A written security posture before procurement asked
A six-week NIST CSF-scoped assessment for a mid-market services firm fielding enterprise security questionnaires faster than its IT lead could answer them.
- Client
- Professional services firm, ~600 employees, multi-office, US.
- Duration
- Six weeks
- Practice
- Cybersecurity
The firm was closing larger enterprise customers. Each new customer arrived with a two-hundred-question security questionnaire and a five-business-day turnaround. The firm's IT lead, a competent generalist wearing three other hats, was spending evenings filling in questionnaires from a working document whose answers had drifted and contradicted one another from one questionnaire to the next. Two prospective customers had been delayed in procurement; the firm was not sure how many had walked away without telling them.
- Identity, access, and authentication posture, including the firm's M365 tenant and the production SaaS stack
- Data-handling review for customer material, with a threat model written for the firm, not for generic enterprise IT
- Vendor and sub-processor mapping against the data each vendor actually touches
- Incident-response readiness, including a tabletop exercise against an insider-threat scenario
- A bound security posture document calibrated to enterprise procurement questions
Week 0 was a thirty-minute scoping call with the VP of engineering and the firm's IT lead, producing a signed scope document the same day. Weeks 1–4 were quiet, structured review against NIST CSF, calibrated to the firm's actual threat model. Findings were ranked by exploitability, with a remediation cost estimate for each. Week 5 was the tabletop: three hours, the leadership team in one room, working through a scenario that exposed two assumptions the firm had been operating under without realising it. Week 6 delivered a thirty-six-page bound posture document the firm could hand to procurement on a Tuesday morning.
The next enterprise questionnaire the firm received — 187 questions — was answered in a half-day of administrative time by referencing the bound document. The firm now keeps the posture document on a quarterly review cadence with a named owner. Three of the eight remediation items have been closed in-house; the other five are scoped for a follow-on implementation engagement, on the firm's timeline, not under deal pressure.
The argument that wins inside a firm is rarely "what does a breach cost." It is "what are we paying right now to operate without this in place." In this engagement, the answer was three lost evenings per questionnaire and an unknown number of deals that quietly went elsewhere.
We respond within two business days. Scoping calls are obligation-free and run thirty minutes.
