CIPHERER

Capability 02

Security & Compliance

Security as a delivery property, not a gate. Cipherer designs and runs cybersecurity programmes for organisations whose definition of failure includes regulatory action and reputational loss, not just data exposure.

What this discipline means at Cipherer

We do not separate security from delivery. The security posture of a platform is the posture of every commit, every pipeline, every IAM grant and every audit trail. Our work covers cybersecurity programme design at organisational level, regulated compliance frameworks (PCI-DSS, SOC 2, NIST), and the operational machinery that makes those frameworks real day-to-day rather than annually.

Approach

Defence in depth, designed not assumed

We design security controls in layers: identity, network, workload, data, audit. Each layer has explicit owners, explicit telemetry, and explicit failure modes. The point is not a perimeter; the point is that no single failure exposes the whole system.

Compliance as code

PCI-DSS, SOC 2 and NIST controls are encoded as policy-as-code, validated continuously in pipelines and enforced at runtime where possible. Audit windows do not require a fire drill; the evidence is already there.

Cyber programme design at organisational scale

For large organisations we deliver cybersecurity programmes end-to-end: target operating model, tooling selection (CrowdStrike, SIEM, vulnerability management), team structure and operational cadence. The work spans several years and is judged by measurable risk reduction, not by tool adoption.

Operating with national-security awareness

The principal consultant holds National Security Vetting at SC/IL3 and has delivered programmes inside Scottish Government cybersecurity. Government-grade controls inform how we design for private-sector clients with similar threat models.

Tools and frameworks

  • CrowdStrike, Microsoft Defender, endpoint detection and response
  • PCI-DSS, SOC 2, ISO 27001 alignment, NIST CSF, NCSC frameworks
  • Policy-as-code: OPA, Sentinel, AWS Config, Cloud Custodian
  • Identity: AWS IAM, Entra ID, Okta, federated access patterns
  • Continuous compliance: AWS Security Hub, GCP Security Command Center
  • Vulnerability management and SIEM integration

Where this shows up in our work

Compliance posture

  • PCI-DSS
  • SOC 2
  • NIST CSF
  • Cyber Essentials
  • ISO 27001 alignment
  • NCSC guidance