How Much Does Cybersecurity Cost?

Listen to learn how much cybersecurity services generally cost and how to reduce compliance assessment costs.

SecurityMetrics Podcast | 41


It can be difficult to build cybersecurity into your budget and receive approval from senior decision makers.

Lee Pierce (Director of Sales Operations for SecurityMetrics) sits down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to discuss the factors that affect costs of various cybersecurity services.

Listen to learn:

  • How much cybersecurity services generally cost
  • What factors can affect pricing
  • How to reduce compliance assessment costs

Resources:

Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide

Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide

[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.

Transcript of How Much Does Cybersecurity Cost?

Hello, and welcome back to the SecurityMetrics podcast. I'm Jen Stone. I'm one of the principal security analysts here at SecurityMetrics. Very excited here today to talk to you, with one of my colleagues, Lee Pierce.


Before we get started, I wanted to let you know that we recently had a live event here at SecurityMetrics called Summit. There are links on the website. I'm sure you can go find them. Just search SecurityMetrics Summit.


And there are a lot of really good talks from some of my colleagues, Lee and I are on it as well, about various security and compliance topics that you'll probably find useful. So I hope that you take a minute to go look at that.


Let me tell you a little bit about Lee. Lee has been with SecurityMetrics for sixteen years, focusing on enterprise sales, customers needing audits, pen tests, and forensic work. He is also a liaison with banks in helping them understand how to better help their merchants with PCI compliance, validation, and solving problems.


So, Lee, welcome.


Thank you. It's an honor to be here.


Let's talk a little bit about budgeting.


Why is it hard to build budget for compliance and security needs? Why is it so hard to receive approval from the decision makers?


Great question. Kinda loaded with all kinds of answers. One of the problems is, and I hate using this because you hear it a lot these days, but you don't know what you don't know.


Mhmm.


So as people are trying to figure out their budget, they're trying to grasp all of the ramifications of what it is they need to do. And if they don't fully understand that such and such has an impact on their budget because it's connected some way, first they need to educate themselves on what the scope of things really is. And then they need to communicate with the people that are holding the purse strings. And a lot of customers that I've talked to, they see the need. The awareness is dawning on them of what they need to do. But then they need to bring in the decision makers that are actually signing the checks and agreeing to it.


We recently had a company call us just this last week that said that they've been for years trying to get budget to do security things. And then some changes occurred in legislation in their state where the municipalities they worked with had to have security companies that had cyber insurance. And for them to get cyber insurance, they had to meet certain bars of standards of compliance in order to even qualify for the insurance. And, boy, everybody was on board then. It was like, okay. Let's get serious. So it's a matter of educating them on the cost of not doing security as well as the regulations they may not be aware of.


And we like to have conversations with them. You know, they can get on the phone and beat us up a little bit about this. Why is this really necessary? Mhmm.


And, honestly, there is a little bit of venting that needs to happen as people work through the problems. Like, why? Why does this cost so much? We're just trying to sell widgets and whatsits, and why are you doing this to us?


And yet the world of cyber threats is just a moving target all the time.


And it's unfortunate. Especially the first year that people try to get a third party assessment. Because, as an assessor, what I see is they don't really understand the scope of what they're trying to protect. Mhmm.


And if you don't have a good grasp of that, then not only is it hard to get a good solid quote, the quote that you do get might change once the assessor goes in and sees, hey. You have massively more systems connected to what's in scope than you thought you did. And so that can be a disconcerting thing, but it can go the other direction. Right?


Sure. Absolutely.


It can actually go down in price as we help them simplify. Right.


As well as we discover that maybe they brought in some things that weren't really necessarily in scope.


Yeah. I've seen that as well, especially in PCI specifically. But it applies across the board: whatever you're looking at to assess, if you can segment that off from a larger network so that you have, like, a protected network that you're considering for the assessment, it takes much less time for the assessor. It takes much less time to review the settings and the configurations. It takes much less time to write about it. And so if you work with an assessor during the first compliance test. Mhmm.


And find out ways to reduce that scope, then the next year, you have a way to say, alright. So how do we reduce the costs as well? But, again, like you said before, you don't know what you don't know. And sometimes it takes really getting into it before you have a sense of that.


Yeah. And you talk about segmentation and how that will help them. Well, there's a cost involved in creating that segmentation to protect it. And I've had those conversations too where they'll say, well, show me in PCI where I have to segment. And I'll say, well, you won't find it.


Yeah. You don't have to.


It's encouraged because anything that's in scope introduces more complexity. Mhmm. And more risk. And so, yes, firewall work, segmentation, additional boxes, staff to run it. Those things cost, but you sleep at night. Yeah. And your budget does go down.


In fact, we've had customers that started off, and these are big, big organizations, but several hundred thousand dollars for their work in one year. And then eight, nine years down the road, the cost is more than half off now. I mean, because we've helped them reduce. They have multiple reports on compliance they need to do.


Well, we help them figure out that some of these could just be self assessments. If they talk to their bank, figure out their merchant IDs, figure out how to simplify their processes, their compliance validation requirements go down, so does their cost. Kinda working ourselves out of a job. Right?


Like a good dentist. Right?


Actually, I did lose an entire customer once because I convinced them to put in P2PE, and then their bank said, you don't have to assess anymore. And then I was sad because they were so good. But at the same time, save the money, and then it made them more secure.


Mhmm.


So, I really would like to talk about hard costs even though I don't like it.


But, do I sound like I'm avoiding it?


But, no, I am avoiding it. I think that there are people listening who wanna know, look. I know what kind of an SAQ I do. Mhmm. I know I'm gonna have to get a third party to help me assess this because I've reached a point where the bank says get a third party. What do they do? How can they, is there an estimated cost, or does it really depend on too many factors to really give them a good swag at it?


Well, yes and yes. So, I mean, that doesn't sound right, but you can pretty much get a swag at it. But you need to understand that there are ramifications that could sway that a little bit.


I've got some numbers here that I can share with you. So if you're a simple ecommerce merchant, you may do tons of transactions.


But if you are an ecommerce merchant that is doing fewer than a million transactions a year, you're a level two merchant, you can get an assisted SAQ.


And let's say you do an iframe where you've got a third party doing all the heavy lifting for you, and you've done it right. You've implemented it properly.


Your audit on that environment could be as low as twelve thousand dollars. Yeah. Ten to twelve thousand dollars depending on the complexities going on there. So just an SAQ A, you know, very feasible.


Yeah. I've actually worked with customers who didn't have a simple iframe where they were leveraging a third party, where they were doing a lot more of the work themselves.


And it started off being a much bulkier assessment.


And then when they realized that they could leverage a third party, that the numbers lined up to reduce, you know, potential threat and also reduce their costs, so they switched over to having a third party help them.


Yeah. And I'd have a word of advice for you if you're kind of shopping around looking for a way to reduce your costs.


Unfortunately, I've had customers come on board saying, okay. We're all geared up. Everything is in place, and we're good to go. We're set with our SAQ A.


Mhmm.


And then we start looking at it.


We go, it's not SAQ A. Yeah. It's not at all. So what you need to do is really do your homework with these providers that are signing up to do this work for you to take away the pain.


Make sure that you've got clear cut examples of what their work actually does. And then make sure you talk to your bank too because the bank is the one that really signs off on the validation requirement.


Yeah.


So you gotta be careful there.


And it might be worth a little bit of consulting hours. Absolutely.


To double check everybody else's, you know, give a gut check on.


Mhmm.


Because sometimes, I mean, I'm not saying that all these third parties are out to sell you something you don't need. I'm sure that sometimes it's just a misunderstanding or, Sure, you know, you don't go far enough.


Nobody's trying to, you know, that's a rare thing.


Yeah. I think so. I think it's more misunderstanding of what is needed.


Mhmm.


And so just making sure that you've got all your ducks in a row. Sometimes a third party who does PCI all the time Mhmm. Is going to be helpful.


Yeah. And we do sell consulting packages, and I can't tell you how many times customers have come back and said that was the best money we ever spent.


Yeah.


Because rather than spending thirty five, forty thousand dollars on a lot of complex work with audits and pen tests, we first really dialed it in, looked at our network diagrams, looked at the processes, looked at all the third parties involved in helping us, and we really were able to clean it up.


Mhmm.


Then we were ready for a much cleaner assessment and a much smaller scope on our pen test too.


And I wanna be very clear with the people listening. I am not trying to sell you something.


The last thing Lee probably is. But the last thing I wanna do is to try and say these are the things that you should purchase. I care a lot about security and meeting their needs, but I don't wanna be out there going, you need to buy these things. So I want people to recognize what we're talking about. This is not unusual.


This is how all the major companies tend to do it. Mhmm. Right? You have a lot of options out there for people who can help you through your security and compliance needs.


And I wanna make sure that you know that we are not the only ones and you get the ones that are right for you. So whatever we say, this is not special sauce. This is not magic. You know, this is not only we do it.


This kind of standard is how people take a look at things throughout the industry.


Yeah. And I wanna also add that in our sales team, I've been here for quite a while, we emphasize getting the right stuff to the right people. And if that means we don't recommend something that we do because of what we've learned about the particular environment of a customer that's a potential buyer. Mhmm. We don't sell that.


Yeah. You know? And we literally make our money the other way because they recommend us to other people. So, you know, we try to establish a really trusted relationship based on what they really need.


And, frankly, we do try to talk them down from the complexity to help them have greater success, which doesn't always mean dollars for us. Right?


Yeah. Well, it doesn't. But, I mean, in the end, everyone's in business, and you don't wanna put yourself out of business by not serving the needs of the customer.


Exactly. It's a simple thing.


So we talked about SAQ As.


Mhmm.


And my impression is that if you have kind of a standard company size, kind of a standard volume. Mhmm. That your SAQs are gonna be right around the same cost because they take about the same amount of effort. Mhmm. From business to business.


Yeah.


But what are some of the things that can increase that cost that might be unexpected?


So the validation type is a big deal. Like SAQ A, we're just looking at that very much outsourced environment.


Jump all the way up to SAQ D. Mhmm. You're looking at all the requirements. It's just you will save a little money if you're a level two merchant doing a QSA assisted self assessment.


Mhmm. And that means you'll cut out the report writing that is required on the report on compliance. Mhmm. So the report on compliance costs money.


It's a lot of work. You know? I don't know like you know.


It's so much writing.


Mhmm. And referencing. You gotta point back to this.


And you have to remember what you're talking about the entire time.


Yeah.


It's focus. Yeah.


It's, yeah, it could take scores of hours.


Scores of hours.


Yeah. So big difference.


You save a lot of money if you're a level two merchant and you're doing an SAQ D with a QSA. Mhmm.


Site along with you and signing off saying, yes. I've seen. I've hefted, and I agree with these findings. Yeah. Saving a lot of money there. But still, you do have how many requirements for SAQ D?


All of them.


All of them.


So the only real difference between SAQ D and a report on compliance, you're looking at as an assessor, you're looking at all the same evidence. You're doing all the same on sites. You're having all the same interviews. The only real difference is how you fill out the report.


Mhmm. The SAQ D, you get to check some boxes after you've assured everything and you have all your working papers in place. The report on compliance, you're writing about it so that you're saying comprehensively, this is what I saw. Not just that I saw it, but this is what I saw, how I saw it, who I talked to, what the supporting evidence is.


And so that writing process is the thing that really makes the difference in time between an SAQ D and a report on compliance.


Mhmm. And now I'm getting back to that second part of your question, which was, can you really dial it in, or is it just too complicated to tell? Is there a swag there?


And when you get into the more complex environments with the SAQ D, you have so many more options. Mhmm.


Like multiple segments, multiple locations. Yeah. Different services, different service providers that are assisting you with everything that you're doing that we have to help make sure all those connections are safe.


Penetration testing, we'll go into that a little later.


But Okay.


Even an SAQ D jumps up quite a bit from, you know, the ten to twelve thousand dollar mark I was talking about with SAQ A.


An SAQ D for a merchant would be, you know, on rare occasion, and I always have to be careful when I give the low number because that's the reason why they write that down.


You said. But for SAQ D, on rare occasions, it'd be, like, eighteen thousand dollars. But, typically, we're looking at more like twenty four to thirty thousand dollars for SAQ D.


And then, you know, if you have to have a report on compliance, not an SAQ D, you know, tack on another ten thousand dollars or so, because you're bigger, you're more complex, you might be a level one merchant, or you might be a service provider that has no option but to have a full assessment.


Right. And then from an assessor's point of view, if work translates to money or cost, which I imagine it does Mhmm.


The more complex an environment is, the more costly that's going to be. So if all of your devices are built off of the same image and you're using the same operating systems, you're using the same devices, all of your network devices are configured in the same ways. And you can really demonstrate that you have centralized logging, a centralized antivirus. Like, everything is really managed from one central location and you don't have really manual processes, then that's going to be about as simple as it gets. But then on the other hand, you might have some organizations, and there's tons out there that do this, where you have certain things in Azure and other things in AWS. And then you've got this colo over here. And then you have actually, you know, a data center that you're running right there at your headquarters.


The more different environments you have, the more complex it is for someone to assess it.


And think of the crazy wild, wild west that we live in right now where everybody's acquiring everybody.


Yes.


And so you get these acquisitions, and it's very typical where a company we'll be working with for three years will say, oh, we bought this other company. And the first year, we're gonna have you assess them separately, because we can't just absorb all of that yet. We have to write new code and bring in that business. And then we get into the second year, and they go, we're not ready.


We're still gonna have you assess that separately. So there's a lot of complexity that you just you can't always predict. Yeah.


I'm happy to say that I work with a bunch of people here, including you, that we're always looking for ways to simplify. Yeah. And let's slow down a minute and make sure we understand what this animal really is. Yeah. And figure out the best way to approach it.


Yeah. Yeah. For sure. One of the things I think is helpful is when we actually have somebody call and say, alright.


I'm ready to talk to a salesperson about what this will cost. And they're not even looking at having, an assessment done for months or even a full year before they actually jump into it. But they start ahead of time knowing what those costs are going to be so they can start putting into the budgeting cycle so they can really, take a comprehensive look at it. That's very different from them. On the other hand, where we get someone who's like, I need to be PCI compliant in two weeks, then you go, okay. I don't know how it's gonna work, but we'll give it a shot.


Yeah. People that do that, that get way out ahead of it, they don't have to think that they gotta hire a brand new guy just to handle all this.


Yeah.


If you get out ahead of it, you're taking just a little bit of time. Yeah.


Occasionally, every month. And then as you're building new systems or writing new code, you don't have to backtrack and rewrite it later or tear something out that you put in because you're getting a little bit of guidance all along the way from guys and gals that have done these assessments forever and seen all kinds of environments. And I wish I could invite you into our Monday morning meetings where we have all of our auditors around a great big table, and they're sharing what they're learning. Hey.


What happens when this goes on? Just last week, we spent, what, twenty minutes on one customer. All of our auditors were sitting there talking together about one customer. How do we simplify this?


And is this even scope? I mean, how do you even count that as scope? I think it was with a mobile application. Yeah. That they were talking about.


Yep. And, you know, you got a real brain trust here. If you take advantage of that with some consulting way ahead of time, let's say you're ready to roll out something ten months from now. Talk to us now and spend just a little bit of money, and you'll get the feeling early on that we're not trying to push you into more and more money.


We're just here to help you. And then you will be set. You'll understand your costs going forward. You'll be able to budget better and maybe be able to reduce your scope and figure out how to pay less for what needs to actually happen.


Do you ever get people who are just like, why do I even have to do this in the first place?


All the time.


Do you do?


All the time. Yeah. Absolutely. And sometimes they just wanna be heard. You know? They just want to bounce that insanity off somebody else.


They're like, I didn't sign up for this. I just sell this little product that me and my brother decided to create. Mhmm. And now all this.


We're not these guys. Why are you doing this to us? And it's really, there's a lot of bad actors out there. Yeah. Constantly trying to steal what you've got.


You know, just you can't even open your emails anymore.


Oh, yeah.


It could even look legitimate from somebody you know without wondering about the link. You gotta roll over the link now and see what's actually appearing in the hyperlink. You can't just click it.


And even just rolling over a link can get you infected sometimes.


It's like, unplug everything.


Yeah. So I see it's a crazy world, and you need help. And you may need the help. Let's say you're a small shop, but you do a lot of volume.


You may need help from a boots on the ground company. We know people like that. We have partners in the industry that are great. They come on board.


They help you build things up. They help you fingers on the keyboard. They help you figure out those issues too, and we can make recommendations with that. Yeah.


So, yeah, it's good.


I haven't talked as much about money as we wanted to.


Oh, I'm sorry.


Okay. Well, that's good.


I mean, let's talk about pen testing for a minute.


Okay. Is that okay? Yeah.


Penetration testing is often a shock Mhmm.


To how much it costs. Yep. And I think that it's different levels of cost depending on what you're looking at. For example, if you just have a network and you don't develop your own code, network layer pen testing is not that bad. Mhmm. It's actually not super expensive depending on how many external IP addresses you have.


Yeah. Right? And services running.


And services running. So there are things that can increase the cost. So the more complex your network, the more expensive a network layer pen test can be. Mhmm. Right? And if you store cardholder data, which you should never do that unless it's actually your business to store it, just because of the cost and the you know, there's so many reasons. But, you know, the internal layer pen test.


Mhmm.


That might be something that you have to do. But we start getting pricey when we talk about application layer pen test. Can you speak to costs on application layer pen test? Sure.


Yeah. First of all, you know, a pen test is gonna cost, a decent pen test. And sometimes we come up against competitive bids. Yeah. And they'll say, oh, these guys are gonna charge me three hundred dollars a day.


And we're like Okay.


Alright. We can't compete with that.


This high school's brother is doing that.


Yeah. But a pen test is gonna cost over two thousand dollars a day. I'd say, on average, twenty four, twenty six hundred dollars a day for a pen test. Now an application layer test is gonna cost, probably, typically, two to four days worth of pen testing.


And it goes crazy. We have some customers we're pen testing for, like, two months.


Yeah.


Like, forty days of testing. So that's not typical. The typical merchant, the typical smaller business is, you know, two to four, five, six days is kind of the realm there.


And, again, that's only if they're developing their own code.


Right. Yeah. And people will call us sometimes and say, yeah. I need, I run QuickBooks. I need that pen tested. You know? It's like Yeah.


You don't need to pen test it.


If you can't fix the problem as the developer, it's not your problem. You need to, you know, when it's shrink wrapped and sent to you, there's other certifications that are happening before that application gets to you.


Right.


So you don't need to worry about that. Internal pen testing, it's the same rate.


And often, it's not an application. So it's a simple task. There's some complexity there, and I'm gonna take a side note if you don't mind.


Oh, yeah.


Yeah. Note is you gotta prepare in advance enough. If I could say anything that trips up the customer more than anything else, it's that they haven't given enough runway of time preparatory for their pen test before their audit validation date is due. So I'd say get to work on your pen test ten months out.


Absolutely.


Get to work on that environment. Consult with somebody about it. We'd love to be those guys.


But we'll look at your diagrams, talk to you about it. This should be included. This doesn't need to be included. Or if you were to change the process here, that would no longer need to be included. We can help you with that. Right.


Pardon me? You need that ramp up time for a couple of reasons. One is to get into the schedule, to get the test done, and to prepare your environment to get that test. But also what happens if you have a finding?


Exactly.


You can't just have a finding and then the assessor goes, oh, you could. You did a pen test with a finding. No.


You have to remediate be a perfect world.


You actually have to remediate and retest.


Mhmm. Yeah. And our model is to retest as long as you need it, you know, for ninety days, I believe. Is it sixty days? But, therefore, you need plenty of time. If your validation date's the end of December, you should have already had your test in October at the latest. So that's important to remember as well.


As I was saying with the internal test, what we're doing is if you have segmentation going on in there, we need to test and make sure that the internal segments are doing exactly what you intended them to do. And so that's where the internal test comes in.


There's also segmentation checks Mhmm.


Where you need to prove that they don't talk to each other. That is a really simple test. And segmentation checks cost about seven hundred fifty dollars. Mhmm. If you're a service provider, you need to do that twice a year. And so that's another important thing to make sure you have on your calendar is those segmentation checks.


Mhmm.


And then you need to document very carefully what it is you do. Because if there's turnover in your staff, the new person walks in and goes, what do I need to do? Yeah. But if it's already documented well and laid out, then you already know what your budget's gonna be, and you know what the calendaring of it is. Yeah. So that's great too.


So all of those things are important.


Exactly. Here's a hot tip for people who are big enough and have enough staff to have segregation of duties, separation of duties.


You can actually do your own segmentation penetration test. That's not the same as a lot of the penetration tests. The segmentation penetration test just says the out of scope systems cannot speak at all to the in scope systems.


Mhmm.


And if you have enough staff who have enough experience, you have the ability to do that yourself and save yourself some money.


Most organizations don't have that, though.


Right. And you have to be independent too.


You have to be independent. Yeah. Separation of duties, you can't be the one testing it and fixing it because then that's no good.


That's why we don't do, yeah, we don't do hands on work and hands on support. Yeah.


Because we wanna make sure we have that separation of duties in place.


Exactly.


Yeah. So these costs do add up, and you need to kinda take note of what needs to happen. It may prompt you to change your business model a little bit.


Mhmm.


Some people decide, you know, I can't play this game every year. I need to outsource more.


Yeah.


You know? And if you choose the right outsource partner, you've made a good move, that'll help. Like Jen said, if you go to point to point encryption and you implement it properly, you've really reduced scope there.


Definitely.


The important thing to remember, though, is you might still have a lot of open holes in your network, and you're concentrating on just the credit card flow. Well, you probably ought to concentrate on your brand name and your good name out there and the ability to do business.


Yeah. Just because they can't steal your credit card data doesn't mean they can't ransomware the rest of your systems.


Yeah. Who did they shut down recently? Some bad guys, they were out for days. They couldn't run a register.


Are you, oh, I thought you were talking about Colonial Pipeline, who I beat up on here all the time.


Yeah. I mean, you may not have anything to do with your actual card flow, but if it shuts down your Internet, it shuts down your computer system so you can't see your inventory. Yeah.


There's a lot of reasons for good security.


You're still PCI compliant, and also your credit card data is secure, but you can't do business. Sorry.


This is actually a conversation that, as an assessor, I have all the time with customers because they'll say, well, pushing back on, is this in scope? Do we have to do this? And then the answer is always, PCI says this.


This is the specific answer for that for cardholder data. But can we also talk about the threats to what you are not putting in scope? There's always a little bit of that conversation more. You know, sometimes more, sometimes less because I care most about security.


And compliance is great, but only if it actually increases security. So I would feel horrible if I said, oh, credit card data is great, but all of your business is shut down. Yeah. Right?


And what was that called? The Internet of things now, with all those problems that can be accessed through a different server and do some lateral jumps into your goodies.


So Exactly.


So there's, yeah. You shouldn't skimp on this.


No. I feel like I did a little bit of a side quest there. Oh, we do.


I wanna return to Mhmm.


The application penetration test. Mhmm. Because I know that those can be more extensive depending on how many roles there are, right, in an application, and what other things can increase the cost?


Well, first, let's talk about roles. So sometimes people will come, and they'll expect a budget bigger than they need to because they'll give us every role they have. And we don't necessarily test every role. We need to test all functionality, and we need to test the ability to escalate privileges beyond the role that is granted.


So lots of times, we'll test the full admin or we'll test the simple user role. Now if it's multi-tenant, then that brings a little more complexity in, where your customers are allowed to make changes administratively inside of your application for the scope of what they do. Of course, it's, you know, sandboxed away from anything else that your service provider is doing or what you're doing for your customers. Your customers can zero in on creating users for their own company.


Mhmm.


It gets a little more complicated.


And, on a side note, authentication is important, because allowing us to authenticate into your application without having to guess saves you money. Otherwise, we have to guess. We try to crack. You know, we can try that. And sometimes people will send us a black box penetration test request. That's great. But it just costs a lot more money.


Because you're spending so much more time figuring out those basic things, where, if you can shortcut to the white box, basically. Mhmm. If you already know what these account credentials are and can try and escalate from there, then you assume that the hacker has done a lot of things up until then to get into your systems. Yeah. You know? But like you said, it's a cost thing.


Yeah. And be careful on budget pen tests, because some pen tests out there, like I said, can be three hundred dollars a day and... Yeah. Yeah. Go. But it's really just a glorified Nessus scan.


They're doing a Nessus scan and a couple of other tools, and it's not really a pen test. And I know because I've read some of them, and I've just thought, oh, I don't think this gives you the assurance that you want in your environment.


Right. Exactly.


Funny story. The head of our pen testing was telling us the other day. He had a customer that was having a hard time getting budget, and he finally persuaded the people giving him the budget for the pen test. It was kind of a big pen test, big environment.


The guy was thinking they could budget. Maybe they could train their own pen testers. It just wasn't working for them. And he finally persuaded them.


Yes. This is what you need. Well, that customer happened to have the head of our pen testing's cell number. Ten o'clock one night, he gets a call, and he goes, please tell me you guys are actively inside my environment right now because I'm getting flags going.


Oh, no.


And so he says, well, I'll get right back to you.


So he hangs up, calls a pen tester and says, what's going on?


He says, well, I popped seven of their boxes, and I'm in their database.


And or seventy. I'm sorry. Seventy of their boxes.


Good news is it was us.


And the bad news is we own all your base.


Yeah. Yeah.


And so imagine having a bad guy tell you that. Yeah. And they're ransoming you, versus the doctor. I like to think of a good, trusted penetration tester as your doctor. And the doctor says, this is what we found, and this is what you've got to fix in order for us to not find it again.


And then when the retesting rolls around Mhmm.


We come to the locked door and we go, you did it. You fixed the breach. Yeah. You fixed the problem.


And then you don't have to go there. So with the application testing, don't skimp on that. The authentication needs to be thorough. If you have APIs, we really need your documentation.


Yeah.


And sometimes, customers, we don't like doing this, because from our perspective, we can't do it as well as you could with your specialist, but we end up having to write the API documentation in order to test it well. And that's just not the way to do it.


That seems like not the best use of our time.


Yeah. Or or your money.


Yeah. Exactly.


And so, yeah, you don't wanna do that. So these things can cost, you know, a complex application, and there are multiple applications.


And by the way, we don't need to test each application if they have the same code. Mhmm. So if you just have kind of a cosmetic difference to your application, we test one application. Yeah. And, same thing going back to the audit. You know, we don't have to test every location if it's cookie cutter.


Yes.


And we've proven it through sampling. So there's a lot of ways to save money on that.


Yep. Yep. For sure. Alright. We've talked about, third party audits. We've talked about penetration testing. Forensics.


Forensics.


Tell me about cost when it comes to forensics.


Okay. This is where you don't wanna talk to us.


You don't wanna talk to about about forensics, but sometimes you have to.


Something has already gone wrong, or some people actually put us on retainer.


That's what I was just gonna say.


Really smart.


Yeah. We are now seeing people more than ever get out ahead of forensics. Mhmm. So they will hire us for forensics consulting to help them tell me what the bad guys are actually succeeding at doing. That's one of the reasons why our audit team is so good because we share the wing in our audit team with our forensics team.


Yeah.


And we're talking.


All of the time.


This is what's happening out there. This isn't theoretical. This isn't some, you know, monthly magazine talking about look out for this. This might be happening. This is what is happening. Mhmm. This is our analysis on the very data we're collecting.


Yeah.


And, the forensics, they are three hundred dollars a day, or an hour. Sorry. I'm back to pen test cost. Three hundred dollars a day.


My cousin Billy, he'll take a report.


That's what you're saying. No.


But, yeah. The forensics is three hundred dollars an hour and very thorough.


There's evidence acquisition. There's just so many reasons to not wanna get into a forensics position, and that goes back to everything we've talked about up until now. Mhmm. But if you are faced with a forensic, it's three hundred dollars a day. You need to preserve your logs, your data. You don't wipe things out. You only get away with that if you're a politician.


Oh my goodness. Great. Now we can't hear this. From this. We're gonna cut that part.


Anyway but, no. You have to retain the evidence for for the analysis. So there's so many reasons.


Because if you don't know what went wrong Yep.


You don't know how to fix it. Yeah. And I think that's one of the real values in forensics is sometimes people get told they have to do forensics by their insurance company, by their card brands, by there's various groups, you know, regulatory. Mhmm.


They might have to do forensics in certain cases. But you want to, like, especially if you don't have a team that can tell you what went wrong. Mhmm. Because then how do you repair the damage?


How do you fix it so that they don't come back and Yeah. And recommit that crime?


Oh, yeah. And we've seen that. We had a customer that, unfortunately, they had a big forensic. It involved a lot of locations.


We found the problem.


And they had some guy come in and and redo the machines after everything was done. All the evidence had already been gathered and analyzed, but they just reimaged what they already had, and they just imaged right back in the problem they had in the first place. We saw them seven months later for another forensic.


And I I have to tell you, I'm sorry to say they went out of business.


Yeah. So when you are involved in a forensic, you need to pay close attention to what's being told. And if you can't fix it, if the recommendations that come to you suggest you don't have the staff to help you fix it, get help fixing it. Because it means everything. You're at that point where, am I gonna be in business next month, or am I not? Yeah. And you gotta get it fixed right so that you don't have that problem just lurking right back in through the problem.


We don't want people to go out of business because of cyber criminals. That's devastating. So, alright.


Next thing. So so those are some of the standard things that everybody talks about. Mhmm.


But I thought maybe we should talk about a couple of our specific products.


Mhmm.


Please forgive me if you find that, like, not helpful. But I just wanna make sure that we have actual money talk out there. Right? And one of them that we talk about regularly now is called Shopping Cart Monitor, because it is so cool. Mhmm. Because it does take care of, like, a lot of the JavaScript skimming and these issues that we're seeing in shopping carts. And we've got a really cool new thing.


But how pricey is it?


Well, it depends on the frequency and the number of websites you need scanned. The Shopping Cart Monitor is all about ecommerce, of course. Mhmm. And it can be as low as fifteen thousand dollars, up to a hundred and fifty thousand dollars, depending on how many. Some people want scans just all the time. Mhmm. That's gonna cost a lot more money.


Sure.


And, basically, Shopping Cart Monitor is truly finding out what can't be found out with just file integrity monitoring or other things going on. It's literally seeing who is riding along with your transaction inside your shopping cart.


Right.


And Shopping Cart Monitor is a big deal. Because when the chip came along and EMV came into full adoption in the United States, the hackers went after shopping carts a lot more. Right. It's a hard, fast target going on right now. And so Shopping Cart Monitor, yeah, if you have a simple website and you wanna check, like, once a month, you know, then it's fairly affordable for what you get, because you're getting the assurance.


And first, we like to do a Shopping Cart Inspect. And the Shopping Cart Inspect is, like, three thousand dollars.


Mhmm.


And what that does is it lays the baseline of what's happening inside your shopping cart at the time of the inspection. Mhmm. And then we kind of consult with you and look at it and say, okay, we're seeing this and this and this and these adware services and all of that. Does this look like what you signed up for?


Mhmm.


Is it what you expected to see? And sometimes they'll go, you know, I have no idea what that's about. And plus, it's pushing data that I don't know what the data is to an IP address somewhere not here.


And so we're gonna kill that. Flag. So yeah. So they'll kill that, clean it up, and we'll create and call that the snapshot baseline.


Mhmm. So that then our Shopping Cart Monitor going forward will say, this is what we're expecting to see. These are the changes that we saw. And you'll come back and say, oh, well, yeah.


That's right. Because I signed up for this new service because I wanted to advertise here. Okay. That makes sense.


Yeah. We're showing you the IP addresses where the feed is going out. Does that make sense? Yes.


Okay. Great. New baseline. Keep going. And we're kinda your partner in determining whether something under the hood is happening that you're not aware of that you don't want.


Yeah. I had someone ask me, well, isn't that just like an ASV scan? And it's not. It's not the same as a vulnerability scan because, as a lot of people... this can get a little nerdy for a second.


As you build the DOM, the state of the page changes during the activities that go on for shopping carts to take your payment, to check you out. The whole checkout process is what I'm trying to say. Mhmm. It changes the page slightly each time, and the vulnerability scan doesn't look at those changes when it's being run.


It looks at out here, but all of these things in here are possibly where negative things are happening.


Yeah. Exactly.


That's right. That's what you want the Shopping Cart Monitor for.


Yeah. Not at all like a vulnerability scan. Yeah. Mhmm.


And the Inspect is a great way to start, like I mentioned. You may do the Inspect and decide that your environment's super simple, and you don't even wanna go with Shopping Cart Monitor. Okay. But you did get a good baseline and a good analysis of what's going on in your shopping cart.


We have banks call us and say, we're trying to figure out where the card leaking is going on. We've done everything. We've checked everything. The customer says it's not them.


And we'll do a Shopping Cart Inspect on them, and we'll go, yeah.


It's them.


Oh, no.


It's going on inside the shopping cart, and here's how it's happening. And then the customer goes, oh my heck. I had no idea. Yeah.


And they'll go in and they'll clean it up. And guess what? The leaking stops. The card leaking stops.


So another curiously, in this crazy world, needed service Yeah.


If you go shopping cart.


For sure. Okay. I think we have time for one last product, and that is Pulse.


Okay.


What can you tell me about Pulse?


Okay. Pulse is a product that has been developed here at SecurityMetrics. It is generally for smaller businesses, not too terribly complicated.


Five, ten, fifteen locations, for example. And what Pulse is all about is it's a centralized gathering of the data coming through your firewalls from all your locations.


We saw the need as we talked to several people that said, I can't keep up with all my locations. And then Larry over there is changing the firewall because he needed to do something. I'm not seeing that till I go there and look at it. What we're helping you with with Pulse is we're pulling in that data into one location.


And then we also have another service where we can analyze on a high-level basis and then dig in as much as you want us to, to give you an idea of changes that are happening that you shouldn't have going on. Like, you might have ports open that you weren't even expecting to have open because somebody needed to do maintenance. They forgot to close the ports, or whatever it may be. Mhmm.


Because it's always moving, always changing. So, I would say Pulse is good.


It's probably not a good fit for everybody, but it's a good thing to investigate and check out. If you find yourself constantly going from location to location to location, trying to figure out what's going on, and you never can stay on top of it, Pulse might be a good fit for you. The cost of that, that's where we were going with that. Am I a salesman?


You are Oh my goodness. A salesman.


Pulse is about a hundred and fifty dollars per device per month, and it's constantly gathering the data. So if you have ten locations, fifteen hundred dollars a month.


Right. And so that's for just gathering and shipping the raw data. Mhmm. But then if you want a deep dive inspect, then that's kind of a different, or an add-on, service.


There are add-on services if you want us to. Some customers just want us to collect it for them, and they'll do their own analysis. Mhmm. And other customers want us to do analysis and get back to them in real time and say, this is what we're seeing going on with the firewall at store number five.


Okay.


And so that there are additional costs for that.


Right.


And I I honestly don't know what that is, but we do have that on our website.


Okay.


And we can learn more about that. And speaking of which, going back to Shopping Cart Inspect, we have some really good data on there that can make it a little bit more understandable.


You can share that with people in your company to... On the website? On our website.


So, and we have more stuff that we're developing right now to teach more about Shopping Cart


Okay.


Monitor, Shopping Cart Inspect.


Alright. Terrific. Well, any other ideas that we should share about costs before we wrap it up today?


Yeah. Another one might be, when you're developing your policies and procedures. Mhmm. We have templates for that, and we include that in our services as part of our audits.


Yeah.


But on your side, you might want to budget for the right people to get in and dig in and really understand it. Lots of times, we'll send a template to people, and they'll go, great. And then they'll open it up and they'll say, this doesn't look like my company.


Right?


Needs to be modified.


Yeah. You gotta modify it. This may not apply, or this might remind you of something that isn't in the standard template that you need to add. Right. So that might require a little bit of staffing time. And you've got to budget for research.


You might wanna rewrite, redevelop, and redefine your network diagrams. Mhmm. That's a cost. Mhmm.


Sometimes you need to bring somebody in to help you analyze and crawl your network and better define it. And when you have your network diagram, you need to have a good process flow description, so that the two reference and talk to each other and it actually makes sense. Because if we look at a network diagram, it's just a bunch of pretty boxes with lines, without good explanations and good rules and good understanding there. Where are the firewalls and stuff?


That kind of work can cost you money too, especially if you can't do that yourself and you need to hire somebody to help you do that. Yeah. There's vulnerability assessment scanning.


That's one thing that can't be sampled.


So requirement eleven point two requires every public-facing, Mhmm, in-scope IP address or domain name to be scanned, and you can't just sample. Right. So if you have tons of stuff, you might consider remapping things so you have less of a public exposure on your IP addresses. And that can save you money.


Well, very good. That's a good thing to end on, is saving money. Yeah. Alright. Lee, thank you so much for joining me today.


Pleasure.


I appreciate it. As always, thank you for joining us, and I hope to see you next time. Remember, please do subscribe, share.


I don't know all of the things, but whatever platform you're on, figure out how to make this more valuable by getting the word out to other people. Take care.


Thanks for watching. To watch more episodes of SecurityMetrics podcast, click on the box on the left. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.
