I have an extensive background in traditional security.  I can tell you about the differences between ARP and DNS poisoning attacks, cross-side scripting and injection, why Kerberos is so slick, and why signature-based antivirus is so easy to bypass.  I know ISO 27001, CIS Top 20, PCI DSS, HIPAA, the AICPA Trust Services Criteria, the AWS Well-Architected Framework, CoBIT, ITIL, lots of OWASP, CSF, and have a special fondness for the NIST SP 800 series (63C is my favorite).  I have built security programs at highly regulated manufacturing, retail, and financial service companies.  I have led product rollouts, complete with PoCs, strict PMBOK-style or agile management, and millions in budget.  I have had roles in management, advisory, organizational readiness, process analysis, architecture, and product ownership. 

This big-business approach to security I know so well does not fit medium and small businesses.  Most of the “best practices” recommended by the security industry only make sense at huge organizations.  More importantly, doing them at small organizations results in almost no increased protection.


I fix that.   I founded Simple Salt to provide helpful, credible security advice that does reduce the security risk of small and medium businesses.  

Simple Salt advises you in the best ways to prevent internet crime, all at an unbeatable price. 


No product sales

Most security consulting companies get a cut of whatever security tools they convince customers to buy.  It takes consultants time to keep current on product features, represent them well, manage contracts, register deals, and listen to product salespeople.  I don’t do that.  Bonus: you don’t have to worry about getting a garbage product recommendation because it nets me 6 points in margin.  I am solely invested in your best interest

Not afraid to give you good news

Many consulting companies think that scaring their clients with long lists of bad practices will ensure future business.  I do not.  If you’re doing great, I don’t spend any extra time coming up with findings to justify myself to you.  I strive for credible, accurate advice

No lying to you

Many business consulting projects are for measuring the performance of some inhouse capability at a big company – the security team, for instance.  This generates some goofy incentives:

  • The outside consultants want to prove their value to the leaders that hired them, so they need to find lots of bad practices and errors.
  • The team getting reviewed is judged by the consultant report.  Favorable conclusions may lead to bigger bonuses, more staff, more budget, and more staff pizza parties.  Bad ones lead to cuts, often starting with the person leading the team.  

Teams getting assessed argue against any negative conclusions found by the consultants, and the consultants argue for as many negative conclusions as possible.  This part of the job can be the most unpredictable and costly for consultants.  I avoid these costs by refusing to argue, and you get the unvarnished truth. 

No sales staff

There are no account executives calling you up every week.  When you want an assessment, you sign up and talk with a security analyst. 

Lean process

I have developed a proprietary method to quickly and rigorously assess the practical security risk in small and medium businesses.  You benefit from that focus.  



 - Dylan Evans CISSP, PMP

Founder, Simple Salt