About Coastal Cyber

A deliberately small practice. That's not a limitation - it's the model.

Mid-market businesses don't need a consulting firm with a resourcing bench and a billing target. They need practitioners who know the territory, give direct advice, and show up consistently.

Coastal Cyber was founded on the Sunshine Coast in 2026 with a simple idea: the quality of security leadership that large enterprises take for granted should be accessible to the organisations that actually need it most - without the overhead, the generalist bench, or the gap between who sold the engagement and who delivers it.

Daniel Johns - Founder & Virtual CISO

Thirty years in cyber security, across governance, risk, incident response, architecture, and executive advisory. Worked at the sharp end - building programs from scratch, walking boards through incidents they did not see coming, and translating risk into language that actually gets a decision made.

CRISC certified. Member of the ISACA Global Advisory Council and CompTIA Executive Council ANZ. Published author and regular media contributor on cyber security topics.

In 2026, after years inside larger firms, I established Coastal Cyber to do the work that matters most: giving mid-market businesses access to the kind of security leadership that has historically been available only to large enterprises - without the overhead, the overhead's overhead, or the junior consultant parachuted in after the proposal is signed.

Daniel Johns, Founder & Virtual CISO, Coastal Cyber

How we think about the work

Cyber security is not complicated because the technology is complex. It is complicated because organisations keep treating it as an IT problem when it is a business risk problem.

The frameworks exist. The guidance is published. The hard part is applying it without losing the plot - prioritising what actually matters, communicating it in terms your board can act on, and building something your team can maintain after we leave.

That is what we do.

Why independence matters

There is a real conflict of interest when your Managed Service Provider also acts as your CISO. The MSP's commercial model is to sell services. The CISO's job is to hold those services accountable - including making recommendations that may not benefit the provider, such as removing a tool the MSP resells or changing a control the MSP operates.

Coastal Cyber does not sell tooling, manage infrastructure, or hold reseller agreements with any vendor. Our advice is independent. It reflects your risk and your interests. Full stop.

Work we've done

Sector-representative examples. Client names withheld - available on request.

Financial Services - Case Study

Challenge

A non-bank lender with APRA regulatory obligations and no internal security function needed a security program built to CPS 234 requirements ahead of a self-assessment submission.

What we did

We scoped, built, and delivered a complete program including risk register, policy suite, and board reporting framework.

Outcome

The client submitted their CPS 234 self-assessment on schedule with no material gaps identified.

[Client name withheld - available on request]

Healthcare - Case Study

Challenge

A private healthcare provider operating across multiple sites had no documented incident response capability and a fragmented approach to patient data handling.

What we did

We conducted a Privacy Act compliance review, built an incident response plan, and implemented a risk register aligned to their operational environment.

Outcome

The provider is now ready to meet its obligations under the Notifiable Data Breaches scheme and has a clear remediation roadmap.

[Client name withheld - available on request]

Ready to have a conversation?

No deck, no pitch. If we can help, we'll tell you how.

Talk to us