Does Penetration Testing Pass the ROI Test?
May 19, 2008
Let’s start with a simple example. Penetration testing is similar to a health physical. You may not know if anything is wrong until you go to the doctor’s office and have him examine you. You hope the doctor doesn’t find anything wrong, but that’s why you go and get a check-up. If there is something wrong with you and you need extensive tests or procedures done, you will have just realised the ROI on your health insurance. If you get a clean bill of health you may wonder why you carry health insurance, but peace of mind outweighs your concerns about money. Carrying health insurance is an easy cost to justify. Security spending in the form of a penetration test is a little more difficult to justify, but it can be done.
In a tight spending market, CIOs are only going to spend money on something that can demonstrate a return on investment, which includes demonstrating the tangibles in the form of a Payback Period (breakeven point), Net Present Value (NPV), and the Internal Rate of Return (IRR). The intangibles, such as the loss of reputation from a well-publicised security breach, can be difficult to calculate. The intangibles are just as critical as the tangibles; however, a balance of hard numbers and soft numbers needs to be achieved in order to demonstrate a comprehensive ROI.
Icon courtesy of Joesph North.