Penetration testing helps organizations ensure IT systems are secure, but it should never be treated in a one-size-fits-all approach. Traditional approaches can be rigid and cost your organization time and money – while producing inferior results.
The benefits of pen testing are clear. By empowering “white hat” hackers to attempt to breach your system using similar tools and techniques to an adversary, pen testing can provide reassurance that your IT set-up is secure. Perhaps more importantly, it can also flag areas for improvement.
As the UK’s National Cyber Security Centre (NCSC) notes, it’s comparable to a financial audit.
“Your finance team tracks expenditure and income day to day. An audit by an external group ensures that your internal team’s processes are sufficient.”
While the advantages are obvious, it’s vital to understand the true cost of the process: indeed, the classic approach can often demand significant time and effort from your team. You need to get your money’s worth.
Pen testing hidden costs
There’s no one set form of pen test: it depends on what exactly is being tested, how often the pen test occurs, and how it takes place. Nevertheless, there are some common elements of the classic approach that could generate significant costs, both financially and in terms of your employees’ time.
Let’s take a look at some of the costs that might not be immediately obvious.
Administrative overheads
There can be significant admin involved in arranging a “traditional” pen test. First, you need to coordinate schedules between your own organization and the testers you’ve hired to conduct the test on your behalf. This can cause significant disruption to your employees, distracting them from their day-to-day tasks.
What’s more, you’ll need to develop a clear overview of the resources and assets at your disposal before the test can occur, by gathering system inventories, for instance. You’ll also need to prepare access credentials for the hackers, depending on the type of pen testing approach you intend to take: for example, the testers may need these credentials to develop a scenario based on the risk of a disgruntled employee targeting your systems, for instance.
Scoping complexity
Again, determining the precise scope of the test is important – what is “in-scope” for the hackers, and what should remain out of scope?
This will be determined in-house, and will be built on several factors, depending on the precise needs of the organization; there may be certain applications, for instance, that cannot be included in the test. No matter the reasons, determining the overall scope of the testing will take time.
Of course, this isn’t set in stone: some organizations might deal with highly sophisticated environments, which change over time. You will need to devote resources to assessing the potential impact of these changes – as your environment changes, should you include new elements for the testers to target?
All of this raises the risk of “scope creep”, where a pen test grows beyond its original aims, creating additional work – and costs – for both the in-house team and the external testers.
Indirect costs
As we’ve seen, pen testing by its nature can pose significant risks of disruption for your team, including operational disruptions during the testing window. It’s vital to keep this under control right from the outset.
There’s also the time and costs associated with remediation, a somewhat ill-defined phase that could include consultation with the testers to overcome and solve any issues that might have arisen during the pen testing. This could even involve re-testing – launching yet another pen test to check that everything is now safe and secure.
All of this can add up to extra time and money for your organization.
Budget management challenges
You’ll also need to consider how you go about paying for the work. For instance, do you opt for a fixed-cost pricing model, where the testers provide a set rate? Or do you go for “time and materials”, where they provide an hourly rate based on estimated hours (or through another measure), but add in anything over these estimates?
“There’s a reason it’s so hard to benchmark penetration testing costs: every test with every firm is unique,” notes Network Assured, which provides independent pricing guidance on pen testing and other cybersecurity services.
That being the case, how can you go about getting the best return on investment and optimizing cost effectiveness?
 |
| Figure 1: Some factors may not be immediately obvious when talking about the overall cost of a penetration test. |
Pen testing as a service (PTaaS)
To ensure you’re getting exactly the pen testing capability you need (at the right cost) an “as-a-service” approach can pay dividends. Such an approach can be customized to your needs, reducing the risks of unnecessary efforts.
For example, Outpost24’s CyberFlex combines the strengths of our Pen-testing-as-a-service (PTaaS) and External Attack Surface Management (EASM) solutions, providing continuous coverage of the application attack service on a flexible consumption model. This enables organizations to have full insight into their costs and capabilities, all while achieving the discovery, prioritization, and reporting needs they require.
Pen testing is crucial to defend your organization’s systems, but a cutting-edge capability doesn’t have to cost the world. By taking a smart approach, based on delivering the services you need at the right time, you can discover the vulnerabilities you need to address, without causing undue disruption or incurring unnecessary costs. Book a live CyberFlex demo today.
