I have an extensive background in traditional security. I can tell you about the differences between ARP and DNS poisoning attacks, cross-side scripting and injection, why Kerberos is so slick, and why signature-based antivirus is so easy to bypass. I know ISO 27001, CIS Top 20, PCI DSS, HIPAA, the AICPA Trust Services Criteria, the AWS Well-Architected Framework, CoBIT, ITIL, lots of OWASP, CSF, and have a special fondness for the NIST SP 800 series (63C is my favorite). I have built security programs at highly regulated manufacturing, retail, and financial service companies. I have led product rollouts, complete with PoCs, strict PMBOK-style or agile management, and millions in budget. I have had roles in management, advisory, organizational readiness, process analysis, architecture, and product ownership.

This big-business approach to security I know so well does not fit medium and small businesses. Most of the “best practices” recommended by the security industry only make sense at huge organizations. More importantly, doing them at small organizations results in almost no increased protection.

We fix that. I founded Simple Salt to provide helpful, credible security advice that does reduce the security risk of small and medium businesses.

Simple Salt advises you in the best ways to prevent internet crime, all at an unbeatable price.


No product sales

Most security consulting companies get a cut of whatever security tools they convince customers to buy. It takes consultants time to keep current on product features, represent them well, manage contracts, register deals, and listen to product salespeople. We don’t do that. Bonus: you don’t have to worry about getting a garbage product recommendation because it nets us 6 points in margin. We are solely invested in your best interest.

No sales staff

There are no account executives with monthly quotas calling you up every week. Prices are published and the same for everyone. When you want services, you sign up and talk with an analyst.

Not afraid to give you good news

Many consulting companies think that scaring their clients with long lists of bad practices will ensure future business. We do not. If you’re doing great, we don’t spend any extra time coming up with findings to justify ourselves to you. We strive for credible, accurate advice.

No lying to you

Many business consulting projects are for measuring the performance of some inhouse capability at a big company – the security team, for instance. This generates some goofy incentives:

  • The outside consultants want to prove their value to the leaders that hired them, so they need to find lots of bad practices and errors.
  • The team getting reviewed is judged by the consultant report. Favorable conclusions may lead to bigger bonuses, more staff, more budget, and more staff pizza parties. Bad ones lead to cuts, often starting with the person leading the team.

Teams getting assessed argue against any negative conclusions found by the consultants, and the consultants argue for as many negative conclusions as possible.

This last stage can be the most unpredictable and costly for consultants. We avoid these costs by not arguing, and you get the unvarnished truth.

Lean Process

We have developed a proprietary method to quickly and rigorously assess the practical security risk in small and medium businesses. You benefit from that focus: we are able to offer the Checkup service at a substantially lower cost than any similar security advisory on the market without compromising on rigor and quality.

- Dylan Evans CISSP, PMP

Founder, Simple Salt