Pospíšil Petr | CyberPOPE Independent Consultant | Cybersecurity Architect & vCISO
Petr Pospíšil · Security Advisor

About Petr Pospíšil

Petr Pospíšil is a relaxed but direct security advisor helping European small and medium companies turn regulation, customer pressure, and scattered technical work into a practical security programme.

Before We Work Together

Why this page exists

A good security advisor is not just a badge list or a report factory. You should understand how I think, what I believe good security looks like, and whether my style fits the way your company makes decisions.

How I work

Direct advice, practical priorities, and security work that a founder-led SME can actually maintain.

What I write

Security analysis, regulatory explainers, and opinionated guidance written for people who make decisions.

Why trust me

Certifications and institutional work matter only if they improve judgement. I use that background to make risk clearer, not to hide behind acronyms.

Petr Pospíšil

Cybersecurity Architect & vCISO-style Advisor

How I Work

My approach

I prefer documented processes over quick fixes. Quick fixes are workarounds that quietly become problems later. When one is genuinely needed I will do it - then write it down and feed it back into the process. The working pattern is Plan, Do, Check, Act: agree it, run it, measure it, improve it.

Management owns the business risk. My job is to make it visible, reduce it with sensible controls, and help you decide what to accept, transfer, or fix first.

BEST FIT

European small and medium companies up to roughly 250 people that face ISO 27001 readiness, customer due diligence, or NIS2 scope questions. Headcount matters less than the size of the IT footprint supporting the business.

STARTING POINT

Assessment first, then retainer if you need an ongoing rhythm for implementation and security decisions.

How I Work

My working rules

Independence is the difference between security advice you can trust and a sales conversation in disguise. These rules apply to every engagement, SME or enterprise.

Vendor-neutral

I do not take commissions, referral fees, or revenue share from tool vendors. If I recommend a product, it is because it fits your problem - not because someone is paying for the slot.

Open-source-first for SMEs

For an SME with limited security budget, an open-source tool that runs well for years is usually a better answer than a per-seat licence. Lower cost, no lock-in, and your data stays where you control it.

Commercial when it earns its place

Paid tools are recommended when they materially reduce risk or operational load - for example, where managed support, regulatory features, or scale make the licence cost worth it. Never by default.

Institutional Work

Affiliations and certifications

Alongside client work, I cooperate regularly with EU CyberNet and occasionally with UNDP and OSCE on international cybersecurity capacity-building.

EU CyberNet

Expert Member (2023+)

ENISA network member. Attended EU CyberNet Summer Schools in Berlin (2025) and Lisbon (2024).

UNDP

Expert Roster (2023+)

Vetted UN cybersecurity expert - cleared for global deployment on capacity-building programmes.

Certifications

Certifications matter less than judgement, but for some engagements they are the door-opener. Held credentials include:

  • CISSP - Certified Information Systems Security Professional
  • ISO/IEC 27001:2022 Lead Auditor (IRCA)
  • GIAC Cyber Threat Intelligence (GCTI)
  • GIAC Certified Detection Analyst (GCDA)
  • Certified Red Team Professional (CRTP)
  • CompTIA SecurityX
  • CompTIA Cybersecurity Analyst+ (CySA+)
  • CompTIA PenTest+
  • Certified Professional Penetration Tester (eCPPT)
  • Microsoft Security Operations Analyst (SC-200)
  • Splunk Core Certified User
  • Splunk Core Certified Power User
  • Splunk Certified Admin

Beyond the SME engagement

Enterprise-grade work

The main engagement is the SME retainer. Outside of that, I have led senior security work inside larger organisations: DevSecOps across the pipeline, building a Cyber Threat Intelligence function, threat hunting programmes, and major incident response.

This depth is relevant once an organisation runs a mature ISMS or operates around CIS IG3. If that describes you, the capabilities page lists where I can help.

See senior capabilities

Relevant only if your organisation is already operating a mature ISMS. Otherwise the SME retainer is the right place to start.

Latest Intel

Recent writing