Where the numbers come from.
Every benchmark, regulatory mechanic, initiative outcome range, and framework on this site is anchored to a primary source. This page lists each anchor with the source link and how Preside applies it. Other pages cite specific anchors here instead of repeating the disclosure inline.
If you find a claim on this site that does not trace back to one of these anchors, email info@PresideInsight.com. We update this page when the underlying sources update.
Honest framing
What this page is not.
A list of frameworks Preside cites is not a list of frameworks Preside has built or owns. Preside applies these standards; the standards themselves are maintained by the regulators, standards bodies, and researchers credited under each entry. Source links point to the canonical home of each artifact.
Experience anchors
How we describe what we have run.
Preside is an operator-led firm. The experience claims on this site reference engagements across the founders' careers prior to and including Preside, in roles spanning embedded Microsoft Enterprise Strategy Consulting at a Fortune 1 retailer, large-enterprise IT leadership, post-close integration, and corporate restructures across financial services, life sciences, healthcare, retail, and technology. Specific client names are not used.
-
"100+ organizations" reference (career aggregate)
The "100+ organizations" framing refers to the cumulative count of organizations across the founders' careers in advisory, embedded consulting, post-close integration, and operator roles. It is not a count of Preside engagements alone. Specific organizations are not named because most engagements operated under confidentiality.
Relevant to: buyers evaluating operator depth. Use the qualifier "across careers, not Preside-only" whenever the figure appears in a high-stakes context.
-
No portfolio-company callouts (policy)
Preside does not claim PE portfolio companies as Preside clients on this site, even when the underlying engagement happened. PE engagement is typically subject to GP confidentiality and downstream LP reporting constraints. The site uses generic deal-stage language (entry, hold, exit) rather than named situations.
Relevant to: GPs, operating partners, and diligence teams expecting discretion.
Initiative outcome anchors
The recovery, success, and failure-rate ranges we cite.
Every initiative page on this site quotes an outcome range. Each range comes from a named third-party benchmark. Preside operates inside the conservative end of these ranges.
-
15 to 25 percent recoverable IT spend in year one
The Three-week Cost Optimization Initiative and the Two-week Vendor Rationalization Initiative cite this range. It is the conservative end of published consolidation and rationalization benchmarks for mid-market organizations. Year-one recoveries above 25 percent occur but require either deep SaaS sprawl or a pre-existing renewal cliff.
Sources: Forrester research, BetterCloud State of SaaSOps, Zylo SaaS Management Index.
-
20 to 30 percent SaaS spend reduction from consolidation
Mid-market companies typically run between 100 and 250 SaaS applications depending on whose benchmark you trust (BetterCloud puts mid-market at ~106 apps; Zylo's 2025 SaaS Management Index puts the 501-to-2,500-employee range closer to 255). Consolidation alone (before contract renegotiation) recovers in this range.
Sources: BetterCloud State of SaaSOps 2024-2026, Zylo 2025 SaaS Management Index, Productiv State of SaaS.
-
~30 percent of digital transformations meet target value
Cited on the Three-week Change Readiness Initiative page. Boston Consulting Group research consistently puts the success rate near 30 percent. The remaining 44 percent produce limited value and the remaining 26 percent produce none. The cause is almost always change management, not technology.
Source: BCG: Flipping the Odds of Digital Transformation Success.
-
88 percent of AI POCs never reach production; 95 percent of GenAI pilots produce no measurable ROI
Two separate measurements of the same pattern. IDC and Lenovo report that 88 percent of AI proofs of concept never reach production. MIT NANDA's 2025 research found 95 percent of generative AI pilots in their sample produced no measurable ROI. Both are cited on the Two-week AI Technical Readiness Initiative page. Root cause is usually data readiness, not model quality.
Sources: IDC + Lenovo AI research, MIT NANDA.
-
83 percent of organizations plan agentic AI; 29 percent feel ready
Cited on the Six-week AI Security and Compliance Initiative page. Cisco's 2026 State of AI Security report is the source. The gap is controls (identity, scoped permissions, action logging, kill switch).
Source: Cisco State of AI Security 2026.
Financial framework anchors
Where the Tech P&L and IT spend benchmarks come from.
-
TBM Council Taxonomy v4 (industry-standard IT-finance taxonomy)
The Technology P&L sample on /for-cfo/ is structured against the TBM Taxonomy v4 (towers: End User Computing, Infrastructure & Cloud, Business Applications, Data & Platform, Security/Compliance/DR, IT Management & Delivery, Telecom & Connectivity, Strategic Initiatives). TBM is the industry standard for technology business management used by CIOs and CFOs to align IT spend to business outcomes.
Source: TBM Council Taxonomy.
-
Avasant IT Spending Benchmarks 2024-2025 (annual)
Used for the "% of revenue" benchmark column on the /for-cfo/ sample P&L. Avasant publishes per-industry IT spending ranges across roughly 40 industry chapters. The CFO sample uses Chapter 40 (IT Services and Consulting). Avasant is one of two industry-standard sources for IT spend benchmarking (Gartner is the other).
-
Gartner IT Key Metrics Data 2025 (annual)
The companion benchmark to Avasant. Cited on /for-ceo/ for the run-cost-trajectory dimension on the quarterly view. Gartner IT Key Metrics Data is a paid Gartner publication; the document ID is 5970339.
Source: Gartner Document 5970339.
-
Vertice SaaS Benchmarks 2025 (annual)
Used for the "vendor concentration" analytical note on the /for-cfo/ sample P&L (top three software vendors as a percent of software spend; industry median ~55 percent).
Risk methodology anchors
How dollar-denominated risk is calculated.
Preside expresses technology risk in financial terms on every board-facing deliverable. The methodology and the underlying frameworks are public.
-
Annualized Loss Expectancy (Hubbard & Seiersen)
ALE = Single Loss Expectancy (SLE) multiplied by Annual Rate of Occurrence (ARO), with each number expressed as a defensible range rather than a point estimate. SLE is grounded in asset value and exposure factor. ARO is grounded in industry incident data and the organization's own history. The methodology, applied throughout the Security Posture, Board Governance, and AI Security Initiatives, is documented in Doug Hubbard and Richard Seiersen's How to Measure Anything in Cybersecurity Risk.
Source: How to Measure Anything in Cybersecurity Risk (Wiley, 2nd edition).
-
NIST Cybersecurity Framework 2.0 (February 2024)
NIST CSF 2.0 is the voluntary framework most US boards now expect their companies to align to. Organized around six functions: Govern, Identify, Protect, Detect, Respond, Recover. The 2.0 release added Govern as a top-level function, which put boards on the hook. Used as the structural backbone for the Three-week Security Posture Initiative.
Source: NIST Cybersecurity Framework.
-
NIST SP 800-131A Revision 2 (March 2019)
"Transitioning the Use of Cryptographic Algorithms and Key Lengths." Used as the authoritative reference for cipher deprecation (notably RC4) across the RC4 readiness briefings, compliance violation analyses, and any cryptographic control discussion.
Source: NIST SP 800-131A Revision 2.
-
NIST SP 800-53 Revision 5 (September 2020, updates through 2025)
"Security and Privacy Controls for Information Systems and Organizations." Used for FedRAMP-adjacent assessments and for the SC-13 (Cryptographic Protection) finding language in the RC4 compliance briefings.
Source: NIST SP 800-53 Rev 5.
-
NIST SP 800-171 Revision 3 (May 2024)
"Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." Maps directly to CMMC Level 2 requirements (Requirement 3.13.8 for cryptographic protection during transmission, 3.13.10 for cryptographic key management).
Source: NIST SP 800-171 Rev 3.
AI methodology anchors
Frameworks behind the AI Readiness and AI Security Initiatives.
-
NIST AI Risk Management Framework (AI 100-1, 2023, with GenAI profile 2024)
The structural backbone for the AI Readiness and AI Security Initiatives. Four functions: Govern, Map, Measure, Manage. Readiness scoring maps to Govern; data and use-case assessment maps to Map; control posture maps to Measure; operational posture maps to Manage.
Source: NIST AI Risk Management Framework.
-
OWASP Top 10 for LLM Applications (2025 edition)
Used as the prompt-injection-surface taxonomy for the Six-week AI Security and Compliance Initiative. LLM01:2025 (Prompt Injection), LLM02 (Sensitive Information Disclosure), and LLM06 (Excessive Agency) are the three most commonly cited risks against agentic deployments.
Source: OWASP LLM Top 10.
-
EU AI Act (Regulation (EU) 2024/1689)
Articles 9 to 15 cover high-risk system obligations. Article 50 covers transparency. Cited on the Six-week AI Security and Compliance Initiative and the AI Governance briefings.
Source: EU AI Act, Official Journal.
Regulatory anchors
The compliance mechanics every board, CFO, and CCO page cites.
-
SEC Item 106 of Regulation S-K and Item 1.05 of Form 8-K (Final rule December 2023)
Item 106 requires the annual 10-K to describe the board's oversight of cybersecurity risk and the management process for assessing and managing material risks. Item 1.05 requires disclosure of material cybersecurity incidents within four business days of the materiality determination. The clock starts at the materiality determination, not at incident detection. Cited on /for-board/, the Three-week Board Technology Governance Initiative, and every CISO-altitude page.
Source: SEC Final Rule 33-11216.
-
Delaware Caremark doctrine (Sorenson 2021, Bingle 2022, current jurisprudence)
Directors of Delaware corporations have a fiduciary duty of oversight over mission-critical risks. Pure cyber-failure Caremark claims have mostly lost at the pleading stage: the Delaware Court of Chancery dismissed the SolarWinds derivative suit in Construction Industry Laborers Pension Fund v. Bingle (Sept. 6, 2022) and the Marriott derivative suit in Firemen's Retirement System of St. Louis v. Sorenson (Oct. 5, 2021). Exposure has shifted toward cases where the company issued materially misleading statements about its cybersecurity and the board cannot show a process to verify those statements. Cited on /for-board/ and the Three-week Board Technology Governance Initiative FAQ.
Source: Harvard Law CorpGov Forum analysis.
-
HIPAA Security Rule (45 CFR Part 164, with NPRM December 2024)
Cited on the Four-week Compliance Readiness Initiative and every RC4 healthcare briefing. The existing rule treats encryption as an addressable specification under 45 CFR § 164.312(a)(2)(iv) and § 164.312(e)(2)(ii). The HHS December 2024 NPRM would move encryption from addressable to required for ePHI at rest and in transit, and would add a compliance-audit standard at least every 12 months.
Sources: 45 CFR § 164.312; HHS HIPAA Security Rule NPRM.
-
PCI DSS 4.0 (mandatory March 31, 2025)
Cited on the Four-week Compliance Readiness Initiative. As of March 31, 2025, the 51 future-dated requirements that were optional best practices in 4.0 are mandatory. Requirement 4.2.1 mandates strong cryptography for cardholder data transmission. Requirement 8.3 covers authentication. Requirement 12.3.3 requires a documented cipher inventory and remediation plan.
Source: PCI DSS v4.0 Document Library.
-
NYDFS 23 NYCRR Part 500 (Second Amendment, phased through November 2025)
Cited on /for-board/ for the CISO attestation language. The board or senior governing body must have sufficient cybersecurity understanding to exercise oversight, require management to maintain the program, and review the annual CISO program report.
Source: NYDFS cybersecurity guidance.
-
CMMC (Cybersecurity Maturity Model Certification)
Cited on the Four-week Compliance Readiness Initiative for defense-contractor briefings. CMMC Level 2 and Level 3 requirements map directly to NIST SP 800-171 and NIST SP 800-172. CMMC certification is a contract requirement for many DoD contractors.
Source: DoD CIO CMMC program.
-
FFIEC IT Examination Handbook (Architecture and Operations booklet, updated 2024)
Cited on /for-board/ for OCC, Fed, and FDIC-supervised institutions. The board approves IT strategy aligned to risk appetite, receives regular Architecture, Infrastructure, and Operations governance reports, and is educated to review performance.
Source: FFIEC IT Handbook.
How to use this page
If you came here from a footnote.
Other pages on this site link to specific anchors above via in-page IDs (for example, /methodology/#risk-ale for the ALE methodology). Each anchor names the source, the version or date, and how Preside applies it. Click through to the source. If the source has updated and we have not, email info@PresideInsight.com and we will fix this page.
Want to see how this lands in a working artifact?
The initiative pages show the methodology in motion.
Each Preside Initiative applies the frameworks above to a concrete deliverable in two to six weeks. Fixed scope, fixed price.
Not sure which Initiative fits? Take the four-question path-finder for a personalized recommendation.