Clear, practical cybersecurity advice for New Zealand organisations
Independent advice from an experienced professional, not a product pitch from a large consultancy.
20+ years' experience. CISSP (Information Security), CCSP (Cloud Security), CIPP/E (Privacy Professional).
What we do
We work with organisations of all sizes - from five-person companies to government departments - and scale our approach to match. We help you understand where you stand, what needs attention, and what to do about it.
Security Reviews
We assess your organisation's cybersecurity risk, taking into account the regulations and obligations that apply to your sector. We look at how your data is protected, how access is managed, whether your systems are configured securely, and what would happen if something went wrong. A typical review takes four weeks. You receive a detailed report with prioritised findings, all written in plain language for senior management and boards.
vCISO Advisory
Ongoing security leadership without the cost of a full-time hire. Engagements typically range from four hours a month for smaller organisations to sixteen for larger or more complex environments. We ask the right questions of your IT provider, report to your board, and make sure the recommendations from your security review are followed through.
Governance and Compliance
Policy development, risk registers, data governance, and compliance alignment. We help you meet your obligations under the Privacy Act 2020 and sector-specific frameworks such as the Health Information Privacy Code, and RBNZ and FMA requirements, in language your team understands.
Start with a clear picture, then decide what comes next
The review identifies where you stand. Many clients then move to a vCISO engagement to make sure those recommendations are followed through - but a review on its own gives you everything you need to take action.
Start here: Security Review
Ongoing: vCISO Advisory
Supporting Services
Security Awareness Training
Seven interactive online lessons covering phishing, fraud, passwords, web security, privacy, and more. The course takes under an hour, works on any device, and staff can complete it at their own pace. Managers get a portal to track progress, and new staff can complete it as part of their induction.
External Vulnerability Scanning
Regular scanning of your external-facing systems to identify misconfigurations and missing patches before attackers find them.
Incident Response Planning
An incident response plan and tabletop exercises so your organisation knows exactly what to do when an incident occurs.
We work alongside your IT provider, not instead of them
Your IT team keeps things running. But traditional IT security focuses on firewalls and antivirus, while criminals target your business assets: documents, email, and processes like payment instructions. We make sure the right questions are being asked and the right controls are in place to protect what actually matters.
Understand
We speak with your management, staff, and IT provider to build a complete picture of your environment, operations, and the risks that matter to your organisation.
Assess
Our standard methodology covers the areas that matter most - policies, governance, third party risk, privacy, data management, and how your systems are configured and protected. We conduct external vulnerability scans and identify the gaps that present real risk. Where needed, we can also assess against frameworks such as CIS Controls v8 and NIST CSF 2.0.
Report
You receive a clear report with prioritised findings written in plain language. Every recommendation is practical, actionable, and written for senior management and boards.
Support
Many clients choose to work with us on an ongoing basis as their vCISO, so the findings are followed through and security improves over time. We report progress to your board along the way.
We work across sectors, but the approach is the same
Most of our clients do not have dedicated security staff - and that is exactly why they work with us. We understand your environment, assess what matters, and give you a clear picture of where you stand. Whether you hold patient records or client funds, the fundamentals do not change.
About Simon Thomas
I founded Secure Strategy to give New Zealand organisations access to experienced cybersecurity advice without the cost or complexity of a large consultancy. With over twenty years in the industry, I have worked with organisations across government, health, banking, legal, retail, and technology - from multinationals to small practices.
My approach is pragmatic. I do not sell hardware or software, so the advice I give you is solely for your benefit. Every finding I raise comes with a clear explanation of why it matters and a specific recommendation you can act on. I write reports for boards and senior managers, not for IT departments.
I work alongside your IT provider - not against them - to make sure the right questions are being asked and the right controls are in place. When something needs to be explained to a board, I translate the technical detail into plain language that supports good decision-making.
I spend most of my time in boardrooms and management meetings, not server rooms. The people I work with need to make good decisions about cyber risk, and my job is to give them the information to do that.
Certifications
CISSP
Certified Information Systems Security Professional
CCSP
Certified Cloud Security Professional
CIPP/E
Certified Information Privacy Professional - Europe (GDPR)
Frameworks & Legislation
Let's talk
A first conversation is straightforward. We cover where your organisation is today, what concerns you, and what a sensible next step looks like. No obligation, no hard sell.