Our approach to cyber advisory.

We start where most advisers finish — with a clear understanding of your legal obligations. Everything else is built from there.

How we think about cyber risk.

Cyber risk is not a technology problem. It is a business problem with legal, regulatory, financial and reputational dimensions that interact with each other in ways that most organisations do not fully understand until they are in the middle of an incident.

Our advisory approach starts with that reality. Before we recommend a framework or a policy or an exercise, we want to understand your business — your sector, your risk profile, your regulatory obligations, the nature of the data you hold, the third parties you depend on and the decisions your leadership team will need to make under pressure. That context shapes everything that follows.

We do not sell off-the-shelf cyber frameworks. We do not apply the same assessment to every client. We build advice that is specific to your organisation, proportionate to your risk and grounded in the legal and regulatory reality you actually face.

Our Principles.

  • Every piece of advisory work we do is informed by our legal expertise. Incident response plans, risk frameworks, governance policies and board briefings are all reviewed and shaped by a lawyer who understands what your obligations actually are — not just what best practice suggests.

  • We work with organisations of different sizes, sectors and maturity levels. Our advice is calibrated to your actual risk profile and your capacity to act on it — not to an idealised standard that is impractical for your organisation to achieve.

  • Our clients work directly with Simone Herbert-Lowe. She has advised organisations through real incidents, given expert written opinion in Supreme Court proceedings, made submissions to Parliamentary inquiries into cybercrime and trained more than 10,000 Australians about cyber risk. That is the practitioner doing your advisory work — not a junior consultant working from a framework someone else built. For a GC or CRO engaging a specialist practice, that directness is part of what they are paying for.

  • We measure our advisory work by whether it makes your organisation more resilient — not by the volume of documents produced. Where clients need to prioritise, we help them prioritise. Where action is more valuable than analysis, we say so.

  • Our advisory work connects to our legal and training practices. If an advisory engagement identifies a legal issue, it is addressed through our legal practice. If it identifies a training need, we can meet it through our education programs. Clients benefit from an integrated response rather than a referral to another firm.

What engagement looks like.

Most advisory engagements begin with a structured conversation — sometimes a single session, sometimes a more formal assessment — that establishes your current position, your key exposures and the most important things to address.

From there, we agree on scope. Some clients want a comprehensive review of their cyber risk framework. Others need a specific deliverable — an incident response plan, a board briefing, a policy review. Others want ongoing retainer support that gives them access to advice as issues arise.

We are flexible about engagement models because cyber risk does not present itself in predictable ways. What matters to us is that our clients leave each engagement more prepared and better informed than when they arrived.
