FROM: Joe Michael, Chief Information Officer
SUBJECT: Selection of Cybersecurity Auditing Firm to Perform Comprehensive Cybersecurity Assessment and Services
RECOMMENDATION:
Recommend that the Board approve a three-year Professional Services Agreement with Symosis Security at an annual cost of $96,000.
BACKGROUND:
On April 15, 2025, SBCERA staff issued a Request for Proposals (RFP) for Comprehensive Cybersecurity Assessment and Services. The RFP was made publicly available on SBCERA’s official website and promoted through social media to ensure broad outreach to qualified independent firms. In total, SBCERA received twenty-one proposals in response.
An internal evaluation committee was formed to review and assess the proposals. The committee consisted of Joseph Michael, Chief Information Officer; Hugo Alvarez, Information Security Manager; and Daniel Mejia, Information Security Engineer. Proposals were evaluated using a weighted set of criteria that included the firm’s experience and expertise, the clarity and comprehensiveness of the proposed audit methodology, the qualifications of the proposed audit team, the pricing structure, and the inclusion of value-added services.
Of the twenty-one proposals reviewed, four were found either to lack a complete understanding of the RFP requirements or to present unrealistically low pricing structures, raising concerns about potential change orders during the engagement. Five additional proposals were priced significantly above the average, without offering a meaningful increase in deliverables or quality of service. The remaining twelve proposals met the RFP criteria; however, one firm, Symosis Security, distinguished itself through the relevance of its submission.
Symosis Security demonstrated a well-defined and rigorous methodology for conducting comprehensive cybersecurity assessments, reflecting both industry best practices and a clear understanding of SBCERA’s operational environment. Their proposal articulated each assessment phase with specificity and included a structured engagement timeline that, while ambitious, conveyed a disciplined approach to project execution.
Importantly, their proposed schedule established a firm end date for the engagement and did not presume an automatic continuation from one audit cycle to the next, which reflects an understanding of the importance of focused, standalone audit engagements.
In addition, Symosis Security offered a cost-effective pricing structure that prioritized critical security components and designated supplementary services as optional, allowing SBCERA to control scope and budget as appropriate. Their previous experience working with 1937 Act systems further enhances their suitability for this engagement.
Based on a thorough evaluation and comparative review of all submitted proposals, staff recommends that the Committee recommend to the Board the approval of a Professional Services Agreement with Symosis Security for an initial term of three years and a base annual contract amount of $96,000. Should staff opt to add additional services in years two and three, staff will either bring that back to the Board for additional consideration, or the Chief Executive Officer may be able to execute the change order if it is under her signature authority, with the concurrence of Chief Counsel.
A copy of Symosis Security’s proposal and a list of all responding firms are attached as Exhibits A and B, respectively.
BUDGET IMPACT:
Costs for this item are included in the current year administrative and/or non-administrative budget.
STRATEGIC PLANNING GOAL/OBJECTIVE:
Operational Excellence & Efficiency
STAFF CONTACT:
Joe Michael
ATTACHMENTS:
Exhibit A: Symosis Security Proposal
Exhibit B: Listing of Received RFPs