Hi, I am Sam Glynn

Sam Glynn

I advise regulated and risk-averse organisations on how to invest in cybersecurity so they have reasonable security in place to defend against the most likely attacks, without pouring money down the drain.

I spent 15 years working in corporate IT management roles within the regulated financial services industry and I have been providing independent advice since 2012. 

In my 25+ years of working with non-technical clients, I frequently see a disconnect between what a business wants & needs, and what IT providers are providing or proposing.

My mission (because we all have a mission, right?)

I am sick of seeing:

  • Business people being driven insane by tech jargon, just because IT and cyber are not their area of expertise
  • Good IT providers struggling to secure their clients because clients think they are just trying to upsell them security solutions that are not important
  • Bad IT providers getting away with terrible service and a complete lack of due care for their clients

My mission is to resolve these issues:

  • To enable ‘normal’ business people to ignore the noise and focus on the key actions that will defend their organisations against most cyber attacks.
  • To enable good IT providers to secure their clients and to be paid appropriately for doing so.
  • To enable bad IT providers to be shown the door.

What my clients say

Sam is really easy to work with. He is highly organised with good clear communication. He always uses plain English, and avoids IT-speak!! The structure he brought to the process made it much easier for us to go through this – It brought real clarity to our current situation and the steps required to get to where we want to be. Sam’s pragmatism is also very refreshing – Too many IT / Cyber Consultants that I have encountered in the past just pushed the party line and did not consider the audience or organisational situation that they were dealing with. It is great that Sam was always on our wavelength in terms of identifying what is practical/possible, given the size and capability of our organisation and the needs of our clients.
Rebecca McGee, Head of IT & Brand

Xcentuate partners with customers in the Financial Services, Agri, Pharma and Public sectors in EMEA and Asia-Pacific to transform their business operations. We know it is critical to get cyber security right so we can protect our customers and our business. We asked Sam to guide us.

From Day 1, I knew we had made the right decision. Step-by-step and always through plain English, Sam showed us how we could get from where we were to where we needed to be. His recommendations were always pragmatic and well-grounded. Every action was understandable,  achievable, and tied to a clear security benefit.

If you are confused about what appropriate security looks like, what’s important versus what’s just noise, I highly recommend that you ask Sam to define a clear path for your organisation.

IT isn’t our forte so we needed someone in our corner explaining in layman’s terms our current set-up, what needs to be done and how best to do it. Sam broke it down into a series of manageable steps and was willing to work as a liaison between our service provider. He translated IT language into language we could understand. The structure of his recommendations report ensured we were never overwhelmed by the task at hand. We would not have progressed to the point where we are without Sam – end of story. We can now respond to the Central Bank’s Risk Evaluation Questionnaire with a lot more confidence.
Marie Ainsworth, CEO, Mount Street Group
Sam is the only IT person I know who doesn’t talk out of his a**. He speaks like people speak!
Identity Protected!, Operations Manager of Regulated Financial Services Firm

What my paperwork says


CISM – Certified Information Security Manager

CDPO – Certified Data Protection Officer

CIPP/E – Certified Information Privacy Professional (Europe)

CIPM – Certified Information Privacy Manager

CCRS – Certified Cyber Risk Specialist


Association memberships

ISACA – Formerly the Information Systems Audit and Control Association (www.isaca.org

Compliance Institute – Formerly the Association of Compliance Officers in Ireland (www.compliance.ie)

International Association of Privacy Professionals (www.iapp.org)



2012 – Present: Cybersecurity & IT advisor and trainer. I use my cybersecurity, risk management, regulatory compliance, and data protection experience to ensure my clients’ systems, staff and IT providers are fit-for-purpose and provably secure.

2011 – 2012: IT Service Delivery Manager, leading the delivery of IT services by Bank of Ireland to Northern Trust and State Street Global Advisors.

2009 – 2010: IT programme manager in Bank of Ireland, leading a number of initiatives to try to upgrade and rollout various Microsoft technologies across what was a diverse organisation of 13,000+ staff.

1997 – 2008: IT manager for BIAM (Ireland’s largest investment manager at the time). I led teams of software developers and analysts working with client servicing, finance and risk & compliance teams. I was also the IT relationship manager to these business areas, ensuring their current problems and future needs were being addressed. This role included the design and development of numerous secure banking websites.


Academic qualifications

MSc Technology Management – 2008

Dip Psychology – 2001

BSc Computer Science – 1997


But enough about me

You have concerns

You are concerned about a cyber attack. But you are equally concerned about..

  1. Not knowing what ‘good enough’ looks like 
  2. Looking foolish because you do not know the techie jargon 
  3. Being bamboozled by IT providers 
  4. Spending too much money or investing in the wrong things
  5. Committing to cybersecurity improvements that will take too long or cost too much to implement, or which could be unsustainable in the longer term.

As a result of these concerns, you find it difficult to act. 

And you fear that this inaction will blow up in your face.

Because you know if you suffer an attack, not only will it cause financial loss, business disruption, and reputational damage, it could also bring on a world of other pain – Attention from a regulator; a deeper review by a key client or business partner. 

You have challenges

  1. You have little or no in-house IT expertise. Day-to-day IT is outsourced to an external IT Managed Service Provider (MSP). 
  2. While you are accountable for IT, IT is not your primary area of expertise. 
  3. You do not have the resources or budget to commit significant time or money to a major cybersecurity project or into expensive technology.

How I can help

I ensure you do not spend too much of your time, money or sanity implementing a reasonable level of cybersecurity.


1. We will identify an appropriate destination based on your business objectives, capabilities, and risk appetite.

2. We will identify where you are right now through a review of your current security measures.

3. We will formulate an appropriate roadmap to get you where you need to be.

I will advise and guide you to the right destination using an iterative approach that never commits you to significant, irreversible investments.

Step-by-step, we will make progress at a pace that suits your specific situation.


Who I work with

I usually work with risk-averse organisations – Typically, this means:

  • An organisation operating in the regulated financial services industry that is concerned about cyber risk and regulatory compliance, or
  • An organisation that handle sensitive data which would cause significant damage if it was ever breached.

I do not publish a full list of past or current clients but I would be happy to provide references if you need them.

My testimonials also give you a flavour of the types of organisations that I have helped in the recent past.

You may also gain a sense of who I work with by looking at my connections on LinkedIn.


You CAN invest too much in cybersecurity

Cyber attacks are a risk to all organisations.

But so is spending too much time chasing IT providers for answers, and implementing irrelevant or expensive cybersecurity defences.

There is a right amount to invest in your defences,
so you’re not an easy target for cyber criminals, and
not a cash cow for IT providers.

You are concerned that you are not doing enough, but you’re not sure. You’re an expert in your field, but technology is not that field of expertise.

You are concerned about spending too much. Because you’re not a techie, you are afraid that you spend too much time and money on solutions that may not be the right fit for you. 

These conflicting concerns are leading to inaction.

Your inaction could blow up in your face.

This could blow up because you get caught out by:

  • a cyber attack
  • an informed prospect or client (The larger ones love to read your responses to their multi-tab security questionnaires)
  • a regulator’s audit or thematic review (It’s not like they haven’t already told you what they expect)

Don’t waste time doing nothing about cybersecurity

Even if you don’t think you will be attacked,

are you really happy to put your professional reputation on the line?

Wouldn’t it be great to know you have taken reasonable steps to reduce the risk of a cyber attack?

To know that, at a minimum, you aren’t missing the simple defences that bring significant security benefits?

To know that you have sufficient security, so if anyone asks you to describe how you are managing the risk, you can answer with confidence?

And to know that, even if an attacker does get through, people won’t think you were asleep at the wheel?

Don’t waste time trying to do this yourself 

Everyone talks about needing to have ‘reasonable’ or ‘appropriate’ security in place.

But what is ‘reasonable’ security for you?

You can try to work this all out yourself. Or we can work on this together.

By working with me, you will be confident that you have a reasonable level of security.

  • You will understand the real cybersecurity risks that you face and what ‘reasonable’ looks like
  • You will know the steps that you and your IT providers must take to manage the risks
  • You will be able to demonstrate to your clients, prospects, board members and regulators that you have this nailed

Cybersecurity Without Insanity

I guarantee:

  1. No jargon. Just Plain English.
  2. No bull. Just actionable insight.
  3. No scenic routes. Just direct and to-the-point advice.
  4. No juniors. Just me.  


When can I help?

I can help if you are frustrated by:

  • Lack of confidence – You are very concerned about a cyber-attack – Not just because of the immediate financial loss and operational disruption, but because of the longer-term reputational damage. 
  • Lack of clarity – You read a lot about cybersecurity threats and attacks, but you don’t know what you should focus on so your organisation has sufficient level of security that aligns to your needs, capabilities and the expectations of your clients and regulators. 
  • Lack of plain English – You don’t care about firewalls. You care about risks, and the ways to reduce the likelihood and/or impact of these risks.
  • Lack of answers – Even if you ask your IT providers, you aren’t certain whether you asked the the right questions and if they have actually provided reasonable answers. 
  • Lack of momentum – You want to get this addressed, but there’s always something more urgent to do. It’s difficult to maintain momentum.
  • Lack of pragmatic advice – You are unable to find a way to solve this in a pragmatic way. You don’t have the expertise to do it all, but you also don’t want to engage a fleet of consultants who will flood you with fancy presentations and graphs that make you even more confused than before.


Am I the solution for you?

You need ‘good enough’, not perfection.

[Good enough] is better than [perfect]. 

Businesses in the real world seldom benefit from perfect solutions – They take too long and cost too much, and are impossible to sustain.

My guidance is reasonable and realistic, and tailored to your concerns and resources, and to the expectations of your clients and prospects.

We start by ensuring you have the right foundations in place. This may be good enough.

If it is not, I can then guide you through a structured process to identify what ‘good enough’ means for you, so we can then develop a structured, achievable roadmap that will get you there.

You need Plain English.

You are an expert in your field, but cybersecurity is not your area of expertise. 

You don’t want to be bamboozled by the latest techie jargon.

I use Plain English to explain the risks (i.e. likelihoods and impacts), and how to manage & mitigate these risks effectively. 

If you understand how to protect your home, you will understand how to protect your organisation.

You need a trusted advisor and translator.

Managing cybersecurity risks inevitably involves conversations and negotiations with IT providers and other third parties.

I will be your trusted advisor and translator, so you get what you need. 

It is ‘me’, not ‘we’.

If you want to work with a large team of consultants (or if you need the cover that a large consultancy firm will give you), I am not for you.

I do not have a bench of junior associates. I have many trusted and experienced 3rd parties who I call on if we need their specific skills.

But if you choose to work with me, it will be me.

You will be paying for my experience, not funding my team’s education.

You’ve got this far. Don’t stop now.

You don’t wait until you’ve been burgled before you secure your home and protect your valuables.

Don’t wait to be attacked before you get your cybersecurity defences nailed.

I only work with a limited number of clients at a time, so I can serve them well.

Please book your call at your earliest convenience, so we can get started as soon as I have a slot available.