
Three-week Security Posture Initiative

Architectural gap analysis against NIST CSF 2.0, mapped to your current environment. Risk register in financial terms. Prioritized remediation list with effort and risk-reduction estimates. Output formatted for both the CISO and the board.

3 weeks (15 working days)
Fixed price (agreed at scoping)
Report + deck (delivered on the date)

Who this is for

A defensible security posture assessment, board-ready in three weeks.

CISO

You need a defensible posture document for board, audit committee, or cyber insurance renewal.

CIO

You inherited a security program and want an outside read on where the actual gaps sit before committing budget.

Board / Audit Committee

You want a third-party view on technology risk in plain financial terms, not a vendor pitch.

CFO

You need the security spend question framed in risk-reduction terms, not feature lists.

Scope

What this initiative delivers, and what it does not.

Scope is fixed at signing. Items tagged TOP are available inside the broader Technology Operating Partner retainer; the initiative alone does not include them. Items tagged with an outside source require a separate specialty engagement.

In scope

15 working days
  • NIST CSF 2.0 control-by-control gap analysis (or your specified framework: CIS v8, ISO 27001 Annex A, sector-specific)
  • Identity posture review (Microsoft Entra ID, on-prem AD authentication, conditional access, MFA coverage)
  • Microsoft 365 tenant scan via read-only Graph API where access is provided
  • Policy and documentation review (existing security policies, incident response, vendor risk)
  • Risk register populated and quantified in annualized loss expectancy (ALE) where data permits
  • Prioritized remediation list with effort estimates and risk-reduction signal
  • Board-ready summary deck

Out of scope

Available elsewhere
  • Penetration testing or red-team engagement (Specialty firm)
  • Endpoint or network vulnerability scanning (Specialty firm)
  • Implementation of any remediation (TOP)
  • Security tool selection or procurement (TOP)
  • Formal certification or attestation (Qualified assessor)
  • Forensic incident response (Specialty firm)

TOP: available via the Technology Operating Partner retainer. Specialty firm: engage a qualified third party.

Inputs

What we need from you

Provided at kickoff. Missing inputs delay the initiative; they do not change scope.

  • Read-only access to your identity tenant (Microsoft Entra ID) and M365 admin center
  • Existing security policies, incident response plan, and prior assessment reports
  • Vendor risk register or third-party inventory if one exists
  • Two to four stakeholder interviews (CISO, IT lead, GC or compliance lead, optionally CFO)

Timeline

Week by week

Daily visibility throughout. Mid-initiative check confirms direction before the deliverable lands.

Week 1

Kickoff, access, tenant scans

Scope confirmation, access provisioning, document intake. Read-only Graph API scans and identity posture analysis. Policy and documentation review begins.

Week 2

Interviews and control mapping

Two to four targeted stakeholder interviews. Control-by-control gap mapping against NIST CSF 2.0. Mid-initiative direction check with your CISO at the end of the week.

Week 3

Risk register, roadmap, walkthrough

Risk register quantified in financial terms where data permits. Prioritized remediation list. Board-ready deck drafted. Walkthrough call and deliverable handoff.

Output

What you walk away with

  • Written security posture report mapped to NIST CSF (or chosen framework), control by control
  • Risk register with each gap quantified in ALE terms where data permits
  • Prioritized remediation list (effort, risk reduction signal, dependency)
  • Board-ready summary deck (one slide per major theme)
  • 60-minute walkthrough call

Honest framing

What this initiative is not

This Initiative produces an advisory document. It is not a penetration test, vulnerability scan, audit, or certification. The risk register is sized using industry-standard ALE methodology and your tenant data; quantification is directional and improves as more data is provided. Engage a qualified pen-testing firm for adversarial validation, and a qualified assessor for formal certification.

If you are a portfolio company

How the work calibrates to the PE-backed seat.

Companies inside a PE portfolio operate against constraints generalist enterprise framing does not cover. Each of these shapes how the Initiative is scoped and sequenced.

  • Board reporting cycle. Output is sized to land before the next quarterly board read, not the company's annual planning calendar.
  • Exit window math. Decisions made 12 to 24 months ahead of exit show up at the bid. Where applicable, findings are tagged for the exit-window timeline they affect.
  • Add-on integration tempo. Findings that pertain to acquisition integrations are surfaced separately so the deal team can either price them in or sequence the integration around them.
  • Cost discipline by hold position. Recommendations are calibrated to where the portco sits in the hold cycle. A company in early hold has different cost flex than one 12 months from exit.

FAQ

Questions buyers ask first

What is NIST CSF 2.0 and do we need to follow it?

NIST CSF 2.0 is the voluntary framework most US boards now expect their companies to align to. It is organized around six functions: Govern, Identify, Protect, Detect, Respond, Recover. The 2.0 release added Govern as a top-level function, which is what put boards on the hook. Mid-market organizations typically target Tier 3 (Repeatable) within twelve months. The Security Posture Initiative produces the current Tier rating, the Tier 3 gap list, and the 90-day plan to close it.

How does a board cybersecurity dashboard differ from a CISO dashboard?

Board dashboards report in dollars and trends. CISO dashboards report in counts and events. The board dashboard should fit six tiles. Overall posture score with trend. ALE baseline with quarter-over-quarter change. Mean time to detect and respond. Third-party vendor risk summary. Compliance status by framework. Top three risks with the owner and the due date. Preside builds the dashboard once and runs it quarterly, so the board sees the same format every meeting.

What is the difference between NIST CSF and ISO 27001?

NIST CSF is a voluntary US framework organized around six functions and oriented toward risk management. ISO 27001 is an international certifiable standard organized around an Information Security Management System. Most mid-market organizations run CSF as the internal risk language and pursue ISO 27001 or SOC 2 when customers contractually require it. The Security Posture Initiative maps your controls to CSF first, then to whichever certification the sales cycle is asking for.

Inside the broader program

When the initiative becomes the standing engagement

This Initiative is a one-time fixed-price engagement. The Technology Operating Partner relationship continues the work on a quarterly cadence at one of four Program tiers: the dashboard gets re-run, the savings get re-baselined, the architecture gets re-mapped, and the board gets the same format every meeting. Most clients begin with an Initiative like this one and decide on the tier after the deliverable lands.

Ready to scope this

From red, yellow, green to risk in dollars. Three weeks, board-ready.

One email. Brief description of the situation. We respond within one business day with initiative confirmation or a recommendation of a better fit.

Not sure this is the right initiative for your situation? Take the four-question path-finder for a personalized recommendation.