What is a Cybersecurity Posture Assessment and Why Do You Need One?

When developing or remodeling an Information Security Defense Plan, conducting a cybersecurity posture assessment is the best place to start. The purpose of this non-technical assessment is to determine the condition of your operational resilience and cybersecurity practices. Doing so enables you to implement the best defense strategy for both acceptable risk and return on investment. In addition to helping you understand where you’re at and what you’re missing, a security posture report provides a roadmap to building the security your business needs for health and continuity into the future.

How to begin with assessing your cybersecurity risks and needs

Where do you start, after making the commitment to doing an assessment? There are literally thousands of documented standards specific to industries and locations, with special best practices and legal requirements for data protections of different kinds of data. You can do it yourself with publicly available resources as published by a multitude of government and non-profit agencies. Check our library for links and downloads to public resources.

You may also choose to hire a cybersecurity professional to manage your assessment process. Publicly available cyber assessment tools are a great place to start, but a qualified expert can help you choose and customize the right tools for your unique situation. Assessment frameworks are written for broad audiences, and generally, some personalization and fine tuning can remove factors that are not relevant to your organization, saving time and providing greater clarity. You may have an IT Department, with or without Cybersecurity professionals, who can conduct the assessment, but this creates additional risk of blind spots being missed compared with having a third party cyber defense professional as the project manager for your assessment. Additionally, hiring an outside expert to guide you through the process, especially if it is the first time you have conducted this level of in depth security review, can provide more accurate results and free up your in house professionals for improved ongoing monitoring and change management. We don’t want to discourage you from conducting a DIY cyber assessment, and encourage you, if you choose to do so, to give it your highest level of care and attention. Please use our resources if they are helpful for you. And, we are happy to answer questions on broad or specific topics in our free 30 minute consultation.

Identifying the Next Best Steps for your Cybersecurity Action Plan

After the data has been gathered, your project manager will analyze the current strength of your organization’s security structure and assess the current posture against both basic cybersecurity health requirements and your needs as identified in the assessment process. Your project manager may have more questions during the analysis phase and may ask to meet with you and other members of your team to fine tune our recommendations for your next best steps. We will also evaluate your needs against your security budget.

Actionable Recommendations are Detailed in Order of Priority

After identifying your areas of risk, we provide 5-10 recommendations of specific steps to prioritize for action. We prioritize based on several factors, including urgency, ease of implementation, cost benefit analysis and projected return on investment. We also provide additional recommendations for building your cybersecurity resiliency into the future.

Our Project Management Process for Cybersecurity Posture Assessments

The first thing that happens after you schedule a security risk assessment with us is a personal connection. You are matched with one of our certified cybersecurity professionals who will work with you from beginning to end as the project manager for your assessment. You and your project manager l work together as partners to identify crucial data points. We use several tools and frameworks built and developed by various agencies of the US Government, the SBA, not for profit cybersecurity foundations and enterprise solutions providers. These are the best of the best, but at the same time, they are built for a broad user base. We bring them one step closer to you by customizing standard questions sets for your industry, size and other relevant factors. This helps make the process run more smoothly, while creating a stronger focus on aspects most relevant to your organization. Questions are customized for your industry, the size of your organization, your network architecture and more, with clear wording that leaves out obscure acronyms and jargon. If you have questions during the process of gathering your responses, your project manager is an email or phone call away. During the data gathering phase of your posture assessment, we work with you to clarify how your security is structured and to identify your most important risks. You gather the information from your documentation, staff and vendors. Identifying those questions where you are uncertain of the answers is as much a part of the process as providing the answers you know.

What Changes Will You Make?

Our clients tell us the recommended list of prioritized steps is one of the best benefits of working with their project manager. You may have 50 recommended actions after completing a risk assessment, and it can be overwhelming when trying to prioritize changes. Some changes are definitely more important than others, and assessments will often identify changes to consider that may not be your best investment at this time. A cost benefit analysis is always a factor in all recommended cybersecurity updates. The level of security an organization needs and the right amount to spend are unique to each situation, and the models often don’t clearly identify where to start and what can more safely be scheduled for future budgeting cycles. Some solutions can be very expensive, and there may be simpler, more affordable ways to meet specific needs, especially if you build your security plans to take advantage of and fully use your existing resources.

Before you can even sell pencils to the US Federal Government, you have to pass a cybersecurity maturity audit. We use many of the same tools built by the Department of Homeland Security and the DOD for use by businesses preparing to pass government approved security audits. Whatever your business, we can help you achieve government contract worthy cybersecurity.

How long does it take to conduct a cybersecurity posture assessment?

Generally, we schedule the process so as to send you a full report with all steps completed in 30-45 days or less. We provide a suggested timeline to you for gathering your information, and allow a couple of extra weeks as needed for clarifying questions. Of course, this timeline can always be altered as fits your needs. For example, if you are required to pass an audit for eligibility to fulfill a government contract, you may need a shorter, more intensive schedule. We can discuss your preferred timeline in our consultation meeting. It is advisable to contact us as soon as possible if you are seeking a project manager to help you pass an audit so we can schedule you at our earliest availability.

For your part, your time commitment largely depends on the size of your organization and the depth and complexity of your network. We communicate with you through email, over the telephone and via Teams or Zoom meetings, at your preference. Generally, it is most effective to work with multiple people from your organization so as to gather the best data from a variety of departments. We base our cyber risk posture assessments on frameworks developed by NIST, the US Department of Defense, the US Department of Energy and other reputable public sources. Our goal is to help you develop a clear understanding of your network, systems and operations, allowing you to focus your defenses on prevention, rather than having to react after a breach happens. By proactively implementing protections that stop worms, viruses, ransomware, and other malicious software before they infect your network, you help ensure your business continuity and profitability.

How much does it cost to hire a cybersecurity risk assessment project manager?

The cost for project management is dependent on the size of your organization, network topography, number of users on your network (including people and devices), and in some cases, on your industry. Prices start as low as $1,500 for smaller networks. There is no charge to discuss pricing as it pertains to your network, and we always provide up front pricing for services. Give us a call or connect with us above to schedule a free consultation!

Connect:

Have questions? Let’s talk! Please tell us a little bit about your organization and where you are in the process of conducting a risk assessment. We’ll get back to you within 48 hours. We offer free 30 minute consultations and we’re happy to answer questions and provide recommendations for risk assessment frameworks. If you are seeking a project manager for your posture assessment, we offer up front pricing based on organizational size. You’re also welcome to call us at the number above to schedule a consultation.

Name

Phone number

Message

We do not sell your personal or de-identified information and use best practice precautions to protect your data. By submitting this form, you agree to our Terms of Service and Privacy Policy. You further agree that we may contact you in response.

Please send me occasional industry critical information updates and cybersecurity alerts.