Performing an external penetration test is extremely valuable. At the same time, it can be difficult to develop C-level support when talking up the benefits of penetration testing, especially if the company hasn't experienced a public breach.

However, before trying to cross that chasm, it's important to determine what type of external penetration test you'd like to have performed. For example, if you're at an e-commerce company, I would favor a Web application assessment over a network assessment. If you're at a public company or under some type of regulation, like Sarbanes-Oxley (SOX) or the Payment Card Industry Data Security Standard (PCI DSS), you'll most likely be able to leverage these regulations to get a penetration test against your infrastructure in order to meet compliance requirements (PCI DSS requires regular penetration testing outright; SOX does not name it, but auditors commonly accept it as evidence of IT general controls). I've seen many security-related budget items pass simply because an auditor told the company it needed them to stay compliant. Pen tests are expensive, but they are done by professionals in the field and are considered an independent third-party view.
If you’re not at a public company and do not have a regulator pushing you to perform these assessments, you’ll most likely have to default to research, awareness, and a good presentation to upper management. With spending tight in IT departments, most executives are not going to open the corporate purse until they can see hard numbers on the return on investment (ROI). This can be difficult to calculate, so you’ll need to brush up on your risk management terminology. Certain areas to look into include:
- Exposure Factor (EF): The percentage of an asset's value that would be lost if a breach were realized on it.
- Single Loss Expectancy (SLE): The dollar amount assigned to a single event, calculated by multiplying the asset's value in dollars by the Exposure Factor.
- Annualized Rate of Occurrence (ARO): The estimated number of times the event or breach is expected to occur on the asset in a year.
- Annualized Loss Expectancy (ALE): The expected yearly loss in dollars, calculated by multiplying the SLE by the ARO.
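As an added worked example (not part of this post or the TechTarget article), the Python below carries these four definitions through for a constructed asset and goes one step beyond them: it puts a number on the ROI executives ask for by subtracting the post-control ALE and the control's annual cost from the current ALE, which is the standard quantitative risk comparison. The asset, its dollar value, the exposure factors, the occurrence rates and the control cost are all assumptions made up for illustration.

```python
"""Quantitative risk figures for a penetration-testing business case.

Added example; every figure below is constructed for illustration.
  SLE = asset value (AV) x exposure factor (EF)
  ALE = SLE x annualized rate of occurrence (ARO)
  control value = ALE(before) - ALE(after) - annual cost of the control
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float      # AV in dollars
    exposure_factor: float  # EF: fraction of AV lost per incident, 0.0 to 1.0
    aro: float              # ARO: expected incidents per year

    def __post_init__(self) -> None:
        # Reject inputs that would silently produce nonsense in a presentation.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.asset}: exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.asset}: asset value and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: dollars lost in one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected dollars lost per year."""
        return self.sle() * self.aro


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Annual value of a control in dollars.

    Positive means the control pays for itself on expected loss alone;
    negative means the case has to rest on reputation or compliance instead.
    """
    return before.ale() - after.ale() - annual_control_cost


def business_case(before: Risk, after: Risk, annual_control_cost: float) -> dict:
    """Collect the numbers a slide would show, in one place."""
    return {
        "asset": before.asset,
        "sle": before.sle(),
        "ale_before": before.ale(),
        "ale_after": after.ale(),
        "control_cost": annual_control_cost,
        "net_value": control_value(before, after, annual_control_cost),
    }


# Constructed scenario (assumption): a customer database valued at $2M.
# A breach is assumed to destroy a quarter of that value (EF = 0.25) and to
# be expected once every five years (ARO = 0.2) with no testing program.
CURRENT = Risk("customer database", asset_value=2_000_000, exposure_factor=0.25, aro=0.2)

# Assumption: an annual external pen test plus remediation of findings cuts
# the expected frequency to once in twenty years (ARO = 0.05). The per-incident
# loss (EF) is left unchanged; testing reduces likelihood, not impact.
WITH_PENTEST = Risk("customer database", asset_value=2_000_000, exposure_factor=0.25, aro=0.05)

# Assumption: the test and remediation budget is $40,000 per year.
PENTEST_ANNUAL_COST = 40_000


if __name__ == "__main__":
    case = business_case(CURRENT, WITH_PENTEST, PENTEST_ANNUAL_COST)
    for key, value in case.items():
        label = key.replace("_", " ")
        print(f"{label:>14}: {value:>14,.0f}" if isinstance(value, float) or isinstance(value, int) and key != "asset" else f"{label:>14}: {value}")
```

The ARO is the number executives will push back on hardest, so state where it comes from (incident history, industry breach reports, or an explicitly labelled estimate) before the ALE figure, not after.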
Another way to help convince the executives is to show them similar attacks that have happened in the past, potentially to similar companies, and the reputational and financial damage each company incurred.
Read the rest of my article here: http://searchsecurity.techtarget.com/answer/How-to-build-C-level-support-for-the-benefits-of-penetration-testing