Security & Compliance
Your business needs security policies and someone to handle compliance, but you can't afford a full-time CSO. We'll be that person.
Sound familiar?
"A client sent us a 50-page security questionnaire. We have no idea how to answer half these questions."
"We know we should have security policies, but we don't know where to start or what we actually need."
"Our IT person says 'we're fine' but I'm not technical enough to know if that's actually true."
"We're focused on running the business, not writing security policies that nobody will read anyway."
"Enterprise clients want security documentation, but we don't have anyone who knows how to create it."
"We're too small to be targeted... right?"
(That's not a strategy.)
You need someone who understands security, but you can't justify a full-time hire. We'll be your security deputy.
What we actually do
Comprehensive review of user accounts, systems, access rights, current policies, and general IT security. You'll know exactly where you stand and what needs fixing.
Security policies you can actually hand to auditors, clients, or enterprise buyers. Written in plain English, not consultant jargon, tailored to your business.
Security evaluation of vendors and tools you're considering. Onboarding recommendations that protect your business without creating unnecessary friction.
Tech and data focused continuity planning with operational considerations. Backup strategies, disaster recovery procedures, and "what if" scenario planning.
Regular Policy Updates
As your business changes, your policies need updating. We keep them current without you having to think about it.
Client Questionnaires
When your clients (especially enterprise or super funds) send security questionnaires, we respond. You forward the email, we handle it.
Ongoing Vendor Assessment
Adding new tools? We'll assess security implications before you commit. Quarterly check-ins to review your security posture.
What we don't do (and who we connect you with)
We're your security deputy, not your security team. For specialised technical work, we connect you with qualified vendors and partners.
Deep Penetration Testing
We refer to qualified security firms who specialise in finding vulnerabilities.
Technical Implementation
Complex firewall, VPN, or encryption setups go to technical implementation partners.
Employee Training Programmes
We recommend third-party training providers who specialise in security awareness.
24/7 Incident Response
Active incident response is vendor-led. We help you create the policies so vendors know what to do.
Where your needs are simple—especially policies, system setup recommendations, and vendor assessments—we handle it in-house. Where you need deeper technical expertise, we connect you to the right specialists. You get one trusted adviser who understands the whole picture.
Why this matters more than you think
Director Liability
Directors can be personally liable for inadequate risk mitigation, particularly for businesses above certain revenue thresholds. "We're too small to be targeted" isn't a legal defence when something goes wrong.
Enterprise Buyers
Large clients (especially super funds and regulated industries) have legal obligations to ensure their suppliers meet security standards. They'll audit you annually or bi-annually. Without proper documentation, you lose the contract.
The Real Risk
You're too busy running the business to plan for low-likelihood, high-impact events. But when they happen:
- One data breach could cost more than years of prevention
- Lost enterprise contracts because you couldn't answer security questionnaires
- Regulatory fines that could put you out of business
- Personal director liability when the business had inadequate policies
How it works
Initial Assessment
We review your current security posture—what you have, what you need, where the gaps are.
Recommendations
Clear priorities on what needs fixing immediately versus what's adequate for now.
Implementation
We handle what's straightforward in-house. For technical complexity, we connect you with qualified partners.
Ongoing or As-Needed
Choose retainer support for continuous updates or as-needed support when questionnaires arrive.
Flexible engagement models
Every business has different security needs. Let's discuss your specific situation and create a package that makes sense.
One-off Audit
Security audit, policy package, and recommendations for immediate implementation.
Ongoing Retainer
Monthly retainer for continuous policy updates, questionnaire responses, and quarterly reviews.
As-Needed Support
Hourly or day-rate support when specific security questions arise or client questionnaires arrive.
Ready for a conversation?
Let's discuss your security needs and create a plan that protects your business without breaking the budget.