Executive Summary

Step Zero™ shifts the cybersecurity readiness estimate left, making a data-driven Go/No-Go decision possible in days rather than months.

This unique approach, with a known range of verified accuracy, was first field-test on 12 Fortune 500 Merger and Acquisition (M&A) deals yet it also supports data-driven investment decisions for cybersecurity compliance.

Private equity firms, investment funds, holding companies, and business development teams are under pressure to create value under conditions of historically unprecedented uncertainty. Success depends on:

• moving fast
• moving strategically
• finding leverage

As cyber concerns increasingly impact business values, a rapid, accurate assessment of cyber readiness and gap mitigation costs is essential to creating value throughout the hold period of the investment – from transaction to transformation.

However, the traditional process to estimate cyber readiness, illustrated by the blue arrows in the graphic, involves significant time and sunk costs before there’s a project schedule and budget. Step one of this process is a thorough gap analysis.

Step Zero saves significant sunk costs for deals that don’t close and improves forecasting accuracy for those that move forward.

What’s in a Step Zero Report?

Estimates

• One time spend and recurring costs
• Spend detail by timing intervals to support financial forecasts
• Spend detail to support expense versus capital cost forecasts
• Spend detail by typical project milestones
• Project duration

Verified Accuracy

• Based on 12 Fortune 500 deals estimated over 8 years
• Several deals were tracked to completion to verify the range of accuracy of the original estimate

What’s the Input for a Step Zero Report?

• Our clients may choose estimates be based on minimal parameters; this is the “black box” input option. Sometimes publicly available data is all you’ve got and we make that work
• Estimates may also be based on extensive client input or the “white box” option; each additional input increases accuracy and ensures the report is based as closely on the current situation as you understand it.

What’s the Cybersecurity Target?  What About Compliance?

While Cybersecurity standards and best practices advise what to do, they rarely define how much to do. Setting the goal for what is “good enough” is both a business decision and a judgement call by experienced security practitioners.

Without customization or tailoring, Step Zero is calibrated for a level of maturity at which implementation may reasonably be designed to include one or more goals such as:

• Compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 r2
• Compliance with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, which includes but has requirements beyond NIST SP 800-171
• Compliance with the expected requirements of the pending rule for Cybersecurity Maturity Model Certification (CMMC 2.0) Level 2 in DFARS DFARS 252.204-7021, which includes but has requirements beyond NIST SP 800-171
• System and Organization Controls (SOC) types 1, 2, and 3 attestation
• Compliance with the Health Insurance Portability and Accountability Act (HIPAA)

Why Step Zero™?

• M&A Buyer’s remorse from cybersecurity –
  A 2019 survey of over 2,500 senior M&A leaders², with half in business and half in tech, reports:
  ‒ 65% of companies had regrets in making a deal due to cybersecurity concerns
  ‒ 80% found unknown or undisclosed cybersecurity issues during M&A integration
  ‒ 81% report putting more focus on the cybersecurity posture of the target
• Intangible assets are 90% of the total asset value of S&P companies³; cyberattacks focus on these intangible assets^4,5
• Cyber risk is ranked the #1 business risk in 2022 and has been among the top 3 since 2017⁶
• Transferring cyber risk through cyber insurance policies is increasingly expensive and desired coverage levels are not always available⁷. Underwriting is heavily influenced by security controls
• “As cyber risk has become a board-level management issue, it has become increasingly difficult for [Directors] & [Officers] to defend against shareholder actions following a cyber event.”⁸
• This unique approach, with a known range of verified accuracy, was first field-test on 12 Merger and Acquisition (M&A) deals yet it also supports data-driven investment decisions for cybersecurity compliance.

Why Securithink?

• Unique basis of experience and historical facts which verify our range of accuracy, cutting through the under- or over-reporting of costs sometimes motivated by post-deal positioning
• Rapid estimate delivery makes a data-driven Go/No-Go decision possible in days rather than months
• Based on 12 Fortune 500 deals estimated over 8 years; several deals were tracked 12-36 months to verify
• 12 years of experience on exactly this cyber and IT gap assessment and mitigation challenge with results that won awards and passed inspection by the Department of Defense (DoD)
• 50+ years combined experience on Fortune 500 mission critical projects requiring both tech skills and business savvy
• 30+ years combined experience creating the technology business case for owners, Boards of Directors, and CxOs

Want more?

• Read our Field Note: Avoid M&A Buyer’s Remorse from Cybersecurity
• Read more about the Step Zero cybersecurity maturity target here.
• We invite you to contact us to explore if Step Zero is a good fit for your situation.