Unlike the financial analysis of a “normal” project or investment, it is tough to ultimately determine the return on investment of a penetration test. We like to relate a penetration test to your annual physical with your doctor. You go to your doctor to get a check-up as a preventative measure with the hope that nothing is wrong, however, if something is wrong, you catch it early enough to avoid more serious effects. Similarly, a penetration test looks to determine where your business has security vulnerabilities so they can be remediated to improve your security posture, before your organization falls victim to a breach. When considering the ROI of a penetration test, it’s important to understand what benefit your organization sees from this testing and carefully consider the negative consequences of worst case security-related scenarios.
Is a Penetration Test an Investment?
When speaking with business leaders, we have been asked if a penetration test is an investment or not. Generally speaking, an investment is expected to produce future returns (aka generate profit). This is a loaded question, as different businesses get penetration tests for different reasons. If the reason you are getting a penetration test is that a potential client is requesting that you have one done before signing a contract, then yes, this could be looked at as an investment. Your firm is able to directly correlate profit and returns to the completion of a penetration test.
If your firm is truly looking to get a penetration test to improve your security posture, then it may be tough to quantify the ROI. As we have discussed in the past, according to a report by the SEC, over half of small businesses that experience a data breach go out of business within 6 months. With that in mind, one could argue that there is an infinite return on the investment of a penetration test if it prevents your company from going out of business. Unfortunately, this is tough to quantify as you will never truly know if a penetration test thwarted an attack on your business or not.
An Apple A Day Keeps the Doctor Away
While your physical health and the health of your business are very different things, we can draw many similarities. Often times, medium and small businesses represent the livelihoods of the owners and the employees. If the business fails due to a security breach, the owners and employees suddenly find themselves unemployed. Similar to your annual physical exam, a penetration test can be the difference between your business thriving or failing.