Pen testing: putting a price on peace of mind
The SRM Blog

Written by Julia Wailes-Fairbairn

10th June 2019

When it comes to securing appropriate budgets for pen testing, the key thing is not cost, but value. Yet there is sometimes an uncomfortable dichotomy between what people want and what they are prepared to pay for. We have recently spoken to individuals who say they cannot sleep at night for worrying about the impact a breach would have on their business, and in particular that their company could fold in such a situation.

During follow-up discussions, and after careful scoping, it became apparent that the size of the project required just over a week to cover the necessary testing and provide remediation advice. Although they were desperate for serious professional input, they expected this to take around a quarter of the time and therefore to be available to them at a quarter of the cost.

What is perhaps most surprising is that these were security division leaders with considerable experience behind them. But they were unwilling to request more budget in order to access a service which would provide them with the peace of mind they (and their stakeholders) were looking for. It is hard to imagine business people expecting their lawyers or accountants to serve their needs appropriately on a severely restricted budget. Yet the risk around the fallout of a data breach could extend to hundreds of thousands, bringing that business to its knees.

Although many involved in cyber security tend to use lots of acronyms and techno-speak, it’s often the simplest of idioms which make the most sense. So, when thinking about the budget for a thorough information security strategy, the first one to consider is ‘how long is a piece of string?’. It all depends on what you require and your current state of readiness. But the other idiom which applies is: ‘if something’s worth doing, it’s worth doing well’.

These expressions may sound out of kilter with the digital age, but there is a reason they are still in common usage: it’s because they hold valuable truths. If your business is vulnerable to a breach and could potentially fold if a serious incident occurred, what is the value of peace of mind? In the context of a catastrophic business failure, it must surely be at least equal to the value of top-class legal or accountancy advice.

There are instances when we are called in to companies in real trouble who have relied on low-cost products or services. In some cases, they have not had the benefit of their investment because incorrect tools have been used or because they did not have access to the expertise required to scope the project fully. In these circumstances it is often the case that people then go on to ‘buy cheap, buy twice’, trying to improve upon the first attempt. But true value for money is gained from selecting the right products or services at the outset.

If something as important as online security and the protection of data is not a priority at board level, then some serious questions need to be asked. Going for the cheapest option will rarely deliver what is required. After all, when it comes to pen testing, you get what you pay for. And using the services of highly trained, experienced professionals does not cost the earth, because they genuinely add value and will not recommend products or sell services you do not need. Only the ones you do.

To discuss your penetration testing requirements, call +44(0) 3450 21 21 51.
