External cybersecurity architect services

Three ways I can help your organization. Pick based on where you are today - or let us find the right mix in an initial consultation.

Three packages for different situations

Compliance Sprint

Quick start to legal compliance

For companies newly brought within the scope of the act that need to meet their obligations as soon as possible.

One-off project, typically 2–4 months

  • Gap analysis against Act 264/2025 and decrees 408–410/2025
  • Identification of regulated services and asset classification
  • NÚKIB registration and communication with the authority
  • Design of organizational and technical measures with prioritization
  • Core security documentation set (policy, directives, risk plan)
  • Roadmap for implementation within the 1-year window

Architect-as-a-Service

Permanent custom architect role

For companies without their own architect who need the role staffed long-term with proper qualifications.

Retainer agreement, agreed monthly hours

  • Formal appointment to the cybersecurity architect role
  • Participation in the cybersecurity steering committee, board reporting
  • Architecture reviews of new projects and changes
  • Maintenance of security standards and reference architectures
  • Regular update of risk analysis
  • Communication with NÚKIB, audits, inspections
  • Mentoring of an internal employee for future role handover

Advisory & Sparring

Second opinion and expert support

For companies with their own architect or CISO who need an independent assessment, threat modeling, or peer review.

Hourly or hours bundle

  • Architecture review of a specific solution or change
  • Threat modeling of key systems (STRIDE, attack trees)
  • Security review of contracts and supplier requirements
  • Consultation on specific topics (cloud, IAM, OT, cryptography)
  • Preparation for an audit or NÚKIB inspection
  • Mentoring and sparring for the internal security team

What I actually do

A detailed breakdown of activities I cover across all packages.

Security architecture

  • Target architecture and roadmap
  • Reference architectures for typical scenarios (cloud, on-prem, OT, hybrid)
  • Architecture principles and patterns (zoning, segmentation, IAM, cryptography)
  • Security opinions on new projects

NIS2 / Czech Act compliance

  • Gap analysis against the act and decrees
  • Classification of regulated services and assets
  • Measure design with prioritization by risk and cost
  • Security documentation (policy, directives, plans)
  • Assistance with NÚKIB registration and incident reporting

Risk management

  • Risk analysis methodology (decree + ISO 27005)
  • Initial risk analysis and ongoing maintenance
  • Threat modeling (STRIDE, attack trees)
  • Measure design and residual risk monitoring

Supply chain

  • Supplier categorization
  • Security requirements for contracts
  • Supplier assessment and review
  • Significant supplier evaluation under the new act

Security in the lifecycle

  • Security by design in projects
  • Security requirements for RFPs and tenders
  • Recommended security testing (SAST, DAST, pentest)
  • Acceptance security criteria

Incident response & continuity

  • Incident management processes, escalation, NÚKIB communication
  • Tabletop exercises for management
  • BCP / DRP - design, testing, updates
  • Cooperation with CSIRT teams

Education

  • Workshops for the board (NIS2 mandatory training of statutory bodies)
  • Training for IT teams and users
  • Mentoring of internal employees
  • Creation of internal materials

Audit & inspection support

  • Preparation for audits and NÚKIB inspections
  • Cooperation with internal and external auditors
  • Management of corrective actions
  • Regular self-assessments

Frequently asked questions

Can the cybersecurity architect role be performed externally?

Yes. Neither the act nor the decrees require the role to be staffed by an internal employee. What matters is documented professional competence, formal appointment, and independence from the audit function.

What is the difference between a cybersecurity architect and manager?

The cybersecurity manager runs the information security management system as a whole (processes, governance, reporting). The architect is responsible for the technical design of security measures and solution architecture. Under the higher obligations regime, these are two separate roles.

How many hours per month is typical for an external architect?

It depends on company size and phase. A typical mid-sized company needs 16–40 hours per month once measures are in place; the implementation phase usually requires more. We agree the scope based on your actual needs.

I already have an internal cybersecurity manager. Why would I need an architect?

Manager and architect are two different roles with different skills. The manager is typically not a deep technical expert in cloud architectures, IAM, cryptography, OT security, etc. An external architect complements your manager with technical depth.

What if the act does not apply to us yet?

Security is an investment, not a cost. Even unaffected companies benefit from architecture reviews, threat modeling, or preparation for being pulled in via supply chain requirements.

Do you work under NDA?

Always. I sign NDAs before any substantive discussion. For state entities and critical infrastructure suppliers, I am ready to undergo stricter vetting processes.

Free 30-minute consultation. We assess your current state and propose concrete steps to reach your target state.