Managed Security Services and Penetration Testing have gained increased visibility and importance due to the increasing severity, damage, frequency, and expansiveness of large-scale cyberattacks. Enterprises in all spaces, but especially in SaaS and security-related services, are concerned about security penetrations and data breaches. Their planned investments in these categories are necessarily increasing. Aside from the reputational hit and disruption, such security failures can severely impact the value of the company, as well as cost considerable sums for remediation and potential claims.

Looking back to the 2013 Target data breach, it cost Target $18.5M[i] to settle the case. But the true cost was incalculably more, with some low estimates starting at $300M due to damage to their brand, as buyers, uncertain about the safety of their data, stayed away for a long time. More recent examples include Marriott (2018), Equifax (2017), and Yahoo! (2016), each of whom averaged costs of $347 million for legal fees, penalties, and remediation. Beyond just legal fees alone, Marriott uncovered the breach while seeking GDPR compliance and the company was fined $912 million under that rule.[ii]

Over the last two years, we have received an alarming number of reports of companies who have been hacked. Some were mere disruptions, for example, in a wholesale distribution business.  Conversely, for others in the SaaS and managed security verticals, the damage has been severe—almost end-of-life—for some companies. Mergers and acquisitions have been canceled because of security breaches. Company values have been severely damaged. We have even observed companies forced to consolidate or merge because of the damage that has been wrought.

In one example, the security team petitioned for more funding to invest in improving their security apparatus. Unfortunately, the request fell on deaf ears, based on their company’s budget priorities. Sadly, several months later this company was significantly damaged from an attack that might have been prevented had the original request for funding been approved. This attack caused enough damage that the company ended up being sold to another company, under a different brand. These potential issues are pervasive and can affect the future of these enterprises.

The heightened level of awareness has become even more acute with the highly-visible recent hacking activity that has affected myriad companies and governmental organizations like the US Commerce Department.[iii] [iv] Accordingly, enterprises are giving more attention to their security systems and reducing risks. However, all businesses have myriad competing priorities that also need to be addressed. So, while the problem is known, it is still a challenge to obtain appropriate funding in the face of competing priorities.

One possible solution that we’ve observed with many of our clients: As a result of the cost savings that AIQ projects deliver, many CFOs will reinvest a portion of the savings back into the business for critical initiatives, while also using the balance of the savings to improve the company’s EBITDA financial results. The portion reinvested into the company helps create better alignment with the business. For important cases such as reinvesting into security infrastructure, reinvesting savings is a reasonable measure that can be taken to improve your company’s security profile.  Even though the demand for increased penetration testing has been increasing, AIQ still finds significant opportunity to reduce the per unit cost for the service.  This is because there is an expansive list of qualified, well-recognized service providers who have an appetite to expand their market share.

Since AIQ predicts savings at a 95% confidence level ahead of engagement, AIQ projects enable the enterprise CFO to anticipate and budget for the savings that AIQ projects deliver. For example, by collaborating with AIQ, you could reduce your current per-unit cost for penetration testing—or any other ongoing service—without reducing quality or quantity, and reinvest the savings into improved security. Since it takes an enterprise a while to assess needs, plan, and execute, you can do that work ahead of time with the knowledge that you will have budget within a few months to invest based on “found money” from an AIQ savings project. Typically, AIQ produces savings of around 40% in over 100 categories of technology service-related spends. So, depending on your enterprise’s current expense, there may be significant latent savings, and therefore budget, available to improve your threat resistance. For example, you may be able to invest in additional testing or additional security systems, such that you can further secure your enterprise beyond what could have otherwise been supported with existing budgeting and investment limitations.

If you have any questions or you’d like to talk to AIQ, please do get in touch. Our contact information is below:

This article was authored by Brad B. Buxton, CEO, and Bruce A. Hallberg, Principal, of AIQ.CO

AIQ relied on data from the AIQ knowledgebase and first-hand knowledge for this article. AIQ is careful to only discuss market data and trends in the aggregate, engages exclusively under Mutual Non-Disclosure Agreements, and never discloses personally identifiable or client information.  © AIQ, 2021

[i] Reuters (2017, May 24). Target Settles 2013 Hacked Customer Data Breach for $18.5 Million. NBC News.

https://www.nbcnews.com/business/business-news/target-settles-2013-hacked-customer-data-breach-18-5-million-n764031

[ii] Zurkus, Kacy (2019, May 15). Companies’ Stock Value Dropped 7.5% after Data Breaches. Infosecurity Magazine. https://www.infosecurity-magazine.com/news/companies-stock-value-dropped-1/

[iii] Fung, Brian and Marquartdt, Alex for CNN (2020, December 14). US agencies investigating hacking of government networks. MSN. https://www.msn.com/en-us/news/politics/us-agencies-investigating-hacking-of-government-networks/ar-BB1bTJjv

[iv] Bossert, Thomas (2020, December 16). I was the Homeland Security Adviser to Trump. We’re Being Hacked. New York Times. https://www.nytimes.com/2020/12/16/opinion/fireeye-solarwinds-russia-hack.html?smid=em-share

SUMMARY KEYWORDS
savings, hacked, security, penetration testing, invest, investment, data, reallocate, M&A transactions, enterprise

Download PDF

https://platform.twitter.com/widgets/tweet_button.2f70fb173b9000da126c79afe2098f02.en.html#dnt=false&id=twitter-widget-0&lang=en&original_referer=https%3A%2F%2Fwww.aiq.co%2Fpenetration-testing-why-you-need-more-of-it-now-and-how-to-pay-for-it%2F&size=m&text=Penetration%20Testing%3A%20Why%20You%20Need%20More%20Of%20It%20Now%2C%20And%20How%20To%20Pay%20For%20It%20%7C%20AIQ%20%25&time=1705613557250&type=share&url=https%3A%2F%2Fwww.aiq.co%2Fpenetration-testing-why-you-need-more-of-it-now-and-how-to-pay-for-it%2F

Skip to content