InfoSec & IT Risk Consulting

The Security Partner
Your Board Can Trust.

Independent security advisory & project lead services for boards and executives in financial services, SaaS, and regulated industries. From operational resilience and DORA compliance to AI governance.

Security Strategy & Leadership
Fractional CISOs
Security Project Leads
IT Risk Management
AI Risk Management
Technical Project Management
DORA & NIS2 remediation
ISO27001 · SOC2 · ISAE3000 Certification
Scroll

Our Clients

Top Tier BanksBanking · Investment · FinTech
Fast Moving Consumer GoodsFMCG · Manufacturing · Retail
Financial ServicesBanking · Insurance · Investing · FinTech
SaaS & Cloud vendorsB2B Platforms · Digital Products · Real Estate
Blockchain platformsCrypto · Web3 · NFT · Gaming · Music · Film
Global EnterprisesFMCG · Manufacturing · Retail
Regulated FinanceDNB · AFM · Regulated Brokers
Tech StartupsFinTech · ESG · Real Estate
Top Tier BanksBanking · Investment · FinTech
Fast Moving Consumer GoodsFMCG · Manufacturing · Retail
Financial ServicesBanking · Insurance · Investing · FinTech
SaaS & Cloud vendorsB2B Platforms · Digital Products · Real Estate
Blockchain platformsCrypto · Web3 · NFT · Gaming · Music · Film
Global EnterprisesFMCG · Manufacturing · Retail
Regulated FinanceDNB · AFM · Regulated Brokers
Tech StartupsFinTech · ESG · Real Estate
What We Do

Services Built for Organisations That Take Security Seriously

End-to-end cybersecurity consulting; from strategy to certification.

Our approach: strategy before tools.

Board-Level Advisory

Your Board Speaks Security Fluently

Fractional CISO and executive advisory that translates cyber risk into board decisions and accountable governance.

Fractional CISOBoard ReportingRisk Governance

Security Strategy

A Roadmap That Survives the Boardroom

Multi-year security vision and roadmap built around your business objectives, not a generic framework.

Multi-Year RoadmapPrioritisedSecurity Initiatives

DORA & Regulatory Compliance

DORA-Ready Before Your Regulator Arrives

End-to-end DORA readiness: gap analysis, control maturity, remediation programme, and board reporting in the Dutch financial sector.

DORA Gap AnalysisBoard ReportingDNB Good Practice InfoSec

AI Governance & Strategy

AI That's Governed Before It's Deployed

AI risk frameworks, AI register, and a acceptable-use policy, built before regulators define them for you.

AI Policy DesignAI RegisterAI Risk Assessment

ISO 27001 · SOC 2 · ISAE 3000

Certified. Verified. Defensible.

Guided certification support from gap assessment through audit, including concurrent multi-standard programmes.

Gap to CertificationISMS improvementsAudit-Ready

GRC & Risk Governance

Governance That Holds Under Audit

Control frameworks and policy architecture built on ISO 27001, NIST CSF or DNB Good Practice; designed to hold under audit.

ISO 27001NIST CSFPolicy Architecture
Who We Are

Not a framework vendor.
A practitioner who stays.

NovaSec is the independent practice of senior cybersecurity executives with decades of experience in IT and CISO leadership across financial services, FMCG, SaaS and regulated enterprise environments. An Industrial Engineering background means security programmes are designed like systems: measurable, sustainable, and independent of ongoing external support.

How We Work

01

Diagnose

Current state assessment: control maturity, regulatory obligations, architecture, governance, and gap analysis against ISO 27001, NIST, or DNB Good Practice.

02

Design

Target state and security strategy: target operating model, governance framework, KPIs, and multi-year roadmap aligned to business objectives.

03

Prioritize

Risk-weighted improvement backlog: quick wins separated from structural investments, with executive alignment and a defensible business case.

04

Deliver

Transformation execution: leading security projects, coordinating stakeholders, managing dependencies, and driving change across IT and the business.

05

Assure

Control effectiveness testing, independent risk opinion from the Second Line, and board-level reporting to close the loop and sustain compliance.

0+
Years IT Experience
Software Development · Cloud · IT Risk Management · Agile Coaching
0+
Years Cybersecurity Leadership
Enterprise · Small/Medium Size Businesses · Scale Ups · Start Ups
0
Industries
Banking · FMCG · Finance · Real Estate · SaaS · Crypto · Web3
0+
Security Assessments
Suppliers · Software · Cloud · Physical · Mobile Apps · IoT

Effective security isn't about technology; it's about enabling your business objectives while protecting what matters most.

Client Outcomes

Engagements That Delivered Measurable Results

Real outcomes from our engagements across sectors and company sizes.

SaaS; ISO 27001; ISAE 3000; SOC 2

ISO 27001, ISAE 3000 & SOC 2; first attempt, zero major non-conformities

Greenfield ISMS to Triple Certification

Designed and implemented an ISO 27001-compliant ISMS from scratch, including continuous and automated control monitoring. Led the organisation through successful external audits for ISO 27001, ISAE 3000, and SOC 2 simultaneously; managing external auditors and all internal stakeholders end-to-end. Also directed the AI governance programme, including AI risk assessment framework and technology register.

Series A SaaS Platform, Netherlands

Financial Services; DORA

DORA remediation program achieved measurable DORA compliant control performance

DORA-Ready just before the Regulatory Deadline

Led the Information Security function as Second Line of Defence at a regulated Dutch investment broker. Performed a DNB Good Practice gap analysis, defined the information security strategy, and directed the DORA remediation programme across multiple concurrent security projects. Delivered bi-weekly risk sessions with CTO and CFRO, and monthly board-level security reporting.

Regulated Investment Broker, Netherlands

Crypto & Web3; Application Security

Certik Score 95.18%; ranked #1 most secure altcoin, behind only BTC & ETH

World's Most Secure Altcoin by Certik Score

Created a Web3 cybersecurity strategy with board approval and built a global remote security team focused on product and application security. Launched a $1M bug bounty programme and implemented security measures across the platform that achieved a Certik Security Score of 95.18%; at the time the world's highest-scoring altcoin.

Global Web3 Entertainment Platform

FMCG; Policy House Renewal

ISMS migrated to NIST; Full policy house renewed in 12 months

Security Strategy Across 160+ Operating Companies

Co-defined a global information security strategy with the CISO, aligned with senior stakeholders across business and IT. Led enterprise security programmes spanning cloud, application security, and GRC. Converted the ISMS from ISO 27001 to NIST Cybersecurity Framework, renewed the entire policy house within one year, and conducted 300+ security assessments across all operating companies worldwide.

Fortune 500 FMCG Enterprise, Global

Banking; Third-Party Risk Assessments

300+ security assessments; introducing a new global Third-Party risk assessment methodology

Security Strategy Across 160+ Operating Companies

Co-defined a global information security strategy with the CISO, aligned with senior stakeholders across business and IT. Led enterprise security programmes spanning cloud, application security, and GRC. Converted the ISMS from ISO 27001 to NIST Cybersecurity Framework, renewed the entire policy house within one year, and conducted 300+ security assessments across all operating companies worldwide.

Fortune 500 FMCG Enterprise, Global

Insights

Perspectives From the Engagement Front

Practical thinking on security strategy, governance, and board oversight.

Security Strategy6 min read

Why Your ISO 27001 Certificate Is Not a Security Programme

Certification proves a documented management system exists. It says nothing about whether that system is actually protecting the organisation. Here is how to close the gap between audit readiness and operational resilience.

Read Article
Board Advisory5 min read

The Questions Your Board Should Be Asking the CISO; But Isn't

Most boards receive security updates without the context to challenge them. We outline the five questions that shift board oversight from passive acknowledgement to active governance.

Read Article
Regulatory Compliance7 min read

DORA Is Not an IT Problem. It's an Operation Risk Problem.

The Digital Operational Resilience Act places direct accountability on senior management; not IT departments. Understanding what DORA requires from your governance structure, ICT risk framework, and incident reporting before your regulator does is the only defensible position.

Read Article
Start the Conversation

Every serious security programme begins with an honest conversation.

Tell us about your security challenges in a confidential setting. We'll respond with a direct answer, not a sales pitch.

We use Resend to process contact form submissions. No tracking cookies are set. Privacy Statement