Security and privacy advice you can actually act on.
Getting security and privacy right isn't about doing everything. It's about doing enough. Too little and you're exposed. Too much and you're paying for things you don't really need.
The tricky part is knowing where that line sits, and that's what we're good at. We work out how much your business actually needs, then build that and stop there.
Customers we've worked with
Our approach
How we think about security and privacy.
A few principles shape every engagement, whether it's a security programme or your data protection, and they're the reason our advice often looks different from the industry default.
Security should match the risk.
A 20-person SaaS company doesn't need the same programme as a bank. We recommend controls because they deal with a real risk to your business, not because they're on a generic checklist, and we keep them light enough that you can still run them six months later.
Risk comes before frameworks.
Standards like ISO 27001, and rules like GDPR, are genuinely useful. The trouble starts when an enterprise template gets dropped onto a small company unchanged. We start with how your business actually runs and handles personal data, build sensible controls around it, and map to the framework from there.
Fear isn't a strategy.
We won't open with breach statistics or worst-case scenarios. You already know this matters. The useful conversation is a practical one: what your customers are asking for, where the real risks to your data sit, and how much governance makes sense at your stage.
Sometimes the answer is "not yet".
Not every business needs ISO 27001, SOC 2, or a full-time security hire today. Often a smaller set of controls and a clear position is enough for the people asking. When that's true, we'll tell you, because it saves you money and keeps the focus where it counts.
The process
What working with us looks like.
From the first conversation to ongoing support, most engagements follow the same straightforward path.
A first conversation
We start by understanding what's prompted this, whether it's a customer questionnaire, an upcoming audit, investor due diligence, a data protection worry, or just a sense that the basics need tightening. No commitment, and no charge.
Scoping with your team
A short session with whoever owns this internally, often the founder, CTO, or operations lead. We agree what needs attention, what sits outside scope, and which deadlines genuinely matter to the business.
A clear proposal
Implementation is scoped with a fixed fee, defined deliverables, and a realistic timeline. Ongoing support sits under a monthly retainer once the initial work is done. You'll know exactly what's included before anything starts.
The same senior person throughout
You work with one experienced practitioner from start to finish. The person who scopes the work does the work, so there are no handovers and nothing gets lost along the way.
Day to day
Once we're up and running.
How the work actually gets done, week to week.
Senior people do the work
We fit around your week
Automation where it helps
Documentation people can use
A predictable rhythm
There when something comes up
Straight talk
We'll tell you the truth, even when it costs us work.
Plenty of firms are happy to sell you more than you need. We'd rather keep your trust. Things we say regularly:
"You probably don't need ISO 27001 yet. A smaller set of controls covers the scrutiny you're actually under."
"A fractional arrangement makes more sense than a full-time hire at this stage."
"Cyber Essentials is likely enough for what your customers are asking for right now."
"Your data protection obligations are lighter than you fear. Let's cover what's required, not gold-plate it."
"This one's outside what we do, but we can point you to the right specialist."
Where we stop
What we don't do.
We focus on governance, compliance, privacy, and the management side of security. A few things sit outside that, and we'd rather be upfront about them.
- Operating a 24/7 security operations centre
- Managed detection and response
- Penetration testing
- Deep technical incident response
- Redesigning application architecture
- Rewriting source code
- Legal advice on contracts and regulations
When you need any of these, we'll recommend people we trust and help scope the work before it begins.
Measuring success
How we know it's working.
What success looks like depends on why you came to us in the first place.
Certification work
ISO 27001, SOC 2, and Cyber Essentials are achieved on schedule, and the reviews that follow happen without drama.
Ongoing vCISO and DPO support
Leadership understands the real risks, customer security and privacy questions get easier to answer, responsibilities are clear, and decisions stop relying on guesswork.
Security and privacy foundations
You have an honest picture of where you stand and a sensible baseline you can realistically keep up over time.
At every review, we ask the same question: is the business in a stronger, more manageable position than when we started?
Want to know if this is the right fit?
A short conversation usually makes that clear.
If we're not right for the situation, we'll say so, and point you somewhere more useful where we can.