The deal you never closed
Enterprise deals have security questionnaires. This isn't new. What's new is how early they appear in the sales cycle and how binary the outcome is. If you can't answer them — with evidence, not promises — you don't make the shortlist. You don't get a follow-up meeting. You get a polite "we've decided to go in another direction" email.
Average enterprise SaaS contract value: €50K–€200K per year. Multi-year deals push that to €150K–€600K in total contract value. How many of those have you lost without knowing? You'll never get a rejection email that says "we chose your competitor because they had ISO 27001 and you didn't." But that's exactly what happened.
The pipeline you can't see is the most expensive one. Every quarter without a security baseline is another quarter of enterprise deals that never materialised — not because your product wasn't good enough, but because your security posture wasn't.
The breach math
Average cost of a data breach for companies under 500 employees: €2.98M (IBM Cost of a Data Breach Report, 2024). That's not the worst case. That's not the headline number for a Fortune 500 company. That's the average for companies your size.
The number includes forensics and investigation (understanding what happened), notification costs (telling affected parties), legal and regulatory response, lost business during and after the incident, and long-term reputational damage that suppresses growth for years. Most companies focus on the direct costs and ignore the lost business — which is typically the largest single component.
For a 50–100 person SaaS company doing €5M–€15M in ARR, a €2.98M breach cost isn't just painful. It's existential. Companies this size don't survive breaches at this scale without significant outside capital or years of recovery.
GDPR is not theoretical
Fines up to 4% of annual global revenue or €20M, whichever is higher. That's the maximum. But the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) issued €19.5M in fines in 2024 alone — and they're getting more aggressive, not less.
You don't need to be a large company to get fined. You need to have a breach that you can't demonstrate you took reasonable steps to prevent. "Reasonable steps" means documented policies, implemented controls, evidence of ongoing monitoring, and a tested incident response process. If you have none of those, any breach — even a small one — becomes a regulatory problem.
The regulatory landscape is tightening across Europe. NIS2 expanded scope. DORA added financial services requirements. The trend is clear: more companies in scope, higher expectations, and less tolerance for companies that treat security as optional.
Cyber insurance is getting harder
Three years ago, you could get cyber insurance with a basic application form. Today, insurers require evidence of specific controls before they'll issue a policy: MFA on all accounts, EDR on all endpoints, verified and tested backups, an incident response plan, and evidence of regular vulnerability scanning.
No controls means no coverage — or premiums so high they defeat the purpose. The controls insurers require are the same controls we implement during the 90-Day Accelerator Sprint. This isn't a coincidence. Insurers have done the actuarial math on what actually prevents claims, and these are the controls that matter.
If you're currently uninsured or under-insured because you can't meet the requirements, you're carrying the full risk on your balance sheet. Every day without coverage is another day where a single incident could end the company.
The compounding cost of delay
Security debt compounds like financial debt. Every month without a security baseline is another month of accumulated risk — but it's also another month of evidence you can't produce, another quarter of enterprise deals you can't pursue, another year closer to the incident you're not prepared for.
The companies that invest in security early don't just avoid breaches. They close larger deals faster, pass due diligence reviews without delays, secure better insurance terms, and build a competitive moat that their unprepared competitors can't cross. Security isn't a cost centre. It's a revenue enabler that compounds over time.
The longer you wait, the more it costs to catch up. Not just in implementation costs — those stay roughly the same — but in the deals you didn't close, the insurance you couldn't get, and the risk that accumulated while you were deciding.
What it actually costs to fix
The Clarity Assessment: €2,500. A diagnostic that maps every gap and produces a prioritised remediation roadmap. Credited in full toward the Sprint if you proceed.
The 90-Day Accelerator Sprint: €28,000. Fixed scope, fixed price. Every foundational control implemented, documented, and operational in 90 days. No ambiguity, no scope creep, no open-ended consulting engagement.
Ongoing managed security: from €95/user/month. Continuous monitoring, management, and maintenance of your security environment. The controls stay current, the evidence stays fresh, and you stay protected.
Compare that to one lost enterprise deal. One breach. One fine. One failed insurance application. The math isn't close.
"The most expensive security decision is the one you keep postponing."
Next step