Which type of cybersecurity assessment is right for you?
Cybersecurity assessments come in many flavors and under many names. Since cybersecurity is foundational to every IT system on the planet, most technology evaluation initiatives are heavily weighted toward identifying and reducing cyber threat risk.
Computers, managed IT, cloud services, software, and the Internet (and everything connected to it) are inseparable from cybersecurity.
So “Technology Assessments” and “Cybersecurity Assessments” are often the same thing.
The most significant difference between a free and a paid assessment is the time and depth of discovery required to produce accurate, data-driven recommendations.
There’s one big “if” that applies: if you can get a thorough and meaningful assessment at no charge, go for it. However, the likelihood of this happening is relatively low.
What does a paid cybersecurity assessment typically include?
The following sample statement of work follows a National Institute of Standards and Technology (NIST) framework/methodology to assess gaps and deliver a detailed report and set of recommendations.
Onsite Hardware Audit – The MSP (managed service provider) commits up to a full day to evaluate your inventory, secure configurations, and access to hardware devices on the network, including but not limited to:
Onsite Software Audit – MSP invests up to a full day to evaluate your inventory, secure configurations, and access to software on the network, including but not limited to:
- Operating Systems
- Line of Business Applications
- Software Licenses
- Remote Access
- Backup & Disaster Recovery
- Security Software Analysis
- Security Information and Event Management (SIEM)
- Internet Content Filtering
- Email Security Gateway
- Multi-Factor Authentication (MFA)
- Mobile Device Management (MDM)
- Wireless Access Control
Dark Web Scan – MSP provides you with a report revealing whether any of your digital credentials appear on the Dark Web.
Executive Summary Report – MSP delivers a document with a list of gaps, risks, best practices, and solutions ranked by business impact: high, medium, and low.
The price for something like this is usually in the range of $1,200.00 to $1,500.00.
What does a free cybersecurity assessment include?
A free cybersecurity assessment may include everything described in the previous section.
More often than not, though, it will not. Your search for the most appropriate assessment will therefore be more effective if you bring a healthy dose of skepticism and ask pointed questions.
Most MSPs and other IT providers promote free assessments on their websites. It’s a marketing tool and somewhat of a cliché in our industry. These offers can take several different forms:
- A fifteen-minute conference call or Teams meeting to cover high-level IT concerns.
- A site visit with IT decision-makers followed by a quick peek into the phone closet.
- An evaluation of your IT documents: acceptable use policies, network diagrams, IT roadmaps, technology vendor contracts, hardware/software warranties, and renewals, service invoices, and project invoices.
Do you know exactly what you’re getting? Each of the endeavors mentioned above can tell you a lot about your cybersecurity gaps and readiness.
I’m not a system engineer or network architect, and I’m confident I could give you a host of high-impact qualitative takeaways. However, my efforts would not be in the same league as a vCIO, CISO, or anyone else with an alphabet soup of security and cloud certifications.
I cover this topic in the following two articles: How to Conduct a Free Cybersecurity Assessment and Cybersecurity Checklist.
Many MSPs use the same network discovery tools to quickly deliver canned reports, many of which draw the same conclusions. Do you want something generic, or would you prefer a more profound analysis with unique, out-of-the-box insights?
MSPs with higher levels of operating maturity and a steady stream of new clients don’t have to provide comprehensive IT security assessments for free.
You may get a free and thorough security assessment, but a critical question may arise: how can this organization afford to perform this level of work without a commitment?
Lighter, free alternatives make sense under the following circumstances:
- You don’t have much infrastructure.
- You’re locked into an agreement you can’t terminate without a penalty, and you want a second opinion.
- Compliance requirements for your industry don’t keep you up at night.
- No significant incidents (breaches, data loss, etc.) have caused you to question the effectiveness of your security profile.
- You recently renewed your cyber insurance policy after confidently checking every box on the insurer’s cybersecurity technology questionnaire.
- You have extensive IT experience and know as much or more than the MSP or MSPs offering you freebies.
Note that companies that favor free assessments usually end up collecting free reviews from multiple parties. This scenario takes a lot more time to evaluate because the results don’t come packaged as a single source of truth.
Being clear on the reasons you need a security assessment will ultimately inform the direction you take.
If you have used free assessments to choose IT providers in the past, and you change IT providers frequently, it may be time to consider another approach.
Plus, sifting through a pile of free assessments is more complex and time-consuming than reviewing one in-depth analysis. Why not get a comprehensive analysis right out of the starting gate?
You get first-hand experience doing business with a provider before you make a more significant commitment.
And if you don’t like them, there’s no obligation. You can take their assessment and use it to select another provider.