2. How can I measure ROI for the SE portion of pen testing?
This one is a great topic. I have a blog post coming to detail this in depth, but will give you the tops of the waves.
#1 The ROI of appliances cannot be truly realized without testing the products for effectiveness, responsiveness, proper config, and regular testing/tuning for the environment. The basics.... "How do I know this thing is providing value if I can't show you it is working?"
#2 The other way to show the value is to make a bit more of a personal connection. To make the current attacks relevant, show a sample of where you see these types of attacks (phish, client-side) hitting your network today. In addition, create some VMs to do a demo. If I learned anything from my years of testing, it's that VIDEO WORKS! As a side note, make a claim: "With this type of testing, we will show how to alter/change/delete information in the 'XYZ' system. This system runs our... *make it industry specific, like EPHI data, financial data, intellectual property, source code... you get the point*." Then explain to them that a compromise within those systems will put you in violation of compliance (*use what applies*). If there is no compliance, make it relevant to the business: XYZ system controls our $$ or how we make $$. If it gets hacked... we lose.
The whitepaper is a bit more eloquent... but you get the point.