The Security Partner
Your Board Can Trust.
Independent security advisory & project lead services for boards and executives in financial services, SaaS, and regulated industries. From operational resilience and DORA compliance to AI governance.
Our Clients
Services Built for Organisations
That Take Security Seriously
End-to-end cybersecurity consulting; from strategy to certification.
Our approach: strategy before tools.
Board-Level Advisory
Your Board Speaks Security Fluently
Fractional CISO and executive advisory that translates cyber risk into board decisions and accountable governance.
Security Strategy
A Roadmap That Survives the Boardroom
Multi-year security vision and roadmap built around your business objectives, not a generic framework.
DORA & Regulatory Compliance
DORA-Ready Before Your Regulator Arrives
End-to-end DORA readiness: gap analysis, control maturity, remediation programme, and board reporting in the Dutch financial sector.
AI Governance & Strategy
AI That's Governed Before It's Deployed
AI risk frameworks, AI register, and a acceptable-use policy, built before regulators define them for you.
ISO 27001 · SOC 2 · ISAE 3000
Certified. Verified. Defensible.
Guided certification support from gap assessment through audit, including concurrent multi-standard programmes.
GRC & Risk Governance
Governance That Holds Under Audit
Control frameworks and policy architecture built on ISO 27001, NIST CSF or DNB Good Practice; designed to hold under audit.
Not a framework vendor.
A practitioner who stays.
NovaSec is the independent practice of senior cybersecurity executives with decades of experience in IT and CISO leadership across financial services, FMCG, SaaS and regulated enterprise environments. An Industrial Engineering background means security programmes are designed like systems: measurable, sustainable, and independent of ongoing external support.
How We Work
Diagnose
Current state assessment: control maturity, regulatory obligations, architecture, governance, and gap analysis against ISO 27001, NIST, or DNB Good Practice.
Design
Target state and security strategy: target operating model, governance framework, KPIs, and multi-year roadmap aligned to business objectives.
Prioritize
Risk-weighted improvement backlog: quick wins separated from structural investments, with executive alignment and a defensible business case.
Deliver
Transformation execution: leading security projects, coordinating stakeholders, managing dependencies, and driving change across IT and the business.
Assure
Control effectiveness testing, independent risk opinion from the Second Line, and board-level reporting to close the loop and sustain compliance.
Effective security isn't about technology; it's about enabling your business objectives while protecting what matters most.
Engagements That Delivered
Measurable Results
Real outcomes from our engagements across sectors and company sizes.
SaaS; ISO 27001; ISAE 3000; SOC 2
ISO 27001, ISAE 3000 & SOC 2; first attempt, zero major non-conformities
Greenfield ISMS to Triple Certification
Designed and implemented an ISO 27001-compliant ISMS from scratch, including continuous and automated control monitoring. Led the organisation through successful external audits for ISO 27001, ISAE 3000, and SOC 2 simultaneously; managing external auditors and all internal stakeholders end-to-end. Also directed the AI governance programme, including AI risk assessment framework and technology register.
Series A SaaS Platform, Netherlands
Financial Services; DORA
DORA remediation program achieved measurable DORA compliant control performance
DORA-Ready just before the Regulatory Deadline
Led the Information Security function as Second Line of Defence at a regulated Dutch investment broker. Performed a DNB Good Practice gap analysis, defined the information security strategy, and directed the DORA remediation programme across multiple concurrent security projects. Delivered bi-weekly risk sessions with CTO and CFRO, and monthly board-level security reporting.
Regulated Investment Broker, Netherlands
Crypto & Web3; Application Security
Certik Score 95.18%; ranked #1 most secure altcoin, behind only BTC & ETH
World's Most Secure Altcoin by Certik Score
Created a Web3 cybersecurity strategy with board approval and built a global remote security team focused on product and application security. Launched a $1M bug bounty programme and implemented security measures across the platform that achieved a Certik Security Score of 95.18%; at the time the world's highest-scoring altcoin.
Global Web3 Entertainment Platform
FMCG; Policy House Renewal
ISMS migrated to NIST; Full policy house renewed in 12 months
Security Strategy Across 160+ Operating Companies
Co-defined a global information security strategy with the CISO, aligned with senior stakeholders across business and IT. Led enterprise security programmes spanning cloud, application security, and GRC. Converted the ISMS from ISO 27001 to NIST Cybersecurity Framework, renewed the entire policy house within one year, and conducted 300+ security assessments across all operating companies worldwide.
Fortune 500 FMCG Enterprise, Global
Banking; Third-Party Risk Assessments
300+ security assessments; introducing a new global Third-Party risk assessment methodology
Security Strategy Across 160+ Operating Companies
Co-defined a global information security strategy with the CISO, aligned with senior stakeholders across business and IT. Led enterprise security programmes spanning cloud, application security, and GRC. Converted the ISMS from ISO 27001 to NIST Cybersecurity Framework, renewed the entire policy house within one year, and conducted 300+ security assessments across all operating companies worldwide.
Fortune 500 FMCG Enterprise, Global
Perspectives From
the Engagement Front
Practical thinking on security strategy, governance, and board oversight.
Why Your ISO 27001 Certificate Is Not a Security Programme
Certification proves a documented management system exists. It says nothing about whether that system is actually protecting the organisation. Here is how to close the gap between audit readiness and operational resilience.
Read ArticleThe Questions Your Board Should Be Asking the CISO; But Isn't
Most boards receive security updates without the context to challenge them. We outline the five questions that shift board oversight from passive acknowledgement to active governance.
Read ArticleDORA Is Not an IT Problem. It's an Operation Risk Problem.
The Digital Operational Resilience Act places direct accountability on senior management; not IT departments. Understanding what DORA requires from your governance structure, ICT risk framework, and incident reporting before your regulator does is the only defensible position.
Read ArticleEvery serious security programme begins with an honest conversation.
Tell us about your security challenges in a confidential setting. We'll respond with a direct answer, not a sales pitch.