A fixed-fee 6–12 week engagement that produces your 24-month cybersecurity strategy, prioritised investment plan, and board-ready execution roadmap.
A security roadmap engagement is fixed-scope, output-oriented strategic consulting. It runs for a defined number of weeks, produces a specific set of decision artefacts, and concludes when those artefacts are delivered and reviewed with your leadership team.
It is distinct from a vCISO engagement, which is ongoing fractional security leadership — continuous strategy execution, policy ownership, and steering-committee presence that does not terminate at a deliverable. The roadmap defines what needs to be done; a vCISO owns the doing.
It is also distinct from a point-in-time gap assessment, which produces a finding list against a standard. A roadmap engagement uses the gap assessment as one input but goes considerably further — it translates findings into a prioritised, budgeted, dependency-mapped initiative list aligned to your business strategy, with a board pack ready for approval and funding. A finding list without a plan is rarely acted upon. The roadmap is the plan.
All engagements are delivered by nCrypt's CREST-certified consulting bench, with direct experience of the regulatory and standards obligations that apply to Malaysian organisations, including BNM's RMiT, the PDPA, ISO 27001, PCI DSS, and NACSA NCII designation requirements.
Every deliverable is transferred to you in full. No platform subscriptions, no ongoing licence fees — your strategic documents remain accessible without nCrypt.
A scored, evidence-based assessment of your current security posture mapped to CIS Controls v8 and NIST CSF 2.0. Produces a maturity heatmap across all six CSF 2.0 functions — Govern, Identify, Protect, Detect, Respond, Recover — so leadership can see exactly where the organisation stands today.
A documented 24-month security architecture vision aligned to your business strategy, growth trajectory, and regulatory obligations. Not a generic template — scoped to your industry, asset profile, and the regulatory regimes that apply to your organisation.
A structured gap analysis between current and target state, translated into a ranked initiative list. Each initiative is risk-weighted, effort-estimated, dependency-mapped, and tagged against the compliance frameworks it satisfies — so prioritisation decisions are defensible to auditors and board alike.
A Year-1 and Year-2 budget model with CapEx vs OpEx split, build-vs-buy recommendations, and indicative vendor categories for each initiative. Suitable for inclusion in annual operating plans, budget submissions, and pre-procurement business cases.
An explicit mapping of every prioritised initiative against the regulatory and standards obligations applicable to your organisation — RMiT, PDPA, ISO 27001, PCI DSS, and NACSA NCII designation requirements as relevant. Simplifies audit evidence assembly considerably.
A 12-slide executive deck and a one-page summary brief suitable for AGM presentation, board risk-committee tabling, or shareholder disclosure. Written in plain language. Designed to enable a non-technical board to understand, approve, and fund the roadmap without requiring a consultant in the room.
A structured, repeatable delivery model that adapts to your organisation's complexity — compressed to 6 weeks for a single business unit, or extended to 12 weeks for multi-entity regulated engagements.
Weeks 1–2
Structured stakeholder interviews with IT, security, risk, compliance, and executive leadership. Document review covering existing policies, standards, audit findings, and previous assessments. Technical posture review of the network boundary, identity architecture, endpoint estate, and cloud footprint.
Weeks 3–5
Maturity scoring against CIS Controls v8 and NIST CSF 2.0, with evidence referenced for every score assigned. Gap analysis between current state and target state. Peer benchmarking against organisations of comparable size, industry, and regulatory profile in Malaysia and the region.
Weeks 6–9
Target-state architecture design. Prioritised initiative list with risk-weighting, effort estimates, and dependency mapping. Investment modelling — Year-1 and Year-2 budgets, CapEx vs OpEx split, build-vs-buy guidance. Compliance alignment matrix across applicable frameworks.
Weeks 10–12
Board pack drafting and review cycles with your communications or legal team. Executive read-out session with the leadership team. Formal hand-off to your internal security function or, for organisations without one, optional transition to nCrypt's vCISO service for ongoing execution ownership.
The roadmap engagement is structured for organisations at an inflection point — facing a regulatory milestone, a growth transition, or a board-level security decision.
Facing RMiT 11.x renewal or a new examination cycle. The roadmap produces the structured artefacts — maturity evidence, investment plan, initiative register — that BNM examiners expect to see documented and board-approved.
Facing NACSA designation as a National Critical Information Infrastructure (NCII) entity under the Cyber Security Act 2024, or operating in a sector where NCII obligations are anticipated. The compliance alignment matrix maps every initiative to NCII obligations alongside ISO 27001 and PDPA.
Organisations that have decided to pursue ISO 27001 certification and need a credible, scoped roadmap to get there — with a realistic budget and timeline, not a boilerplate gap report.
Organisations that have outgrown ad-hoc security decisions and need a formal security function — but are not yet ready for a full-time CISO hire. The roadmap defines exactly what that function needs to do, what it needs to own, and what it will cost.
Indicative starting prices. Final scope and cost depend on the number of entities, applicable regulatory frameworks, and depth of stakeholder interviews required.
6 weeks · Single business unit
From RM 45,000
10 weeks · Full enterprise
From RM 85,000
12 weeks · Multi-entity / regulated
From RM 150,000
All fees are exclusive of SST. HRDF/HRD Corp SBL-Khas claims may be available where the engagement includes structured training components — confirm at scoping stage.
Fractional CISO leadership to execute the roadmap after delivery — ongoing strategy ownership without a full-time executive hire.
Specialist Bank Negara RMiT advisory — exam-cycle preparation, gap remediation, and examiner-facing evidence packs.
End-to-end ISMS design and certification support — builds directly on the roadmap's compliance alignment matrix and initiative register.
Common questions about cybersecurity roadmap engagements in Malaysia.
A security roadmap engagement is a fixed-fee, fixed-scope, time-bound project. It begins, runs for 6–12 weeks, and ends with a set of strategic deliverables — the maturity assessment, the initiative list, the investment plan, and the board pack. You own those artefacts permanently. A vCISO engagement is ongoing fractional leadership: strategy execution, steering-committee presence, and security decision-making week after week. Many organisations use the roadmap to define what needs to be done, then engage a vCISO to own the execution. They are complementary, not competitive.
A gap assessment is a point-in-time finding list — it tells you where you fall short against a given standard. A roadmap engagement uses the gap assessment as one input, but goes further: it produces a prioritised, budgeted, dependency-mapped plan for closing those gaps over 24 months, a target-state architecture to close them towards, and a board-ready presentation to get them funded. A finding list without a plan is rarely acted upon. The roadmap is the plan.
All strategic and technical work is delivered by nCrypt's senior consulting bench, all of whom hold active CREST certifications relevant to their specialisation. The engagement lead is a practising security architect or senior consultant with direct experience in Malaysian regulatory environments — RMiT, PDPA, ISO 27001, and NACSA. We do not sub-contract roadmap engagements to junior analysts or offshore teams.
Yes. Every deliverable — the maturity assessment workbook, the target-state architecture document, the initiative register, the investment model, the compliance matrix, and the board pack — is transferred to you in full at engagement close. There are no licence fees, no platform subscriptions, and no ongoing dependency on nCrypt to access your own strategic documents. The artefacts are yours.
Where the engaging entity is registered with HRD Corp (formerly HRDF) and the engagement includes structured training components — such as security awareness workshops, technical team briefings, or executive education sessions — a portion of the engagement fee may be claimable under the SBL-Khas scheme. Speak to your HR team and confirm with nCrypt at scoping stage to ensure the engagement structure supports a valid claim.
You receive the full artefact set and own the execution decision entirely. Some organisations assign an internal resource to drive the initiative register. Others use the roadmap as a procurement guide and begin tendering for capability gaps. Organisations without a dedicated internal security function often transition directly to nCrypt's vCISO service, where the roadmap consultant becomes the ongoing fractional CISO responsible for executing the plan they helped design. We can scope that transition at any point during or after the roadmap engagement.
A 30-minute scoping call is enough to establish the right tier, confirm the regulatory frameworks in scope, and agree on a start date. No obligation.