Cyber threats are increasing and cyber security has become critical to business operations. As security budgets grow, CEOs and boardrooms demand concrete evidence that cybersecurity initiatives deliver value beyond regulatory compliance.
Just as you wouldn’t buy a car without knowing it’s been crash tested, security systems should also be tested to prove their value. There is a growing shift toward security testing because it allows cyber practitioners to safely run real-world exploits in production environments, accurately assess the effectiveness of their security controls, and identify the areas of greatest impact at scale.
We sat down with Sean Baird, Associate Director of Offensive Security and Red Teaming at DTCC, to discuss how he communicates the business value of his security testing methods and tools to senior management. Here’s a look at how Sean made room for security validation platforms within his already tight budget and how he turned technical security practices into tangible business results that drove purchasing decisions for his team.
Please note that all responses below are solely the opinion of Sean Baird and do not represent the beliefs or opinions of DTCC or its affiliates.
Q: What value does a security audit bring to your organization?
A security audit is about testing your defenses not against theoretical risks, but against real attack methods. It’s a shift from passive security assumptions to actively testing what works. This shows me the extent to which our systems can withstand the same tactics used by cybercriminals today.
For us at DTCC, we’ve been doing security testing for a long time, but we were looking for technology that would serve as a performance enhancer. Instead of relying solely on expensive, highly skilled engineers to perform manual checks on all systems, we could focus our elite teams on targeted, high-value exercises. The automated platform has built-in TTP content to run tests covering techniques like Kerberoasting, network scanning, brute force, etc., freeing the team from having to build it. Tests are conducted even after hours, so we are not limited to standard testing times.
This approach meant that we did not burden our security staff with repetitive tasks. Instead, they could focus on more complex attack scenarios and critical issues. Pentera gave us a way to support continuous validation across all lines without wasting our most skilled engineers on tasks that could be automated.
In fact, it has become a force multiplier for our team. We place great importance on improving our ability to stay ahead of threats while optimizing the use of our best talent.
Q: How do you justify the ROI of an automated security screening platform?
First of all, we see a direct improvement in the productivity of our team. Automating time-consuming manual assessments and test assignments has changed the game. By offloading these repetitive and time-consuming tasks to Pentera, our skilled engineers could focus on more complex work. And without the need for additional staff, we could significantly expand the scope of testing.
Second, we can reduce the cost of third-party contractors. Traditionally, we have relied heavily on external expert contractors, which can be expensive and often limited in scope. With the human expertise built into a platform like Pentera, we’ve reduced our reliance on expensive services. Instead, we have in-house staff – analysts with less experience – who run effective tests.
Finally, there is an obvious benefit: risk reduction. By constantly reviewing our security posture, we can significantly reduce the likelihood of a breach and the potential cost of a breach should it occur. IBM’s Cost of a Data Breach 2023 report confirms this, reporting an 11% reduction in breach costs for organizations using proactive risk management strategies. With Pentera, we’ve achieved just that – lower exposure, faster detection and faster remediation – all helping to lower our overall risk profile.
Q: What internal hurdles and obstacles have you faced?
One of the main obstacles we faced was friction from the architectural commission. Understandably, they were concerned about running automated exploits on our network, even though the platform is “secure by design.” The idea of launching real-world attacks in production environments can be unnerving, especially for teams responsible for the stability of mission-critical systems.
To solve this problem, we took a stepwise approach. We started by running the platform on a reduced attack surface, targeting less critical systems to demonstrate its safety and effectiveness. We then expanded its use during red teaming by running it alongside our existing testing processes. Over time, we gradually expanded the scope, proving the reliability and safety of the platform at every stage. This gradual rollout helped build trust without the risk of major disruptions, so trust in the platform is now pretty well established.
Q: How did you distribute the funds?
We have allocated funds for Pentera in the same position as our red teaming tools, grouped with other solutions such as Rapid7 and vulnerability scanners. By placing it next to the offensive security tools, the budgeting process was simple.
We specifically reviewed our cost to assess the susceptibility of our environment to a ransomware attack. We used to spend $150,000 a year on ransomware scans, but with Pentera we were able to run tests more frequently on the same budget. This reallocation made sense because it met our key criteria mentioned earlier: increasing productivity by increasing our testing capabilities without the need for hiring, and reducing risk by testing more frequently and at scale, which reduces the chances of a ransomware attack and limits the damage if one does occur.
Q: What other considerations came into play?
Several other factors influenced our decision to invest in automated security testing. Employee retention was great. As I said before, automating repetitive tasks has allowed our cybersecurity experts to focus on more complex and efficient work, which I believe has helped us retain their talent.
Improving the security of operations was another point. Pentera helps us make sure our controls are properly configured and validated, and it also helps coordination between red teams, blue teams and the SOC.
From a compliance perspective, it made it easier to gather evidence for the audit – it allowed us to move through the process a lot faster than otherwise. Finally, cyber insurance is another area where Pentera has added additional financial value by allowing us to lower insurance premiums.
Q: Any advice for other security professionals trying to get a budget for a security audit?
The performance value of automated security testing is clear. Most organizations do not have the internal resources to conduct a mature red team. Whether you have a small security team or a mature offensive security practice like ours at DTCC, it’s highly likely that you don’t have enough expert security resources to conduct a full assessment. If you find nothing, no evidence of a malicious insider in your network, you will not be able to demonstrate resilience, making regulatory compliance difficult.
With Pentera, you have built-in TTPs that give you a direct way to assess how well your organization is responding to threats. Based on this audit, you can harden your infrastructure and fix any vulnerabilities you find.
The alternative—doing nothing—is much riskier. The cost of a hack can lead to stolen intellectual property, data loss, and potential downtime. On the other hand, the cost of the tool provides peace of mind knowing you’ve reduced your exposure to real threats and the ability to sleep better at night.
Watch the full webinar on demand with Sean Baird, Associate Director of Offensive Security and Red Teaming at DTCC, and Pentera Field CISO, Jason Mar-Tang.