The ROI Of Security Investments: How Cybersecurity Leaders Prove It
Cyber threats are intensifying, and cybersecurity has become critical to business operations. As security budgets grow, CEOs and boardrooms are demanding concrete evidence that cybersecurity initiatives deliver value beyond regulation compliance.
Just like you wouldn't buy a car without knowing it was first put through a crash test, security systems must also be validated to confirm their value. There is an increasing shift towards security validation as it allows cyber practitioners to safely use real exploits in production environments to accurately assess the efficiency of their security systems and identify critical areas of exposure, at scale.
We met with Shawn Baird, Associate Director of Offensive Security & Red Teaming at DTCC, to discuss how to effectively communicate the business value of his Security Validation practices and tools to his upper management. Here is a drill down into how Shawn made room for security validation platforms within his already tight budget and how he translated technical security practices into tangible business outcomes that have driven purchase decisions in his team's favor.
Please note that all responses below are solely the opinions of Shawn Baird and do not represent the beliefs or opinions of DTCC and its subsidiaries.
Q: What value does Security Validation bring to your organization?
Security Validation is about putting your defenses to the test, not against theoretical risks, but actual real-world attack techniques. It's a shift from passive assumptions of security to active validation of what works. It tells me the degree to which our systems can withstand the same tactics cybercriminals use today.
For us at DTCC, we've been doing security validation for a long time, but we were looking for tech that would serve as a performance amplifier. Instead of relying solely on expensive, highly-skilled engineers to carry out manual validations across all systems, we could focus our elite teams on high-value, targeted red-teaming exercises. The automated platform has built-in content of TTPs for conducting tests, covering techniques like Kerberoasting, network scanning, brute forcing etc, relieving the team from having to create this. Tests are executed even outside regular business hours— so we are not confined to standard testing windows.
This approach meant we weren't stretching our security staff thin on repetitive tasks. Instead, they could focus on more complex attack scenarios and critical issues. Pentera gave us a way to maintain continuous validation across the board, without burning out our most skilled engineers on tasks that could be automated.
In essence, it's become a force multiplier for our team. It goes a long way to improve our ability to stay ahead of threats while optimizing the use of our top talent.
Q: How did you justify the ROI of an investment in an Automated Security Validation platform?
First and foremost, we see a direct increase in our team's productivity. Automating time-consuming manual assessments and testing tasks was a game changer. By shifting these repetitive and effort-intensive tasks to Pentera, our skilled engineers could focus on more complex work. And without needing additional headcount we could significantly expand the scope of tests.
Second, we're able to reduce the cost of third-party contractors. Traditionally, we relied heavily on external expert contractors, which can be costly and often limited in scope. With human expertise built into a platform like Pentera, we reduced our dependence on expensive service engagements. Instead, we have internal staff - analysts with less expertise - running effective tests.
Finally, there's a clear benefit of risk reduction. By continuously validating our security posture, we can significantly reduce the probability of a breach and the potential cost of a breach, if it occurs. IBM's 2023 Cost of a Data Breach report confirms this, reporting an 11% reduction in breach costs for organizations using proactive risk management strategies. With Pentera, we achieved just that—less exposure, faster detection, and quicker remediation—all of which contributed to lowering our overall risk profile.
Q: What were some of the internal roadblocks or hurdles you encountered?
One of the key hurdles we faced was friction from the architectural review board. Understandably, they had concerns about running automated exploits on our network, even though the platform is 'safe-by-design'. The idea of running real-world attacks in production environments can be unnerving, especially for teams responsible for the stability of critical systems.
To address this, we took a phased approach. We started by running the platform on a reduced attack surface, targeting less critical systems to demonstrate its safety and effectiveness. Next, we expanded its use during a red team engagement, running it alongside our existing testing processes. Over time, we're incrementally expanding the scope, proving the platform's reliability and safety at each stage. This gradual rollout helped build confidence without risking major disruptions, so now trust in the platform is fairly well established.
Q: How did you allocate the funds?
We allocated the funds for Pentera under the same line item as our red teaming tools, grouped with other solutions like Rapid7 and vulnerability scanners. By positioning it alongside offensive security tools, the budgeting process was kept straightforward.
We looked specifically at our cost for assessing our environment's susceptibility to a ransomware attack. Previously, we spent $150K annually on ransomware scans, but with Pentera, we could test more frequently at the same budget. This reallocation of funds made sense because it hit our key criteria, mentioned earlier: improving productivity by increasing our testing capacity without needing to hire, and reducing risk with more frequent and larger-scale testing. Lowering the chances of a ransomware attack and limiting the damage if one occurs.
Q: What other considerations came into play?
A few other factors influenced our decision to invest in Automated Security Validation. Employee retention was a big one. Like I said before, automating repetitive tasks kept our cybersecurity experts focused on more challenging, impactful work, which I believe has helped us retain their talent.
Improvement in security operations was another point. Pentera helps us ensure our controls are properly tuned and validated, it also helps coordination between red teams, blue teams, and the SOC.
From a compliance standpoint, it made it easier to compile evidence for audits - allowing us to get through the process much faster than we would otherwise. Finally, cyber insurance is another area where Pentera has added further financial value by enabling us to lower our premiums.
Q: Advice to other security professionals trying to get a budget for secure validation?
The performance value of Automated Security Validation is clear. Most organizations don't have the internal resources to conduct mature red teaming. Whether you have a small security team or a mature offensive security practice like we do at DTCC, it's very likely that you do not have enough security expert resources to do a full assessment. If you don't find anything, no proof of a malicious insider in your network you can't demonstrate resilience - making it harder to achieve regulatory compliance.
With Pentera, you have built-in TTPs, giving you a direct path to assess how well your organization responds to threats. Based on that validation you can harden your infrastructure and address discovered vulnerabilities.
The alternative—doing nothing—is far riskier. The cost of a breach can result in stolen IP, lost data, and potentially shutting down operations. On the other hand, the cost of the tool brings peace of mind knowing you've reduced your exposure to real-world threats and the ability to sleep better at night.
Watch the full on-demand webinar with Shawn Baird, Associate Director of Offensive Security & Red Teaming at DTCC, and Pentera Field CISO, Jason Mar-Tang.
Source: thehackernews.com