Friday, May 24, 2013

How to build C-level support for the benefits of penetration testing

Performing an external penetration test is extremely valuable. At the same time, it can also be difficult to develop C-level support when talking up the benefits of penetration testing, especially if the company hasn’t experienced a public breach.

However, before trying to cross that chasm, it’s important to determine what type of external penetration test you’d like to have performed. For example, if you’re at an e-commerce company, I would favor a Web application assessment over a network assessment. If you’re at a public company or under some type of regulation, like Sarbanes-Oxley (SOX) or the Payment Card Industry Data Security Standard (PCI DSS), you’ll most likely be able to leverage these regulations to get a penetration test against your infrastructure in order to meet compliance requirements. I’ve seen many security-related budget items pass simply because an auditor told the company it needed the items to stay compliant. Pen tests are expensive, but are done by professionals in the field and are considered a third-party view.

If you’re not at a public company and do not have a regulator pushing you to perform these assessments, you’ll most likely have to default to research, awareness, and a good presentation to upper management. With spending tight in IT departments, most executives are not going to open the corporate purse until they can see hard numbers on the return on investment (ROI). This can be difficult to calculate, so you’ll need to brush up on your risk management terminology. Certain areas to look into include:
  • Exposure Factor (EF): The percentage of an asset's value that would be lost if a breach were realized on that system.
  • Single Loss Expectancy (SLE): The dollar amount assigned to one event. This is calculated by multiplying the Exposure Factor by the asset's value in dollars.
  • Annualized Rate of Occurrence (ARO): The estimated number of times the event or breach could occur on the asset in a year.
  • Annualized Loss Expectancy (ALE): The expected yearly loss in dollars, calculated by multiplying the SLE by the ARO.
This might seem like quite a bit of work, but it’s a good way to get a better idea of what you need to do to help protect your company’s network and show the executives your view in dollars and cents. If you want to give the executives a more eye-opening number, let them know it would cost the company an average of $194 per record lost as a result of a breach. Considering most breaches involve thousands of lost records, the numbers add up quickly.
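As an added example that is not part of the original article, the script below carries the four terms above through a constructed e-commerce scenario using the $194-per-record figure quoted in the post, and goes one step further than the post by netting the expected loss avoided against the cost of the test, which is the cost-benefit number executives will ask for. The record count, exposure factor, before-and-after ARO values and the test cost are all constructed assumptions, not figures from the article.

```python
"""Worked ALE / cost-benefit calculation for justifying a penetration test.

All scenario numbers are constructed for illustration; only the $194
per-record cost comes from the post.
"""

COST_PER_RECORD = 194.0  # average cost per lost record, as quoted in the post


def asset_value(records: int, cost_per_record: float = COST_PER_RECORD) -> float:
    """Express the asset's value at risk as the breach cost of the records it holds."""
    return records * cost_per_record


def single_loss_expectancy(asset_value_usd: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (fraction of value lost per breach)."""
    return asset_value_usd * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO (expected breaches per year)."""
    return sle * aro


def control_net_benefit(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual value of a control: expected loss avoided minus what it costs.

    A positive result means the spend pays for itself in expected-loss terms.
    """
    return (ale_before - ale_after) - annual_cost


def pen_test_case() -> dict:
    """Constructed scenario: 50,000 customer records, EF of 0.6, and a pen test
    plus remediation assumed (hypothetically) to cut the ARO from 0.2 to 0.05."""
    records, exposure_factor = 50_000, 0.6
    aro_before, aro_after = 0.2, 0.05
    pen_test_cost = 40_000.0  # constructed annual cost of the assessment

    av = asset_value(records)
    sle = single_loss_expectancy(av, exposure_factor)
    ale_before = annualized_loss_expectancy(sle, aro_before)
    ale_after = annualized_loss_expectancy(sle, aro_after)
    return {
        "asset_value": av,
        "sle": sle,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "net_benefit": control_net_benefit(ale_before, ale_after, pen_test_cost),
    }
```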

Another way to help convince the executives is to show them similar attacks that have happened in the past, potentially to similar companies, and the reputational and financial damage each company incurred.

Read the rest of my article here:
