Demonstrating ROI for Penetration Testing (Part One)
by Marcia Wilson
This is the first in a series of articles demonstrating ROI (return on investment) for a Pen-Test (penetration test). I am going to take you down a somewhat different path initially than you are probably used to, but I have a particular goal in mind: teaching security professionals how to demonstrate ROI for a Pen-Test. If you stay with me through this series the light will dawn and your thinking will be more in line with how the CxO views spending money on security. I want you to think in terms of traditional project justification rather than only in terms of risk avoidance, so that you can blend both points of view when selling the necessity of a Pen-Test. You will have to step into the world of budgeting, cost justification and resource allocation, and learn a few unfamiliar terms. But it will be well worth it as you learn to speak in management terms.
Let's start with a simple example. Penetration testing, like vulnerability assessment, is similar to a health physical. You may not know if anything is wrong until you go to the doctor's office and have him examine you. Hopefully you carry health insurance to minimize the financial cost of having that health checkup. You hope the doctor doesn't find anything wrong, but that's why you go get a checkup. If there is something wrong with you and you need extensive tests or procedures done, you will have just realized the ROI on your health insurance. If you get a clean bill of health you may wonder why you carry health insurance, but peace of mind outweighs your concerns about money.
Seeking regular medical care by carrying health insurance provides tangible and intangible benefits. The tangibles are that it can provide great cost savings if you become ill, ensures your increased productivity with the aid of medications or advice, and protects your future income if a devastating medical event should occur. We are all aware of skyrocketing medical care costs in many countries. In the United States, our family's medical/dental/mental/vision policy runs about $460 per month for an annual cost of $5520. Our large family has already racked up 20+ doctor visits, some minor surgeries, and numerous prescription costs. Most visits were related to the usual sports injuries, checkups, and illnesses, which is a good thing; even so, we hit our breakeven point halfway into the year. Carrying health insurance is an easy cost to justify. Security spending in the form of a Pen-Test is a little more difficult to justify, but it can be done.
In a tight spending market, CxOs are only going to spend money on something that can demonstrate a return on investment, which includes demonstrating the tangibles in the form of a Payback Period (breakeven point), Net Present Value (NPV), and Internal Rate of Return (IRR). This installment will focus on understanding these financial terms. Later in the series I will bring in the more familiar terms associated with Risk Management: Exposure Factor (EF), Single Loss Expectancy (SLE), Annualized Rate of Occurrence (ARO), and Annualized Loss Expectancy (ALE). The intangibles, such as the loss of reputation from a well-publicized security breach, can be difficult to calculate. The intangibles are just as critical as the tangibles; however, a balance of hard numbers and soft numbers needs to be struck in order to demonstrate a comprehensive ROI.
The importance of ROI, budgeting, politics, and power
Demonstrating Return on Investment (ROI) is critical to the success of selling a security product or service, and that includes selling the need for a Pen-Test. Security professionals and security departments within larger organizations are realizing that demonstrating ROI on security is sometimes a complicated and confusing process. You can't go to the decision makers and say, "We need to spend x number of dollars on penetration testing or someone is going to hack us!" You need to demonstrate a business case justification for the expenditure, and that expenditure needs to contribute to the bottom line: profitability. Companies are not going to spend money in these tight economic times without proof of benefit. That benefit needs to be in the form of increased revenue, greater cost savings or significant productivity gains. Executive management will expect you to quantify and qualify the "what and why" for penetration testing and any other security related initiative.
The budgeting process in any company can be political. Don't get me wrong, the budgeting process is supposed to be a straightforward process driven by the over-arching goals of the business and defined by program goals with the foundational goal of profitability. However, people define the process, and people have individual goals and agendas. How those goals and agendas are fulfilled is about who has the power. The people who make the money -- revenue generators -- usually have the power. IT security initiatives need to be aligned with and focused on the bottom line, not on scare tactics. Going out of business is much more frightening than having a security breach.
Politics and power are often difficult to determine. I am not suggesting that you immerse yourself in the politics; I'm forewarning you that you need to be familiar with who has the power, and why, before you try to sell your product, service, or initiative to the wrong people. Power is generally associated with money and often associated with "who's who". Think about how to align yourself with the bottom line.
There has been a lot of talk about the ROI for VPN (virtual private network) security. Why is that? Think about who the majority of end users are of VPN solutions. Sales? Executives? Field engineers? Customers? If purchasing a VPN solution gives secure remote access to the people who are out there making the money for the organization or customers buying through a secured extranet VPN, running the ROI numbers is not difficult. Implementation of the solution may make the sales team 150% more effective because they don't have to drive into the office, connect to the LAN to retrieve and respond to email, upload/download reports, file paperwork, or be otherwise constrained to the local network. They are free to be out there selling. Customers, partners and suppliers can connect securely and transact business in a secured and efficient manner without the need for a personal customer visit or traditional paper-based transactions. Correctly implemented VPN solutions can increase revenue, increase productivity, and provide cost savings thereby contributing to the bottom line. But what if the company has already justified and implemented a VPN solution, and is in the midst of starting a much larger project -- one that will require a significant Pen-Test?
Web-based Project Example
CxOs often talk in terms of critical success factors, which are key high-level business goals they have committed to and must personally manage to fruition within a specified period of time. These are often goals that the CxO's own performance will be measured on. If you simply ask a CxO what his critical success factors are for the next year or two he will be more than willing to tell you, as everyone within his end of the organization should be focused on understanding and achieving these same goals.
Let's say that one of the critical success factors for the CIO of Widget Manufacturing Ltd. is to increase electronic transactions with their suppliers from 30% to 80% within two years. Currently they use an ERP package (SAP) for supplier transactions, however access has only been rolled out to their top three suppliers due to security issues. At present the suppliers must VPN into a secure part of Widget Manufacturing's network, and no web-based "extranet" exists. In order to enable many more (smaller) suppliers to interact with their company, a large Web-based development project linking their ERP package to the Web is in the initial stages. However, there is serious business risk and there are security concerns with this approach as it represents a major change to the way they do business and interact with suppliers.
An astute security professional would need to align himself with this project in order to capture a portion of the budget. An analysis of the risk to the organization would be a key factor in justifying a penetration test as well as calculating the ROI. The security professional must piggyback onto the ROI calculations for this Web development project by having the cost of the Pen-Test included in the total cost of ownership. When properly positioned, the CIO would then see the Pen-Test as an integral part of his cost-saving "ERP supplier-extranet initiative" and an important step in reducing the overall risk. The success of the project, in part, depends on a green light from the Pen-Test.
An ounce of prevention
Generally speaking, security measures have been viewed as a necessary evil to prevent unknown disastrous events from occurring. As organizations become more educated and aware of their responsibilities in securing the environment, due to legislation or well publicized events, they are also becoming more savvy in their decision making processes. As organizations begin to get serious about security and start actually budgeting for IT security products and services they are demanding tried and true methods for evaluating and justifying the expenditures.
Internal security management and staff are struggling with the same issues that external security vendors are struggling with. How do you demonstrate security ROI? It matters not whether you are attempting to justify expenditure for an upgraded firewall solution, an IDS (Intrusion Detection System), additional staff, consulting services, or a Pen-Test. It's all the same issue, and here's why.
Security is viewed similarly to IT and is associated with risk management. Risk management is a process whose goal is to provide the best possible protection for information systems and the storage, processing and transmission of information assets at the lowest possible cost consistent with the value of the asset. How can a process such as risk management provide a return on investment? Risk management can be associated with business value. If the value of the information asset is high, risk management needs are high. If the value of the information asset is low, risk management needs are low. The security professional needs to understand information asset valuation methods, which we will visit in depth later in this series.
The problem is not just simply a matter of coming up with formulas, methods, and models. The problem is that until you can directly correlate the security product or service (i.e., penetration testing) with business value, you cannot demonstrate a return on the investment. CxOs want to see hard numbers. In these hard times, the FUD factor (fear, uncertainty, and doubt) is no longer a good enough excuse for implementing security measures. The new attitude is "Show me the money!"
What exactly is ROI?
Return on Investment (ROI), oversimplified, means that if I spend $100K on something, I want to know that within a certain period of time the money I spent is going to return something to me. I want to know how long that is going to take and what the percentage of return is, so that I can make a business decision. There are financial terms that need to be understood in order to perform an ROI calculation.
Return on Investment (ROI) is the ratio of the net gain from a proposed project, divided by its total costs.
Payback Period is the time frame it takes for the project to yield a positive cumulative cash flow.
Net Present Value (NPV) is a measure of the net benefit of a project, in today's dollar terms.
Internal Rate of Return (IRR) is the discount rate necessary to drive the NPV to zero; it is the rate another investment would need to generate in order to be equivalent to the cash flows of the investment being considered.
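To make the four definitions concrete, here is an added example (not part of the original article) that computes ROI, Payback Period, NPV and IRR for the Widget Manufacturing supplier-extranet project with the Pen-Test cost folded into the initial outlay. The project cost, Pen-Test cost, annual benefit and discount rate are constructed, hypothetical figures, as is the comparison against the same project without the Pen-Test.

```python
from typing import List, Optional

# Constructed, hypothetical cash flows (not from the article). Year 0 is the
# initial outlay for the supplier-extranet project; years 1-4 are net benefits.
PROJECT_COST = 250_000
PENTEST_COST = 30_000          # folded into total cost of ownership
ANNUAL_BENEFIT = 120_000
YEARS = 4
FLOWS_WITH_PENTEST = [-(PROJECT_COST + PENTEST_COST)] + [ANNUAL_BENEFIT] * YEARS
FLOWS_WITHOUT_PENTEST = [-PROJECT_COST] + [ANNUAL_BENEFIT] * YEARS


def roi(flows: List[float]) -> float:
    """Net gain over the whole horizon divided by the initial outlay."""
    cost = -flows[0]
    return (sum(flows[1:]) - cost) / cost


def payback_period(flows: List[float]) -> Optional[float]:
    """Years until cumulative cash flow turns non-negative (linear within a year); None if never."""
    cumulative = flows[0]
    for year, flow in enumerate(flows[1:], start=1):
        if flow > 0 and cumulative + flow >= 0:
            return year - 1 + (-cumulative / flow)
        cumulative += flow
    return None


def npv(rate: float, flows: List[float]) -> float:
    """Discount each year's flow back to today's dollars and sum."""
    return sum(flow / (1 + rate) ** t for t, flow in enumerate(flows))


def irr(flows: List[float], lo: float = -0.99, hi: float = 10.0, tol: float = 1e-10) -> float:
    """Rate at which NPV is zero, found by bisection; assumes NPV changes sign on [lo, hi]."""
    f_lo, f_hi = npv(lo, flows), npv(hi, flows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV does not change sign on the bracket; IRR is undefined")
    while hi - lo > tol:
        mid = (lo + hi) / 2
        f_mid = npv(mid, flows)
        if f_lo * f_mid <= 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2


def metrics(flows: List[float], discount_rate: float) -> dict:
    """All four figures the CxO will ask for, for one set of cash flows."""
    return {"roi": roi(flows), "payback_years": payback_period(flows),
            "npv": npv(discount_rate, flows), "irr": irr(flows)}


if __name__ == "__main__":
    for label, flows in (("with Pen-Test", FLOWS_WITH_PENTEST), ("without", FLOWS_WITHOUT_PENTEST)):
        print(label, {k: round(v, 4) for k, v in metrics(flows, 0.10).items()})
```

The difference in payback between the two cash-flow sets shows how much the Pen-Test moves the breakeven point, which is the figure to put in front of the CIO when positioning the test as part of the project's cost.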
The usual ROI calculations are not readily applied to security initiatives, such as Pen-Tests. Technically speaking, there is no return on investment for a preventative method other than to claim that "an ounce of prevention is worth a pound of cure." However, if you align the Pen-Test with a revenue-generating project that requires it, the test can be seen as a necessary step in order to meet the project's goals.
The purpose of a Pen-Test is to discover and expose vulnerabilities in an organization's security systems. In calculating the TCO, you have to compare the security investment to the potential damage prevented. You will need to have a good understanding of the company's information assets and how those assets relate to business value. You must be prepared to spend time understanding the business side of the organization and walk executives through the valuation of information assets as they relate to business value. You must further be prepared to compare the cost of the loss of that asset with the cost of preventing the loss.
The result of a Pen-Test is knowledge of the potential risks, vulnerabilities or threats to Information Assets (IA) and the information needed to mitigate those risks. For organizations that have already been through the process of valuing their IA, it is a much simpler matter to point to a particular asset (e.g., a customer database), discuss in financial terms what that asset is worth, and then help management think about the impact of the loss of that database.
Taking the customer database example, it is helpful to discuss with the decision makers in financial terms (ROI, Payback/Breakeven, NPV, IRR) what the business value of the database is. For instance, if your organization has made a large investment in converting a legacy mainframe system to an ERP system (e.g., SAP/Oracle/PeopleSoft), they have already done the ROI calculations, estimated the Payback Period, and hopefully understand the Net Present Value/Internal Rate of Return for that implementation. Your job is to understand that as well, so that you can help management understand the business impact if a security breach should occur. If the database is compromised and goes offline, what happens to the Payback Period? Never mind the intangible damage to the reputation of the company, which is difficult to calculate until it happens.
Hacking insurance is beginning to sell in some locales. In order to qualify for the insurance, an organization has to comply with particular security processes and have certain safeguards in place. At some point it is expected that this trend will become more popular. In the meantime, it is important for security professionals to understand how the business side views and justifies expenditures. It is just as important for the security professional to teach the business to think in terms of information asset valuation and to correlate that to potential loss.
In the next installment, I will discuss what penetration testing is, how it relates to an overall security assessment, and common penetration testing techniques, and I will introduce Risk Management concepts as they relate to Information Asset valuation. In the meantime, try to think in terms of business value and how to better align yourself with the bottom line of profitability.
This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.