    Missing the ROI On Your Penetration Test? It's Time to Demand Real Value. 

    This is not my first rodeo, and if you’re reading this, I am guessing it's not yours either. I’ve not only procured penetration testing engagements, but I’ve also built application security programs and managed offensive security teams – best-in-breed ethical hackers. So, when I found myself in a new environment looking to hire for a fresh engagement, I knew what I was looking for. The problem is – the ‘solutions’ that were out there were disappointing, to say the least.

    I interviewed 5 well-established vendors with my requirements in hand. The results? Ambiguity, variability, confusion and a pile of quotes that spanned a range of $10,000 to $60,000 for a run-of-the-mill, standard network pen test.

    We all know we need to proactively assess our environments, and, lucky for us, so do the vendors.

    Let’s be honest, we all have more important things we could be doing than battling sales pressure and decision fatigue. As cybersecurity leaders, our plates are overflowing. Whether it's monitoring evolving threats, managing complex infrastructure, or trying to keep our organizations secure, the last thing we need is another seemingly endless and ultimately underwhelming process – like evaluating and assessing penetration testing firms.

    Many leaders feel the burden of: 

    • The Vendor Gauntlet: Sifting through countless pen testing firms, each promising the moon but often delivering the same lackluster results. 
    • The "Check-the-Box" Syndrome: Feeling like your pen tests are more about compliance than actual security improvement. You get the report, tick the box, but do you get actionable information that results in risk mitigation? 
    • Marginal Returns on Significant Investment: Pouring budget into pen tests that uncover the same low-hanging fruit year after year, without providing deep, actionable insights into your unique vulnerabilities and what matters most. 
    • The Time Sink: Spending valuable time managing the pen testing process, from initial evaluation to deciphering often technical and unactionable reports. 

    Sound familiar? The good news is – there's a better way. 

    It's time to shift your perspective and demand more value from your cybersecurity investments. 

    A quality penetration test serves a crucial strategic purpose; we’re not talking about an automated scan of your environment. It's about actively validating how well your security controls work, understanding your current risk exposure, and gaining a realistic view of your organization's resilience when confronted by imminent threats.

    So, what should you expect to get out of a quality penetration test? 

    Here are the key outcomes that should make the evaluation process worthwhile and deliver tangible security value: 

    1. Realistic Threat Simulation, Not Just Vulnerability Scanning:

    Forget the automated scans that spit out a laundry list of potential issues. A quality pen test simulates real-world attack scenarios, mimicking the tactics, techniques, and procedures (TTPs) of actual threat actors. This goes beyond identifying theoretical vulnerabilities and reveals how an attacker could actually compromise your systems and data.

    • Look for: Testers who understand your industry and the challenges specific to your environment. Experts should be able to explain which threat actors are relevant to you, what those actors are targeting, and how the testers tailor their approach accordingly. If they don’t do manual testing or try to charge extra for that – keep it moving.

    2. Actionable Insights, Not Just a List of Findings:

    A massive report filled with technical jargon and CVSS scores isn't helpful if you don't know where to start or how to fix the issues. A quality pen test delivers clear, concise, and prioritized recommendations with actionable steps your team can take immediately.

    • Look for: Reports that focus on exploitable findings with real-world impact, including the "why" behind each finding, the potential business impact, and specific remediation steps with varying levels of effort. Bonus points for testers who offer post-testing remediation testing and consultation to help you understand and implement the recommendations.

    3. Deep Understanding of Your Security Posture, Beyond the Surface:

    A superficial pen test might scratch the surface, but a quality engagement dives deep into your critical systems and processes. It should uncover complex vulnerabilities and weaknesses in your security controls, configurations, and even human factors.

    • Look for: Testers who demonstrate a thorough understanding of your infrastructure and applications. They should be willing to spend the time to explore non-obvious attack vectors and provide a holistic view of your security posture.

    4. Improved Internal Capabilities, Not Just an External Assessment:

    A quality pen test can be a valuable learning opportunity for your internal security team. Testers who are willing to share their methodologies and insights can help your team better understand attack vectors and improve their own detection and response capabilities.

    • Look for: Testers who offer knowledge transfer sessions or are open to collaborating with your team during the engagement. This can empower your internal team and lead to long-term security improvements.

    5. Tangible Reduction in Risk, Not Just a Point-in-Time Snapshot:

    Ultimately, the goal of a penetration test is to reduce your organization's risk. A quality engagement should provide you with the information and recommendations needed to make meaningful security improvements that demonstrably lower your attack surface and the potential impact of a breach.

    • Look for: Testers who understand your business objectives, are familiar with your technology stack, and can align their findings and recommendations with your technical strategy and your risk management strategy. They should help you identify opportunities to better detect, contain, and remediate gaps in your controls and procedures.

    It's time to stop feeling burdened by the pen testing process and start demanding real value. By focusing on these key outcomes, you can move beyond the "check-the-box" mentality and leverage penetration testing as a powerful tool to truly strengthen your organization's security posture. 

    Ask the tough questions during the evaluation process.  

    Demand clarity on their methodology, reporting, and post-testing support. Your security – and your sanity – depend on it. 

    Affordable, Actionable Cybersecurity 

    At NYSERNet, we understand the challenges that nonprofits, campuses, and research institutions face. Our Penetration Tests are:

    • Tailored to your organization’s unique needs. We don’t use a one-size-fits-all approach.  
    • Designed for efficiency. We maximize value and minimize disruptions to your time and operations. 
    • Cost-effective. We focus on right-sized effort for high-impact outcomes without unnecessary expenses. 

    Don’t wait for a cyber incident to prove the importance of a Penetration Test. Get ahead of threats today and let us help you improve your cyber resiliency.  

     

    Emilyann Fogarty 

    Chief Information Security Officer 
