Compliance as a Moat
Why genuine ISO 27001 compliance — not certification theatre — is one of the strongest competitive advantages an MSP can build.
Security & Compliance
Thought leadership on ISO 27001 compliance, M365 security, and the future of automated evidence collection.
Why does ISO 27001 certification take 12 to 18 months when the standard itself isn't that complicated? 93 controls. That's it.
The gap between what auditors need and what organisations prepare. Evidence over documentation. Demonstration over description.
Most compliance failures are classification failures, not security failures. The denominators in your compliance measurements are wrong.
How an ISO 27001 audit agent and an M365 operations agent share infrastructure while serving different masters — and the M365 telemetry mapping that drove the split.
Twenty words in the standard. Seven rules to actually demonstrate it. A walk through one ISO 27001 control from first principles to evidence — and the architectural pattern it taught us for the other 92.
Risk registers are where good intentions go to die. Here's what changes when you replace the spreadsheet with a structured, traceable, evidenced system — and why specificity is the whole game.
Six auditor questions that don't ask 'do you have this?' but 'why did you choose this, and how do you know it's working?' The hard ones expose gaps no documentation covers.
Building an AI system that understands compliance context — not just rules, but the reasoning behind them. Three agents, structured citations, and the design decision to let the system say 'I don't know'.
Detection without response is not a control — it's a report. A walk through the closed-loop remediation system: rule-level tickets, two-check auto-closure, and the audit trail that comes free with the architecture.
What if compliance evidence were continuous? An unannounced auditor asks for endpoint compliance data — and you answer in sixty seconds with rules, thresholds, weights, and cryptographically sealed evidence collected daily.
Security teams face an impossible choice — maintain expensive log archives for compliance, or optimise for current operations while losing the historical data needed for deeper analysis. Microsoft Sentinel's data lake fundamentally restructures this dynamic.
AI agents are smart enough to be convincing, even when they are wrong. When an agent makes a costly decision, whose name goes on the incident report? The accountability gap is where organisational risk hides.
Three claims. Three sectors. Same question. The technology is not failing. The organisations operating it are. The AI hype phase is over — accountability matters now.
Copilot was the beginning. Autonomous agents that reason, plan, and act across systems are the next phase — but governance cannot be an afterthought.
Microsoft Sentinel's data lake architecture changes the economics of long-term security data retention — and POPIA's seven-year requirement finally becomes achievable.