Step Zero™ Rapid Cybersecurity Cost Estimates

Executive Summary

Step Zero™ shifts the cybersecurity readiness estimate left, making a data-driven Go/No-Go decision possible in days rather than months.

This unique approach, with a known range of verified accuracy, was first field-tested on 12 Fortune 500 Merger and Acquisition (M&A) deals, yet it also supports data-driven investment decisions for cybersecurity compliance.

Private equity firms, investment funds, holding companies, and business development teams are under pressure to create value under conditions of historically unprecedented uncertainty. Success depends on:

  • moving fast
  • moving strategically
  • finding leverage

As cyber concerns increasingly impact business values, a rapid, accurate assessment of cyber readiness and gap mitigation costs is essential to creating value throughout the hold period of the investment – from transaction to transformation.

However, the traditional process to estimate cyber readiness, illustrated by the blue arrows in the graphic, involves significant time and sunk costs before there’s a project schedule and budget. Step one of this process is a thorough gap analysis.

Step Zero saves significant sunk costs for deals that don’t close and improves forecasting accuracy for those that move forward.

What’s in a Step Zero Report?

  • One time spend and recurring costs
  • Spend detail by timing intervals to support financial forecasts
  • Spend detail to support expense versus capital cost forecasts
  • Spend detail by typical project milestones
  • Project duration

Verified Accuracy

  • Based on 12 Fortune 500 deals estimated over 8 years
  • Several deals were tracked to completion to verify the range of accuracy of the original estimate

What’s the Input for a Step Zero Report?

  • Our clients may choose to have estimates based on minimal parameters; this is the “black box” input option. Sometimes publicly available data is all you’ve got, and we make that work
  • Estimates may also be based on extensive client input or the “white box” option; each additional input increases accuracy and ensures the report is based as closely on the current situation as you understand it.

What’s the Cybersecurity Target? What About Compliance?

While cybersecurity standards and best practices advise what to do, they rarely define how much to do. Setting the goal for what is “good enough” is both a business decision and a judgement call by experienced security practitioners.

Without customization or tailoring, Step Zero is calibrated for a level of maturity at which implementation may reasonably be designed to include one or more goals such as:

  • Compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 r2
  • Compliance with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, which includes but has requirements beyond NIST SP 800-171
  • Compliance with the NIST Cybersecurity Framework (CSF)
  • Compliance with the expected requirements of the pending rule for Cybersecurity Maturity Model Certification (CMMC 2.0) Level 2 in DFARS 252.204-7021, which includes but has requirements beyond NIST SP 800-171
  • System and Organization Controls (SOC) types 1, 2, and 3 attestation
  • Compliance with the Health Insurance Portability and Accountability Act (HIPAA)

Why Step Zero™?

  • M&A buyer’s remorse from cybersecurity
    A 2019 survey of over 2,500 senior M&A leaders [2], with half in business and half in tech, reports:
    ‒ 65% of companies had regrets in making a deal due to cybersecurity concerns
    ‒ 80% found unknown or undisclosed cybersecurity issues during M&A integration
    ‒ 81% report putting more focus on the cybersecurity posture of the target
  • Intangible assets are 90% of the total asset value of S&P companies [3]; cyberattacks focus on these intangible assets [4, 5]
  • Cyber risk is ranked the #1 business risk in 2024 and has been among the top 3 since 2017 [6]
  • Transferring cyber risk through cyber insurance policies is increasingly expensive, and desired coverage levels are not always available [7]. Underwriting is heavily influenced by security controls
  • “As cyber risk has become a board-level management issue, it has become increasingly difficult for [Directors] & [Officers] to defend against shareholder actions following a cyber event.” [8]
  • This unique approach, with a known range of verified accuracy, was first field-tested on 12 Merger and Acquisition (M&A) deals, yet it also supports data-driven investment decisions for cybersecurity compliance.

Why SecuriThink?

  • Unique basis of experience and historical facts which verify our range of accuracy, cutting through the under- or over-reporting of costs sometimes motivated by post-deal positioning
  • Rapid estimate delivery makes a data-driven Go/No-Go decision possible in days rather than months
  • Based on 12 Fortune 500 deals estimated over 8 years; several deals were tracked 12-36 months to verify
  • 12 years of experience on exactly this cyber and IT gap assessment and mitigation challenge, with results that won awards and passed inspection by the Department of Defense (DoD)
  • 50+ years combined experience on Fortune 500 mission-critical projects requiring both tech skills and business savvy
  • 30+ years combined experience creating the technology business case for owners, Boards of Directors, and CxOs

Want more?

Acquiring a company without proper cybersecurity due diligence is like buying a used car and taking the seller’s word it is in good condition. [1]

You don’t just acquire a company – you also acquire its cybersecurity posture and a potential trojan horse. [1]

What Else We Do

Managing Up and Out™ Security Strategy and Education

Tap the 30+ years combined experience of our team to align stakeholders from Boards of Directors and C-suite to critical asset owners or front-line team members. Whether it’s a business case, strategy roadmap, or key presentation, we can cross-train, ghostwrite, or deliver on your behalf.

CMMC Readiness

Cybersecurity Maturity Model Certification (CMMC) is the evolution of cybersecurity contractual requirements from the Department of Defense (DoD) with which SecuriThink practitioners have been involved for over 10 years.

Our journey satisfying these requirements is the story of “how we know what done looks like” for cybersecurity, as we state on our website homepage.

SecuriThink Field-Tested Data Classification Solution

Get higher returns on your project investment with a field-tested data classification solution based on two Fortune 500 projects involving 12,000 and 50,000 team members, respectively.

Our Data Classification Solution integrates technology with business transformation methods to manage factors too often left out of a security project. We leverage what’s already going well in your organization, while shifting to higher potential.

Cultural Armour™

Optimizing your company’s information security
Takes more than the latest technology
Or a staff trained to use it.
It takes a shift in thinking.
A shift in acting.

Field-Tested Proactive Insider Threat Program

Over 90% of most companies’ value now comes from intangible assets. In addition to Intellectual Property (IP), brand reputation, competitive advantage, supplier network, employee retention, and customer loyalty are measurably affected by cyberattacks. Research shows some of the most damaging losses come from trusted insiders with malicious intent, also called Insider Threat.

The biggest gains come from proactive attention to Insider Threat; that is, don’t chase after the horse that’s gotten away, keep it from leaving the stable.

Supply Chain Cybersecurity

Threat actors are increasingly exploiting the path of least resistance in the supply chain to attack their real targets. While more large companies have built a reasonable cybersecurity posture, malicious actors still find easy ingress through abundant open doors in smaller suppliers.

Supply chain attacks have skyrocketed to the point where targeted companies are motivated to manage their own risk by managing the risk hiding in their supply chain.