Rationalizing a Penetration Test to Senior Leaders

We get it. It can be tough to sell or rationalize a penetration test or one-time security service to senior management that may not be aware of the importance of security for your organization. You are constantly peppered with questions like “can’t we spend our security budget on a blinky box that will protect our network? Why do we need to get this “penetration test” if it’s just going to point out the weaknesses we know are there but not fix them?” Today, we explore strategies to help rationalize security services, including a penetration test, to senior leaders.

“This penetration test seems expensive and, besides, we employ you security people to prevent a hack, right?”

We hear this all the time. The blue team gets push back from upper management on spending as they think spending on the team itself is a enough. While you certainly need to have a security team, blind spots exist in companies, and one of the best ways to uncover them is through a penetration test conducted by an expert third-party. Often times, as companies grow organically or through acquisitions, things get missed, new products are brought on-board by different teams and not tested for security flaws, etc. At the end of the day, a penetration test can help uncover these flaws and help you sleep better at night knowing you have had a comprehensive assessment and you have identified your current risks.

“We just had a penetration test last year! Why do we need another one this year?”

As technology, tactics, and tools continue to evolve, the ways in which hackers try to break into your company change as well. Having a penetration test conducted at least annually is a good idea because as the threat landscape shifts, your security controls and resource investment has to shift. New vulnerabilities are constantly being introduced which may not have shown up on last year’s report, but could be a critical item this year that needs to be addressed as soon as possible. Besides the external factors at play, organizations tend to change over time, also. These changes often include additional hosts that get deployed to support new/expanded services, representing additional attack surface for your company.

“The security team is a cost center, not a profit center, and we need to minimize costs this year.”

This take is always tough to hear. We like to refer to security teams and the security budget as a profit pre-server rather than a cost center. While yes, it can be tough to directly attribute profit to the security team, going through a breach will help you see what it can do to your profit! By having a penetration test conducted, you are helping to preserve future profits and help reduce the risk of unexpected costs associated with a breach.

“Why would I pay so much for a piece of paper?”

To be blunt, this piece of paper may save your company from being breached and all of the headache that comes along with it. The reputational risk alone is enough to destroy most small and medium-sized businesses. If fact, according to the National Cyber Security Alliance, 60% of small and mid-size businesses that are hacked go out of business within 6 months, meaning your organizational security can be a matter of life and death for your company. Here at Triaxiom, while our ultimate deliverable is a polished report, we make ourselves available anytime following an assessment to assist our clients in anything security-related.

There is constantly going to be a push for businesses to cut costs to improve the bottom line, but in our eyes, risking your security should not be seen as discretionary spend. A simple, yet effective way to evaluate and improve your security is through some form of penetration test. Interested in learning how we can help? Reach out today and we would be happy to discuss!