DAISEQ Advisory

Data Exposure Review

The Assurance Paradox Review

Most organisations that have invested heavily in cyber security controls and passed their audits still carry a quiet unease: nobody is sure whether the controls in place are doing what they claim to do.

This engagement is typically relevant where:

  • You have passed audit but still do not feel confident about real-world data exposure.
  • You have rolled out Copilot or sanctioned GenAI and want a clearer view of the data exposure it creates.
  • You are introducing AI capabilities and need a defensible understanding of how sensitive data moves through those environments before stakeholder, customer, regulatory, or board scrutiny arrives.
  • Your board, audit committee, or regulator is asking questions you cannot yet answer with confidence.
  • You want an independent read before a major control investment or programme reset.

"We have the tools, we passed audit, and I'm still not confident our data is protected."

Why this matters

AI tools frequently inherit the permissions, classifications, and access models that existed before they were introduced. The result is accumulated oversharing, inconsistent data classification, unreviewed access paths, and AI usage that sits outside existing controls.

This is the Assurance Paradox: a posture that is audit-ready but exposure-blind. The engagement identifies the exposure clearly and gives the accountable owner a defensible answer to the question they are increasingly being asked.

What the engagement produces

Four outputs, delivered over the engagement:

  • Exposure Assessment. An independent exposure assessment across the principal data, identity, collaboration, and AI environments within scope. The assessment maps declared controls against actual exposure paths and identifies where the two diverge.
  • Executive Prioritisation Roadmap. A prioritised remediation roadmap organised across immediate, tactical, and strategic actions, with indicative owning function and intended risk reduction per item. The roadmap is structured to support internal planning rather than to substitute for detailed effort estimation, which depends on environment-specific factors.
  • Board and Regulatory Defensibility Statement. A concise executive statement covering current exposure, key assumptions, confidence level, and priority actions, in language suitable for board, audit committee, and regulatory conversations. The statement is mapped to relevant regulatory expectations including DORA, GDPR, NIS2, and sector-specific oversight where applicable.
  • Executive Findings Workshop. A 90-minute findings workshop with the CISO, Head of Security Architecture, or nominated executive counterparts. The workshop covers the exposure findings, prioritisation rationale, and recommended next steps, with priorities adjusted in discussion against business and political context.

Outcomes it supports

  • Board-defensible exposure position
  • Clear prioritisation of exposure reduction activities
  • Improved visibility of data and AI exposure
  • Actionable remediation roadmap
  • Better-informed regulatory and governance discussions

How it is different

This is not a maturity assessment or a compliance gap audit. It is an independent diagnostic with a fixed scope and a fixed fee, delivered directly. The output considers the wider environment rather than a single technology domain and ends in a position that can be defended credibly with boards and regulators.

If your primary need is a vendor decision rather than a posture review, the Security Decision Review is likely the better fit. If you need a senior independent advisor to think alongside rather than a one-time diagnostic, see the Cyber Security Advisor retainer.

Commercials

Typically £18,000 to £25,000 for standard scope. Extended scope engagements, including multi-tenant, multi-geo, or post-M&A environments, are priced on request. Elapsed duration is typically three to four weeks, subject to stakeholder availability and access to required data. Scope, assumptions, and deliverables are confirmed in the proposal following the initial conversation.

Get in touch