Cyber Risk Strategy & Advisory

Most organisations do not arrive here because they think cybersecurity is unimportant. They usually arrive because something feels unclear.

Policies may already exist. Cyber Essentials may already be in place. Staff may already have completed awareness training. An Ofsted inspection, safeguarding review, compliance conversation, client question, internal concern, or recent incident may have brought cyber risk back into focus. On paper, some of the right pieces may already be there, but the practical question remains: is this actually changing how people make decisions during normal work?

That uncertainty rarely comes from a complete absence of controls. More often, it sits in the space between what the organisation expects and what happens when work is live, busy, familiar, and moving quickly.

A request arrives that appears legitimate. A process is followed because it has always worked that way. A member of staff shares access, opens a link, sends information, approves a change, or continues with a task because everything about the situation feels reasonable in context. The decision makes sense because it supports progress, avoids delay, and fits the way the work normally gets done.

Cyber Risk Strategy & Advisory is designed for organisations that want to pause before choosing a response. It gives you a calm, practical way to look at how cyber risk is actually taking shape, so that any next step is based on clearer judgement rather than assumption, pressure, or a generic training recommendation.

What these sessions are for

These sessions are for moments where you need clarity before committing to anything larger.

You may be wondering whether your current training is enough. You may have Cyber Essentials but still feel unsure whether everyday behaviour matches the controls on paper. You may be preparing for, responding to, or reflecting on an Ofsted inspection where online safety, safeguarding, data protection, or staff confidence has come into focus. You may have had a near miss, a difficult question from a client, or an internal conversation that made cyber risk feel less theoretical.

In those situations, the decision is not always “we need training immediately”. Sometimes the better first decision is to understand what is actually happening.

The purpose of these sessions is to help you examine the gap between policies, controls, expectations, and real working behaviour. We look at where decisions are being made quickly, where routine creates confidence, where responsibility is shared, and where people may be relying on judgement without a clear structure around it.

The aim is not to find fault. It is to help you see the current picture more clearly, so the next step feels proportionate, practical, and easier to justify.

Free 15-minute advisory call

The free 15-minute advisory call is the easiest starting point if you are still working out what would be most useful.

This is a short, practical conversation about what has prompted the enquiry and where the uncertainty currently sits. You might be trying to understand whether training is needed, whether a specialist service would fit, whether a paid strategy session would be worthwhile, or whether your current approach simply needs a clearer direction.

The conversation usually begins with your context. That might be an Ofsted follow-up, a compliance concern, a recent cyber-related question, a leadership discussion, or a general sense that your current approach does not quite show what is happening in practice.

From there, we look briefly at where cyber risk may be appearing inside everyday work. In many organisations, it shows up in decisions that feel normal at the time: a message that fits the task, a request that appears to come from the right person, a process that everyone follows because it keeps things moving, or an assumption that feels reasonable because nothing obvious suggests a problem.

The call is not designed to solve everything in 15 minutes. It is designed to help you decide whether a deeper conversation would be useful, whether there is a clearer next step, or whether you already have enough direction for now.

There is no obligation attached to it.

1-hour Cyber Risk Strategy Session — £95

The one-hour Cyber Risk Strategy Session is for organisations that want a more structured view of their current position before choosing what to do next.

This is not a technical audit, a policy review in isolation, or a generic consultation. It is a focused discussion about what happens when cyber expectations meet real work, real pressure, and real decision-making across your organisation.

We look at how decisions are currently being made, where people are relying on routine, where verification may be inconsistent, where responsibility may be unclear, and where existing controls may not be translating into confident behaviour. The focus is not simply whether something exists on paper, but whether it works in the moments where people actually have to make decisions.

That distinction matters. A policy can say what should happen. Cyber Essentials can show that important controls are in place. Awareness training can confirm that people have received information. But real risk often forms when someone is mid-task, under pressure, and dealing with something that appears legitimate enough to proceed.

In the session, we can also discuss relevant compliance or assurance areas such as GDPR, Cyber Essentials, safeguarding expectations, or Ofsted-related online safety concerns where they are part of the picture. The conversation stays practical throughout. Compliance is considered in relation to how your organisation actually works, not treated as a separate checklist.

By the end of the session, you should have a clearer understanding of where exposure may be sitting, what may be driving it, and what kind of response would make the most sense. That might be a quick awareness session, a half-day workshop, a tailored programme, mentoring, onboarding support, or no immediate training at all.

If you decide to move forward with Cyber Rebels training within 30 days, the £95 session fee is deducted in full from your training investment. That means the strategy session becomes part of the journey rather than an extra cost placed on top of it.

Why this matters

Cyber risk rarely begins with someone deciding to ignore what they know.

More often, it begins inside ordinary work. A message arrives at the right time. A request appears to match a current task. A process is followed because it has been followed many times before. A decision is made to keep work moving because stopping feels unnecessary, awkward, or disproportionate.

In that moment, the action often feels sensible. The person is not thinking, “I am taking a cybersecurity risk.” They are thinking, “This looks right enough to continue.”

That is why uncertainty can remain even when organisations have policies, controls, training, and compliance evidence in place. Those things matter, but they do not automatically show how people respond when the situation is live and the decision feels routine.

Because these moments do not stand out, they can repeat across teams, systems, responsibilities, and working habits. Over time, the organisation may have a general sense that cyber awareness exists, while still being unsure whether people are making consistent decisions when it matters.

A strategy conversation helps bring that pattern into view before you choose a response. It gives you a clearer basis for deciding whether training is needed, what type of support would be useful, and how to make that decision in a way that fits the reality of your organisation.

Who these sessions are for

These sessions are particularly useful for SMEs, directors, HR teams, operations leads, education settings, safeguarding leads, and organisations that want clarity before committing to a wider programme.

They are also useful when cybersecurity has become part of a wider conversation. That might include Ofsted preparation or follow-up, safeguarding and online safety discussions, Cyber Essentials planning, GDPR concerns, staff confidence, client assurance, supplier requirements, or uncertainty after a near miss.

They tend to be most valuable in organisations where responsibilities are shared, decisions move quickly, and cyber risk does not sit neatly with one person or one department. In those environments, it is common for people to feel that something needs attention without being completely sure what the right response should be.

You do not need to arrive with a finished brief. The purpose of the session is to help shape the brief properly.

Choosing the right starting point

If you are still trying to understand what kind of support, if any, would be useful, the free 15-minute advisory call is the best place to begin. It gives you a simple way to explain what has prompted the enquiry, ask questions, and decide whether a deeper strategy session would help.

If you already know you want a more structured look at your current position, the one-hour Cyber Risk Strategy Session gives you more space to examine the situation properly. This is the better option if you want to explore behaviour, compliance, Ofsted follow-up, training fit, or organisational risk in more depth.

Neither option is designed to rush you into a decision. The aim is to help you make a better one.