Relatable Security https://relatablesecurity.com Tailored, human-centered security that speaks your language. Wed, 18 Feb 2026 12:39:10 +0000

A Framework for Safe No-Code Development https://relatablesecurity.com/a-framework-for-safe-no-code-development/ Wed, 18 Feb 2026 12:08:34 +0000

AI-powered no-code platforms offer remarkable capabilities – non-technical users can now build sophisticated applications in hours rather than weeks. But with that power comes risk, as discussed in our related article. Without proper oversight, these platforms can produce applications that are insecure, non-compliant, or simply not fit for purpose.

This framework provides practical steps for organisations that want to harness the benefits of no-code development while managing the associated risks. It’s designed to add appropriate oversight without destroying the speed and accessibility that makes these platforms valuable in the first place.


Start with due diligence on the platform itself

Before you build anything, you need to understand what you’re signing up for. Read the terms and conditions – yes, actually read them. What can the platform do with your data? Can you opt out of having your inputs used for training their models? Where is your data stored, and does that meet your compliance requirements? For many organisations, discovering that their commercial data is stored in a jurisdiction they can’t work with, or that it’s being used to train someone else’s AI, is a deal-breaker. Find out early.


Key questions to answer:

  • What rights does the platform have over data you input or generate?
  • Where is data stored geographically?
  • Can you opt out of data collection and model training?
  • What happens to your data if you stop using the platform?
  • Does the platform meet your industry’s compliance requirements?


Classify what you’re building

Not every application carries the same risk. A tool that tracks office coffee preferences is very different from one that handles customer payment information. Before anyone starts building, establish a simple classification system – perhaps bronze, silver, and gold tiers based on the sensitivity of data and the risk if things go wrong. This tells you how much oversight each project needs. Your coffee tracker might just need someone to glance at it occasionally, while anything touching customer data needs proper review at every stage.


Consider classifying based on:

  • Data sensitivity: What type of data does the application handle? Personal data? Commercial confidential? Public information?
  • User base: Who will use this? Internal staff only? External clients? The public?
  • Business impact: What happens if this application fails or is compromised?
  • Regulatory requirements: Does this application fall under specific regulations (GDPR, PCI-DSS, etc.)?

Assign technical oversight

This is the most important step, and the one that organisations most often skip. Non-technical users can absolutely build with these platforms, but they need access to someone who understands the technical implications of what they’re creating. This doesn’t mean an engineer needs to write every line – that defeats the purpose – but they do need to be available to review security-critical features, advise on architecture decisions, and spot the holes that AI typically leaves. Think of it as having a technical advisor, not a gatekeeper.


The technical advisor’s role includes:

  • Reviewing security-critical features before implementation
  • Advising on architectural decisions and data flow
  • Identifying when AI-generated code needs human review
  • Being available for questions during development
  • Conducting or coordinating final security reviews

What if you don’t have anyone with appropriate technical skills? In that case, you need to carefully assess the risk, and the impact, of the data you’re processing being made public. If you genuinely assess the risk to be something your organisation can accept, or there is literally no data being processed, then continue without this oversight. However, this is likely to be the minority of use-cases. My strong advice would be to seek this oversight, either by hiring a third party or, better still, by developing this skill in-house.


Train your citizen developers

Give people guidance on what these platforms do well and where they fall down. They’re brilliant at creating user interfaces and basic data operations, but they struggle with complex business logic, security boundaries, and error handling. Users need to know when to push forward and when to ask for help. They also need to understand that AI will happily do what they ask, even if what they’re asking for is insecure or poorly designed.


Training should cover:

  • What the platform does well (UI, basic database operations, integrations)
  • Where it struggles (security, complex logic, edge cases)
  • When to seek technical advice
  • How to spot common security issues
  • Your organisation’s classification system and what it means for their projects
  • The approval and review process


Implement code review for anything important

For low-risk, non-critical applications, perhaps a quick look from someone technical is enough. For anything handling real business data or connecting to other systems, you need proper code review before it goes live. The engineer supporting your citizen developers should be checking that authentication works properly, that user permissions are enforced, that data validation is in place, and that sensitive information isn’t being logged or exposed. This isn’t about preventing people from building – it’s about ensuring what they build actually works safely. [Editor’s note: I’m keenly aware that this phrasing “This isn’t this – it’s this” is a key pointer that AI, particularly ChatGPT, wrote it. But, in this case, it really didn’t. It’s entirely human written. Honest!]


Code review should verify:

  • Authentication and authorization are properly implemented
  • User permissions are enforced consistently
  • Input validation prevents injection attacks
  • Sensitive data is properly protected (encrypted, not logged)
  • Error handling doesn’t leak information
  • API keys and secrets are not exposed in code
  • Data access follows the principle of least privilege


Conduct a Data Protection Impact Assessment (DPIA) where needed

If your application processes personal data in a way that’s likely to result in high risk to individuals, as a Data Controller, it is your responsibility to conduct a DPIA under GDPR and similar regulations. This isn’t just box-ticking – it’s a structured way to identify privacy risks and put measures in place to address them. Your no-code application that handles customer information almost certainly needs one.


A DPIA helps you:

  • Identify what personal data you’re processing and why
  • Assess the necessity and proportionality of processing
  • Identify risks to individuals
  • Document measures to address those risks
  • Demonstrate compliance with data protection law

The UK’s Information Commissioner’s Office has some good advice on DPIAs, covering what they are, why they’re needed, and how to do them.


Keep records of what you’ve built

Maintain a register of applications that includes what they do, who built them, what data they handle, who has access, and when they were last reviewed. This sounds bureaucratic, but when someone leaves the organisation or when you need to respond to a data subject access request, you’ll be glad you know what systems exist and what they’re doing. It’s also remarkably useful for identifying duplicate efforts or opportunities to consolidate.

Your application register should track:

  • Application name and purpose
  • Developer/owner
  • Classification tier
  • Data processed and stored
  • User access list
  • Date of last review

The pattern

These platforms can genuinely empower non-technical users to build valuable applications, but that power needs to be balanced with appropriate oversight. Add that oversight and you get the best of both worlds – the speed and accessibility of no-code development, with the assurance that what you’re building is actually fit for purpose.


The framework outlined here isn’t theoretical – it’s based on practical experience of what works when organisations adopt no-code platforms. The key insight is that “no-code” doesn’t mean “no governance” – it means democratising development while maintaining the guardrails that keep applications secure, compliant, and effective.

‘No code’ does not mean ‘no engineer’ https://relatablesecurity.com/no-code-does-not-mean-no-engineer/ Wed, 18 Feb 2026 12:07:06 +0000

The media is currently filled with stories and announcements that the current Large Language Models (LLMs) can write code at such a level that they will replace software developers and that they are even able to write themselves. Anthropic’s recent Claude Opus 4.6 announcement (February 2026) touts “the world’s best model for coding, enterprise agents, and professional work,” achieving state-of-the-art performance on Terminal-Bench 2.0 for agentic coding. Meanwhile, OpenAI’s GPT-5.3-Codex launch (also February 2026) claims “the most capable agentic coding model to date,” achieving new highs on SWE-Bench Pro and Terminal-Bench 2.0. These stories are not just hype either – LLMs have become very good at writing code and that trend is undoubtedly going to continue. I do not doubt that in the future most software, even critical infrastructure, will be written by AI. But the question for this point in the journey is, “are we there yet?”.


There are a plethora of no-code platforms springing up. Platforms such as Lovable, Bolt.new, Bubble, Replit, and Cursor offer the ability for anyone who can write their desires into a chat prompt to create functional, good looking applications complete with databases, integrations with other applications, and all the features of a modern web application. These are deployed on the internet and within a couple of hours, a non-technical user can create and deploy applications that are seriously impressive. Not that long ago, this would have taken a software developer days or weeks of development time with all the associated costs.

It sounds too good to be true, so where’s the catch?

Well, there are indeed catches, and I would place them in two main categories: governance and technical.

The Hidden Costs of Moving Fast

When people hear the word “governance” they often think of legal documents, dull policies, and compliance. While those can be part of it, when we talk about governance we’re really talking about the process of gaining assurance that the things you’re doing meet your organisational objectives. Assurance is a much better word than compliance: compliance is something you would not otherwise do and have forced upon you; assurance is something of value that you do willingly.

In this context, good governance means asking questions like: Are the applications created secure? Where is my data stored? Is this company using my data for its own purposes?

Not only are organisations required by data protection legislation to consider these questions, it makes good business sense to do so!

When AI Writes Code, Who’s Checking Its Work?

The applications that these platforms produce can be tested to see if they provide the requested functionality by the user (does it allow me to see a list of recent orders, can I download a spreadsheet of data, and such like), but designing software is more complex than just the functional requirements that a typical user might define. Most people are not thinking about tenant isolation, user permission boundaries, floating point arithmetic, or the correct usage of boolean logic, to name just a few. As a non-technical user, how can you be sure that the code written by the AI is well architected and secure?


The Reality Check: What I Found

I’ve reviewed the output of some of these platforms, and the pattern is clear – in their current format, these platforms fall short in terms of both governance and security. Regarding governance, many of these platforms have terms that allow them to use any of the non-personal data you upload to them. Your commercial secrets can be utilised by these platforms as they see fit. The location of data processing can also be difficult to understand.

While specific terms vary by platform and change over time, it’s essential to carefully review each platform’s data usage policies before uploading any proprietary or confidential information.


From a security perspective, there are several major concerns. First, without very strict guidance and monitoring, the AIs generally write poor code. This is for a number of reasons: to offer value for money, many of these platforms use cheaper models, but more importantly, the AIs are required to be helpful and do what you ask above all else. If you tell one to make a function, it doesn’t ask the questions an engineer would (who should be able to use this? how does it interact with this other function?) and it doesn’t offer the challenge (this is a high-risk operation that should be handled differently). AI can do those things, but only if specifically asked, and when used by a competent engineer. These platforms, when used by a non-engineer, produce generally poor quality code that, in my experience, would fail any security review.


Without careful and ongoing monitoring, there’s no way of telling whether any change made by the AI has smashed a hole through all your security and posted your secrets to the world.


The Path Forward

From those concerns, you would be forgiven for thinking that my recommendation would be to avoid these platforms. However, that’s not the case. These platforms can be used safely and can give non-technical users access to the power of custom software development previously available only to engineers.


The key is to ensure that you understand the risks you’re taking and can separate the marketing hype from the reality of protecting your data. This will add friction to any development process and slow things down, yes, but the result is that your applications will be more secure, more robust, and better fitted to your actual needs.


Making It Work Safely

The good news is that these platforms can be used safely and effectively – you just need to approach them with your eyes open. The key is implementing appropriate oversight without killing the speed and accessibility that makes these tools valuable in the first place.

This means ensuring someone technical reviews what’s being built, classifying applications by the risk they carry, conducting proper due diligence on the platform itself, and maintaining basic governance around who’s building what and where data lives. None of this is particularly onerous, but it does require organisations to think deliberately about how they adopt these tools rather than just letting them proliferate unchecked.


I’ve put together a detailed framework that walks through each of these steps practically – what to look for when evaluating platforms, how to classify applications by risk, what technical oversight actually looks like in practice, and how to maintain appropriate records without drowning in bureaucracy. You can find it here.


The pattern is straightforward: no-code platforms can genuinely empower non-technical users to build valuable applications, but that power needs to be balanced with appropriate oversight. Get that balance right and you get the best of both worlds – the speed and accessibility of no-code development, with the assurance that what you’re building is actually fit for purpose.

Leave No Trace: Why digital footprints matter https://relatablesecurity.com/leave-no-trace-why-digital-footprints-matter/ Tue, 14 Jan 2025 14:12:22 +0000

If you spend any time in the countryside, you’ll likely be familiar with the principle of “leave no trace”.  At its heart, this sets out the framework for ensuring that your presence does not cause a problem for others, and if you’re stealth camping it ensures you’re able to go undetected.

In the digital landscape, footprints can accumulate even faster than in the real-world and the traces you leave behind can become a nuisance for others and a security issue for you.

In this in-depth article, we’ll explore what digital footprints you might be leaving, how people can use this information against you, introduce you to some common and free tools, and provide actionable steps you can take to reduce your digital footprint.

Open-Source Intelligence

We hear a lot in the media about companies collecting our personal data and tracking us online. Whether it’s cookie consent or other aggressive trackers that follow you around as you browse the web, we’re increasingly aware that our personal activity is monitored by someone. But we may not be aware that this is also the case in our businesses too. Every time you create a new server, purchase a domain name, or even create a new email address, someone will likely notice and record that and make it available.

OSINT (Open-Source Intelligence) is the term used to describe the collection and analysis of freely available information. Even if you haven’t heard the term, you almost certainly do this regularly – any time you look up a company or product, you’re performing OSINT. When researching a company you may read their website, check out their social media presence, and look at their submissions to Companies House. That’s all OSINT.

The difference between that and what we’re going to explore is that in the above example, all the information is controlled by the company and intended to be in the public domain. But there’s a heap of information gathered and collected by other people that we have no control over and may not even know exists.

Domain name records

OSINT covers a wide range of information but, in this article, we’re going to focus on domain name records (DNS records). Why? Because we’re very good at creating things, and a lot less good at tidying up! Checking our DNS records is a great housekeeping exercise that can help us find infrastructure that we no longer need. Shutting these instances down reduces our footprint, improves security, and reduces cost. And that’s a win in anyone’s books!

A worked example

In a recent security review, we discovered an organization had a forgotten development API endpoint exposed to the internet. This endpoint, while seemingly harmless, contained production database credentials in its error messages. Despite the company’s otherwise robust security measures, this single oversight could have led to a significant data breach. Through a structured DNS audit like the one outlined below, they were able to identify and remedy this before any breach occurred.

This isn’t an isolated case. We regularly find similar issues even in security-conscious organizations – from exposed internal documentation to development environments containing sensitive data.

1. Enumerate domain name records

Whenever I’m conducting a security review for a client, subdomain enumeration is one of the first things I’ll perform. Two great tools here are Subdomain Finder (https://subdomainfinder.c99.nl), and SecurityTrails (https://securitytrails.com).

Both have their uses and both are free to use, but in this example we’ll use Subdomain Finder as it has the simpler interface. The two often return different results, so it’s worth running more than one tool; SecurityTrails also offers some extra features, such as being able to see a full DNS history.

Using Subdomain Finder, simply enter the apex (registered) domain you want to check – such as google.com, rather than the .com top-level domain – and click Start Scan. Personally, I like to also check the “Private scan” option so that the results of the scan are not publicly listed. If there are issues, you don’t want to shout about it!

Here’s a screenshot of what Subdomain Finder looks like after scanning google.com:

You can see a list of subdomains found, their IP address, and whether they are using Cloudflare (a popular DNS and security platform).

If you have multiple domains, perform this check for every apex domain you own.

For each subdomain that is found, we will ask:

  • Is this domain still needed?
  • Does it need to be public?
  • Is it up to date?
  • Is it secure?

2. Is the domain still needed?

You may find old, forgotten domains that you no longer need. Once confirmed as no longer in use, these can be decommissioned and removed.

What are the risks?

Old, obsolete domains can harbour outdated software or unnecessary data. Outdated software may contain known vulnerabilities—serious security risks waiting to be exploited. Additionally, retaining old data can become a compliance issue, potentially breaching regulations like GDPR, which can result in significant fines and loss of customer trust.

Why has this happened?

Finding domains that are no longer needed usually means there’s a gap in your development lifecycle processes. A robust development lifecycle should include how to determine when a project has ended, and steps needed to decommission it.

What’s the benefit of fixing it?

  • Improve security through reducing attack surface
  • Improved compliance with data protection legislation and best practice
  • Cost savings from switching off unnecessary services

Action plan

  • Confirm with relevant teams that the domain is indeed obsolete.
  • Back up any necessary data tied to the domain.
  • Decommission services, remove DNS records, and cancel associated subscriptions.

3. Does it need to be public?

There are two aspects to this. First, does even just the name of this domain give away information that should be private? And second, should access to this domain be public?

What are the risks?

In some cases, the name of a domain can give away more information than you want to. You could leak:

  • Details of your infrastructure – e.g. cisco.mydomain.com, or mysql.mydomain.com
  • Confidential client information – e.g. clientname.mydomain.com

If the domain doesn’t require public access, it shouldn’t have it. For example, publicly accessible test or development environments may:

  • run non-production or untested code which could be insecure.
  • have extended debug information enabled which could disclose information about the software or infrastructure.
  • have test accounts with weak passwords.

Why has this happened?

Usually this is because of an assumption that obscurity is secure enough: if the domain name isn’t publicised anywhere, how can anyone know about it? The tools in step 1 answer that question. DNS records and TLS certificates are collected and indexed by third parties whether or not you advertise the name, so an unlisted hostname is found in minutes rather than hidden.

What’s the benefit of fixing it?

  • Improved security through removing public access to private services.
  • Improved security through reducing confidential or sensitive information from domain names.

Action plan

  • Review the domain name for information disclosure.
  • Check with all stakeholders whether the domain is required to be public.

4. Is it up to date and secure?

For the final steps, we are going to use a new tool, Shodan (https://shodan.io). Shodan is a search engine for information about internet-connected devices. If your server is connected to the internet and is publicly accessible, there’s a very good chance it will appear on Shodan. We will use it to check software versions that your servers are running and details of open ports.

For each subdomain, simply type the domain name or IP address into Shodan’s search box. If you’re using a proxy such as Cloudflare for your subdomains, the IP address shown in the enumeration results belongs to Cloudflare, so search Shodan using your server’s real (origin) IP address instead. Shodan will return any information it has about what software your server is running and cross-reference that with vulnerability databases.

What are the risks?

Every open port is a service exposed to the internet and therefore part of your attack surface. Only ports that are essential should be open to the public; for a web server, these are usually 80 and 443. Anything else should be closed, or restricted to known administrative addresses if it genuinely has to be reachable remotely.

Outdated software often contains security flaws that can be exploited. A serious vulnerability can fully compromise your server.

Disclosing unnecessary information about the software and versions that your server is running gives important information to attackers and offers you no benefit.

Why has this happened?

These issues point to ineffective policies and procedures, such as software hardening and patch management or poor change management control.

What’s the benefit of fixing it?

  • Improved security through removal of vulnerable software.
  • Improved security through reduction of attack surface.
  • Improved security through reduction in information disclosure.

Action plan

  • Review security policies and implement revisions as needed.
  • Ensure regular software updates.
  • Implement security baselines for all projects.
  • Review open port requirements and close ports not required to be public.
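The four questions above can be applied mechanically to the data the tools hand back, so that a reviewer starts from a shortlist rather than a raw dump. The Python script below is an added example written for this page; it is not code from the article or from Subdomain Finder, SecurityTrails or Shodan. It runs offline: the enumerated subdomain list, the resolver and the per-host record are constructed fixtures, and the host record is shaped like Shodan’s host lookup response (a ‘ports’ list plus a ‘data’ list of services), which is an assumption about that API rather than something the article shows. The keyword lists for infrastructure and non-production labels are also assumptions to be tuned for your own environment.

```python
import socket
from dataclasses import dataclass

# Question 3: hostname labels that give away infrastructure or a non-production
# environment. Assumed starting lists; add your own product and client names.
INFRA_LABELS = {"mysql", "postgres", "cisco", "vpn", "jenkins", "ldap"}
NONPROD_LABELS = {"dev", "test", "staging", "uat", "qa", "demo"}
# Question 4: the only ports the article expects open on a public web server.
WEB_PORTS = {80, 443}


@dataclass
class Finding:
    host: str
    question: str  # which of the article's four questions it relates to
    detail: str


def name_labels(host, apex):
    """Labels below the apex: 'dev.api.example.com' -> ['dev', 'api']."""
    if host == apex or not host.endswith("." + apex):
        return []
    return host[: -len(apex) - 1].split(".")


def resolves(host, resolver=socket.gethostbyname):
    """True if the name still has an address. The resolver is injectable so the
    audit can run against a fixture; the default performs a real DNS lookup."""
    try:
        resolver(host)
        return True
    except OSError:  # socket.gaierror (e.g. NXDOMAIN) is a subclass of OSError
        return False


def triage_name(host, apex, resolver=socket.gethostbyname):
    """Questions 1-3: stale records and names that disclose too much."""
    findings = []
    if not resolves(host, resolver):
        findings.append(Finding(host, "still needed?",
                                "record no longer resolves; candidate for decommissioning"))
    labels = set(name_labels(host, apex))
    if labels & INFRA_LABELS:
        findings.append(Finding(host, "needs to be public?",
                                f"name discloses infrastructure: {sorted(labels & INFRA_LABELS)}"))
    if labels & NONPROD_LABELS:
        findings.append(Finding(host, "needs to be public?",
                                f"non-production environment named publicly: {sorted(labels & NONPROD_LABELS)}"))
    return findings


def triage_host_record(host, record, allowed_ports=WEB_PORTS):
    """Question 4 over a record shaped like Shodan's host lookup ('ports' list plus
    a 'data' list of services with 'port', 'product', 'version'). That shape is
    assumed from Shodan's API, not shown in the article; the record is constructed."""
    findings = []
    extra = sorted(set(record.get("ports", [])) - set(allowed_ports))
    if extra:
        findings.append(Finding(host, "secure?",
                                f"ports beyond {sorted(allowed_ports)} exposed: {extra}"))
    for svc in record.get("data", []):
        if svc.get("version"):  # a version banner is information disclosure in itself
            findings.append(Finding(host, "up to date?",
                                    f"port {svc['port']} discloses {svc.get('product', '?')} {svc['version']}"))
    return findings


# --- Constructed fixture standing in for an enumerator export and a Shodan record ---
APEX = "example.com"
ENUMERATED = ["www.example.com", "mysql.example.com", "dev.api.example.com", "old-promo.example.com"]
FIXTURE_ADDRESSES = {  # old-promo is deliberately absent: a forgotten, dangling record
    "www.example.com": "192.0.2.10",
    "mysql.example.com": "192.0.2.20",
    "dev.api.example.com": "192.0.2.30",
}
FIXTURE_RECORDS = {
    "mysql.example.com": {
        "ports": [22, 80, 443, 3306],
        "data": [{"port": 22, "product": "OpenSSH", "version": "7.4"}, {"port": 80},
                 {"port": 443}, {"port": 3306, "product": "MySQL", "version": "5.7.26"}],
    }
}


def fixture_resolver(host):
    """Stand-in for socket.gethostbyname backed by FIXTURE_ADDRESSES."""
    if host not in FIXTURE_ADDRESSES:
        raise socket.gaierror(f"{host}: NXDOMAIN")
    return FIXTURE_ADDRESSES[host]


def run_audit(hosts=ENUMERATED, apex=APEX, resolver=fixture_resolver, records=FIXTURE_RECORDS):
    """Apply the four questions to every enumerated name and return the Findings."""
    findings = []
    for host in hosts:
        findings.extend(triage_name(host, apex, resolver))
        if host in records:
            findings.extend(triage_host_record(host, records[host]))
    return findings


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.host:24} [{f.question}] {f.detail}")
```

To run this against a real estate, feed `run_audit` the subdomain list exported from your enumerator, leave `resolver` at its default so real DNS is queried, and build `records` from Shodan lookups of each origin IP. Names that fail to resolve go straight to the step 2 decommissioning conversation; the rest of the output is a prompt for the human judgement in steps 3 and 4, not a replacement for it.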

Wrapping up

That concludes our first audit of your DNS footprint. This process may have uncovered some surprises and a fair few issues to address. If you find yourself with a lengthy checklist, don’t despair! The steps outlined here have equipped you with the knowledge to make meaningful improvements to your operational security.

Remember though, this initial audit is just the beginning. To maintain a secure environment, you should turn this process into a regular review.

For smaller estates, performing this audit quarterly might be sufficient. Organizations with larger footprints should consider automation tools or services.

Going deeper

While we’ve focused on DNS records, OSINT covers a lot more. I hope this article has highlighted how much information about our infrastructure is publicly available.

This type of audit should sit within a broader security and assurance program. That may seem a way off, but we’ve covered a lot of the basics here – setting policy, developing processes, gathering evidence of compliance, and making improvements based on findings is the core of many frameworks such as ISO 27001, CAF, and NIST.

A basic security program might start with:

1. Regular DNS audits (as outlined in this article)

2. Asset inventory management

3. Vulnerability scanning and patch management

4. Access control review

5. Security awareness training

Each of these components builds upon the others, creating layers of security that protect your organization. Whether you’re just starting your security journey or looking to enhance existing measures, the key is to begin with understanding what you have – which is exactly what this DNS audit provides. We’ll explore these other aspects in future articles.

When to consider professional help

While the tools and processes outlined here are valuable for initial assessment, certain situations may warrant expert assistance:

  • If you discover multiple exposed administrative interfaces or sensitive data
  • When your infrastructure spans multiple cloud providers or includes legacy systems
  • If you’re preparing for compliance certification (ISO 27001, SOC 2, etc.)
  • When resource constraints prevent thorough internal security reviews

Professional security consultants bring specialized tools, experience from diverse environments, and can often spot patterns that indicate deeper issues. Think of it like maintaining a car – while regular checks are essential, sometimes you need an expert mechanic’s perspective to spot developing problems before they become serious.

If you have questions about DNS auditing or would like to discuss how these findings apply to your organization’s security posture, we’d be happy to help – just get in touch.

Beyond Compliance: How Training Drives Business Success https://relatablesecurity.com/beyond-compliance-how-training-drives-business-success/ Thu, 09 Jan 2025 14:18:36 +0000

It’s a shame that a training policy and a personal development plan aren’t standard practice across all businesses. For various reasons, many organisations do not put them at the top of the agenda. However, here’s why they should.

The Cost to Businesses

Training doesn’t always have to mean expensive courses in external venues. Employees can acquire new skills and develop professionally through in-house initiatives. For instance, in one company I worked for, we established a coaching network accessible to everyone.  This network enabled people to receive support, improve their performance and overcome obstacles in order to achieve their work goals.

Mentorship is another valuable tool for team development. It helps people feel invested in, listened to and valued by the business. A close friend of mine works for a large UK optical firm who have a strong focus on their people (no wonder she’s been there 20 years) and are consistently ranked in the top 20 of the best companies to work for. Why? Well, there will be a number of reasons, but a key one is how much effort they put into the professional development of their people. They have a programme that recognises up-and-coming talent, developing their team in house to build the managers and directors of the future. They see this as an investment—retaining talent reduces recruitment costs, onboarding effort, and lost productivity. A study by Gallup in 2019 calculated that the cost of replacing an employee can range from one-half to two times their annual salary, depending on various factors. [i] As their article points out, the ripple effects of employee departures—like reduced morale and a weakened company culture—can also be costly.

Some training, such as health and safety or GDPR (for those handling personal data), is mandatory. Businesses can either create in-house programs or use online courses with post-training tests to ensure comprehension.

Other training is vital to safeguard your business. Employees unaware of cybersecurity risks can unknowingly become points of vulnerability. Without proper training, they cannot be expected to protect the organisation from threats effectively.


[i] https://www.gallup.com/workplace/247391/fixable-problem-costs-businesses-trillion.aspx

Recommendations

Create a Policy

A formal training policy demonstrates that you value your team and their development. It sets clear expectations and emphasises your commitment to their growth.

Establish a Mandatory Training Programme

Identify essential training topics and implement a program to address them. At a minimum, health and safety training is crucial for all employees, while GDPR training is essential for anyone handling personal data. Extending this training to the entire team is a good practice. There are various systems available to manage this, and we’d be happy to showcase ours if you’re interested.

Prioritise Security Training

To empower your team as guardians of your business, provide training on identifying risks and protecting your assets. Preventative measures are far more cost-effective than addressing security breaches, which can result in hefty fines, reputational damage, and resource-intensive repairs. Many businesses neglect security as a cost-saving measure, but this often leads to significantly higher costs later. Check out the enforcement actions taken by the ICO for real-world examples: ICO Enforcement. Don’t assume they are all rogue traders; read through and see how many were simply in breach of regulations they weren’t aware of.

Tailor Job Specific Training

Analyse each role in your organisation and determine its unique training requirement. That might be in the shape of mentorship, as mentioned earlier, or specific training, such as project management. In one business we started training in house to provide employees with a foundational understanding of how we had applied methodology in our processes. In the second year we budgeted for external courses so people could apply the new learning to our business processes. This supported business transformation; as we transitioned from waterfall ways of working to Agile, our project managers attended Agile project management training rather than PRINCE 2 training, bringing relevant new skills into the business.

Always allocate a portion of your budget for training. This allows you to provide courses that may be hard to deliver in-house, such as mental health first aid or Lean Six Sigma certification.

Set Up Coaching and Mentoring

Consider creating an internal coaching and mentoring system. This approach not only prepares employees for management roles—saving on external recruitment costs—but also helps them develop valuable soft skills, like presenting or handling difficult customers.

The Impact of Training

When you implement a well-structured training plan supported by a clear policy, your business will thrive. You’ll cultivate a culture of growth and collaboration, where employees support each other. Investing in learning and development shows your team they are valued, improving retention rates. [i] Skilled employees, in turn, will contribute to the security and success of your business.

In short, training isn’t just a cost—it’s a cornerstone of long-term business success.


[i] https://www.techuk.org/resource/navigating-attrition-unravelling-the-impact-of-learning-and-development-on-employee-retention.html

CAF and DSPT https://relatablesecurity.com/caf-and-dspt/ Mon, 06 Jan 2025 09:30:14 +0000 https:/?p=661

DSPT submission

I know we are only in January, but before you know it we will be seeing newborn lambs in fields, daffodils sprouting and leaves reappearing on trees. Oh, and then there’s the Data Security Protection Toolkit (DSPT) submission. To maintain compliance, organisations are required to submit before 30th June each year.

Changes

The 2024/25 period sees the reintroduction of category 2, which includes IT Suppliers and Operators of Essential Service (OES) Independent Providers. IT suppliers are companies that meet all of the following criteria: 50+ staff, a turnover of £10m+, and supplying digital goods and services (software and/or physical) to the NHS and/or care. [1]

Interestingly, this year also sees the introduction of the Cyber Assessment Framework (CAF) for category 1 organisations. Both category 1 and 2 organisations will also need to complete an independent audit (this was voluntary for IT suppliers last year).

All category 1 organisations had to submit a baseline report by 31st December to state how they are achieving each objective. Key to note here is the intention of NHS England to roll out CAF more widely over future submissions, so suppliers would be well advised to become familiar with it now.


[1] https://www.dsptoolkit.nhs.uk/Help/Org-Types#:~:text=If%20you%20are%20a%20company,Local%20Authority

What is CAF?

CAF stands for Cyber Assessment Framework and has been developed by the National Cyber Security Centre to help organisations assess how robust and resilient their cyber security is. It is becoming more prolific and is now a commonplace acronym in the security world.

CAF is not a set of rules telling you what to do; it is a guide to decision making. There are 4 high-level objectives and 14 principles.

Principles, contributing outcomes and IGPs

Each principle is broken down into lower-level contributing outcomes, so an organisation can see whether it has attained the principle by how many of the outcomes it is achieving. To make it even easier, each contributing outcome has a set of Indicators of Good Practice (IGPs). All the IGPs have been put into tables: one table per contributing outcome, with multiple contributing outcomes making up a single principle. A RAG status (Red, Amber, Green) is then applied to each of the IGPs according to whether the organisation has achieved, partially achieved or not achieved the IGPs that make up that contributing outcome.

CAF assessment

There are 39 contributing outcomes so essentially there are 39 individual assessments based on the RAG status of each associated table of IGPs. Whilst the CAF has been designed to be applicable across the board, there are some instances that will mean a sector will make the CAF more specific for them, creating a CAF “profile”, which brings us back to DSPT.

DSPT and CAF

In 2023 the health and care cyber security strategy committed to adopt the CAF as the principal cyber standard. As a result the standard 39 contributing outcomes have been enhanced for health and care to include an additional 8 contributing outcomes that cover off “using and sharing information appropriately”, so there will be a total of 47 contributing outcomes in the health and care CAF. Organisations are not expected to be able to achieve all of the contributing outcomes; indeed there will be different CAF profiles dependent on the organisation type and by achieving the relevant profile they will be graded “standards met” on the DSPT.

Final thoughts

So, whilst not all organisations are required to meet CAF in the 24/25 DSPT submission, it is coming down the tracks. We would strongly recommend reviewing the principles and outcomes so you can begin preparation, improving your cyber security posture at the same time.

Security as a Business Enabler: The Case for a Virtual CISO https://relatablesecurity.com/security-as-a-business-enabler-the-case-for-a-virtual-ciso/ Tue, 17 Dec 2024 12:46:26 +0000 https:/?p=651

How growing organisations can access executive security expertise without the executive price tag

Introduction

In today’s increasingly digital economy, robust security practices and leadership are a genuine business enabler. Strong security governance doesn’t just reduce the risk of incidents, it opens doors to new business opportunities, builds customer trust, and drives competitive advantage.

Take a read of the UK Government’s Cyber Security Breaches Survey 2024 to see the staggeringly high number of organisations experiencing security incidents each year. Such statistics fuel the most common security narrative, which focuses on fear of a breach or compliance with legislation. Yes, there are plenty of scary reasons why you should improve your security posture – but I believe this is far from the best reason to choose to invest in good security practices.

To see these benefits requires a holistic and strategic view of security across your organisation, and that is the role of the Chief Information Security Officer (CISO). However, highly skilled and experienced executives are not cheap, and many growing organisations simply aren’t ready or able to make such a hire.


The role of the CISO

At their best (and most poetic), a great CISO transforms cyber and information security from a business constraint into a catalyst for innovation and growth. They sit at the intersection of business strategy and security and governance excellence, creating programmes that turn compliance demands into competitive advantages and security controls into business enablers. They foster a culture where security best practice becomes the standard and demonstrate how good governance builds customer trust and streamlines business operations. When security is cultural, it makes compliance with frameworks like ISO 27001 or NHS DSPT feel like a natural extension of your day-to-day work rather than a box-ticking afterthought.

That is to say that the role of the CISO is a broad one. It’s not just firewalls and antivirus, phishing emails and training. Good security touches everything, from IT and operations, to HR policies and customer interactions.

As you might expect, an experienced CISO can be expensive, and smaller or less complex organisations may not have enough work to justify such an expense. Even larger or complex organisations may be reluctant to make such a hire. If only there was a way of getting the benefits of a CISO, while reducing the cost and risk…

Enter the Virtual CISO

The Virtual CISO, or vCISO, is a relatively new solution that’s similar in operation to the more common Fractional Finance Director.

Instead of committing to a single full-time hire, you pay only for what you need. This could be a short term, specific engagement, such as guidance through ISO 27001 audits, steering NHS DSPT compliance efforts, or providing targeted security input during critical product launches. Alternatively, it could be a long-term partnership focused on driving strategic and cultural changes.

Either way, with a Virtual CISO you benefit from the strategic input and experience of a senior security professional without the full-time salary and risk of an expensive hire. Plus, if you’re hiring the service from an organisation rather than a dedicated individual you can also benefit from the expertise of multiple high-level executives for the price of one.

How can a Virtual CISO help you?

I can hear you all saying “Kit, that sounds great, but how much of a CISO would I need to buy?”. Well, my imaginary reader, I’m glad you asked. Here are a few example scenarios that will hopefully help put this into a better perspective.


Foundational engagement (1-2 days per month)

If you’re just starting to think seriously about your security posture, a light-touch approach might be all you need. This engagement level is about laying the groundwork with essential controls and basic compliance such as:

  • Establishing essential security controls
  • Meeting basic compliance requirements
  • Building customer confidence
  • Creating efficient security processes

We’ll review where you stand against legislation and common frameworks – like UK GDPR and Cyber Essentials – and outline straightforward improvements that deliver both reassurance to your customers and a more efficient, secure operation. Maybe we’ll spot opportunities to streamline a vendor onboarding process or refine your data handling so that the next time a potential big client asks how you would keep their data safe you have an awesome response ready and waiting.

The real benefit here is peace of mind and a foundation that supports future growth. By focusing on quick wins, we not only fend off common threats but also start building trust with customers who increasingly expect their partners to have at least a basic level of security maturity. Even this modest investment helps you become a more attractive, credible choice in the marketplace.

Strategic engagement (1 day per week)

When you’re ready to step things up, a once-a-week engagement hits the sweet spot. Now we’re really getting into territory where security practices can help smooth the path to new business.

We’ll establish a broader security programme – improving policies, regularly assessing risks, and providing ongoing staff training. That might translate to easier compliance with bigger clients’ security questionnaires, more seamless integration with partners who demand strong security standards, or improved incident handling that keeps downtime to a minimum if an issue arises.

This level of involvement means security starts pulling its weight as a business enabler and delivers:

  • Improved incident response capabilities
  • Enhanced vendor management
  • Strengthened customer trust
  • Robust change management processes

For instance, if you’ve got a SaaS product, tightening up your change management process and demonstrating secure coding standards can accelerate sales cycles by reassuring prospects that you’re on top of emerging threats. Regular staff training might help your support team respond more confidently to security-related customer queries, building trust and shortening time-to-contract. Over time, these benefits translate into smoother operations, stronger client relationships, and a reputation that sets you apart from the crowd.

Transformative engagement (2-3 days per week)

For organisations that need full-on security leadership, this more hands-on approach integrates security strategies deeply into your long-term vision. Here, security leaders aren’t just keeping the wolves at bay – they’re actively helping you compete and thrive. Whether it’s overseeing a major SIEM implementation to sharpen your threat detection and make your compliance audits a breeze, or orchestrating penetration testing that reveals where you can refine products and services to impress larger, more security-conscious clients, we’ll be right there with you.

At this level, your security programme:

  • Is an enabler for entry into regulated markets
  • Drives competitive advantage
  • Supports rapid business growth
  • Demonstrates security leadership

We can help you navigate new markets that demand robust security assurances – think about landing that contract with a healthcare provider who requires NHS DSPT compliance or impressing a financial services partner by showing off a well-managed ISO 27001 programme.

Regular reporting and proactive initiatives can also highlight to investors that you’re not just “secure enough,” but that you’re leading with security as a key differentiator. The result? More confidence from regulators, customers who see you as a safe bet in a risky world, and a competitive edge that makes it easier to close deals, expand your customer base, and move into regulated sectors with ease. In short, you’re no longer just managing security; you’re harnessing it as a driver of business opportunity.

Final thoughts

Whichever level of engagement feels right for your organisation – be it setting up a solid foundation, building toward operational alignment, or weaving security leadership into the fabric of your business – a Virtual CISO service model can be tailored to fit. By starting small and scaling up, organisations can transform what might feel like a costly overhead into a genuine asset that supports growth, attracts discerning clients, and drives long-term value.

If you’re interested in exploring what a Relatable Security Virtual CISO could do for your business – whether you’re looking for light guidance or full-on strategic leadership – get in touch and arrange a call. We’ll talk through your current situation, your aspirations, and how we can tailor a service that puts security at the heart of your organisation’s success.

Data Retention: Why It Matters and How to Stay Compliant https://relatablesecurity.com/data-retention-why-it-matters-and-how-to-stay-compliant/ Thu, 21 Nov 2024 19:39:07 +0000 https:/?p=633

A few years ago, I had a lightbulb moment during a review of our Data Retention Policy. Our legal advisor at the time made a striking comment: “Data is toxic.” His point was simple yet profound—keeping data longer than necessary or holding onto more than you need only increases your exposure to risk.

This insight underscores a critical truth: data retention is something every organisation must take seriously. Whether driven by legislation or best-practice guidelines, you need to know what data you hold, why you hold it, and how long you intend to keep it. Moreover, you must have processes in place to ensure timely deletion of data that’s no longer required.

Creating a Data Retention Policy

Start with a clear and comprehensive Data Retention Policy. This document should outline:

  • What data you collect.
  • Why you collect it.
  • How long you plan to retain it.

To make it user-friendly, include a table at the end that serves as a quick-reference retention schedule for employees.

Here are some key resources to guide you:

  • Employee data: gov.uk outlines here what data an employer can keep about an employee
  • Financial records: UK government guidelines for limited companies

Employee Lifecycle: What to Consider

Understanding data requirements throughout the employee lifecycle is essential.

  • CV storage: If a candidate asks you to keep their CV on file, know the legal obligations and limitations.
  • Onboarding: Be clear on the checks required for new hires and what information you need to retain.
  • Employment records: Familiarise yourself with the rules around storing employee data, such as maternity leave documentation, how long you need to keep data after an employee leaves, and HMRC requirements.

Understanding GDPR and Subject Access Requests

Get comfortable with the seven principles of GDPR. These principles emphasise that you should only collect and store data you genuinely need, for as long as necessary, and ensure it is securely maintained.

Being GDPR-compliant also prepares you for handling Subject Access Requests (SARs), which give individuals the legal right to access their data. A robust Retention Policy will help you respond to these requests efficiently, as you’ll know exactly what data you hold, where it’s stored, and how long it’s kept.

In Summary

Data retention might feel daunting, but it doesn’t have to be. A simple, well-thought-out policy and clear processes can help you stay compliant, protect your organisation from unnecessary risk, and give you peace of mind. By managing your data thoughtfully, you’ll be better prepared for any eventuality, from audits to SARs.

Remember, data is only as valuable as your ability to manage it responsibly.

ISO27001 transition https://relatablesecurity.com/iso27001-transition/ https://relatablesecurity.com/iso27001-transition/#respond Thu, 07 Nov 2024 11:04:24 +0000 https:/?p=620

If you’re still certified to ISO 27001:2013 you have until 31st October 2025 to transition to ISO 27001:2022. After this deadline, organisations that haven’t switched to the new version will have their certification withdrawn.

What are the key changes?

While the core clauses in the 2022 standard remain the same, additional subclauses and clarifying notes have been added in some areas. The most significant change is Annex A, where controls have been reorganised. Some controls have been merged, renamed or removed, while new ones have been introduced. Overall, there are fewer controls, now grouped into four categories: People, Organisational, Technological, and Physical.

How do I transition?

To begin, we recommend performing a gap analysis to assess how your current management system compares to the new standard.

From there, you can develop an implementation plan to address any gaps. Your Statement of Applicability (SoA) will need to be updated, and your risk assessment should be revised to reflect changes in the controls. For example, the introduction of the Threat Intelligence control might require team training or the implementation of new policies and procedures.

Next, conduct internal audits to verify that you’ve successfully addressed any gaps. If you don’t already have one scheduled, you’ll also need to conduct a management review to ensure leadership is informed and supportive of the changes.

Finally, we suggest scheduling your external audit as early as possible to avoid a backlog closer to the deadline. By planning in advance, you can better allocate resources and time.

How can Relatable Security help?

Transitioning can feel like a big task, especially when everyone has their regular responsibilities. You may recall the effort involved in achieving certification to the 2013 standard, and it can be challenging to find the time for this transition. That’s where we can assist.

We can conduct a gap analysis, provide a detailed work plan, and offer guidance throughout the process. Once you’ve completed the necessary changes, we’ll return to perform an internal audit to ensure everything is in place, helping you enter your external audit with confidence that you’ll maintain your certification.

The importance of culture https://relatablesecurity.com/the-importance-of-culture/ Mon, 14 Oct 2024 15:19:59 +0000 https:/?p=555

  • Does your team bring every decision to you?
  • Are you constantly firefighting, dealing with issues and being reactive?
  • Is there a high turnover of staff?
  • Are staff happiness scores low, or worse, not even measured?
  • Is it sometimes easier just to perform tasks yourself?

If you answered yes to any of the above, your company culture is in need of an overhaul. A great culture will increase happiness and productivity, create a proactive environment and free you up to focus on strategic aims.

Feedback

Feedback within an organisation is a powerful tool. When individuals feel comfortable giving and receiving feedback, they open themselves up to growth and development. However, if someone is too afraid to provide honest and constructive feedback due to fear of retaliation, a culture of gossip and frustration can emerge. When individuals sense that their feedback won’t be well-received, they may resort to indirect comments like, “Someone said this about you,” which breeds resentment and can damage relationships.


In contrast, honest, factual feedback, owned by the person giving it, can be gratefully received by the person inviting it. Feedback helps improve performance or affirms what is already being done well. The ability to give and receive constructive feedback is crucial for enhancing personal competency.


Moreover, feedback helps the organisation understand the needs and desires of its workforce. It’s easy to fall into the trap of believing that a few superficial perks, like bean bags in the breakroom or free beer on Fridays, create a positive culture. To cultivate an environment where the team can truly thrive and boost productivity, it’s essential to actively listen to their feedback and ensure that the right culture is in place.

Autonomy

Often, management fears granting autonomy because they doubt their teams’ ability to make sound decisions.


Establishing clear company objectives and effectively communicating them throughout the organisation provides the necessary clarity for teams to understand priorities and align with the company’s goals. Implementing competency frameworks and regularly reviewing these competencies with managers ensures that employees possess the skills required for their roles. This, in turn, empowers managers to step back from micromanaging every decision and action, allowing them to receive concise updates from a team that operates with autonomy.

One to ones

Most people have heard things like, ‘We don’t have time for staff appraisals,’ or ‘I need to cancel our one-to-one; something urgent has come up.’ Yet, history teaches us through the success of leaders like Henry Ford and Bill Gates that when you invest time and effort into your team, productivity can actually increase.


When deadlines are looming or a crisis arises, it’s tempting to cancel meetings with team members. Psychologically, this is choosing immediate satisfaction over long-term rewards. The brain’s dopamine response—linked to pleasure and motivation—gives a quick boost when we solve an immediate issue. However, working with a team member to improve their skills over time doesn’t provide the same instant reward.


But supporting your team, helping them develop their skills, and listening to their concerns can have tremendous long-term benefits for your business. As team members become more competent, the quality of their work improves, leading to fewer mistakes and fewer situations that require your immediate attention. Regular one-to-ones also keep you informed about issues and developments, reducing the risk of unexpected problems. Instead of reacting to crises, you can coach your team to be more proactive.


Perhaps most importantly, taking the time to invest in your team makes them feel valued and heard. This boosts their happiness and motivation, which in turn increases their productivity.

Competency

A competency framework provides a clear set of guidelines for both team members and managers to work towards. It outlines expectations for performance, ensuring that during appraisals, everyone involved has a clear understanding of what constitutes competency in a given role. By eliminating uncertainties and aligning expectations, the likelihood of frustration and related personnel issues is significantly reduced.

Conclusion

Every team shares a common goal, but individual motivations can vary widely. This is why it’s essential to conduct regular check-ins with team members, establish a clear competency framework, and maintain a strong feedback loop. These practices help managers gain a deeper understanding of their team members, while also ensuring that everyone is aligned with the company’s vision and their role in achieving it.

A Practical Guide to UK GDPR compliance https://relatablesecurity.com/a-practical-guide-to-uk-gdpr-compliance/ https://relatablesecurity.com/a-practical-guide-to-uk-gdpr-compliance/#respond Mon, 07 Oct 2024 11:46:48 +0000 https:/?p=404

As a small business owner in the UK, you may find the General Data Protection Regulation (GDPR) somewhat daunting. However, understanding and implementing GDPR compliance doesn’t have to be overwhelming. This guide aims to demystify GDPR and provide you with practical steps to ensure your business adheres to these important regulations.

Understanding GDPR

At its core, GDPR is about protecting individuals’ personal data. It gives people more control over their information and ensures businesses handle it responsibly. Even if you’re a sole proprietor working from home, GDPR applies to your business operations if you handle personal data of UK or EU residents.

The Importance of Compliance

While GDPR compliance might seem like another task on your already full plate, it’s crucial for two main reasons. Firstly, it’s a legal requirement, and non-compliance can result in significant fines. Secondly, and perhaps more positively, it’s beneficial for your business. Proper data handling builds trust with your customers and can lead to more streamlined, efficient processes.

Practical Steps Towards Compliance

Let’s break down GDPR compliance into manageable, actionable steps:

1. Know Your Data

The first step is to understand what personal data you’re collecting and why. Conduct a thorough audit of your data collection practices. Make a comprehensive list of all the personal data you collect, noting down the purpose for each piece of information. This is also an excellent opportunity to evaluate whether you truly need all the data you’re gathering. If you find you’re collecting unnecessary information, it’s best to stop that practice.

Fun fact: This data list is called a record of processing activities (ROPA) and is in fact a legal requirement.

2. Understand your Lawful Basis

GDPR requires that you have a lawful basis for processing personal data. There are six of these, but two of the most common are consent and legitimate interests. If you’re relying on consent, it must be “freely given, specific, informed and unambiguous”. Update your forms to include clear consent mechanisms, explaining in straightforward language why you’re collecting the data and how you’ll use it. It’s also important to make it easy for individuals to withdraw their consent if they change their mind. If you’re using data for marketing purposes, then it’s not just GDPR, but the Privacy and Electronic Communications Regulations (PECR) that need to be complied with.

If you’re relying on legitimate interests then you need to conduct a legitimate interests assessment (LIA) to ensure that you have a clear purpose for the processing, that the data collected is necessary for that purpose, and to balance the rights and freedoms of the individual with the aims of the processing organisation.

3. Implement Data Security Measures

Protecting the personal data you hold is a fundamental aspect of GDPR. Implement robust security measures such as using strong, unique passwords, encrypting sensitive data, and limiting data access to only those employees who genuinely need it. Regularly review and update these security practices to ensure they remain effective.

4. Prepare for Data Subject Requests

Under GDPR, individuals have the right to request access to their personal data, among other rights. Establish a clear process for handling these requests efficiently. This includes knowing how to locate and compile an individual’s data quickly, and being prepared to delete or modify data upon request, as required by the regulation.

5. Update Your Privacy Policy

Your privacy policy should be a clear, concise document that outlines your data handling practices. It should include information on what data you collect, why you collect it, how you use it, who you share it with (if applicable), and how long you retain it. While the content should be comprehensive, aim to write it in a way that’s easily understandable to the average person.

6. Develop a Breach Response Plan

While no one wants to think about data breaches, it’s essential to be prepared. Develop a clear plan for responding to potential data breaches. This should include knowing who to notify (such as the Information Commissioner’s Office and affected individuals), having templates ready for breach notifications, and establishing a process for learning from any incidents to improve your data protection practices.

Ongoing Compliance

Remember that GDPR compliance is not a one-time effort but an ongoing process. Regularly review and update your data protection practices. Set reminders to assess your GDPR compliance every few months, stay informed about any changes in data protection laws, and work to integrate good data protection practices into your overall business culture.

Conclusion

While GDPR compliance may initially seem challenging, it’s ultimately about respecting your customers and protecting their information—practices that are fundamental to good business. By starting with these practical steps and maintaining a commitment to data protection, you’ll be well on your way to compliance.

Remember, the goal is not perfection from day one, but rather a genuine, ongoing effort to protect people’s data. Take it one step at a time, and you’ll find that GDPR compliance is an achievable goal for your small business.
