Module 1: Evaluating the Current State - Know Where You Stand

Cyber security strategy and budgeting guide

We are embarking on our cybersecurity for mid-sized companies program! If you missed our introduction, consider reading the Cybersecurity Strategy & Budgeting Guide overview before proceeding further.

ARG’s program is designed to assist you in understanding the types of security threats you need to manage. We will also discuss how to go about identifying a service provider to fill your need. Most of the mid-market IT professionals we talk to do not have a clear idea of how much security solutions should cost. We will help you understand the cost models of various approaches along the way.

Before you start any program, it is usually a good idea to examine your current state. Once you understand your current security posture, you can develop a strategy and begin to assemble the assets to accomplish your goals.

To get a handle on your current state, we suggest conducting up to four separate evaluations of your cybersecurity posture. Not all four evaluations may be required for your specific business, so conduct the evaluations most appropriate for your situation. The evaluations can be done simultaneously and by the same service provider if they possess the appropriate tools and expertise. We do not recommend using your current IT or cybersecurity vendor for these assessments. Your current vendors may be your trusted advisors, but they have an unavoidable conflict of interest when evaluating solutions which they have implemented. Use an independent third party to test and evaluate your current measures in order to avoid bias.

Let us warn you that these evaluations are a lot like going to visit a doctor for the first time in a long while. You may feel fine, but you are likely to experience some apprehension about what you will learn. Feeling apprehensive is perfectly natural. We all know people who postponed that first doctor’s visit longer than they should have. Let’s get moving before it is too late!

ARG Recommended Core Evaluations:

1. Active Threat Assessment

You may think that there is nothing unusual going on in your network today, but can you be sure? A threat assessment is a real-time scan of your environment to determine if you have current data flows to known malicious IP addresses. A threat assessment will compare IP addresses coming into and out of your network against known bad actor databases. You will be immediately aware of security issues and receive recommendations on how to remediate the unauthorized activity.

A threat assessment may also alert you to less harmful, but still unwanted, misuses of the network such as streaming content, excessive use of social media or unauthorized services installed on your systems. An active threat assessment should not be skipped. You will want to eliminate any current security breach activity while you work through the rest of the planning and execution of your larger strategy.

An active threat assessment can be done periodically or subscribed to as a service for real-time notice of activity as it commences. A one-time assessment can run up to $3,000. However, a few service providers will do a free active threat assessment for the right to propose their ongoing service. Ongoing monthly active threat assessment services start at $2,000 per month for up to 64 IP addresses monitored.
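The core check an active threat assessment performs is simple to state: take the connections crossing your network boundary and look each external address up in a database of known bad actors. The script below is an added illustration of that check, not ARG's tool or code from any provider it works with. The connection-log format, the blocklist feed and every address in it are constructed for the example (all addresses come from the RFC 5737 documentation ranges); a real assessment would consume a firewall or NetFlow export and a commercial or open threat-intelligence feed in their native formats.

```python
"""Match boundary-crossing connections against a blocklist of known-bad addresses.

Added example of the matching step in an active threat assessment. The log
lines, the blocklist feed and the IP addresses below are all constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed threat-intelligence feed: single addresses and CIDR ranges,
# each tagged with the reason it is listed.
BLOCKLIST_FEED = """
203.0.113.45  c2-beacon
198.51.100.0/24  scanner-range
192.0.2.77  malware-download
"""

# Constructed connection log: timestamp, source, destination, dest port, bytes.
SAMPLE_LOG = """
2018-01-15T09:12:03 10.0.5.21 203.0.113.45 443 18234
2018-01-15T09:12:09 10.0.5.21 203.0.113.9 443 2201
2018-01-15T09:13:41 198.51.100.200 10.0.5.8 22 0
2018-01-15T09:14:02 10.0.7.14 192.0.2.77 80 1048576
2018-01-15T09:14:30 10.0.5.8 10.0.5.21 445 512
"""

# RFC 1918 ranges; anything outside them is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Finding:
    timestamp: str
    internal_host: str
    remote_ip: str
    direction: str   # "outbound" or "inbound" relative to the internal host
    reason: str
    dport: int


def parse_blocklist(text):
    """Return a list of (network, reason); single IPs become /32 networks."""
    entries = []
    for line in text.strip().splitlines():
        ip_or_net, reason = line.split()
        entries.append((ipaddress.ip_network(ip_or_net, strict=False), reason))
    return entries


def lookup(ip, blocklist):
    """Return the listing reason for ip, or None if it is not on the blocklist."""
    addr = ipaddress.ip_address(ip)
    for net, reason in blocklist:
        if addr in net:
            return reason
    return None


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def scan_log(log_text, blocklist):
    """Flag every boundary-crossing flow whose external end is on the blocklist."""
    findings = []
    for line in log_text.strip().splitlines():
        ts, src, dst, dport, _nbytes = line.split()
        # Try both orientations so inbound and outbound flows are both checked;
        # internal-to-internal traffic is skipped in both.
        for local, remote, direction in ((src, dst, "outbound"), (dst, src, "inbound")):
            if is_internal(local) and not is_internal(remote):
                reason = lookup(remote, blocklist)
                if reason:
                    findings.append(Finding(ts, local, remote, direction, reason, int(dport)))
    return findings


def summarize(findings):
    """Group listing reasons by internal host so each machine can be triaged once."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.internal_host, []).append(f.reason)
    return by_host


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG, parse_blocklist(BLOCKLIST_FEED))
    for f in hits:
        print(f"{f.timestamp} {f.internal_host} {f.direction} {f.remote_ip}:{f.dport} [{f.reason}]")
    print(summarize(hits))
```

The matcher deliberately reports the internal host rather than the flow, because that is the unit of remediation: the host talking to the listed address is the one to isolate and examine. Matching against CIDR ranges as well as single addresses matters because feeds commonly list whole scanner or hosting netblocks, and a /32-only lookup would miss the inbound scan from 198.51.100.200 in the sample.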

2. Security Assessment

A security or vulnerability assessment can be thought of as an audit. Audits are designed to determine whether measures currently in place are up to industry standards and whether additional measures may be appropriate to address the full spectrum of threats to the organization. In a security assessment, you open your environment to an expert so they can examine, test, survey and evaluate existing security measures. The result is a report on your current security posture and a list of potential improvements that you might consider undertaking. The security assessment is a key component of building your security strategy and should not be omitted from your assessment of the current state unless you intend to build a new security structure from the ground up. A security assessment will typically run $4,000 to $15,000, depending upon the environment being evaluated. The assessment includes a detailed report identifying areas that you should consider addressing.

3. Penetration Test

A penetration test is the opposite of a security assessment. In a penetration test, you do not invite the expert in. A penetration test involves contracting with an ethical hacker to see if they can break into your network. The ethical “white hat” hacker may conduct surveillance or reconnaissance of the organization, attempt various attack strategies and even test human vulnerabilities. Penetration testing is a real-world simulation of a hack attempt to validate that the security measures deployed are operating as intended. The results of a penetration test will be a report on the information acquired through reconnaissance, attack vectors utilized, and the results observed. Additionally, penetration tests provide recommendations on measures you can take to improve your security profile.

Penetration tests are usually one-time events and can cost from $5,000 to $20,000, depending upon the number of IP addresses to be tested and the depth of surveillance activities.

4. Compliance Evaluation

Today, most companies have some sort of compliance requirements. For example, companies that accept credit cards are required to be PCI compliant. Many Washington DC organizations must comply with the variety of standards promulgated by the National Institute of Standards and Technology (NIST) if they work for or on government projects. Those in the medical vertical, and an increasing number of law practices, must be HIPAA compliant. A compliance evaluation will identify the specific compliance requirements that impact cybersecurity and identify changes, if any, required to bring your organization into compliance. A compliance evaluation typically consists of a substantial review with a comprehensive report that will generally cost between $15,000 and $25,000 for a mid-sized organization.

[Figure: core evaluations]

The results of these four evaluations will provide the foundation for your strategy development. To get started with a security evaluation, contact us today:

As always, our consulting is free of charge. If you'd like to engage with our experts to validate your 2018 security budget, please contact ARG directly at 703-770-2400 or at

ARG works objectively with over 350 service providers across disciplines such as: cybersecurity, cloud computing, backup and recovery, unified communication as a service, mobility, conferencing and collaboration, data center, bandwidth and voice and data networks. We can find the right service provider to meet any need.

Your business runs on technology. Protect your business.