Points of View

Did Accenture Join the “Cyber Fight Club” with its FusionX Acquisition?

Aug 10, 2015

Accenture’s recent acquisition of cyber threat and risk management firm FusionX reinforces our position on the increased level of mass risk at scale threatening the global enterprise community in today’s increasingly digital business environment.


We are witnessing a shift from an analog (legacy) to digital (As-a-Service) economic model (see our new report on the shift to As-a-Service Economy). Fueled by rapid technology development and deployment (cloud, mobile, #IoT…), and the adoption of more dynamic and agile business models, massive amounts of data are being placed online—data that is increasingly at risk of cyber attack.


As both individuals and organized (read “sponsored” or “nation state”) groups deploy progressively sophisticated and creative threats, enterprise organizations have sought to identity vulnerabilities in advance of outside attack.


One emerging approach involves the simulation of true real-world threats. Accenture’s acquisition of FusionX (a private firm, founded in 2010 and based in the Washington, DC area) is intended to bolster the service provider’s capabilities in this area:


  • FusionX provides real-world stress (read “cyber attack”) testing of enterprise security systems across both physical and digital mediums.
  • The FusionX approach involves identifying and mimicking the motivations and tools associated with organized attacks.
  • FusionX launches a series of focused, unannounced, attacks over a period of months to years that exploit the same weaknesses and zero-day threats an enterprise is likely to face on its own.


FusionX services around 70 top-tier clients, including the elite tier of US financial and global oil & gas industries, and an exclusive group of high net worth individuals who utilize its “active threat” consulting services.


From Accenture’s perspective, this acquisition (the first of several we anticipate over the coming 12-36 months) brings a new element of cyber security expertise to Accenture and significantly strengthens their value to Managed Security Services clients,  


From an industry perspective, this is not a game changer itself—we don’t expect any significant/rapid changes to the ongoing operations of the team, and anticipate a very controlled ramp within the Accenture Security practice. But, we do expect competitive service providers to begin highlighting and/or expanding their own “risk” services in this area.


Three keys to value for Accenture include:


  • Expanding its security services offering beyond the existing, somewhat overlapping, FusionX client base (this type of “hands-on” service may not scale rapidly),
  • Leveraging the ongoing intel gathered by FusionX on emerging threats (and counters) to benefit Accenture’s core managed security services clients (this could be a major value-add if they identify exploits and vulnerabilities in advance of the general market), and
  • Articulating the value, and cost justification, of this program in a highly competitive market (while security-related spend appears to be rising, we are also seeing a split of budget money across enterprise stakeholders as business units continue to fund and launch their own online initiatives and assume cost responsibilities tied to their operational requirements).


Enterprise security is only as strong as its weakest (and often unknown) link. Organizations should understand the rationale behind this acquisition and the value of simulating real-world threats that place their business and customers at risk.


From an enterprise perspective, we further recommend they:


  • Recognize, and properly value, the total business risk associated with a loss of consumer’s digital trust in the event of a serious breach.
  • Re-assess the security risks associated with low-value networks/data/devices that may allow access to high-value information.
  • Utilize the role of chief risk officer to ensure a cross-silo emphasis on behavioral and technology-based security.
  • Leverage an element of “real-world” security stress testing as part of a comprehensive digital trust and security strategy, with an emphasis on third-party testing to supplement internal operations.