I often hear from technical IT folks that communicating the benefit of a penetration test is difficult, especially to a business audience. "You want me to authorize you to break into my systems?" they ask.

We are all afraid of things we don't understand, so the first step is to make management comfortable with the concept of penetration testing. One analogy that works: we should all visit our doctor for regular medical check-ups, even when we feel healthy, because that is the most reliable way to recognize and treat serious illnesses early. Such an exam should be obvious to every responsible adult who wants to protect their family and themselves in the long term.

Likewise, penetration tests should be conducted regularly on important systems to find out where those systems are vulnerable. A test is a point-in-time picture: systems change, new vulnerabilities are published, and last year's clean result says little about today, which is why "regularly" matters as much as it does for the medical check-up. We have to find these vulnerabilities before criminals, spies, and opportunistic attackers can use them to harm our enterprise. Penetration tests are one of the tools responsible IT management uses to identify and mitigate risk, and, like a health check, they are something you entrust to trained experts: medical doctors on one side, penetration testers on the other, working under a written, agreed scope and authorization rather than simply "breaking into your systems".

Have you found a different way of explaining penetration testing to your business audience? Please share your experience of what works and what doesn't with your peers by posting a comment below.

If you enjoyed this post, you may also like the white paper "How to Justify Your Security Assessment Budget".