Frequently Asked Questions
Written by Caitlin Fox
Updated over a week ago

How do we use S2Org to set up a consulting practice?

Begin with an assessment of your client. We’ve created 3 assessment levels so you can meet your client where they are at. Once you have the diagnostic work done, you can review the discovered risks and build a roadmap to help your client prioritize resources. Assign tasks and meet with your client periodically to keep them on track. Completed tasks have an immediate impact on the risk score, and over time, you can move your client to a stronger risk position. Our built-in charting will showcase the relationship between resources spent and improvements in your client’s security posture.

What should we charge for an assessment project?

The cost of a validated assessment varies between $5,000 and $60,000 depending on the amount of time an analyst spends onsite, travel expenses, and other consulting services provided. Organizations with multiple locations and/or sub-entities will naturally have a larger, more expensive scope of work.

The pricing above is for a validated Level 3 assessment. Your pricing will likely vary depending on assessment level and self versus validated assessment.

Which level of assessment should each client do?

LEVEL 1 (L1): Small organizations that are not governed by compliance or regulation requirements, and medium organizations without an existing security program.

LEVEL 2 (L2): Medium organizations with an existing security program that are in need of maturation.

LEVEL 3 (L3): Medium and large organizations that are regulated or have compliance requirements.

As your client progresses, you can easily move them to the next level up, opening up additional controls that go deeper.

How long does it take to do each level of assessment?

This answer varies depending on your level of familiarity with the assessment and your client’s level of technical expertise. Below are estimates based on 3 types of engagement.

  • To Assist - Partner hours helping the client, who completes the assessment

  • To Complete - Partner hours when leading the project (combined partner and client)

  • To Validate - Assumes the validator/partner was not involved in the original assessment.

| Assessment Type | To Assist (Hours) | To Complete (Hours) | To Validate (Hours) |
| --- | --- | --- | --- |
| Core Assessment | 1.5 | 1.5 | N/A |
| S2Org - L1 | 4 | 8.1 | 13 |
| S2Org - L2 | 5.1 | 13.5 | 24.3 |
| S2Org - L3 | 9.25 | 37.8 | 71.5 |
| S2Vendor (per vendor) | 0.1 | 0.5 | N/A |
| S2Team (per employee) | 0.1 | 0.28 | N/A |

TIP: Optimize your client time by collecting and reviewing documentation ahead of time and giving the client a list of personnel that you will need to talk to when you are on-site. Depending on your client’s skillset, you might expose the assessment to the client ahead of time so that they can take the first pass supplying responses before you check that the controls are actually in place.

How long should we spend updating the assessment?

This answer varies depending on the level of assessment and the client’s technical expertise. Estimate more time for clients that require handholding as these meetings will be much more involved.
LEVEL 1: 1.5 to 3 hours
LEVEL 2: 3 to 5 hours
LEVEL 3: 6 to 10 hours

TIP: Remember that the roadmap only shows the false responses from the assessment. Assuming this is where you want to focus, you can start your update by reviewing evidence for the "done" tasks. If you agree that the control was implemented in a satisfactory way, then leave the task as is. Then move to the "in progress" tasks and then to the "not started" tasks. If you believe the controls for these are already implemented, then add a note, attach evidence, and move the items to the done column.

How often should we meet with clients?

A good rule of thumb is to update your client’s assessment quarterly. This keeps the current assessment reasonably up to date, reducing the catch-up time you will need. Three months is also a good increment of time for task completion on your client’s side.

How involved should client users be?

Client involvement is all about expediency. If your client has a low level of technical expertise, there may not be a lot of utility in having them try to fill out the assessment without your handholding. That would prove an exercise in frustration. Additionally, they may not be savvy enough to process the assessment results or to complete tasks in the roadmap. This type of client presents an opportunity for a partner to build a close-knit relationship based on trust.

For clients with a high level of technical expertise, the roadmap can be configured so that client-partner meetings become check-ins to review and mark off assigned items. This type of client is highly independent and requires less of your time.

Why is S2Org client-facing?

S2Org is built on the premise of assessment transparency. The more exposure your client has to the expected controls (and where they fall short), the easier your task will be in explaining what is needed to secure their information. Remember that client buy-in is important for maintaining a secure program when you are not around to oversee it. More practically, remember that resource allocation relies on them perceiving the assessment to be accurate and improvements to be worth their investment.

Do clients need their own user licenses?

There are two different types of client licenses.

The first license is read-only. This is very limited and can only be used to present assessment results to the client. The read-only license is suited for one-off projects that have a distinct start and end date.

The second license is for premium client users who will play a role in the management of their information security program. This license empowers them to make assessment changes, build a roadmap, and track changes on the dashboard. The premium license is well suited for ongoing work that requires client involvement over time.

How thoroughly should we spot check self-assessments?

Self-assessments are not validated assessments. They are a self-diagnostic exercise that works to inform the client on their current information security posture. That being said, exaggerated or inaccurate responses in a self-assessment can still be very damaging. It can hide risk, leading to a misappropriation of resources. In some cases, it can ultimately lead to non-compliance if the self-assessment was conducted in preparation for a particular audit.

The standard for self-assessment should be that if called upon, you can defend the response and provide evidence to support it.

What type of evidence should we require? How long will reviewing evidence take?

The type of evidence required is completely dependent on the control being assessed. For example, if you are assessing security policy then a copy of the security policy would be adequate evidence. If you are assessing firewall configurations, then a screenshot of the configuration would be adequate evidence.

We advise all partners to spend time building a shortlist of required documentation that can be passed to the client ahead of the assessment. This allows the client adequate time to find these resources, and saves the analyst time while on-site. This documentation can be stored in the Documents tab or attached locally in the assessment.

In general, you will want to ask for any security policies they have, especially in the following areas:

  • Acceptable Use

  • Risk Management

  • Governance

  • Security Committee Charter

  • Asset Management

  • PCI

  • Access Controls

On average, the review of evidence takes between 2 and 3 hours. We advise analysts to review evidence both before and after collecting assessment responses.

For assessment updates, the review of evidence takes between 45 minutes and an hour. You will want to verify any changes in policy that the client reports.

Do I need any other tools?

S2Org ingests Nessus, Qualys, Nexpose and Nodeware vulnerability scans but the vulnerability scanner itself is not included as part of the subscription. You will need to have your own license with one of those systems. If you choose not to do vulnerability scanning, you can disable this requirement inside the assessment.

How do we do vulnerability scans?

The scan files can be uploaded, and the results are calculated and shown directly on screen. Over time, updated scan files can be uploaded to show improvements.

*See scan instructions here

Do you have other partners that can do vulnerability scans for us?

Yes. We have a short list of partners that specialize in doing vulnerability scanning. Several of them regularly work with other partners to collaboratively deliver a whole assessment to one client.

What are the various project/service offerings for partners?

Partners can deliver a variety of projects and services with the S2 Platform.

Project-based: These are usually one-off validated assessments or scans with recommendations for improvement or additional projects/services.
Retainer-based: These are usually longer, ongoing engagements that can include scheduled assessments/scans and validated assessments, accompanied by remediation work, vCISO services, training, and other ongoing security offerings.

S2Org can also be used for specialty or hybrid engagements. Some examples are below.

EXAMPLE 1: Strategic remediation. Advise the organization on work effort and prioritization.

EXAMPLE 2: Quarterly updates/scans. Check in periodically to update an assessment done previously.

EXAMPLE 3: Budget requests. Use the assessment to diagnose your client’s current risk position, and build-out a roadmap to demonstrate what various levels of investment will do for improving their risk position.

What is your pricing model?

Contact sales@securitystudio.com for the most updated information.

Do you have training certification for analysts?

SecurityStudio built the Certified virtual Chief Information Security Officer (CvCISO®) program to establish the industry standard for vCISO quality and qualifications. If you aspire to become a vCISO, be a better vCISO, and/or want to start or grow a legitimate vCISO practice, this is the path for you.

For more information, see the Academy page here.

What level of information security background do I need to be successful?

To conduct a self-assessment, you need a foundational understanding of the security basics.

To act as a consultant or to validate an assessment, you should have at least 3 years of security experience or have the ISA and/or the ISV certification from SecurityStudio. You need to be able to understand the controls, explain them to your client, and advise the client on how to meet the controls’ requirements.

In general, the more information security experience you have, the more successful you will be in the partner role.

What are realistic expectations for improvement for a poorly funded client program?

Surprisingly, what most organizations need to improve most are safeguards that require more time than money. It is realistic to see good improvement even at low funding levels so long as there is buy-in from leadership and willingness from the team to improve.

What are realistic expectations for improvement for a well-funded client program?

A well-funded program with appropriate support from leadership should expect to see a large amount of improvement.