The organisation has invested in security tools and can point to a policy document, but nobody at board level can answer what the actual exposure is, what it would cost if realised, or which of it has been consciously accepted rather than simply not noticed. Or a board is being asked to sign off on spend it cannot independently assess.
An assessment of risk posture against actual exposure, not against a generic framework. Reviewing where controls are proportionate, where they are theatre, and where a real gap sits unaddressed. Translating technical risk into terms a board can weigh against other priorities — because a risk nobody at that level understands is a risk nobody is actually managing.
A written risk posture assessment stating what is exposed, what it would cost, and what is currently being accepted rather than managed. A prioritised set of recommendations sized to actual impact, not vendor enthusiasm. Board-ready reporting that survives being asked a direct question.
Security spend gets justified against real exposure rather than fear or fashion. The board can state, in its own words, what risk it is carrying and why.
Former CISO, Capita Consulting. Security strategy experience across government, justice, and financial services. Thirty-seven years in technology across 20+ sectors, from computer operator to Group CTO.
Ready to start a conversation?
Most engagements begin with a single conversation. No obligation — the right fit matters more than the right brochure.