A Pivot, a New Role, and Three Simultaneous Compliance Demands
In late 2024 the firm pivoted away from its commercial product strategy. The data engineers moved into client-facing consultancy work. The commercial product was sunset. The role that had been embedded security R&D work became a compliance and procurement role, working under the security controller alongside the wider cybersecurity consultancy team.
Three concurrent workstreams landed simultaneously: the firm's own Cyber Essentials Plus certification, CE+ readiness advisory work for three new consultancy clients, and procurement bid responses across multiple public sector frameworks. Each had its own stakeholders, evidence requirements, and commercial deadline.
What made this phase manageable was not the pivot itself. It was what had been built before it.
The shift-left security programme had produced a documented, validated control environment across the firm's Azure Databricks production environment. That environment remained in scope for the internal CE+ audit, and because the controls had already been documented in Jira and Confluence and validated before the pivot, the security controller had an evidence base ready rather than one he needed to reconstruct.
The client advisory work drew on the same foundation in a different way. Having designed and validated CE+ controls from scratch for the firm's own environment meant the gap analysis conversations with clients were not theoretical. The questions an auditor would ask, the evidence they would require, the gaps that typically surfaced: these were things that had already been worked through in practice, not read from a framework.
And for the procurement bids, the technical capability and security posture sections required claims that could be substantiated. Because the documentation already existed, the bidding team was not starting from scratch. That saved time and, more critically, meant the claims were grounded in real evidence rather than aspiration.
The through-line across all three workstreams was the same: ensure that what was being claimed could be substantiated. That principle had been the foundation of the previous two years of work. In this phase, it was tested under commercial pressure.
What Made This Phase Difficult
Three structural complications shaped this phase. Each one created the conditions for things to go wrong if compliance work was treated as a tick-box exercise rather than a substantive activity.
The Shape of the Response
The role operated across all three workstreams under the security controller's direction. Each required a different mode of working: operational evidence gathering for the internal audit, advisory engagement for clients, and bid contribution for procurement. The through-line across all three was the same: ensure that what was being claimed could be substantiated.
Of the three, the procurement work required the steepest learning curve. Public sector bid writing is a specialist discipline. Larger organisations have dedicated teams who understand the format, the evaluation criteria, and the register that buyers expect. Working without that infrastructure meant developing that judgement independently, under deadline, while running two other workstreams simultaneously.
That context is relevant to the MCF4 story in section 07. The judgement call made there was not made from a position of comfort. It was made under the kind of commercial pressure that tests whether compliance integrity holds when it is inconvenient.
The Firm's First Cyber Essentials Plus Audit
Evidence gathering across 15 employees and approximately 30 devices, validated through a single Teams channel
The security controller owned the audit preparation. The evidence gathering across all in-scope assets was owned separately. The asset inventory sat on SharePoint and was maintained continuously as evidence was collected and validated against CE+ technical requirements.
Communication ran through a single dedicated Teams channel for the audit. Cadence started weekly and tightened to daily in the week before the audit date. Each employee was contacted to verify operating system version, browser currency, multi-factor authentication enforcement, firewall configuration, and user permission level. Outliers were escalated to the security controller for scoping decisions.
Cyber Essentials Plus Readiness for Three First-Time Clients
Scoping, baselining, gap mapping, and roadmap development for first-time certification clients
Three clients were engaged for CE+ readiness during this phase, each preparing for first-time certification. The remit covered the front end of each engagement: scoping discussions to define what would and would not sit inside the assessment boundary, current-state baselining using the NCSC Cyber Assessment Framework, gap mapping against CE+ technical requirements, and remediation roadmap development.
Implementation and audit support sat with the security controller and the other cybersecurity consultant. On an ad hoc basis, the firm was represented in ongoing client check-ins when the security controller was unavailable — typically to address patching status, scheduling around employees on parental or sick leave, or other operational queries that came up between scheduled sessions.
Crown Commercial Service and Defence Supplier Bid Contributions
Drafting security posture and technical capability sections across six frameworks
Across this phase contributions were made to procurement responses for six public sector frameworks, including the Crown Commercial Service framework portfolio and a defence supplier portal. Combined contract values across the portfolio exceeded £1 million. The contribution was section-level: drafting the security posture evidence and technical capability narrative under the direction of the bid lead and the security controller.
This was structured, deadline-driven, evidence-based work. Each framework had its own question set, evaluation criteria, and supporting evidence requirements.
Each section required a clear-eyed assessment of what the organisation could legitimately claim. The security posture and technical capability sections of a public sector bid are not places for aspiration. They are places for evidence. Getting that right under deadline, without a formal review process, required the same discipline that had shaped the compliance work from the start.
The MCF4 Submission: A Judgement Call on Misrepresentation
One framework, MCF4, with a contract value of approximately £500,000, was assigned as a lead role end to end. It was scoped as a standard selection questionnaire and was expected to be straightforward. The way it unfolded turned out to be the most consequential piece of judgement work of this entire phase.
How a routine questionnaire became a test of organisational integrity
The MCF4 framework was assigned as lead, with a colleague working alongside as a supporting contributor and a senior stakeholder set up as the escalation point but otherwise hands-off. Initial scoping suggested the questionnaire was standard — broadly the same questions filled in across other bids — and the colleague's early review estimated approximately two weeks of effort. The active work was scheduled to start three weeks before the submission deadline.
When drafting began in earnest, two mandatory requirements surfaced that had not appeared in the initial review: ISO 9001 certification with the ability to demonstrate compliance after contract award, and a published Carbon Reduction Plan linked from the organisation's website. The firm held neither.
The Carbon Reduction Plan was feasible inside the timeline. A template-based document, supported by data from the office landlord on energy use and from a senior stakeholder on forward-looking reduction commitments, could realistically have been drafted, signed off, and published within three weeks.
The ISO 9001 requirement was a different matter. Even with an external consultant engaged immediately, certification typically requires several months. Three weeks was not enough.
The issue was escalated to a senior stakeholder, who escalated further within the organisation. The directive returned was to state that the organisation held ISO 9001 compliance and engage a consultant in parallel — on the basis that Crown Commercial Service responses often take months to come back and that certification might be in place by then.
The decision sat with the submission lead. A risk-benefit assessment concluded that the reputational and contractual exposure of a misrepresented submission to a public sector body outweighed the upside of the contract, especially given the realistic probability that the response window would not align with the certification timeline.
The other framework opportunities in the active pipeline were reviewed. Several alternatives offered comparable revenue with materially more feasible compliance requirements. An alternative analysis was prepared and the position was taken back upward.
The conversation that followed involved senior stakeholders with decision-making authority. It was professional but not comfortable. After deliberation, the organisation took the decision not to submit the MCF4 response and to redirect resourcing toward the alternative frameworks. The risk-based judgement held.
The reputational exposure of misrepresentation to a public sector body outweighed the value of the contract. Redirecting to alternatives the organisation could substantiate was the only defensible position.
What I Would Do Differently at Scale
This phase combined operational evidence work, advisory delivery, and bid drafting under commercial pressure with limited internal assurance infrastructure. The work held up because the team was small enough to escalate clearly and judgement was applied at the right moments. The following is an honest assessment of what would change in a more mature setting.