Track record

25+ years of security & privacy advisory.
In the sectors that matter most.

A representative selection of engagements across financial services, insurance, public transit, government, and technology. Client identities are kept confidential in line with our standard practice — descriptions are specific enough to be credible, and general enough to protect our clients.

25+ years in independent advisory practice
5+ regulated sectors served
$250M+ in payment transactions secured (fare payment system)
8M+ Ontario residents served by government platforms we advised on

Client confidentiality. All engagements are described using anonymized sector descriptors rather than client names. This is our standard practice — the same discretion we apply to every client relationship. Specific client references are available on request, subject to client permission.

Selected engagements

Client work across regulated industries

Engagements are listed with the most recent first. Each represents a distinct advisory scope — some are multi-year relationships, others targeted project engagements.

Public Transit · OT/IT

Major Canadian Public Transit Authority

May 2025 – Present

OT/IT Security Risk Advisory

Cybersecurity advisory across IT and Operational Technology environments

Providing cybersecurity advisory for a major urban public transit authority spanning both Information Technology and Operational Technology environments. OT security is a specialized domain — safety-critical infrastructure requires a fundamentally different risk lens than enterprise IT, and this engagement bridges both worlds.

Security risk assessments across IT and OT environments
Third-party risk management advisory
Governance, compliance policy and standards development
Cybersecurity advisory for infrastructure initiatives
OT security · Risk assessment · Governance · Safety-critical infrastructure

Financial Services · Credit Union

Credit Union

October 2022 – April 2025

Fractional CISO · Risk Advisory

Fractional CISO advisory for a regulated financial institution

A 2.5-year Fractional CISO advisory engagement for a credit union. Provided ongoing strategic security guidance while the client retained full decision-making authority — advising on framework development, roadmap planning, supplier risk, audit preparation, and regulatory compliance across the engagement lifecycle.

NIST CSF-based security framework development and maintenance advisory
Security initiative roadmap planning and updates
Third-party supplier security questionnaire and risk program
IT and security audit preparation advisory
Incident response plan development guidance
Regulatory compliance advisory throughout
NIST CSF · Regulatory compliance · Incident response · Third-party risk · Audit preparation

Electric Vehicle Manufacturing · USA

US-Based EV Start-Up

May 2023 – February 2024

Fractional CISO

Fractional CISO advisory for a US-based electric vehicle start-up

Provided Fractional CISO advisory to a US-based electric vehicle start-up — advising on security controls and the adoption of the NIST Cybersecurity Framework at an early stage of the company's growth. Demonstrates our cross-border advisory capability and experience working with founder-led companies building connected products.

Strategic and tactical cybersecurity advisory to IT leadership
NIST CSF control identification and adoption guidance
NIST CSF · US client · Security framework

Banking

Major Canadian Bank

Multiple engagements, 2019–2022

Security Architecture

Security architecture advisory across application security, cloud, and IAM

Three separate advisory engagements at one of Canada's largest banks over a three-year period — each addressing a distinct security architecture domain. Multiple engagements at the same institution reflect the quality and trust built through the work. Scope spanned vulnerability management processes, cloud architecture review, IAM modernization, and network security documentation.

Application security vulnerability management process development
Cloud architecture security review — Azure and AWS
IAM architecture guidance — mainframe to Active Directory migration
Security architecture documentation for VPN, SSL decryption, web content filtering
RBAC/ABAC future-state access model recommendations
Mainframe access permission review and rationalization
Cloud security · IAM · Vulnerability management · Network security · RBAC/ABAC

Public Transit

Major Transit Authority

August 2017 – January 2018

Security Architecture

Enterprise Security Architecture development incorporating SABSA principles

Advised on the development of an Enterprise Security Architecture for a major transit authority — documenting the as-is environment, defining the to-be architecture, and creating a security capability diagram mapping technologies to capabilities to identify gaps. Worked with the PCI Compliance team and participated in Security Operations Centre requirements definition.

As-is / to-be enterprise security architecture development
Security capability diagram and gap identification
SABSA principles integration into architecture
Security Operations Centre requirements advisory
SABSA · Enterprise architecture · Capability mapping · SOC advisory

Insurance

Major Canadian P&C Insurer

April 2016 – April 2017

Security Architecture · Privacy & Risk

Enterprise security architecture integration and claims platform security

Advised on integrating security capabilities into the Enterprise Architecture Framework — applying SABSA principles and ISO 27002 to establish a coherent security architecture across the organization. Produced a Data Encryption Standard, security architecture for the Claims Technology project, and API security controls for third-party connectivity modernization. Actively fostered collaboration between the Enterprise Architecture team and the Privacy Office.

Security capabilities integrated into Enterprise Architecture Framework
Data Encryption Standard — data at rest and in transit
Claims technology platform security architecture
API security controls for third-party connectivity
Threat modelling integration into EA tooling
Privacy Office and Architecture team collaboration
SABSA · ISO 27002 · API security · Claims platform · Encryption standard

Public Transit · Payment Systems

Fare Payment System

December 2015 – April 2016

Risk Advisory

PCI-DSS compliance advisory and threat risk assessment program

Developed and applied Compliance Impact Assessment and Threat Risk Assessment tools and templates across multiple projects, initiatives, and third-party engagements for a fare payment system. Managed the Service Integrator's obligations to maintain PCI compliance and provided advisory on compliance exception management.

Compliance Impact Assessment tool and template development
Threat Risk Assessment methodology and execution
PCI-DSS compliance advisory for internal stakeholders
Service Integrator PCI compliance obligation management
PCI-DSS · Compliance impact assessment · TRA methodology · Third-party management

Retail

Major Canadian Retailer

July 2015 – December 2015

Security Architecture · Privacy & Risk

Security and privacy architecture oversight and SABSA framework advisory

Provided security and privacy architecture oversight and guidance to project teams across a major national retailer — ensuring security controls were in place and identifying requirements for new controls. Promoted the SABSA Enterprise Security Architecture framework and advised on payment security for credit card transactions involving the retailer's financial services division.

Security and privacy architecture oversight for project teams
SABSA Enterprise Security Architecture advisory
Payment security architecture for financial services division
DevOps security process advisory
SABSA · Retail security · Payment architecture · DevOps security

Provincial Government

Provincial Government — Multiple Ministries

Advisory engagements 2000 – 2011 — multiple ministries and mandates

Security Architecture · Privacy & Risk

Over a decade of security and privacy advisory across provincial government

The longest-running sector relationship in the practice — spanning multiple ministries and mandates from 2000 to 2011. Work ranged from enterprise security architecture and privacy-by-design for citizen-facing platforms to PCI-DSS advisory for government payment adoption. A flagship engagement within this relationship was a full re-architecture of a two-tier ministry application into a secure three-tier, multi-data-centre solution — enabling it to be adopted as a shared service across ministries and serving 65,000 internal government users and 8 million members of the public.

Enterprise security architecture across multiple ministry mandates
Platform re-architecture at scale — 65,000 internal users, 8M public users, adopted as shared service
Privacy-by-design for citizen-facing digital services
PCI-DSS advisory for government payment solution adoption
ISO 17799-aligned security solutions for enterprise government systems
Government architecture · Privacy by design · PCI-DSS advisory · Multi-DC architecture · ISO 17799 · Shared services

Sector coverage

Industries we have served

Deep domain knowledge in regulated industries — built through sustained advisory relationships, not surface-level exposure.

Banking & Financial Services

Major Canadian banks, credit unions, payment processors. Application security, cloud architecture, IAM, vulnerability management, financial regulatory compliance advisory.

Insurance

Property & casualty insurers. Enterprise architecture integration, claims platform security, encryption standards, API security, regulator alignment.

Public Transit & OT

Major urban transit authorities, fare payment systems. OT/IT security architecture, PCI-DSS for fare payments, SIEM, safety-critical infrastructure advisory.

Provincial Government

Enterprise security architecture, privacy-by-design, privacy compliance, citizen-facing platform security.

Retail

National retailers with financial services divisions. PCI-DSS compliance architecture, payment security, DevOps security, SABSA framework advisory.

Technology

Canadian and US-based technology and manufacturing companies, including early-stage start-ups. NIST CSF adoption, security framework development, connected product security, and compliance preparation.

Work with us

Ready to add your organization to this list?

A 30-minute strategy session is the right starting point — no obligation, no pitch. Just a focused conversation about your security situation and whether we are the right fit.