Let's be honest, security is primarily sold on the fear of something bad happening. If a breach occurs how will business continuity be affected? What will it cost? How bad could it be? These are the questions penetration testing seeks to answer for you. The end result is completion of a cost benefit analysis for purchasing security controls. The cost benefit analysis is calculated by totaling the cost of a single loss or breach, multiplied by breach likelihood, and comparing that to the price of security controls. Penetration tests help to identify the cost by revealing what exactly can be breached. The likelihood can be judged by how easy systems were to compromise during the penetration test. This is how you obtain the potential annual costs for deficient security.
We have enough data to support this: the Ponemon Institute, Verizon Business, Forrester Research, and the FBI periodically publish data. They calculate the likelihood of a data breach, the costs of system downtime, the value of stolen/deleted/manipulated data, legal costs, and revenue impact from lost existing and future customers. Currently, the Ponemon Institute estimates the cost per lost customer data set at about US$204. If your database contains 10,000 customer records, this works out as just over US$2 million in damages.
These numbers are certainly helpful, but they're often not usable for IT professionals in large enterprises because they're so large that most people won't believe that they're realistic. Also, the numbers were almost exclusively generated in the United States, where heavy compliance regulation has driven up the cost of data breaches, so they're often not accepted by business audiences in other countries, although this is changing as more countries are introducing ever stricter regulations. Also bear in mind that these numbers must be weighed against the entire IT security budget, not only a single penetration test.
Selling the upside of security to the business may be a better way to sell your project internally.
If you enjoyed this post, you may also like the white paper "How to Justify Your Security Assessment Budget".