Strategy · Service 06

Security Consulting

Senior advice without senior consultancy fees. Risk assessments, architecture reviews, incident response planning, and strategic security leadership on demand.

What this is

Most UK businesses don't need a full-time security team. They need the right advice at the right time.

Security consulting covers the work that doesn't fit neatly into a penetration test or a certification. The architecture decision being made under time pressure. The board presentation that needs to convey risk clearly without drowning in technical detail. The acquisition that's two weeks from completion and nobody has looked at the target's security posture.

Engagements range from a single day spent on a specific question, to ongoing fractional security leadership where we sit alongside your leadership team and represent security as a discipline across the business. All of it delivered at the senior level: the person you talk to is the person who does the work.

Engagements

What we help with.

01

Risk and gap assessments

Where are you actually exposed, and what should you fix first? We produce ranked, business-aware risk assessments that reflect your specific environment and obligations. Useful for boards, insurers, investors, and your own planning. Not generic checklists.

Business-aware risk rankingBoard-ready reportingInsurer and investor ready
02

Security architecture

Designing or reviewing the security dimension of your technical stack. Identity architecture, network segmentation, secrets management, data flow controls. Particularly relevant during cloud migrations, scale-up phases, or post-acquisition integration where security needs to be built in rather than bolted on.

Cloud migration securityIdentity architecturePost-acquisition integration
03

Compliance strategy

ISO 27001, SOC 2, the General Data Protection Regulation, sector-specific requirements including Financial Conduct Authority obligations, NHS Data Security and Protection Toolkit, and Ministry of Defence supply chain standards. We help you decide what's actually worth pursuing, in what order, and build a realistic programme to get there. For ISO 27001 specifically, see our dedicated ISO 27001 consultancy.

ISO 27001 programmeSector-specific requirementsRoadmap development
04

Incident response readiness

You don't want to be writing your incident response plan during an incident. We build runbooks for the most likely scenarios, run tabletop exercises to test them, and help you establish the relationships you'll need before anything goes wrong: legal, digital forensics, cyber insurance, and regulators.

Runbooks for likely scenariosTabletop exercisesPre-incident relationships
05

Mergers and acquisitions due diligence

Buying a business means inheriting its security posture, its exposure, its undisclosed incidents, and its remediation cost. We assess the cyber risk you're actually taking on before completion. Selling? We help you present a clean picture, identify what needs addressing before data rooms open, and pre-empt the questions that typically surface during due diligence.

Buyer-side risk assessmentVendor-side preparationPre-completion remediation
06

Fractional security leadership

For organisations that need senior security leadership but can't justify a full-time hire. We join leadership calls, lead board-level security reporting, manage the security programme, and represent you to clients, regulators, and prospective investors. Typically one to four days per month on a retainer basis. This is now a dedicated service: fractional CISO and Information Security Manager.

Board-level reportingProgramme managementRegulatory representation
How engagements work

Three ways to work together.

i

Day-rate

For specific pieces of work with a clear scope. Architecture review, board presentation preparation, pre-acquisition assessment. Fixed scope, fixed price.

ii

Fixed-price packages

Defined deliverables: gap analysis, architecture review, incident response plan. Scoped, priced, delivered. No hourly billing or scope creep.

iii

Retained advisory

Ongoing access to senior security input. Typically one to four days per month. Available for questions, reviews, leadership calls, and emerging issues without a new engagement each time.

Is this right for you?

When to consider security consulting.

Security consulting tends to come up at inflection points: when something has changed in the business, when something is about to change, or when something has gone wrong.

Common triggers

  • Your board is asking security questions you cannot confidently answer
  • You are entering a regulated market or a new geography
  • You have outgrown your existing setup and security was not built in from the start
  • You are preparing for due diligence: fundraising, exiting, or certifying
  • Something has gone wrong or nearly has, and you want to understand why and what to change
  • You need security leadership but a full-time hire is not the right answer yet