top of page
White Background

Information Security Governance and Strategy Details

Security Team
Service Details
Embedded Security

1- Strategic planning and direction for technologies

We provide advice on upcoming technologies and terminologies as well as actively working with the client to ensure that strategic planning is linked to business objectives and those are inevitably successful so long as the technology choices are appropriate.

The security program for the organisation will help to drive some of the requirements and characteristics required in new tools or an uplift in existing tools. By understanding the fundamentals of the organisation's risk management practice and by having a firm grip on their policies we are able to write those up in terms of technical requirements to the business.

Cybersecurity Strategy
Cybersecurity Architecture

2- Security architecture patterns and design

We offer a comprehensive security architecture review of any solution ranging from high-level design advice to low level consultation on the components that makeup the overall scope. By matching enterprise patterns and requirements on security and privacy we can determine control gaps and uplift in security capabilities. An information security architecture review is essential and an integral part of the process of delivery. This provides structure and assurance that the design and implementation align to the agency's mission and strategic objectives.



Understand the risk appetite and key risks in your organisation

This will enrich each organisations process of identifying, analysing, evaluating and addressing the cyber threats and goals for the organisation. When we are talking to the business and service owners we ensure that we use business language and refrain from technical jargon as it dilutes the conversation and detracts from a coherent and comprehensive conversation.



Unify, standardise and collate risks across your organisation into one place



Create a sustainable process that your organisation can easily use



Weave risk management into key decisions and funding


3- Developing information security programs

When defining an information security program we ensure that it:

  • Establishes a baseline and point in time for the organisation to work against;

  • Is able to be measured and reported on continuously

  • Has senior stakeholder buy-in otherwise it is doomed to fail

  • Works with the business and not against it by tying it back into the strategic security objectives of the organisation

  • Is actionable in that the program is right for the organisation based on where their levels of maturity are currently sitting

  • Is aligned to the risk management and/or control framework being used by the organisation. If there is not one being used we will suggest one suitable for the enterprise

Cybersecurity program planning

We can enable and structure "Guard Rails" for your organisation to move fast in cloud environments. This combined with inherent knowledge of Well architected frameworks will have you running compliant evergreen workloads in weeks

4- Developing policy and governance


The policies that we create for our customers or our suggestions to improve policies, are around good practice that is achievable by the organisation in a reasonable amount of time with the possibility to demonstrate good progress as they conform towards the end goal. Policies are supplemented by standards, procedures and guidelines where necessary being mindful of the clients definitions of these and how they are currently consumed, formatted and styled. Risk management frameworks and appetites are considered as well as possible implications for when to decide not to implement a control Our approach ensures:

  • clear lines of accountability are defined

  • sound planning is in place

  • investigation and response practices are known and appropriate

  • assurance and review processes are developed and implemented

  • proportionate reporting is in place

Cybersecurity governance planning

This process then enables you as an organisation to effectively create meaningful commercial conversations in regards to security state. Understand who is the biggest supplier risk to your business and where to take steps to remediate this

5- Threat informed defence capabilities


We have specialists that have pioneered the usage of a new methodology of “Threat informed defence” from MITRE in New Zealand to augment your compliance, strategy, vulnerability and detection capabilities. This capability enables your security team to prioritise strategic decisions and proactively protect against changing threats.

We currently offer the following services:


Adversary Profiling

We will develop an adversary profile, that will provide, overview, TTPs, Detection rules, attack examples and IOCs

Threat informed defence NZ

Alternatively we can review training material and programs for adequacy with respect to business requirements and their impact on necessary knowledge, skills and ability.


Industry Threat Actor breakdown

Context collection on your organisation/industry that will orientate, OSINT, dark web and threat intelligence collection to build a catalog of threat actors. this will include the TTPs, Detection rules, attack examples and IOCs


Technology threat actor breakdown

Build the technology profile you are concerned for and using OSINT, dark web and threat intelligence to provide relevant threat actors, TTPs, Detection rules, attack examples and IOCs


Threat TTP detection pack

For core threat types like Ransomware, we can create comprehensive, TTP, detection rules, attack examples, IOCs and strategic approaches to protect,detect and prevent threats.


Threat based MITRE Att&ck assessments

Provide an in depth control effectiveness measurement assessments against key threats. Giving you quantifiable processes of understanding your susceptibility to key threats. We will also provide “choke point” analysis to recommend the core controls/detections required for identified threat actors in your organisation


6- vCISO

We sit on the outside of the day-to-day operations and provide sage advice to our clients on the more strategic elements of their information security. In this role we drive the creation and implementation of security programs, ours or otherwise, as well as other important aspects of the risk landscape such as the development of architecture and policy. The role will also embed as the likely certification authority for risk assessments.

bottom of page