Nicholas T. Martin
4/16/2026
2026 (Q2) Security Posture Proposal
BLUF: Given the limited budget allocated to network and information security, this memo presents
senior leadership with the technology and policy options identified as offering the highest return
on investment while remaining within the current budget.
The Human Factor

  • Industry incident reports consistently identify human error as a leading source of
    compromise in any system, regardless of the technology deployed.
  • Employees are susceptible to social engineering and phishing through many channels (phone,
    text message, collaboration tools), though primarily over email.
  • Regular, scenario-based security training substantially reduces this exposure, but it
    never eliminates it; the controls below are chosen on the assumption that some mistakes
    will still be made.
  • For this reason, splitting the current security budget roughly equally between employee
    training and technical controls will have the largest impact on hardening our current
    systems.
Training Proposal (~40-50%)
  • Quarterly Training – Frequent, focused training on the key risks (social engineering,
    phishing, device handling, etc.) built around real-world scenarios gives employees the
    ability to recognize and stop phishing attempts at the user level. A training program
    also has a fixed, quantifiable cost that is easy to account for.
  • Simulated Tests – Running simulated phishing campaigns internally is a near zero-cost
    policy that measures the effectiveness of the current training and allows follow-up
    training to be targeted at the groups that need it. Results should be used to adjust
    training, not to penalize individuals; a punitive program discourages the reporting we
    depend on below.
  • Report Campaigns – To fully understand the health of our systems, it is vital that all
    levels of the organization communicate any concerns. To this end, programs that make it
    easy and safe for employees to report suspicious behavior and communications (for example,
    a one-click report button in the mail client and a no-blame policy for reporters) will
    foster a culture of transparency and cooperation, and give the security team early
    warning of campaigns the filters missed.
Technological Proposal (~50-60%)
  • Multi-Factor Authentication – The organization has already purchased and deployed our
    current MFA contract. By extending this existing technology to every company portal and
    login, and in particular to remote access, email, and administrative accounts, credentials
    can be safeguarded at minimal additional cost.
  • Email Protection – AI-powered anti-phishing filters are a cost-effective way to reduce
    employee exposure to malicious communications. Filtering lowers the volume of attempts
    that reach users but does not eliminate them, which is why it is paired with training.
  • Endpoint Protection – In the event of a breach, it is vital to identify, contain, and
    remove any malicious software. Protecting company devices (laptops, tablets, etc.) with
    endpoint protection software is the more costly option in this proposal, but it serves as
    the last line of defense once an attacker has a foothold.
  • Log Monitoring and Alerts – Collecting and monitoring security-relevant event logs and
    network traffic (a SIEM application) allows intrusions to be detected early, so they can
    be contained before the company suffers significant damage. Monitoring is only useful if
    someone is assigned to review and act on the alerts it produces.
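To make the Log Monitoring and Alerts item concrete, the following is an added illustration, not part of the memo or of any product we have evaluated: a minimal alert rule of the kind a SIEM applies, run over a few constructed (not real) authentication log lines. The threshold, the time window, the log format, and the hostnames and addresses are all assumptions chosen for the example. It flags a burst of failed logins from one source and, more importantly, a successful login from that same source afterwards, which is the event a responder needs to see first.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed sshd-style log format; a real deployment would parse whatever the
# mail server, VPN, or identity provider actually emits.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Accepted|Failed) password for "
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)

FAIL_THRESHOLD = 5            # assumed tuning value
WINDOW = timedelta(minutes=2)  # assumed tuning value

# Constructed sample log lines for the example (documentation-range addresses).
SAMPLE_LOG = """\
2026-04-16T09:00:01 sshd: Failed password for alice from 203.0.113.7
2026-04-16T09:00:04 sshd: Failed password for alice from 203.0.113.7
2026-04-16T09:00:06 sshd: Accepted password for carol from 192.0.2.5
2026-04-16T09:00:09 sshd: Failed password for alice from 203.0.113.7
2026-04-16T09:00:12 sshd: Failed password for bob from 198.51.100.20
2026-04-16T09:00:15 sshd: Failed password for alice from 203.0.113.7
2026-04-16T09:00:20 sshd: Failed password for alice from 203.0.113.7
2026-04-16T09:00:31 sshd: Accepted password for alice from 203.0.113.7
2026-04-16T09:01:00 sshd: Failed password for bob from 198.51.100.20
this line is not an authentication event and is skipped
"""


def parse_line(line):
    """Turn one log line into an event dict, or None if it is not an auth event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ok": m["result"] == "Accepted",
        "user": m["user"],
        "src": m["src"],
    }


def detect(lines):
    """Return alerts for failed-login bursts and for successes that follow a burst.

    A source is flagged once when it reaches FAIL_THRESHOLD failures inside WINDOW.
    Any later successful login from a flagged source is raised separately, because
    that is the likely compromise rather than just the attempt.
    """
    recent = defaultdict(deque)  # src -> timestamps of failures inside the window
    flagged = set()              # sources already reported for a burst
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["ok"]:
            if ev["src"] in flagged:
                alerts.append({"rule": "success_after_burst", "src": ev["src"],
                               "user": ev["user"], "ts": ev["ts"]})
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > WINDOW:  # drop failures older than the window
            q.popleft()
        if len(q) >= FAIL_THRESHOLD and ev["src"] not in flagged:
            flagged.add(ev["src"])
            alerts.append({"rule": "brute_force", "src": ev["src"],
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a['ts']} {a['rule']:20} src={a['src']} user={a['user']}")
```

On the sample data the two failures from 198.51.100.20 stay below threshold and produce nothing, while 203.0.113.7 is reported once for the burst and again for the login that succeeds after it. The second alert is the one that should page someone; the first is context.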
Conclusion
By taking a mixed approach with the available funds (training and technology), we can account
for human fallibility while still protecting our systems in the event of an intrusion or breach.
Additional steps will be needed for a fully robust security posture, but the options above are
budget friendly, build on what we already own, and address the risks most likely to affect us.