When “someone’s job” stops working
For the first few years, it was obvious whose job everything was. Sarah handled customer onboarding. James owned infrastructure. When […]
Growing up without losing your mind
Most growing organisations don’t fail because they’re reckless. They fail because the ways of working that once felt sensible quietly
People don’t ignore policy. They optimise around it.
This isn’t a training problem. It’s a design problem. When someone bypasses a security control, the instinct is to assume
Attendance is not competence
Your training dashboard shows 96% completion. Your audit report notes that mandatory security training is complete for the year. Your
Why annual training is security theatre
Every November, it arrives. The email. The reminder. The twelve-month countdown has expired, and it’s time once again to complete
Awareness doesn’t reduce risk – Behaviour does.
Most security failures aren’t caused by missing controls. They’re caused by ordinary people making understandable decisions under pressure. This isn’t
Good-enough supplier assurance for SMEs
Most guidance on supplier risk management was written for enterprises with procurement teams, dedicated vendor risk managers, and budgets for
A supplier’s certificate doesn’t protect you
Your supplier sends their ISO 27001 certificate. Professionally formatted, issued by an accredited body, clearly showing they’ve been assessed against
Why supplier questionnaires collapse under growth
Supplier questionnaires start with good intentions. Someone realises you should probably check the security of platforms handling your customer data.
You Don’t Outsource Risk – You Inherit It
Every SME uses suppliers. Most use dozens. Hosting, email, payment processing, CRM, accounting, HR systems. The list grows every quarter.