
The Pen Test Debrief That Changed a CFO’s Mind

Sarah walked into the conference room already skeptical.

As CFO of a mid-sized manufacturing company, she’d approved the $6,000 penetration test because the CISO insisted it was necessary for their cyber insurance renewal. Fine. But now she was being pulled into a “findings debrief” that would probably be an hour of technical jargon about theoretical risks that may or may not matter.

She had actual budget meetings to attend and real business decisions to make.

But what happened in that conference room changed how she thought about cybersecurity spending, and led to immediate approval of a $25,000 remediation budget she’d previously rejected.


The Skeptical CFO

Sarah wasn’t anti-security. She just needed things to make business sense.

The company had antivirus software and a firewall. They required password changes every 90 days. IT seemed to have things under control. Why did they need to pay someone to “test” security they’d already paid to implement?

When the CISO first proposed penetration testing, Sarah responded, “How is this different from the vulnerability scanning we’re already doing?”

The answer she got (something about “manual testing” and “real-world attacks”) sounded like a way to justify spending more money on something they were already covering. But the insurance company specifically asked about pen testing, so she approved it with the expectation that the report would confirm everything was fine.

Now, sitting in the debrief with the pen testing team and her CISO, she was prepared for what these meetings usually were: technical people talking to other technical people, while she wondered when they’d get to anything that mattered to the business.


Lost in Translation

The pen tester opened his laptop and started presenting.

“We identified several findings during our assessment. Let me walk you through the summary. We found three critical vulnerabilities, seven high-severity issues, and twelve medium-severity findings. The critical vulnerabilities have CVSS scores ranging from 9.1 to 9.8, indicating significant risk to your infrastructure.”

Sarah nodded politely, already tuning out. CVSS scores? She had no idea what that meant or why she should care.

The pen tester continued: “The first critical finding is CVE-2023-12345, a remote code execution vulnerability in your Apache Struts implementation that allows for deserialization of untrusted data. We successfully exploited this to gain initial access, then used Mimikatz to extract credentials from LSASS memory, which enabled lateral movement across the internal network.”

Her CISO was taking notes furiously. The IT manager was asking questions about patch levels and configuration details. Meanwhile, Sarah was completely lost.

This was exactly what she’d expected: a room full of people speaking a language she didn’t understand, discussing problems she couldn’t evaluate, and ultimately asking for money to fix things that sounded scary but might not actually matter.

She glanced at her watch. How long until she could politely excuse herself?


The Question That Changed Everything

Then Sarah asked the question she always asked in these meetings:

“Okay, but what does this actually mean for the business? What could really happen?”

The pen tester paused. This was the moment that usually separated good security consultants from mediocre ones: the ability to translate technical findings into business impact.

“Let me show you something specific,” he said, closing the technical slides and opening a different section of the report.

“During our testing, we gained access to your production database through a chain of vulnerabilities. Once inside, we had full access to your customer order system. Let me walk you through what an attacker could do with that access, not theoretically, but based on what we actually demonstrated during testing.”

Now Sarah was paying attention.

The Finding That Reframed Everything

The pen tester pulled up a simple diagram showing the path from external internet access to the customer database.

“Here’s what we did: We exploited a vulnerability in your customer portal that allowed us to bypass authentication. From there, we accessed your internal network and found a server with default credentials (username ‘admin’, password ‘admin’). That server had stored credentials for your production database.”

“Once in the database, we had complete access to customer orders, pricing, and payment information. We could view, modify, or delete any of this data. During testing, we extracted a sample of 50,000 customer records to prove access. We obviously didn’t do anything malicious with it, but an actual attacker could.”

Sarah was leaning forward now. “What’s in those records?”

“Customer names, addresses, email addresses, phone numbers, order history, and partial payment card data (the last four digits and card type). While you’re not storing full card numbers, which is good, there’s enough here to create significant problems.”

The pen tester then said the thing that changed Sarah’s entire perspective:

“Based on our research of similar breaches in your industry, here’s what this would likely cost you.”

He pulled up a single slide with a simple breakdown:

Breach notification costs: $85,000-$120,000 (required notifications to 50,000+ customers across multiple states, including mailing, call center, and legal fees)

Regulatory fines: $150,000-$300,000 (state-level penalties for data breach, based on recent precedents in your operating states)

Credit monitoring services: $200,000 (required offering for affected customers, industry standard is $25-30 per person for 1 year, but many affected might not sign up for it)

Legal costs: $100,000-$250,000 (class action defense, even if ultimately dismissed)

Revenue impact: $500,000-$1.2M (customer churn based on industry data showing 15-25% customer loss post-breach, calculated against your average customer lifetime value)

Insurance deductible: $50,000 (your current cyber policy deductible)

Total estimated cost: $1.085M – $2.12M

“And that’s assuming relatively quick containment and no operational downtime,” the pen tester added. “If attackers encrypt your order system with ransomware, add another $200,000-$500,000 in lost revenue during recovery.”

The room was silent.


The CFO Does the Math

Sarah grabbed her pen and started writing. She was doing the calculation that would drive her decision.

The penetration test cost $8,000. The recommended remediation (patching systems, fixing the authentication vulnerability, replacing default credentials, and improving network segmentation) would cost approximately $25,000 based on the CISO’s initial estimate.

Total prevention cost: $33,000.

Potential breach cost: $1-2 million.

Even in the absolute best-case scenario, where a breach only costs them the minimum (around $1 million), they’d be looking at a 20:1 return on security investment. More likely scenarios put it at 30:1 or 40:1.

Sarah had approved marketing campaigns with worse ROI.

“Walk me through the remediation plan,” she said.


From Skeptic to Advocate

The CISO pulled up his laptop, clearly prepared for this conversation.

“We’ve prioritized the findings into three tiers. Tier one addresses the critical path that the pen test demonstrated, the one that goes from the internet to the customer database. This is the $25,000 remediation we discussed last month.”

Sarah remembered that conversation. She’d pushed back on the cost, asking why they needed to spend so much when they already had security measures in place. The CISO tried to explain, but without concrete evidence of exploitability, she’d asked him to “defer this until next quarter when we have more budget flexibility.”

That was six weeks ago.

“Tier one includes patching the customer portal vulnerability, implementing multi-factor authentication, removing all default credentials across the environment, and improving network segmentation to isolate the production database. This work addresses the exact attack path demonstrated in the pen test. Timeline is four weeks.”

“Tier two addresses the high-severity findings that didn’t lead to database access but create other risks. Cost is approximately $30,000, timeline is about eight weeks, and can be scheduled after tier one completion.”

“Tier three addresses medium-severity findings and security improvements that weren’t directly exploited but increase our overall security posture. Cost is approximately $15,000, timeline is flexible.”

Sarah did more math. Total cost across all three tiers: $70,000. Still a tiny fraction of potential breach costs.

“Approve tier one immediately,” she said. “Let’s get that work scheduled for the next sprint. For tier two and three, let’s review after tier one is complete, but I’m inclined to approve both based on what we’ve seen today.”

The CISO looked stunned. He’d been fighting for this budget for months.

“Also,” Sarah continued, “I want this pen testing to become annual. Add it to next year’s budget at the same cost. And I want a brief report after tier one remediation that confirms the attack path has been closed.”


What Changed Her Mind

After the meeting, Sarah’s CISO asked what made the difference.

“I finally understood what we were actually risking,” she said. “Every budget request comes to me as ‘we need this for security,’ but nobody ever explains what we’re securing against or what it costs if we don’t.”

“When you showed me a direct line from ‘attacker on the internet’ to ‘all our customer data compromised’ and then translated that into actual dollars based on real breach costs? That’s a decision I can make. That’s ROI I can justify to the board.”

“The technical details matter for the people implementing fixes. But for approving the budget, I need to understand business risk in business terms. What’s the threat? What’s it worth to prevent it? That pen test debrief gave me both.”


The Follow-Up

Six weeks later, the tier one remediation was complete. The company brought the pen testing team back for a focused retest of the critical findings.

The retest confirmed the attack path was closed. The authentication vulnerability was patched. Default credentials were eliminated. Network segmentation prevented direct database access from compromised internal systems.

Sarah received a two-page summary showing the before and after: “Previously, an external attacker could reach the production database in 45 minutes. Currently, the attack path is closed, confirmed through retest.”

She approved tier two and three remediation that afternoon.

Three months later, during the cyber insurance renewal, the carrier noted the penetration testing and completed remediation. The premium, which Sarah had expected to increase significantly based on industry trends, barely moved.

Sarah added a line to her next board presentation: “Cybersecurity investments this year: $103,000. Estimated breach prevention value: $1-2 million. Estimated ROI: 20:1.”

The board approved an increased security budget for the following year without discussion.


The Lesson

Sarah’s story isn’t unique. CFOs aren’t resistant to security spending; they’re resistant to spending money on things they can’t evaluate.

When security conversations stay technical, financial decision-makers can’t make informed choices. They’re being asked to approve significant expenses based on trust rather than understanding.

But when security risks get translated into business impact (real costs, real scenarios, and real ROI), the conversation changes completely.

The pen test did more than find vulnerabilities. It provided the evidence and context Sarah needed to understand what was at stake. It reframed security from “IT expense” to “business risk management.”

And once she understood the risk, the decision became obvious.


MainNerve: Reports That Speak Both Languages

MainNerve structures penetration test reports and debriefs for both technical teams and business decision-makers.

Our reports give IT teams detailed technical findings and remediation guidance, and give decision-makers a clear picture of the business impact.

Because security decisions require both perspectives: technical depth for implementation and business context for budget approval.

Ready for penetration testing that helps your entire organization make informed security decisions? Contact MainNerve to discuss testing that provides both the technical details and the business context your team needs.

Because the best security investments are the ones everyone understands.
