Why Companies Don’t Test Their Readiness For Cyberattacks More Often—But Should
Edward Segal, Crisis Management Expert
Washington, DC
Tuesday, December 7, 2021


Commentary From Crisis Management Expert Edward Segal, Author of Crisis Ahead: 101 Ways to Prepare for and Bounce Back from Disasters, Scandals, and Other Emergencies (Nicholas Brealey)

When it comes to protecting companies and organizations against the rising number of cyberattacks and threats, there is no difference between having safeguards they don't use and having no safeguards at all. 

As much as businesses would like to protect themselves against cyberattacks, limited budgets and penetration testing inefficiencies mean few organizations can actually perform as many of those tests as they want or need. That's according to Andrew Obadiaru, the chief information security officer at Cobalt, a cybersecurity penetration testing company which recently released its "ROI of Modern Pentesting" report.

The market for so-called "pentesting" is large and growing, and could exceed $3 billion by 2027. 

Major Survey Results 

According to Cobalt's research:

  • 83% test critical assets only annually—leaving notable gaps in their security posture for malicious attackers to exploit. 
  • 74% of IT security professionals believed their organizations would test their systems more frequently if the traditional pentesting process (via a consulting firm) was more efficient or required less management. 
  • 71% agreed that the cost of pentesting limits the ability of their organization to test more frequently. 

Cobalt surveyed 600 IT security professionals and conducted an in-depth study of six seasoned security leaders.

In their report, the company said it found that, "traditional threat detection (via a consulting firm) is no longer cutting it. Now more than ever, organizations must invest in modern, innovative security measures like PtaaS [penetration testing as a service] to avoid becoming the next big attack headline."

The company claimed that a service-based approach can save organizations a substantial amount of time and money. The average estimates from the panel of experts "indicate that when retesting fees are added in, the total cost of [a] PtaaS project is on average $22,900, which is 56% lower than the consulting engagements," according to Cobalt's report.

Cyber Vulnerabilities And Trends

In July, Cobalt released their annual report examining corporate cyber vulnerabilities and identified the trends and hazards that impact the cybersecurity community. The data was collected from the company's proprietary platform that connects ethical hackers with organizations that need security testing and collaborates on finding and fixing security vulnerabilities, according to Caroline Wong, chief strategy officer at Cobalt.

"Unfortunately, the high-profile cyberattacks that have occurred in the past few years—Equifax, SolarWinds, Colonial Pipeline, JBS—are not fundamentally different from the kinds of attacks that we've observed over the past couple of decades," Wong observed.

Advice For Business Leaders 

Growing Pressure To Prioritize

Obadiaru noted that, "Cyberattacks have been growing in frequency and severity over the past 10 years, and have increased exponentially since the onset of widespread remote and digital work. The pressure is on for organizations to prioritize building and implementing a comprehensive security strategy to avoid becoming the latest cyberattack headline."

Undetected Vulnerabilities

He warned that, "... cybersecurity vulnerabilities are going undetected because pentesting hasn't made its way to the 21st century—and this is a big problem. Pentesting is vital in today's cyber threat landscape," he observed. "It is a proactive, preventative security control that organizations can use to protect themselves from cybercriminals. The objective is to find and fix security vulnerabilities in applications, networks, and cloud configurations before it's too late."


Edward Segal is a crisis management expert, consultant and author of the award-winning Crisis Ahead: 101 Ways to Prepare For and Bounce Back from Disasters, Scandals and Other Emergencies (Nicholas Brealey). He is a Leadership Strategy Senior Contributor for Forbes.com where he covers crisis-related news, topics and issues. Read his recent articles at https://www.forbes.com/sites/edwardsegal/?sh=3c1da3e568c5.

News Media Interview Contact
Name: Edward Segal
Title: Crisis Management Expert
Group: Edward Segal
Dateline: Washington, DC United States
Direct Phone: 415-218-8600
Main Phone: 4152188600
Cell Phone: 415-218-8600