The customer is responsible for all of the IT and cyber security strategy within their scale-up organisation. Within the constraints of budget they need to make the best possible decisions due to limited resource, and because some of the choices made at this stage will be foundational to the future of their company.

Act as an “external security brain”, as the customer has no peers with requivalent IT and/or cyber security knowledge within their organisation. While groups of equivalent staff exist, they are too informal for timely and directed advice.

While the customer is very familiar with the cloud-based technology landscape they use, it is a very volatile landscape, meaning that “best practice” is not established, and a less proscriptive approach to solution choices is required.

Act as an adversarial analyst, either confirming that they’ve made the best choices currently available, or highlighting previously unseen risks introduced by their decsions.

Help the customer resolve differences between their modern and forward-thinking approach, and the strict compliance regimes they operate under. The compliance regimes are usually updated at a slower pace than technological advances, requiring additional effect with auditors and due dilligence questionnaires.

Be available for consultation of varying lengths, from two days to one hour, at relatively short notice.

Deal with new products and solutions, and the integration of them, repeatedly. This requires working together to understand new services, and being unafraid to declare a lack of knowledge, or learn on the fly.

Provide industry insight into what solutions match their marketing, and how others have fared with the solutions this customer is considering.

The customer is more confident in their current decision making process, and their use of staff and budget. This enables them to move on from previous decisions.

The customer has not sought to recruit “unicorn” security staff, with the complete combination of skills they require, as those staff justifiably have salary demands to match their rarity, and introduce additional key person risk to the company. Instead they are making forward thinking decisions based on available resources, and with expectations of what they can automate in the short and medium term, and have additional budget for their technology stack.

There is no final result, this work is ongoing.

• cyber security