About Good Security

Security people you'd actually want in the room

Good Security exists for New Zealand businesses that need clear ownership, credible reporting, and practical follow-through before customer scrutiny, insurer expectations, or privacy obligations turn uncertainty into cost.

Book a Free Consultation Take the 2-Minute Security Scorecard

Why Good Security exists

Most growing businesses are judged like mature organisations before they are staffed like one.

I started Good Security because I kept seeing the same problem: growing businesses getting asked security questions they couldn't answer, by customers, insurers, and their own leadership. They didn't need a full-time hire or an enterprise programme. They needed someone who'd been through it before and could get them organised quickly.

That's what we do. Structured security leadership, usable reporting, compliance support, and a practical way of working that survives real scrutiny. The aim is not theatre — it's to make the business easier to trust from the outside and easier to run from the inside.

Leadership background

Built across private sector, higher education, and central government.

Darren Castelyn's background spans Docuvera, Author-it Software Corporation, Massey University, the Ministry of Social Development, and NZTA.

Selected environments

Regulated SaaS, enterprise assurance, higher education, and central government delivery.

What that means here

Evidence that stands up to scrutiny, calmer governance, and clearer ownership when the stakes are real.

✓ At Docuvera, built and now operates a certified ISMS, led a clean SOC 2 Type II examination, and represented the business in customer audits for several top-20 life sciences and pharmaceutical companies.
✓ At ASC / Author-it, built the control baseline, response library, and audit operations used to answer enterprise scrutiny across financial services, aerospace, and industrial enterprise customers.
✓ At Massey University, led security across three campuses serving 30,000+ students and 3,000+ staff — including risk management, records, and major incident response.
✓ Earlier central-government roles at the Ministry of Social Development and NZTA built the structured way of working behind Good Security's delivery.

How the work is run

Built to stay useful once the scrutiny arrives.

The operating model is meant to survive real buyer questions, insurer expectations, and leadership attention, not just look tidy in a slide deck.

Commercially sensible

Security recommendations have to fit the budget, pace, and operating reality of a growing business.

Built to be used

Policies, registers, and reports should stay current and support real decisions.

Clear for leadership

Owners need plain-English reporting they can act on without becoming security specialists.

Built to pass inspection

The work is built so buyers, insurers, and auditors can see evidence when they ask for it.

Good Security

Client handover

Governance handover

Policy and Evidence Pack

The policy set, owners, and evidence trail buyers, insurers, and leadership teams usually ask for first.

Executive summary

The business now has a documented operating baseline, named owners, and a working evidence set that can be maintained rather than recreated under pressure.

Decisions

Approve the first review cycle for core policies and registers.
Use one evidence pack for customer, insurer, and audit requests.

Prioritised actions

Owners and dates for the next review cycle.

Leadership review cycle

Priority 1

Approve the policy suite with owner and review dates

Owner

Privacy lead

Due

20 Mar

Priority 2

Publish the evidence register for questionnaires and audits

Owner

IT manager

Due

27 Mar

Priority 3

Confirm incident and response plans with leadership

Owner

Security lead

Due

03 Apr

Issued as a working handover set for leadership, compliance, and customer scrutiny. Built for leadership, customer evidence, and assurance follow-up.

What trust looks like in practice

✓ NZ-owned business independently registered in New Zealand
✓ Principal-led delivery with written reporting and documented owners
✓ Evidence packs, policy suites, and leadership reporting designed to be reused under scrutiny

What engagement looks like

The first 90 days focus on getting the business organised quickly.

✓ Week 1-3: baseline, gap analysis, and first written priorities.
✓ Month 1-2: policies, registers, evidence pack, and core incident structure.
✓ Month 2: reporting starts and leadership gets a clearer view of open risks.
✓ Month 3+: ongoing programme rhythm, review, and follow-through.

What the business gets quickly

A clearer baseline

The business can see what matters first instead of reacting to each new question in isolation.

Usable evidence

Policies, registers, and reporting are built to answer buyers, insurers, and leadership without starting from scratch each time.

A repeatable rhythm

The work keeps moving after the first sprint because ownership, review dates, and reporting are already in place.

Need to know where to start?

Book a free consultation and get a practical view of what matters first, what can wait, and which level of programme fits.

Book a Free Consultation Take the 2-Minute Security Scorecard

"Brought the university into a much safer space — from potential targets 24/7 to a high level of protection." — Jane Johnson, Massey University