At 7 Rules Cyber, we believe cyber security can enable human progress through trust in technology. We are a cyber security company with a difference because we don't start with security, we start with you – your business, your needs, your goals. It is our guiding principle that cyber security exists to enable the business and not hinder it. Therefore, our approach to cyber security is business-aligned, risk-based and people-centric. We don't rely on fear and jargon to promote cyber security, we believe good cyber security doesn't need to be unnecessarily expensive or complex. So, whether you are a small business or a large enterprise, we are here to help you stay secure with tailored, quality, and affordable solutions.
With over 80% of cyber security incidents occurring because of the human factor, we place a massive emphasis on cyber security culture, education, and training in our services. Our company's name and values are based on our founder – Chirag Joshi’s highly successful cyber security books and thought leadership that have inspired and empowered organisations and leaders worldwide to take a smarter approach to cyber security.
It's vital to recognise that we are in the midst of a technology revolution unlike any witnessed in history – Artificial Intelligence, hyper digitisation, cloud computing, convergence of cyber and physical systems, Blockchain, and other such developments that have fundamentally changed how we live, communicate, work, and do business. Opportunities afforded through technology have made our personal and professional lives better. However, they have also given rise to cyber security threats. The velocity and sophistication of cyber-crime and attacks continue to increase at an unprecedented rate, putting people, organisations, and businesses worldwide at massive risk of disruption, data loss, safety issues, identity theft, fraud, and scams, among others. The impact isn't limited to larger organisations: studies tell us that over 50% of small businesses go out of business within a few months of suffering a material cyber incident! These times require a different way to think about and approach cyber security. Our company was founded to address these challenges and move cyber security beyond technical speak into a business-aligned discipline.
Our company's name is based on our founder Chirag's books that provided thoughts, ideas and actionable advice that have helped organisations and leaders all over the world find a smarter way to be cyber secure. This thought leadership has led to the creation of the 7 Rules Cyber framework.
The 7 Rules Cyber Framework can be summarised as below:
Rule 1: Develop a Business-Aligned Mindset
Cyber Security exists to enable business. After all, without the business of an organisation, there is no need for a security function. Therefore, understanding your business is the key to developing appropriate context and prioritisation for your security efforts. Effectively understanding key business processes, products and objectives is vital to building and validating the list of critical assets, the organisation's crown jewels. These then help to scope security controls and implement proportionate and reasonable measures. Practical advice is to follow the money. Understand what brings in the revenue and what constitutes the critical services for your organisation. Engaging with business stakeholders effectively will enable you to accomplish this.
The nature of the business can also help inform the relative importance of the confidentiality, integrity, and availability triad. For example, confidentiality might be a higher priority for IT and digital systems, while availability might be a greater priority for operational technology (OT) systems.
Rule 2: Recognise that Cyber Security is a Risk Management Exercise
Cyber Security is fundamentally about managing risks. Furthermore, Cyber Security is not just a technical risk, it is a business risk, and the approach to any control (technical, operational or policy) needs to clearly reflect the business risk appetite and context. The language of risk and finances is what resonates with senior business stakeholders. Developing an understanding of key assets through Rule 1 serves as input for effective risk analysis through appropriate threat and impact consideration. The goal is to build a defensible cyber risk program and defensible decisions. Sensible adoption of cyber risk quantification techniques can also play a key role in informed decision-making.
Rule 3: Measure It
Effective metrics and measurements are key to demonstrating progress and challenges and to ensuring adequate management. However, metrics must be tailored to the right audience. Highly operational metrics, such as the number of vulnerabilities, do not resonate with boards and senior leadership. They need to be aligned to critical business applications with clarity of impact and maturity. For example, a good strategic metric could be the percentage of critical internet-facing applications that have critical patches applied in a timely manner. If such a critical application is a key payments platform, there is a material implication for cash flow which, when quantified, can offer useful insights to leadership. An approach to good measurement should account for both leading and lagging indicators.
Rule 4: Address the Human Factor
With the majority of incidents and breaches exploiting the human factor, it is clear that cyber security is a human issue at its core. Furthermore, technology exists for and by humans. Relying on fear to influence human behaviour and embed secure practices is not an effective strategy. We need to align our cyber message and controls to aspirational aspects such as business goals and personal safety. Leveraging effective gamification, humour, and positive competition (e.g., leaderboards) can be really useful to influence secure behaviours. It is useful to recognise that human instinct is to resist change because change introduces the unknown. Effective engagement and change management can address this resistance and promote adoption of security controls.
Rule 5: Understand the Design and Execution of Cyber Security
Cyber Security controls need to be applied with consideration of business and technology strategies along with relevant threats and compliance obligations. Security domains such as network security, endpoint protection, identity and access management, etc. do not exist in isolation. They need to be accounted for in the overall enterprise security architecture and control framework that informs their design and applicability. Defined security architecture principles can also guide the selection and implementation of the right tools and technologies to manage risks. Factors such as clarity of sourcing and operating models (including roles and responsibilities), along with sequencing and prioritisation of initiatives, enable ongoing efficacy of security controls.
Rule 6: Master the Art of Differentiating Skills
Differentiating skills such as emotional intelligence, presenting actionable options succinctly, effective communication and storytelling play a vital role in building trust within an organisation and enabling professional excellence. Emotional intelligence is what lets you read the room and empathise with stakeholders regarding their concerns. Just presenting technical reports to a business audience will not get sufficient buy-in. This is where contextualising information in simple terms, with a mindset of active listening, can really help achieve the right outcome.
Rule 7: Build an Authentic Brand
Your security function should build a brand that is grounded in being a trusted advisor to the business. Ongoing effective engagement through various organisational channels and a pragmatic mindset will solidify your team’s brand. This will also help achieve executive buy-in and support for your initiatives to improve the security posture. Purposeful networking and actions to inform, educate and enable your organisation on various aspects of security considerations will put you in good stead. Ensure you celebrate and promote wins – no matter how small. Every win inspires confidence and is a step on the ongoing journey of cyber security improvement.
Our founder Chirag Joshi is a globally respected cyber security leader with extensive experience spanning financial services, government, critical infrastructure, energy, healthcare, not-for-profits, and higher education. Through his pragmatic approaches, Chirag has earned a reputation for transforming complex security challenges into actionable, business-focused strategies.
A multi-award-winning executive, Chirag was honoured with the Excellence Award and named Cyber Security Consultant of the Year (SME) at the 2024 Australian Cyber Security Awards. His leadership has secured him a place on the prestigious CSO30 list of Australia’s top cyber security executives for three consecutive years (2022, 2023, 2024). As the National Ambassador for Critical Infrastructure ISAC Australia, Chirag plays a pivotal role in strengthening resilience across essential sectors.
Chirag is the author of two bestselling books—7 Rules to Become Exceptional at Cyber Security and 7 Rules to Influence Behaviour and Win at Cyber Security Awareness—widely acclaimed for their practical, real-world insights. As a sought-after keynote speaker, he shares his expertise at premier conferences around the world and regularly advises Boards and senior executives on navigating strategic cyber risk, governance, and resilience. His thought leadership is featured by leading organisations such as the Australian Institute of Company Directors and the Governance Institute of Australia.
In addition to his advisory work, Chirag serves as a Board Director and Vice President of ISACA Sydney, where he champions the professional growth of cyber, risk, and technology leaders while promoting resilient security practices across Australia and the broader region. His pragmatic approach to cyber security bridges the gap between technical complexity and business objectives, ensuring security investments deliver tangible, measurable value.
Chirag’s expertise extends across IT and OT environments, with a strong track record of leading large-scale cyber transformation initiatives, managing cyber security through mergers and acquisitions, and shaping comprehensive cyber strategies. Known for his ability to influence executive decision-making and foster a culture of security, Chirag continues to shape the future of cyber security through innovation, strategic foresight, and an unwavering commitment to excellence.
Chirag holds multiple industry-recognised certifications, including CISA (Certified Information Systems Auditor), CISM (Certified Information Security Manager), CRISC (Certified in Risk and Information Systems Control), and CDPSE (Certified Data Privacy Solutions Engineer). He also holds a Master's Degree in Telecommunications Management and a Bachelor's in Electronics and Telecommunications Engineering.
As a well-known keynote speaker, Chirag continues to exhibit thought leadership in the industry through presenting at numerous events, conferences, and forums globally on varied topics such as strategic cyber leadership, communicating with Boards and Executives, bridging the gap between cyber security and business, strengthening the human factor in cyber security, building effective cyber strategies, and addressing the evolving cyber threat and risk landscape.
Through Chirag’s podcast series titled “The Art of Cyber Security”, he is collaborating with various industry experts globally to provide valuable insights into the essential aspects of cyber security leadership such as effective communication, storytelling, strategic career growth, entrepreneurship, journalism, law, and adapting to changing demographics.
Chirag has extensive experience with a wide range of standards, frameworks, and regulations, including the NIST Cyber Security Framework, APRA CPS 234, the Australian Energy Sector Cyber Security Framework (AESCSF), the ACSC Essential Eight, SOC 2, PCI DSS, the Health Insurance Portability and Accountability Act (HIPAA) and ISO 27001/2.