ThePenz is a specialist cybersecurity and GRC consultancy founded by people who've held the pager, sat on the audit committee, and know what good looks like when an auditor walks in. The page below is the full story.
Most cybersecurity consultancies are built around billable hours. They optimise for engagement length, not engagement outcomes. They send senior people to win the work and graduates to deliver it. They produce decks where artefacts should be. We started ThePenz because we were tired of being on the receiving end of all of that.
The firm was founded in 2020 by senior practitioners with careers inside FCA-regulated banks, building societies and fintechs — people who'd held the security pager, written the board narratives, sat opposite the auditor, and made the difficult calls. We started ThePenz to ship the opposite of consultancy theatre: lean ISMS libraries, accurate scans, training that moves measurable behaviour, and policies that match how the business actually operates.
"Build trust. Solve important problems."
We took our purpose statement directly from the kind of professional services firm we admire — firms that take their craft seriously, that hold themselves to the standard their clients are held to, and that treat each engagement as a relationship rather than a transaction. We've kept the bar high deliberately. ThePenz only takes engagements where we have the depth to deliver — and we say no to the rest.
Our principal consultants hold senior cybersecurity certifications including CISSP, CISM, CISA, CRISC, CDPSE, CCSK, CCAK, CEH, CFE, AZ-500, PMP — the specific stack that survives the scrutiny of FCA and PRA Skilled Persons reviews. We hold postgraduate degrees in Cyber Security, Digital Business, Law and Business Administration. We've worked across UK building societies, retail banks, challenger banks, payment institutions, healthtech firms and SaaS scale-ups.
What that combination means in practice: we sit comfortably in a CRO-chaired risk forum, talk fluently with a SOC analyst about lateral movement, draft a policy that survives FCA scrutiny, give a Skilled Persons interviewer the answer they actually want to hear, and ship working code when needed. There is no part of the regulated cybersecurity stack that is foreign to us — which is what allows us to operate as a single point of accountability rather than a thin coordination layer over multiple subcontractors.
We optimise for outcomes, not slide count. If a control isn't worth the cost relative to the risk, we'll say so — and we'll say so before you've spent the budget.
If we're not the right fit for the engagement, we'll say so and recommend who is. We've turned down work and we'll do it again. The relationship matters more than any single engagement.
We ship artefacts: working scripts, signed policies, evidenced controls, runnable scanners. Not just decks. The standard is whether your team can use what we've built after we've gone — and we test for that explicitly.
We translate cyber risk into pounds, regulation into priorities, and findings into board narratives. Whether the audience is a CRO, an audit committee, the FCA or the Bank of England, we write to that audience.
We've worked under FCA, PRA, BoE, ICO and PSR scrutiny. We know what triggers second questions, what survives a Skilled Persons review, and what doesn't. That awareness shapes everything we ship.
Vendor-neutral. No referral fees. No partner kickbacks. The recommendation we make is the recommendation we believe is right for you. Tooling reports always include the option of doing it yourself with what you already have.
The list of certifications and qualifications below is not for show. Each one was hard-won, expensive, and contributes a specific set of capabilities and credibility we deploy on engagements. Where regulators care about certifications — and the FCA and PRA do — these are the certifications that count.
We won't write a policy you can't operationalise. We won't sell scans whose findings we wouldn't act on ourselves. We won't take engagements where we don't have the depth to deliver. We won't pad a roadmap to extend a retainer. We won't accept a referral fee from any vendor we recommend. We won't put graduates on senior work and bill at senior rates.
If that sounds like the kind of consultancy your audit committee would actually want in the room — let's talk.
Book a 30-minute call. No sales rep, no qualification gauntlet. You'll speak directly with someone who would be on the engagement — and they'll tell you honestly whether we're the right fit.