Demonstrating the ROI of Security Penetration Testing to Management


How do you demonstrate the ROI of security penetration testing? From the management team's point of view, committing to an ongoing cybersecurity budget can look like yet another expense with little visible return on investment (ROI). This is particularly true for organisations that are not involved in the riskier areas of application development or ecommerce (a mid-sized manufacturing, transport or construction business, say) and assume they are not an attractive enough target for a cybercriminal. Think again!

High-profile cybersecurity breaches regularly make national and even international news, and are often the result of a targeted attack. Less well publicised are the far more numerous, lower-profile breaches that are opportunistic in nature and increasingly hit small and medium-sized organisations. Two things drive this trend: attack tooling is now automated, so attackers can scan for and exploit exposed systems at scale without choosing their victims in advance, and the adoption of new technology and working practices (remote working and BYOD laptops, tablets and phones) keeps introducing new exposure.


In a rapidly changing technological landscape, organisations must not only keep pace with the speed of innovation, but also the resulting risks to information security.

Increasingly, organisations are incorporating cybersecurity into their overall risk management policy and aligning their security programs with business objectives, so that cybersecurity and information security management is fast becoming the domain of the management team, not just the internal IT team. These organisations recognise that cyber risk is, ultimately, just like any other risk the business faces (legal, operational, financial and so on) and must be managed in the same way. They understand not only that they can't afford a 'head in the sand' approach, but that good security practice (and demonstrable compliance) is a competitive advantage.

For the organisations (predominantly SMEs), who are yet to adopt a more proactive approach to cybersecurity, complacency can be disastrous. With the increase in automated cyberattacks, you can no longer hope that cybercriminals won’t take an interest in your business.

From 22 February 2018, the Notifiable Data Breaches scheme under the amended Australian Privacy Act made it mandatory for covered organisations to notify the Office of the Australian Information Commissioner and the affected individuals of eligible data breaches. Serious or repeated non-compliance attracts civil penalties, quoted at the time as up to $1.8 million for organisations and $360,000 for individuals (the amounts are tied to the Commonwealth penalty unit and have since been increased). The message is clear: take cybersecurity seriously.


So what value does a penetration test provide?

A penetration test gives your management team a fast, evidence-based benchmark of the organisation's exposure at a point in time. Unlike a vulnerability scan, the tester actively exploits weaknesses within the agreed scope, so each finding is demonstrated rather than inferred. The findings are prioritised by severity, with remediation advice, which gives your IT security team what it needs to fast-track remediation, shows whether the security tools you already pay for are actually detecting and blocking anything, and lets the management team approve security expenditure with confidence. One caveat belongs in any conversation with management: a test proves the presence of vulnerabilities, not their absence, and only for the systems in scope at the time of testing, which is why testing is repeated rather than treated as a one-off.

Explain to management that this information can be obtained in one of two ways: proactively, through a test you commission, or reactively, through a post-incident investigation. Put simply, investing in penetration testing is preferable to responding to a breach by a malicious hacker. The decision of whether to invest in penetration testing is as simple as asking: "Do you want to choose your hacker?"

The difference between an Ethical Hacker and Malicious Hacker

The comparison below sets controlled expenditure on security penetration testing against the uncontrolled chaos that results from having your systems compromised by a malicious hacker.

Intention

Ethical hacker: to help your organisation succeed.
Malicious hacker: to extort money from, or damage, your organisation.

Access

Ethical hacker: a known, vetted, highly trained IT professional has access to your IT infrastructure in partnership with your IT department, under a written scope and rules of engagement agreed before testing starts.
Malicious hacker: an unknown attacker has access to your IT infrastructure.

Handling of your systems

Ethical hacker: careful with your IT infrastructure; disruptive techniques (for example denial-of-service testing) are excluded unless you explicitly authorise them.
Malicious hacker: careless with your IT infrastructure.

Who is in control

You control:
• Cost (average cost of a pen test $7,000+)
• Scope and methodology, which are non-disruptive and agreed in advance
• Timing, which is convenient to you

They control:
• Cost (the average cost of a breach was reported as US$3.86 million; that global figure is dominated by large enterprises, but a far smaller breach can still be existential for an SME)
• Scope and methodology, which are disruptive
• Timing, which is inconvenient to you

Outcome

At the conclusion of testing you are provided with:
• A comprehensive report listing the vulnerabilities found and how they were exploited, categorised by risk level, with recommendations for remediation to improve your organisation's IT security. Critical and high-risk vulnerabilities are reported at the time of discovery rather than held back for the final report.
• Debriefing for executives and the IT team.
Any data obtained during the test is treated as confidential and is returned or destroyed at the conclusion.

At the conclusion of a malicious breach you could face:
• A potential ransom
• Exploited intellectual property
• Exploited customer data
• Potential fines and legal ramifications
• Damaged IT infrastructure and code that takes time and money to investigate and remediate
The whereabouts of any data obtained during the breach is unknown.

Overall experience

Ethical hacker: a proactive and empowering experience; improved IT security and compliance; customer confidence and brand loyalty maintained; security stakeholders have peace of mind.
Malicious hacker: a reactive and disempowering experience; damaged IT systems; lost customer confidence and damage to brand loyalty; loss of revenue and share value; security stakeholders have sleepless nights and face potential job losses. It may bankrupt an SME.



When compared in this way, the benefits of investing in penetration testing are self-evident.



Questions & More Information

Do you have a question about penetration testing? Contact Us today to speak to Shearwater’s certified Ethical Hacking Team. They have extensive experience in providing penetration testing services and assisting clients to achieve and maintain accreditation.