Cybersecurity budgets are beginning to get cut across the country, and organizations are faced with tough choices about what should stay and what should go. As security budgets face extra scrutiny and potential cuts, it’s critical to evaluate the cost and benefits of each security practice. It can be difficult to define the value of proactive security solutions like pen testing, as a precise ROI is hard to determine. After all, how does one quantify attacks that were prevented? Despite this challenge, assessing offensive efforts it is still a worthwhile and necessary task.

With data gathered from our fifth annual Penetration Testing Report, we’ll use the survey results to see where budgetary concerns lie and whether not spending is actually more costly.

The Cost of Tools

When asked which criteria were most important when evaluating proactive security solutions, 75% of respondents admitted that cost was the key factor [Figure 19]. And we agree; it should be. But it’s important to evaluate the ultimate cost – not just short-term savings.

Open-source solutions can help, and they do lower up-front expenses. This year, 33% reported using open-source solutions for penetration testing [Figure 14]. However, the transition may be shortsighted; a recent study revealed that 84% of codebases in open-source tools have at least one vulnerability, and though familiar, the figure has increased a steady 4% from last year.

Choosing cheaper pen testing options, or worse – going without – might ease pocketbooks for a fiscal year but can have consequences in the long term. According to new research by JumpCloud, the overwhelming majority (72%) of IT admins surveyed across the US, UK, and India felt that any decrease in their security spending would increase organizational risk. And that risk can be costly.

According to IBM, the average cost of a data breach is up to $4.45 million dollars, a 15% increase over three years. If this sounds like an enterprise problem, keep in mind that 43% of breaches involve SMBs, and the average cost of a data breach for companies with under 500 employees is $3.31 million, per IBM. According to the same source, the cost of a single breached record is $161 USD.

It can be hard to prove on paper, as organizations rarely include the price of a hypothetical attack as a line item in their budget, but investing in proactive security tools is actually a cost-saving measure. Pen testing discovers vulnerabilities before bad actors have a chance to exploit them, prevents ransomware attacks, cuts potential downtime, and practically pays for itself in protection.

The Cost of Compliance

Additionally, more pen testing is needed to stay compliant. New and expanded regulations (SOX, GDPR, CMMC) have forced teams to deal with increased requirements, often without the resources or headcount to support doing so. Pen testing helps identify issues that might present an immediate danger, both from outside threat actors and government regulatory agencies.

Many of these standards either implicitly or explicitly require pen testing to vet the organization’s security standing, and the 2023 Pen Testing Report reveals that 93% of respondents reported that pen testing was at least somewhat important to accomplish their compliance initiatives. PCI DSS makes pen testing non-optional, mandating in Requirement 11.4 that a comprehensive pen testing program must be implemented.

Especially in the realm of compliance regulations, not paying now may cost you later. When we look at the cost of non-compliance, the fines really start to stack up:

• GDPR | Severe infractions can cost up to 20 million euros or up to 4% of the previous year’s total global turnover. Less severe violations can still total 10 million euros, or up to 2%.
• SOX | Non-compliance with SOX can cost up to $5 million dollars and up to 20 years imprisonment.
• PCI DSS | PCI DSS fines can range up to 50,000 per month and $90 per person affected by a data breach.
• HIPAA | There are four Tiers of HIPAA violations. To give a sense of scope, Tier 1 ranges from $100 to $5,000 per infraction and Tier 4 starts at $50,000 per infraction.
• CMMC | Fines of up to $10,000 per control can be levied for failure to comply with CMMC 2.0 requirements under the False Claims Act. Additionally, those failing to meet CMMC standards will be unable to be awarded contracts with the Department of Defense.

Interestingly, our research reveals that the increase in compliance mandates has increased the quality of pen test for over half (53%) of respondents and broadened the scope of pen tests for just as many (53%).

The Cost of Reputation

This would be a good time to acknowledge that breaches and compliance fines don’t come with well-contained price tags. Those figures only express what comes out of your corporate bank account, not everything that might go missing (or fail to come in) thereafter.

When an organization is blind to its weak spots, it is at risk of being surprised by attackers and thrown into the limelight unprepared. Difficult questions, PR campaigns, and job loss often follow data breaches and compliance debacles, and when word gets out that they were easily preventable, the intangible costs grow worse. Pen testing is good job security for C-Suite executives increasingly being pressured to take responsibility for cybersecurity mishaps, and even better insurance against the protests of customers who refuse to buy with a company after they’ve experienced a data breach (up to 60% in retail breaches).

The Cost of Remediation

Our survey also revealed that a lack of remediation resources was a challenge for 62% of respondents when it came to running their penetration testing programs. Who wants to find a swath and vulnerabilities and errors they are too limited to fix? And we agree; remediation efforts are what make pen tests valuable. Why have the information if you aren’t going to use it?

However, this challenge can hold companies back from knowing their problems at all. Instead of seeing the issues and feeling helpless to change them, many organizations stick their heads in the sand. While an understandable human reaction, it is not the only choice. Going with a managed security provider can help alleviate the burden of response and add value to your overall program.

Staying Savvy — Different Ways to Pen Test

If in-house testing is outside your reach, consider services and automated options. Fortra’s Digital Defense offers penetration testing services (Core Security SCS and Digital Defense Professional Services) as well as automated pen testing technology that enables even junior admins to run full-fledged penetration tests. This can take a burden off your plate and free your team to handle remediation efforts.

You can also consider bundling tools. Do you have a vulnerability scanner? For a reduced price, you can bundle all your offensive security tools: vulnerability management, penetration testing, and red teaming.

It costs to pen test; all good things come with a price. But the truth is that when stacked against the million-dollar threats of today’s data breaches, an increasing number of multi-million-dollar compliance fines, and unenumerated reputational damages, the price is the lowest possible cost of staying safe.