Your fractional security team. Hands-on practitioners who work in your environment, not consultants who hand you a report and disappear.
You need a credible security posture — to satisfy enterprise clients, pass vendor assessments, meet regulatory obligations, or simply reduce real risk. But you don't need a full-time CISO to get there.
Get Security Clarity"A client sent us a 50-page security questionnaire. We have no idea how to answer half these questions."
"Enterprise clients want security documentation, but we don't have anyone who knows how to create it."
"Our IT person says 'we're fine' but I'm not technical enough to know if that's actually true."
"We know we should have security policies, but we don't know where to start or what we actually need."
"We're focused on running the business, not writing security policies that nobody will read anyway."
"We're too small to be targeted... right?" (That's not a strategy.)
What would actually help
Someone who understands security but doesn't need a full-time salary. Clear policies written in plain English. Vendor questionnaires that get answered properly. Straight talk about what you actually need versus security theatre.
In 2024, 22% of Australian SME owners reported their business was impacted by cybercrime — and SME owners experienced significantly higher rates of all types of cybercrime than other victims. When they were hit, they lost larger amounts of money. The average cost of a cyber incident for a small business is now $56,600 and rising — up 14% year on year. The ACSC received over 84,700 cybercrime reports in FY2024–25. That's one every six minutes.
The Cyber Security Act 2024, effective May 2025, introduced mandatory ransomware payment reporting for any business with annual turnover above $3 million. Seventy per cent of extortion-related incidents the ASD responded to in 2023–24 involved ransomware. Failure to report within 72 hours carries civil penalties — and the broader signal from government is clear: security is no longer optional for businesses at scale.
Directors can be personally liable for inadequate risk mitigation. "We're too small to be targeted" isn't a legal defence when something goes wrong. Enterprise clients — especially super funds and regulated industries — have legal obligations to ensure their suppliers meet security standards. They will audit you. Without proper documentation, you lose the contract.
A data breach doesn't just cost money in direct remediation — it costs client trust, contract opportunities, and staff confidence. Lost enterprise contracts because you couldn't answer security questionnaires. Regulatory fines. Reputational damage. And the operational downtime while you scramble to respond to something you could have prepared for.
Sources: Australian Signals Directorate Annual Cyber Threat Report 2024–25; Australian Institute of Criminology Cybercrime Survey 2024
You need someone who understands security, but you can't justify a full-time hire. We handle the security work so you can focus on the business.
Know exactly where you stand and what needs fixing. No security theatre, just straight assessment.
Security policies in plain English that you can actually hand to auditors, clients, or enterprise buyers.
Security evaluation of tools you're considering. Protection without unnecessary friction.
Answer client questionnaires, update policies, and provide security guidance when you need it.
Comprehensive review of user accounts, systems, access rights, current policies, and general IT security. You'll know exactly where you stand and what needs fixing.
Security policies you can actually hand to auditors, clients, or enterprise buyers. Written in plain English, not consultant jargon, tailored to your business.
Security evaluation of vendors and tools you're considering. Onboarding recommendations that protect your business without creating unnecessary friction.
Tech and data focused continuity planning with operational considerations. Backup strategies, disaster recovery procedures, and "what if" scenario planning.
Assess your posture against a named framework (Essential Eight, ISO 27001, SOC 2, GDPR) and produce a maturity score with gap analysis.
Surface-level code and configuration review to identify obvious security exposure.
When your clients (especially enterprise or super funds) send security questionnaires, we respond. You forward the email, we handle it.
Vendor security questionnaires, compliance assessments, audit responses
Outcome
Client security requirements handled professionally without taking your team away from revenue-generating work.
As your business changes, your policies need updating. We keep them current. Adding new tools? We'll assess security implications before you commit.
Policy maintenance, new vendor evaluation, quarterly security reviews
Outcome
Security posture that grows with your business without constant internal attention or falling behind on compliance.
We flag developments relevant to your environment so you're not caught out by regulatory changes or new threat vectors.
Outcome
Proactive awareness of what's changing in the threat and regulatory landscape, without having to monitor it yourself.
If something goes wrong, we're a first call. Not incident response (that's specialist work) — but informed guidance on what to do next and who to call.
Outcome
A trusted, calm voice on the end of the phone when things go sideways, with the knowledge to triage and coordinate the right response.
Most clients come to us with a specific task — a questionnaire they can't answer, a policy they need written, an audit they've been putting off. That task is our starting point.
We understand what you need, confirm the right entry point, and scope the first engagement.
ComplimentaryHands-on review of the specific area in scope. We work in your environment — evidence gathered, systems reviewed, interviews conducted as needed.
Day rate or fixed fee by scopeStructured report of findings with risk ratings and a prioritised remediation roadmap. You walk away knowing exactly where you stand and what to do about it — in plain language.
Included in assessment feeOptional continuation through the roadmap in 1–2 week sprints, each tied to a concrete outcome. Policy writing, tool configuration, access controls, backup procedures.
$500/day intro rateOngoing advisory and task completion. Drawn down as you need it, with priority response times.
Retainer — defined hours blockSecurity and compliance looks different depending on where your business is — but the underlying principle is the same: a realistic posture you can actually maintain is more valuable than a theoretically perfect one you can't operate.
You're probably not a prime target for a sophisticated cyber attack — but you are a prime target for credential theft, phishing, and data exposure through the tools you use every day.
The basics matter: proper password management, MFA on everything, understanding where your client data lives, and having a plan for when something goes wrong. We get your security foundations right without overcomplicating it.
Security debt compounds faster than technical debt. The access controls, data handling practices, and policies you set up now will either pass scrutiny when enterprise clients or investors do due diligence — or they won't.
We help you build credible security foundations early so you're not scrambling to retrofit them when a deal depends on it.
You've been told you should have security policies, but you don't know where to start. Enterprise clients are asking about your security posture. Your IT person says everything's fine. You suspect "fine" isn't the same as "auditable."
We give you honest assessment, policies written in plain English, and compliance support that lets you answer questionnaires confidently without hiring a full-time security person.
You're winning bigger clients, and bigger clients ask harder questions. SOC 2 compliance, vendor security assessments, formal policies — things that didn't matter at 10 people matter a lot at 50. Your team is growing fast, and user access, offboarding, and data governance can't stay informal anymore.
We provide fractional CSO services that give you executive-level security oversight without the permanent headcount.
You have security resources, but gaps remain — particularly around compliance documentation, vendor assessments, and the governance layer between your security team and the board.
We supplement your existing capability with specific expertise: framework scorecards, policy reviews, compliance questionnaire management, and independent posture assessment.
Directors can be personally liable when businesses lack proper security governance. You need confidence that the organisation's security posture is real, not just reassuring words from management.
We provide independent security assessment, board-level reporting, and governance frameworks that give you the visibility and documentation to fulfil your oversight responsibilities.
We work in your environment, build real things, fix real problems, and leave you more capable than when we arrived. We don't produce compliance theatre.
Our clients are business owners and executives, not security engineers. We translate security into decisions you can actually make.
A security posture your business can actually maintain is more valuable than a theoretically perfect one you can't operate. We build for the real organisation.
Where specialist expertise is required, we say so and make the right introduction. We don't overstate our capability.
As with all XBG work, we document what we build, transfer knowledge, and make sure you're not dependent on us to maintain your security posture.
No sales pitch. No obligation. Just a chat about what you're building and where the opportunities might be.
