
Make a Winning Business Value Case for Pentest Reporting Automation at Your MSSP

Penetration testers know all too well the pain of manual reporting processes. That’s especially true for pentesters at security service providers, who perform pentests and then have to write the reports manually, again and again.

For pentesters, the benefits of adopting a pentest-reporting automation solution may seem obvious. But unless you also have the authority to approve a purchase order, you need to convince the boss to sign off on it.

Let’s face it, an MSSP practice manager has lots of issues vying for a limited budget. So, how can a pentester who has spent countless hours manually writing, editing (and re-editing) reports convince the boss to approve a report automation solution?

Here’s a five-step method for building a strong business value case that highlights the potential revenue growth reporting automation can bring to the service provider. In this post, we’ll empower pentesters to make the case to their boss for a report automation solution by helping you:

  • Understand the primary business concerns of an MSSP manager.
  • Evaluate a solution on criteria relevant to the business value it provides.
  • Calculate the potential ROI of efficiency gains in terms of increased service margins.
  • Compile a pitch that makes your purchase request an easy “yes.”

Working as a professional pentester requires skill and training. However, it doesn’t automatically make you a trained communicator, let alone a graphic designer. But the pentest report delivered to your client is the payoff for all your hard work — especially late nights spent copying and pasting bits and pieces of content from past reports, searching for or recreating artifacts, and all that formatting.

Let’s examine the four steps of selling your boss on an automated pentesting report solution.

Step 1: Articulate the Pain Points in the Pentesting and Reporting Workflow

Before you make your pitch you need to clearly understand and quantify the inefficiencies and issues in your team’s current pentest workflow. Inefficiencies and manual, tedious work performed by highly skilled professionals are a business liability. Assessing these pain points is a good foundation on which to build a case for an automation and workflow management solution.

Here are some common parts of the pentesting workflow that are ripe for automation.

  • Managing automated and manual data produced in the testing process — Pentesters use many tools to find low-hanging fruit and scope their projects, in addition to manually testing security vectors. Capturing and aggregating the data needed for a strong report is challenging and often inefficient.
  • Collaborating and editing content consistently — Achieving quality and consistency across a team of pentesters and staff is another common pain point. Many teams try to manage these processes using software not designed for collaboration, never mind the specific data and relationships critical to the cybersecurity workflow.
  • Building the report to the client’s specifications — When the testing is finished and the content triaged, testers then spend a lot of time building the report in the required template and to the specifications of the client. Updating customer information, locating boilerplate elements, and adjusting styles are tedious tasks better suited for automation.

These pain points of the pentesting practitioner may not be of great concern to a practice manager on the surface. However, when inefficiency and ineffective processes cost enough in lost time for highly paid practitioners and reduced quality in deliverables to clients, they become extremely relevant to the business. Documenting bottlenecks and time sucks that annoy pentesters and how much time is spent on them will provide a strong basis to measure potential business ROI of pentesting automation.

Step 2: Examine the Business Priorities for Adopting New Technologies

After identifying areas for improvement and assessing the time and quality costs of not addressing them, the next step is relating them to the priorities of the manager and the goals of the organization. Managers have budget and change-management constraints to consider. They must weigh the added value of a given solution against other requests. They also must prudently build a tech stack that properly resources the team while maintaining profit margins.

Manager priorities to consider when recommending purchase of a reporting solution include:

  1. Value — Is the price justified?
  2. Integration — Will the product fit the business and be useful for many team members?
  3. Scalability — Will the solution grow with the business and help it scale?
  4. Personnel — Will the product help your team work more productively and collaboratively?
  5. Customer Satisfaction — Will the product solve internal issues and positively impact customers?

Addressing these questions will help the boss say “yes.”

Step 3: Calculate the Potential Financial Benefits

The most important information for convincing your boss to buy a pentesting automation solution is its potential return on investment (ROI). Managers of security service providers need to know that an automated pentest solution will make a positive contribution to the bottom line.

The best pentest reporting automation solution can — and should — increase service margins by significantly driving efficiency, scale revenue opportunities with existing resources, and produce better client outcomes with more actionable findings. Present the following areas to your manager as ripe for significant direct and indirect ROI.

Use the intelligence you’ve gathered to present the expected ROI of the reporting solution in terms of time savings for the team, which also means they can reallocate that saved time to conduct more client engagements. Ask your preferred provider to back up their ROI claims by providing details — ideally a calculator in which you can plug key statistics from your business, including:

  • The estimated number of pentests your organization performs per year
  • How long it takes to create a final report
  • Total hours spent on report creation
  • Revenue these activities generate
  • Labor cost
  • Profit
  • Gross margin

Then create a second column using vendor data about how much time your team will save — and how much additional revenue, profit and gross margin you will generate. That gross margin growth is the killer stat that will show your boss exactly how much your organization will benefit from the solution. Calculate your ROI with PlexTrac using our handy business impact calculator. 

Step 4: Communicate with Your Manager to Overcome Objections

Armed with a concrete ROI estimate, case studies and testimonials, and clear rationale for the product you’re recommending, it’s time to effectively present a clear, compelling case.

Even if your boss sees the value of the report automation solution you’re proposing, there still could be some concerns, including:

  • Limited resources: Use the ROI information you’ve gathered and emphasize both the savings and new business growth potential.
  • Product capabilities: A manager may question whether a product is worth buying based on its functionality or fit for the company. This is where you can show you’ve done your homework and that the product you’re recommending ticks more boxes than any other. Share any info on the product roadmap and the company’s customer success team. An open API is another major capability to emphasize if the product you are recommending has one.
  • Maintenance requirements: A vendor that’s confident about the value its product provides should be willing to work with your company on a proof of concept and make key team members available to answer questions from your boss or other team members. Take advantage of that confidence and put them to the test.

By following these guidelines and doing your homework, you should feel good about making the case for a pentest automation solution that will bring significant business benefits to your organization.

Read the full eBook Selling Your Boss on Pentest Reporting Automation for more tips on investigating and presenting a reporting automation solution to your team.
