3 Ways to Boost Pentesting ROI

If you’re a car owner, it can be tempting to put off an oil change, tire rotation or other recommended vehicle tune-up. But reality becomes all too clear when you’re sitting on the side of the highway waiting for AAA. And it’s even more painful when you’re hit with a massive repair bill a few days later that far exceeds any short-lived savings. 

Like many frustrated drivers, businesses are currently learning this lesson the hard way with cybersecurity. Last year, data breaches at organizations increased by 68% to reach their highest volume ever, according to Identity Theft Resource Center’s 2021 Data Breach Report

Even as data breaches become more prevalent and costly, many organizations continue to hold off on vital cybersecurity measures, as well as neglect routine pentesting and provisioning maintenance. This short-sighted approach costs organizations more in the long run. 

In order to prevent hacks and breaches, businesses must act quickly and treat cybersecurity as a long-term investment; learning how to drive the most value from security testing instead of waiting for a cyberattack to occur.  

Pentesting: A Proactive Approach to Cybersecurity

One of the most effective ways to increase your cybersecurity readiness is penetration testing (pentesting, for short)—a simulated cyberattack designed to discover vulnerabilities in an organization’s IT systems. 

Pentesting involves stepping into hackers’ shoes to identify weak spots. By role-playing how a hacker might breach your security configurations, this process helps identify potential vulnerabilities and threats, test security responses and capabilities and measure ongoing improvements to your cybersecurity system. 

Your pentesters can come from either your internal security experts or from a third-party team. They dig into your security systems one by one, starting with a set of objectives to carry out an attack. Most teams combine black-box and white-box testing: For black, the pentester acts as a true external hacker with little or no knowledge of the IT landscape; for white, the pentester acts as an internal developer with complete knowledge of the landscape. 

Here’s what the process typically looks like:

  • Pentesters begin with low-privilege identity credentials from someone in a network, but they also look for vulnerabilities from any unauthenticated perspectives. After gaining remote access, pentesters explore your system and search for exploitable security gaps.
  • Based on what they find, pentesters develop and carry out a cyberattack. The aim is to gain escalating privileges and a greater ability to modify your systems, which packs a bigger punch than stealing data alone.
  • Once an attack commences, pentesters report their findings, rank vulnerabilities in terms of severity and advise you on remedies. After changes are implemented, pentesters test again to ensure you’ve properly closed all gaps. 

How to Get the Most out of Pentesting

For most organizations, reservations about pentesting aren’t rooted in a lack of understanding about the strategy’s benefits; instead, it comes down to time and money. In fact, 74% of IT professionals and security leaders said they would test their systems more frequently if it wasn’t so cumbersome, while 71% said it was too expensive.

So, how can you ensure your investment pays off? 

Here are three ways to achieve greater ROI on pentesting that are worth your resources: 

  1. Don’t skimp on scope or substance. On average, a high-quality pentest costs between $30,000 and $60,000 depending on the size and complexity of your organization. Large enterprises, for example, may spend closer to $100,000.  While it’s tempting to choose the cheapest option available on the market, low-cost alternatives often sacrifice test quality and deliver results that are far too narrow to provide meaningful remedies. Pay for a test that looks at your cybersecurity system comprehensively and is capable of producing results that benefit your security team in the long term.
  2. Set clear objectives and test cases. Most CISOs have a laundry list of security concerns that keeps them up at night. Pentesting is a great way to put those scenarios to rest. You can assemble a detailed list of top security concerns for pentesters to target first, which ensures that testing is specific to your industry, your company and your security framework.
  3. Incorporate testing (and retesting) as part of your cybersecurity routine. Security systems—and threats that aim to compromise them—are constantly changing. Routine testing on an annual or semiannual basis ensures your cybersecurity remains up-to-date and provides a metric for constant improvement. In fact, 85% of cybersecurity pros reported conducting such tests at least once a year. Retesting verifies that issues you’ve identified in the past have been fixed. 

The consequences of a cyberattack are more devastating than ever: In 2021, the average cost of a data breach reached a record $4.24 million, according to IBM’s annual Cost of a Data Breach Report.

Yet the average cybersecurity budget only constitutes 15% of a business’s overall IT budget. It often takes a catastrophe to galvanize organizations to update and improve cybersecurity measures. But by that time, the damage is done—loss of business, broken trust with customers, damage to your reputation and even regulatory fines.

Rather than waiting for a security incident, incorporate routine pentesting to ensure your cybersecurity defenses are ready for a potential attack. For cars, every 5,000 miles is a good rule of thumb for an oil change or tire rotation. For cybersecurity teams, an annual pentest is a solid start to boost your organization’s cybersecurity maintenance and drive sustained improvements that are well worth the cost. 

Avatar photo

Ray Overby

Ray Overby is co-founder and chief technology officer at Key Resources, Inc.

ray-overby has 2 posts and counting.See all posts by ray-overby