO. To do so, there are a few key security metrics to consider when proving penetration testing reduces security costs. Some examples of these include:

  1. Impact of your vulnerabilities. Critical-level vulnerabilities require immediate attention from your team, as they have a high likelihood of being exploited and would cause serious harm to your business. CVSS and DREAD are standard ways to score vulnerability severity.
  2. Breach risk ($) is equal to breach likelihood (%) multiplied by breach impact ($). You can use this to estimate roughly how much a breach would cost your organization in expectation.
  3. Vulnerability density, VD = V / S, where S is the size of the software (for example, in thousands of lines of code) and V is the number of vulnerabilities known in the system. Vulnerability density should decrease after the findings of a penetration test are remediated.
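The three metrics above feed one number a CFO will actually ask for: the return on the test. The following script, added here as an example and not taken from the original post, puts the page’s formulas (breach risk = likelihood × impact, VD = V / S) together with the cost of the test and of remediating its findings to produce that ROI. Every input value below is a constructed assumption for illustration, not a figure from any real engagement; substitute your own estimates.

```python
"""Worked ROI model for a penetration test (added example, assumed inputs).

Every number passed in below is a constructed assumption for illustration.
"""
from dataclasses import dataclass


@dataclass
class Estimate:
    """The inputs the CFO conversation needs, in the page's own terms."""
    breach_likelihood: float  # probability of a breach in the period (0..1)
    breach_impact: float      # expected cost of a breach, in dollars
    vulnerabilities: int      # V: vulnerabilities known in the system
    size_kloc: float          # S: software size, thousand lines of code


def breach_risk(e: Estimate) -> float:
    """Breach risk ($) = breach likelihood x breach impact ($)."""
    return e.breach_likelihood * e.breach_impact


def vulnerability_density(e: Estimate) -> float:
    """VD = V / S, vulnerabilities per thousand lines of code."""
    return e.vulnerabilities / e.size_kloc


def pentest_roi(before: Estimate, after: Estimate,
                test_cost: float, remediation_cost: float) -> dict:
    """Return the figures a CFO asks for: risk reduced, total spend, ROI.

    ROI = (breach risk reduction - total spend) / total spend, so a value
    of 0 means the test paid for itself exactly and 5.0 means five dollars
    of expected loss avoided for every dollar spent.
    """
    reduction = breach_risk(before) - breach_risk(after)
    spend = test_cost + remediation_cost
    return {
        "risk_before": breach_risk(before),
        "risk_after": breach_risk(after),
        "risk_reduction": reduction,
        "density_before": vulnerability_density(before),
        "density_after": vulnerability_density(after),
        "spend": spend,
        "roi": (reduction - spend) / spend,
    }


if __name__ == "__main__":
    # Constructed assumptions: a 120 KLOC app with 24 known vulnerabilities,
    # a 30% chance of a $2M breach this year; after the test and remediation,
    # 6 vulnerabilities remain and the likelihood is estimated at 12%.
    before = Estimate(0.30, 2_000_000, 24, 120)
    after = Estimate(0.12, 2_000_000, 6, 120)
    for key, value in pentest_roi(before, after, 25_000, 35_000).items():
        print(f"{key:>16}: {value:,.2f}")
```

The likelihood figures are the weakest input, so show the CFO the range (for example, the ROI at both a 10% and a 30% starting likelihood) rather than a single point estimate.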

Demonstrating Alignment with the Current Security Budget

If you’ve already got a line for penetration testing in your security budget, great. If not, you can make room for it. First, consider whether your company is pursuing or maintaining a compliance certification; if so, there is almost certainly a requirement for security testing that the penetration test satisfies. If not, look for another area of the budget that would no longer be needed once you invest in penetration testing, such as a scanner subscription whose reports nobody triages.

Highlighting the Added Value to the Organization

CFOs look at four things to know if an expense is going to bring value to their organization, including:

  • Reduced costs
  • Reduced risks
  • Increased productivity
  • Increased growth (mostly for revenue)

Penetration testing reduces risk by giving you a detailed overview of your application’s security gaps, and it can help you meet the testing requirements of compliance frameworks such as SOC 2, PCI DSS, HIPAA, ISO 27001, and the NIST frameworks. Penetration testing has a cost, but the potential cost of a data breach far outweighs the investment in testing. By identifying vulnerabilities before they can be exploited, organizations avoid costly breaches and the financial and reputational damage that follows them.
