Dr Patrick Scolyer-Gray | Cyber-Sociologist

Ph: 0400 031 463

Services

Discovery

Short, unintrusive and focused on what you need, I perform investigative projects tailored to your availability and budget.


Each of my discovery initiatives, one way or another, is concentrated on building an understanding of where you are and where you want to go in your cybersecurity journey.


I take a comprehensive approach to all my security assessments and discovery processes, incorporating consideration of (among other things) your technology, people, procedures, policies, culture, power dynamics, business needs, and more. 


My broad but also highly detailed investigative approach underpins my ability to find out where and how I can make the greatest improvements to your security posture as quickly as possible.


I prefer to start work with my clients through a discovery exercise of some kind, primarily because I almost always end up needing to do one anyway to make sure that my services are tailored to the unique context of your business, and to keep everything I do aligned precisely and exclusively with what your business needs.


I also perform more formal discovery and investigative assessments (e.g., 'Gap Analyses', 'Risk Assessments', 'Security audits' etc.).


I always provide a document summarising (in more or less detail as required) what I find in clear, accessible language. You need to be able to understand what I have found before you can decide on if and why you need to take further action.


Note: Unlike with other organisations or providers, any work I do for you within the discovery phase is done as a project in and of itself with zero obligations or expectations on you to continue on with additional steps. 


I pride myself on delivering substantial value via my discovery programs - if you are thinking about trialling the capabilities I have to offer, then this is an ideal way to get started.

Human Risk Management

Over 90% of all cyber and information security vulnerabilities, risks and incidents are attributable to the broad category of 'human error'. 


This means that for every business, regardless of size, the single greatest means of reducing cyber risks is not technological, but instead, behavioural!


With a PhD in sociology and years of experience as a cyber-sociologist, I specialise in the design and implementation of uniquely effective human risk reduction solutions.


This is not just 'security awareness training', although this is, of course, another service I offer.


In my experience, securing a business always starts with identifying behavioural and decision-making tendencies that present the greatest risks, and then taking targeted steps to achieve change.


The dominant assumption in the security industry is, tragically, that people are just 'the weakest link', and are an immovable problem around which security solutions must be deployed. I take pride in having established a reputation for demonstrating that these assumptions are false with my proven ability to effect behavioural changes that increase security and business throughput at the same time.


I leverage behavioural science and an array of techniques and tools to cultivate motivation to engage in cyber secure behaviours that transform your employees into your most valuable layer of defence against cyber threat actors.


As a specialist in Human-Centric Cybersecurity (HCCS), I relish every opportunity to discuss the topic - if you would like to explore how a human risk reduction program can benefit your business, or even if you just want to talk about human risk, don't hesitate to contact me.

Governance, Risk & Compliance

Whether it's just to meet a compliance obligation or because your staff are making up the rules as they go at your expense, I can help you get some structure in place (and yes, I can and will write your policies, procedures, registers etc. for you).


Some, but not all, of the artefacts that I can help you to develop, or create from scratch, include:


  • Cybersecurity Policies.
  • Incident Response Plans (IRPs).
  • Business Continuity Plans (BCPs).
  • Disaster Recovery Plans (DRPs).
  • Bring Your Own Device (BYOD) Policies.
  • Acceptable Use Policies (AUPs).
  • Artificial Intelligence (AI) Acceptable Use Policies (AUPs). 
  • Information Security Policies.
  • Information Asset Registers.
  • IT Asset Registers.
  • Risk Registers.
  • Third Party Risk Management (TPRM) policies.
  • Documentation relevant to DISP certification.


There is a near infinite list of policies, standards, regulations, compliance requirements and corresponding security and governance frameworks. With that in mind, if the exact GRC item you are looking for is not listed here, please either contact me directly or send me a message via the contact page - chances are that, whatever it might be, it is something I can help you with.


For those who have been accosted with demands to become compliant with (or meet maturity levels corresponding to) specific cyber or information security frameworks, some (but not all) of the frameworks and standards with which I have experience include:


  • APRA CPS 230 & CPS 234
  • NIST 2.0
  • ACSC/ASD Essential 8
  • ISO/IEC 27001
  • ISM
  • PSPF
  • DSPF

Endpoint Security

In my experience with security software configuration, installation and management, I often find that small businesses will already have important cyber security solutions in their possession that have yet to be properly or fully deployed.


Similarly, other organisations might have Endpoint Detection and Response (EDR) solutions already configured and installed, but have been left to work out how to use those tools themselves, perhaps armed with a manual that requires one to have a computer science degree before it will become intelligible.


Whatever the case, I offer:


  • Firewall configuration.
  • Data encryption.
  • Patch management.
  • System security configuration.
  • Antivirus & Antimalware installation and configuration.
  • Installation of EDR solutions.
  • Configuration of EDR solutions.
  • Support and Guidance in the use of EDR solutions.
  • Creation of custom instructional guides for using EDR solutions.


My focus is always to work with what you have, but if there are any domains where I find that there is a need for something new, it's in the EDR department. I am not a vendor, but I do know what kinds of solutions are available on the market, and better still, I know how to access enterprise-grade EDR solutions for outrageously low prices.


If you would like to learn more, contact me, and we will organise a time to talk.

Physical Security

This is an area of cybersecurity of unique importance to small businesses that is also often overlooked.


Whether it's through the use of deception (i.e., social engineering tactics), technical tricks of the trade (e.g., portable multi-purpose access control subversion devices such as the "Flipper Zero"), or plain old brute force (you do have a security alarm, CCTV and an appropriate data retention system in place, right?), it is imperative to the safety and wellbeing of you, your staff and the security of your data that you have a robust mix of security controls that serve to prevent, deter, delay and recover in the event of a cyber incident.


It's not just locks and cameras either...


When I talk about 'physical security', I employ 'adversarial thinking' to quickly find where and how a would-be threat actor would (or could) gain access to your business to wreak havoc, compromise your systems for future malicious activities, steal valuable data (e.g., account records, PII, IP, financial information etc.), or worse...


The same as it is across all areas of cybersecurity, there are usually a handful of simple actions that you can take that will shift a threat actor's cost-benefit calculus back in your favour.


This is a complex topic that is highly specific to the context of your business, but even with a 5-minute conversation, I should be able to get you started.

Network Security

Directly or in dialogue with my network of SMEs, I am able to offer an exceptionally broad range of immediate, short and mid to long-term risk reduction solutions/initiatives to do whatever is needed to protect your network and keep your data secure.


With my focus on implementing practical and resource efficient controls and initiatives, I typically focus on:


  • Mitigating common hardware and software vulnerabilities associated with weaknesses in your network infrastructure (when did you last check if there were updates available for your router?).
  • Network hardening through implementation of access controls, configuration of firewalls, network scanning etc.
  • Implementation of password management strategies and Multi-Factor Authentication (MFA).


There are countless network security-related issues, risks and vulnerabilities encountered by small businesses every day, of which only a handful are listed here. If you have concerns, I want to hear them, and I urge you to contact me at your next opportunity.

Security Awareness and Training

With extensive experience delivering security awareness programs and training as a university lecturer as well as through years of consulting, I am an accomplished security educator. More importantly, I know what works, and even more importantly, I know what does not work.


I offer a very broad range of solutions and strategies, all of which are accessible, have a high rate of retention and comprehension, and are tailored to the context of your business.


I have a personal issue with large providers of 'security awareness training', primarily because they typically force businesses into subscribing for content that is, at the end of the day, just another knowledge transfer and assessment exercise designed to tick a box for an inflated price. 


All those videos, 'interactive' modules and the rest of what's displayed on the websites of capability purveyors have a success rate of <15%. I can and will help you and your business save money in this area, and where necessary, support you in your negotiations with existing providers. 


Although I offer my own tailor-made security awareness training programs that I can deliver through seminars, workshops, presentations etc., I am also proud to share that I have found and partnered with a single provider of software that is affordable and of a standard worthy of the name 'security training'. Again, I am not a vendor, but if you ask me where to get the best quality and value, it's going to be the same answer every time. 


Sound interesting? Contact me and we can discuss further.

MSP, Vendor & Service Provider Support

My experiences working with Managed Service Providers (MSPs), software vendors and other service providers have shown me two things:


1. Products and services are built to a cost, not to a standard.


2. If given the chance, every MSP, vendor or service provider will try to exploit their customer.


This might sound harsh, but in fairness to the service providers, they are just trying to make a profit, and are probably no more mercenary than any other business vertical.


In any case, I have encountered so many challenges faced by my clients that have to do with obstacles presented by third parties that I have learned to go into an engagement with the assumption that I will be doing battle with at least one vendor/provider. 


To that end, I offer support with:


  • Contract negotiation.
  • Ensuring provider service agreements are met.
  • Strategy and preparation for renewal and other high-pressure meetings.
  • Serving as a representative or advisor on behalf of the client, up to and including participating in or communicating on behalf of the client with the provider.


Providers like to mystify and obfuscate cybersecurity, and it just so happens that technical translation is one of my strongest skills. 


Don't let your providers get in the way of your business' security - contact me today so we can make sure you are getting what you paid for.



Consulting and Advisory Services

Cyber and Information Security are very broad disciplines/industries, and it is just not practical for me to list every service and capability I have to offer.


Instead, the preceding summaries are what I have found to be some of the most "popular" areas of cyber and information security for which my services have been sought.


So, I wish to emphasise here that if you are unsure how your business needs fit into the categories listed here, and especially if unsure where and if your business has a need for security services at all, then I ask that you consider contacting me so that we can, at no cost to you, see if and how I can support you and your business.


Additionally, I would be remiss if I did not also mention that I do offer conventional security consulting services (albeit at a much more affordable rate), and when engaged as such, I view myself as part of a partnership based on mutual trust and a shared objective (i.e., meeting your security needs as quickly as possible using as few resources as possible). I have found such engagements rewarding personally, and my clients have found my flexible (and fair) ad-hoc supply of advisory services to be very much aligned to the needs of small businesses.


Ph: 0400 031 463 | E: Patrick@scolyer-gray.com

Copyright © 2025 Scolyer-Gray Consulting Services - All Rights Reserved.
