What Is the Price of a Step Zero™ Report?


Primarily offered through a network of trusted advisors, the Step Zero™ report supports faster, data-driven business decisions about cybersecurity by shifting the estimate left, making Go/No-Go decisions possible in days rather than months. Our flat fee pricing has consistently been substantially less than the standard approach, minimizing sunk costs when the decision is No-Go while mapping the path ahead with high visibility for those organizations that give the project a green light.

While Step Zero is a good fit for many cybersecurity project decisions, it’s not for everyone. We cover recommended thresholds for clients to realize solid value.

Like the Step Zero report itself, the price is customized to each situation, yet in this post we discuss what’s consistent across all our clients and which key variables bring the price up or down.


What is the Price of a Step Zero Report?

Just like your Step Zero report itself, the price is customized to each situation.

What’s consistent across all our clients is that we:

  • Charge a flat fee
  • Have consistently kept our flat fee substantially less than the standard approach, minimizing sunk costs when the decision is No-Go while mapping the path ahead with high visibility for those organizations that give the project a green light
  • Strive to make our fee noise-level when compared to the value of the decision which the Step Zero report facilitates
  • Work primarily through a network of trusted advisors who are part of the process
  • Are open to a reasonable discussion of the proposed fee prior to report authorization if you don’t see significant leverage in the price you are quoted. Once the report is authorized, however, the price is firm and final.
  • Deliver the report with no strings attached. Your trusted advisor is your primary guide; we often come in as specialists to do a narrowly defined job.
  • Will provide your custom price quote to your trusted advisor promptly, usually after our first meeting under a mutual non-disclosure agreement. For M&A clients our service level agreement for this is within 48 hours after our meeting. For clients that qualify for the CMMC Data Exchange, it may take up to 3 days.

Key Variables

While we have some baselines, the final price quoted for your report will be adjusted for several variables. They are:

  • Mergers and Acquisitions (M&A) Environment factors
  • CMMC* Data Exchange
  • Demand Pricing
  • Situation-specific stresses (e.g., expedited timelines)

The Mergers and Acquisitions (M&A) Environment

M&A is a specialized context which is priced accordingly.

Step Zero was created to address the fundamental challenge that very little information about the target’s cybersecurity stance is available and even less can be trusted. Questionnaires which the target completes are consistently useless.

Step Zero was verified specifically to address the fact that the post-deal environment is almost always politically charged. Assuming action is taken to address the cybersecurity gap, the project costs are nearly always over- or under-reported to serve the political spin of the stakeholders involved.

Deal making is often a compressed cycle. Even when the deal at large may not have been rushed, cybersecurity is often an afterthought, making rapid report delivery an essential aspect of a useful contribution. We currently offer a 72-hour turnaround in most cases and our report authorization form is very specific about the delivery mechanism to ensure we live up to whatever commitment we make in your Statement of Work (SOW).

The specific service levels we can offer for your M&A Step Zero report will have all the details which are tied to the quoted price.

The CMMC* Data Exchange Program

The CMMC Data Exchange Program is a package specifically tailored to keep contractors and subcontractors for the Department of Defense (DoD) in business and profitable even as they face increased cybersecurity requirements. SecuriThink and our senior practitioners have a special place for the companies of the Defense Industrial Base (DIB), especially the small and medium businesses.

The pressures of CMMC are widely expected to drive additional consolidation of the DIB. All company owners and leaders face tough decisions. In some cases, the decisions are heartbreaking.

We thought hard about what we could do and realized that the companies that move ahead with CMMC will, at the end of their journey, have something that’s of value to us but useful to very few others.

If you do CMMC, you’ll have your own data:

  • What did the project cost?
  • How long did it take?
  • What are the on-going maintenance costs?

The CMMC Data Exchange program, which is just for DIB clients of Step Zero, will give you the option to be paid for that project information once you have it, even though that could be as much as a year or more from the time you receive your report.

There are three differences for the CMMC program:

  • You give us valuable data. We’ll use that information to continue to expand the historical facts so you’re also helping us help others.
  • You may have slower delivery times compared to the speed at which M&A reports are processed.
  • You pay less. In addition to an initially reduced price, your total cost is further reduced with a rebate of up to $5,000 if you, at the end of your one-time CMMC project, give us a complete debrief, including detailed costs.

If you may be interested in the CMMC Data Exchange Program, we’ll talk about that when we meet with you.

Demand Pricing

As in many other markets, prices go up or down depending on the available capacity. Our SecuriThink team is a very specialized resource. In addition to requiring a deep level of experience which is intrinsic to the process, the engine which generates the Step Zero report is proprietary. Few team members have access. Each Step Zero report has a statement of work which captures the details we can offer at that time for that situation.

Not for everyone

While Step Zero is a good fit for many situations, it’s not for everyone. We’re sorry about that, but we’d rather be straight about it up-front. We strive to make our fee noise level compared to the value of the decision we are supporting.

For the CMMC Data Exchange Program, our experience says an organization should have at least $25 million in DoD work to realize full value.

For M&A reports, our experience says a deal should be at least $35 million to get full leverage.


Want more?

All the posts about Step Zero are curated here

We invite you to contact us to explore if Step Zero is a good fit for your situation.


  • CMMC = Cybersecurity Maturity Model Certification, a U.S. Government program which requires third-party assessments to ensure contractors and sub-contractors are implementing requirements. The Department of Defense is taking the lead in putting this in contracts.
  • DIB = Defense Industrial Base, the contractors and sub-contractors that do business with the U.S. Department of Defense
  • DoD = the U.S. Department of Defense
  • M&A = Mergers and Acquisitions
  • SOW = Statement of Work

More about Step Zero™

Cost of CMMC: Conquer the Fear Of Finding Out

What will CMMC (Cybersecurity Maturity Model Certification) cost your organization? Many Defense contractors have a Fear Of Finding Out (FOFO) due, in part, to the traditional approach where sunk costs add up before an estimate is produced. A SecuriThink Step Zero report answers the question with a verified level of accuracy in as little as 72 hours. Want to know how we do it?
(5 minute read)

Step Zero™ Frequently Asked Questions (FAQ)

Step Zero™ is a field-tested cyber tool for business decision-makers which provides a financial estimate of the cost to achieve a cybersecurity stance reasonable for both risk management and most compliance requirements. The report, which can often be generated in 72 hours, has a verified level of accuracy.

Step Zero™ Rapid Cybersecurity Cost Estimates

This unique approach, with a known range of verified accuracy, was first field-tested on 12 Fortune 500 Merger and Acquisition (M&A) deals yet it also supports data-driven investment decisions for cybersecurity compliance.

Cyber Risk is a Top Business Risk

In 2023, cybersecurity again ranks among the top of all business risks, as it has consistently done for many years.

We don’t expect the relative importance of cybersecurity on your Board or C-suite agenda to hinge on whether cybersecurity ranked #1 or #8 in some study. Our point is that in multiple studies which survey long lists of enormous risks facing our world and your business, cyber ranks predictably in the single digits and often the top 3-5.
(5 minute read)

Intangible Assets are Driving Cyber Risk

• Intangible assets are increasingly important in total company value.
• Intangible assets are in the crosshairs of cyberattacks.
This one-two punch is driving cybersecurity into a more critical role in protecting company value.

Evidence that the game has already changed is showing up in Mergers & Acquisitions (M&A), owner exit strategies, credit ratings, and cyber insurance.
(5 minute read)

Avoid M&A Buyer’s Remorse from Cybersecurity

Cybersecurity is a significant driver of buyer’s remorse in Mergers and Acquisitions (M&A). That’s no surprise when more than half of all companies have poor cybersecurity.

What’s needed is a way to rapidly assess cybersecurity costs early in the deal process. Our unique solution has been field-tested on 12 Fortune 500 M&A deals.
(4.5 minute read)

How We Know What Done Looks Like

While cybersecurity standards and best practices advise what to do, they rarely define how much to do. It is critical to understand that cyber risk can never be eliminated and, at a certain point, there are diminishing returns on investment. Setting the goal for what is “good enough” is both a business decision and a judgement call by experienced security practitioners.

Our cybersecurity maturity journey is the story of “how we know what done looks like”. The SecuriThink team has already made the journey so we can show you the way.
