I’m looking to justify the value of an external network penetration test to our corporate executives. Obviously we want to avoid being breached, but quantifying the likelihood of a network intrusion in a way executives can value seems basically impossible. Any advice on approaching the problem?
Performing an external penetration test is extremely valuable. At the same time, it can also be difficult to develop C-level support when talking up the benefits of penetration testing -- especially if the company hasn’t experienced a public breach.
Ask the Expert!
Have questions about network security for expert Matt Pascucci? Send them via email today! (All questions are anonymous.)
However, before trying to cross that chasm, it’s important to determine what type of external penetration test you’d like to have performed. For example, if you’re at an e-commerce company, I would favor a Web application assessment over a network assessment. If you’re at a public company or under some type of regulation, like Sarbanes-Oxley (SOX) or the Payment Card Industry Data Security Standard (PCI DSS), you’ll most likely be able to leverage these regulations to get a penetration test against your infrastructure in order to meet compliance requirements. I’ve seen many security-related budget items pass simply because an auditor told the company it needed the items to stay compliant. Pen tests are expensive, but are done by professionals in the field and are considered a third-party view.
If you’re not at a public company and do not have a regulator pushing you to perform these assessments, you’ll most likely have to default to research, awareness, and a good presentation to upper management. With spending tight in IT departments, most executives are not going to open the corporate purse until they can see hard numbers on the return on investment (ROI). This can be difficult to calculate, so you’ll need to brush up on your risk management terminology. Certain areas to look into include:
- Exposure Factor: The percent of loss that occurs if a breach were realized on a system.
- Single Loss Expectancy (SLE): The amount of money that is assigned to one event. This is calculated by multiplying the Exposure Factor by the asset's value in dollars.
- Annualized Rate of Occurrence (ARO): The estimated number of times the event or breach could occur on the asset.
- Annualized Loss Expectancy (ALE): The sum of the overall dollar value of the SLE multiplied by the ARO.
This might seem like quite a bit of work, but it’s a good way to get a better idea of what you need to do to help protect your company’s network and show the executives your view in dollars and cents. If you want to give the executives a more eye-opening number, let them know it would cost the company an average of $194 per record lost as a result of a breach. Considering most breaches involve thousands of lost records, the numbers add up quickly.
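A worked version of the SLE/ALE arithmetic above, combined with the per-record cost figure, as an added example that is not part of the original column; the asset values, exposure factors, AROs, the pen test cost and the assumed ARO reduction are constructed for illustration.

```python
from dataclasses import dataclass, replace

# Average cost per record lost in a breach, as quoted in the column above.
COST_PER_RECORD_USD = 194.0


@dataclass(frozen=True)
class Asset:
    """One asset in the risk register, using the column's terminology."""
    name: str
    asset_value_usd: float   # dollar value of the asset
    exposure_factor: float   # fraction of value lost if a breach is realized (0..1)
    aro: float               # Annualized Rate of Occurrence: expected breaches per year

    def sle(self) -> float:
        # Single Loss Expectancy = Exposure Factor x asset value
        return self.exposure_factor * self.asset_value_usd

    def ale(self) -> float:
        # Annualized Loss Expectancy = SLE x ARO
        return self.sle() * self.aro


def breach_cost_for_records(records: int) -> float:
    """Headline loss figure: records lost x average cost per record."""
    return records * COST_PER_RECORD_USD


def pen_test_roi(assets, pen_test_cost_usd, aro_reduction):
    """Compare total ALE before/after a pen test assumed to cut each asset's ARO
    by aro_reduction (e.g. 0.5 = half). Returns (ale_before, ale_after, roi),
    where roi = (ALE reduction - cost) / cost. The reduction factor is an
    assumption you must defend to management; the column does not specify it."""
    ale_before = sum(a.ale() for a in assets)
    ale_after = sum(replace(a, aro=a.aro * (1.0 - aro_reduction)).ale() for a in assets)
    roi = (ale_before - ale_after - pen_test_cost_usd) / pen_test_cost_usd
    return ale_before, ale_after, roi


# Constructed sample register (hypothetical figures, not from the column).
SAMPLE_ASSETS = [
    Asset("customer web application", 1_000_000.0, exposure_factor=0.5, aro=0.2),
    Asset("internet-facing VPN gateway", 400_000.0, exposure_factor=0.75, aro=1.0),
]

if __name__ == "__main__":
    for a in SAMPLE_ASSETS:
        print(f"{a.name}: SLE ${a.sle():,.0f}  ALE ${a.ale():,.0f}")
    before, after, roi = pen_test_roi(SAMPLE_ASSETS, pen_test_cost_usd=40_000.0, aro_reduction=0.5)
    print(f"ALE before ${before:,.0f}, after ${after:,.0f}, ROI {roi:.2f}x")
    print(f"30,000 records lost at $194 each: ${breach_cost_for_records(30_000):,.0f}")
```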
Another way to help convince the executives is to show them similar attacks that have happened in the past, potentially to similar companies, and the reputational and financial damage each company incurred.
Lastly, a healthy dose of security awareness to all employees, including executives, is a good primer for when the time comes to put an item on the yearly security budget. If management doesn’t understand the risk, they’re not going to approve. Initiate a security awareness program and get yourself visible to the enterprise. Even if they don’t approve your pen test, you’ll still be making a difference in security.
This was first published in June 2012