How a 50-person biotech with no security team built a formal security program over six months, before investors or partners required it.

A 50-person biotech had grown from founding team to commercial-stage without dedicated security staff. Their IT lead was splitting time with facilities — resetting passwords between fixing the HVAC.
Security decisions were made ad hoc. They had a password manager, but half the company wasn't using it. MFA was on for Google, but not for AWS. Policies existed somewhere in a Google Doc from 2021 that no one had touched.
Leadership knew they'd eventually face investor diligence or a customer security questionnaire. They wanted to get ahead of it rather than scramble when a deal was on the line.

ShieldedCyber structured a phased engagement over six months — slow enough that the IT lead could keep up while still doing his actual job.
We started with a risk assessment. It turned out they had 11 admin accounts in Google Workspace when only 3 people needed admin access, and the AWS root credentials had been shared in a Slack channel. The "security policy" was a half-finished template someone had downloaded.
We prioritized what would actually matter in diligence: SSO, MFA everywhere (not just some places), endpoint protection, and cleaning up the admin sprawl. The IT lead pushed back on some of the access reviews — said it would slow down the research team. We found a middle ground with quarterly reviews instead of monthly.
Policies were rewritten to reflect what they actually do, not what a template said they should do. We set up a lightweight quarterly check-in the IT lead could run without us.
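As an added illustration of the kind of quarterly check an IT lead can run alone, here is a script that reviews an AWS IAM credential report for the gaps named above: root credentials still in use, console users without MFA, and stale logins or access keys. This is example code written for this page, not ShieldedCyber's tooling or anything taken from the engagement. The report excerpt is constructed, with made-up users and the AWS documentation example account ID, and keeps only a subset of the real report's columns; a live report comes from `aws iam generate-credential-report` followed by `aws iam get-credential-report`.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed excerpt of an IAM credential report: real column names (a
# subset of the full report), made-up users, and the AWS documentation
# example account ID 111122223333. Not data from any real account.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2019-03-01T10:00:00+00:00,not_supported,2024-05-20T08:15:00+00:00,not_supported,not_supported,false,true,2019-03-01T10:05:00+00:00,2024-05-19T07:00:00+00:00
alice,arn:aws:iam::111122223333:user/alice,2021-06-10T12:00:00+00:00,true,2024-05-28T09:00:00+00:00,2024-01-04T12:00:00+00:00,N/A,true,true,2024-01-04T12:10:00+00:00,2024-05-27T16:40:00+00:00
bob,arn:aws:iam::111122223333:user/bob,2021-06-10T12:00:00+00:00,true,2024-05-27T11:00:00+00:00,2023-11-20T12:00:00+00:00,N/A,false,false,N/A,N/A
old-contractor,arn:aws:iam::111122223333:user/old-contractor,2022-02-01T12:00:00+00:00,true,2023-09-14T10:00:00+00:00,2022-02-01T12:00:00+00:00,N/A,true,true,2022-02-01T12:05:00+00:00,2023-09-14T10:30:00+00:00
ci-deployer,arn:aws:iam::111122223333:user/ci-deployer,2022-08-15T12:00:00+00:00,false,N/A,N/A,N/A,false,true,2022-08-15T12:05:00+00:00,2024-05-29T02:00:00+00:00
"""

# Fixed "now" so the sample review is reproducible; use datetime.now(timezone.utc) live.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse_time(value):
    """Credential reports write N/A, no_information or not_supported for 'never'."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def parse_credential_report(text):
    """Parse the CSV body of a credential report into one dict per principal."""
    return list(csv.DictReader(io.StringIO(text)))


def review_credential_report(rows, now=NOW, stale_days=90):
    """Return (user, finding) pairs for the checks a quarterly access review needs.

    Checks: root MFA and root access keys, console users without MFA, console
    logins and access keys unused for longer than stale_days. A credential
    that has never been used is aged from its creation/rotation time so a
    freshly created user is not flagged on day one.
    """
    cutoff = now - timedelta(days=stale_days)
    findings = []
    for row in rows:
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        password_enabled = row["password_enabled"] == "true"
        key_active = row["access_key_1_active"] == "true"

        if user == "<root_account>":
            # Root should be locked away: hardware MFA, no long-lived keys.
            if not mfa:
                findings.append((user, "ROOT_NO_MFA"))
            if key_active:
                findings.append((user, "ROOT_ACCESS_KEY"))
            continue

        if password_enabled and not mfa:
            findings.append((user, "CONSOLE_NO_MFA"))

        if password_enabled:
            last = _parse_time(row["password_last_used"]) or _parse_time(row["user_creation_time"])
            if last is None or last < cutoff:
                findings.append((user, "STALE_CONSOLE_LOGIN"))

        if key_active:
            last = _parse_time(row["access_key_1_last_used_date"]) or _parse_time(row["access_key_1_last_rotated"])
            if last is None or last < cutoff:
                findings.append((user, "STALE_ACCESS_KEY"))
    return findings


if __name__ == "__main__":
    for user, finding in review_credential_report(parse_credential_report(SAMPLE_REPORT)):
        print(f"{finding:20} {user}")
```

On the constructed report the script flags root (no MFA, active access key), bob (console login without MFA) and old-contractor (login and key unused for over 90 days); alice and the key-only ci-deployer user pass. Access keys without MFA on service users are not flagged here, since MFA is a console control; those belong in a separate key-rotation check. The Google Workspace admin count from the assessment would need a separate query against the Admin SDK and is not covered by this script.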

Honestly, we were flying blind. I knew we had gaps, but seeing them all laid out was a wake-up call. Getting this handled before investors started asking questions saved me a lot of stress.