NCC Group & Avertro launch managed cyber risk service

NCC Group has agreed to work with Avertro to deliver a managed governance, risk and compliance service for organisations seeking a more unified approach to cyber risk management.

The arrangement combines NCC Group's cyber security consulting with Avertro's CyberHQ platform, designed to turn technical cyber data into information business leaders and boards can use. The managed GRC service is intended to help clients assess controls, link cyber spending to risk reduction and improve reporting for senior decision-makers.

The move reflects a wider shift in cyber security spending as companies face pressure to show that risk and compliance programmes do more than satisfy audit requirements. In many organisations, compliance work remains tied to periodic assessments, manual evidence gathering and separate reporting systems, while security operations rely on live alerts, telemetry and system logs.

That gap has become a growing issue for Chief Information Security Officers and IT security teams, particularly in heavily regulated industries and critical infrastructure. Boards increasingly expect cyber risk to be presented in commercial terms, while regulators continue to demand evidence that controls are operating as intended.

Service focus

The managed service is intended to address fragmented cyber risk management by giving clients a clearer picture of how compliance, control testing and operational data fit together. The companies said this can support continuous oversight rather than a process built mainly around quarterly or annual reviews.

Its stated aims include better visibility into whether safeguards are being applied consistently, faster identification of problems and closer links between cyber programmes and business priorities. The service is also positioned as a way to help organisations explain technical security issues in terms non-technical executives can understand.

James Pearce outlined NCC Group's view of the offering.

"This solution represents a fundamental shift in how we help our clients manage risk," said James Pearce, VP, Global Consulting & Implementation at NCC Group. "By utilizing CyberHQ as a command layer, we can help leaders move away from tactical noise and toward a clear, financial understanding of their cyber posture. It's about giving them the visibility needed to make smart, strategic decisions."

Avertro presented the partnership as part of its effort to expand use of its platform among organisations in the UK and Europe. Its software is built to give security leaders a live view of compliance activity, control effectiveness and business exposure.

Ian Yip described the agreement as an important step for Avertro.

"CyberHQ is the platform built to help leaders command their cyber world. Our latest round of growth capital has provided the catalyst to scale our mission alongside industry leaders, with this NCC Group partnership representing a significant milestone in that journey. We are providing the platform that directs defense, helping organizations, especially those in the UK and EU, optimize their security-per-dollar while maintaining a state of defensible resilience," said Yip.

Broader trend

The partnership comes as governance, risk and compliance tools are being pushed beyond their traditional role as record-keeping and reporting systems. Security leaders are under pressure to show not just whether controls exist, but whether they are effective, how they affect business risk and where investment should be directed next.

That challenge has grown because many organisations already have policies, frameworks and tools in place but lack integration across them. Data often sits in separate systems, producing a backward-looking account of what has happened rather than a current view that can guide action.

For cyber teams, this creates an awkward divide between compliance functions that move in fixed cycles and operations teams that respond to threats in real time. Bridging that divide has become a central issue in the managed cyber services market, where providers increasingly promise to combine technical monitoring with board-level reporting and risk analysis.

NCC Group and Avertro said their combined approach is intended to aggregate information from assessments, control testing, incident analysis and findings across teams. In practice, that means using compliance data as an ongoing input into risk management rather than treating it as a separate exercise for auditors and regulators.

The companies also said the service is relevant for sectors where governance and operational resilience are closely scrutinised. These include critical national infrastructure and other regulated industries, where a weak link between compliance and day-to-day security operations can create reporting problems as well as operational risk.

Avertro said the aim is to help security leaders connect obligations, risks and control performance into a live view of security posture, organisational exposure and business risk.