Conflux secures organizational capability through Cyber Essentials Plus certification
Conflux has successfully achieved Cyber Essentials Plus (CE+), a UK government-backed certification that verifies an organization’s protection against common cyber threats. Unlike the standard self-assessment, CE+ involves a rigorous technical audit by a competent authority to prove that security protocols are effective and actively enforced. This achievement represents a significant ‘leveling up’ of internal capabilities and delivers peace of mind for our enterprise customers.
By Matthew Oglesby, IT at Conflux
We have passed a significant milestone at Conflux — one that confirms and validates our operational excellence and ensures we meet the rigorous security standards required to protect our organization and our customers. Cyber Essentials Plus is the government-backed accreditation that establishes a baseline for cybersecurity and formalized protocols to improve an organization’s posture against the threat of cyberattacks. Cyber Essentials Plus augments these with an independent audit conducted by a qualified external authority.
This achievement is a strategic step towards broadening the scope of work we can take on. While Conflux maintained strong security practices even before certification, we can now offer public-sector organizations and customers in highly regulated sectors such as automotive, pharmaceutical, and financial services additional assurance that we are invested in the safety of their data and are awake to the cybersecurity landscape we all operate in.
“Cyber Essentials Plus certification is all part of leveling up Conflux’s capability to take on more extensive and more challenging activities, to help organizations navigate compliance around cybersecurity effectively and humanely during substantial transformation.”
— Matthew Skelton, CEO/CTO of Conflux, co-author of Team Topologies
Securing a global network with a zero-trust approach
Approaching this goal posed challenges for Conflux. Due to our structure as a worldwide network of experts rather than a traditional consultancy, several people who work for Conflux are external independent consultants using their own devices. To help them do their best work, our digital infrastructure has to be as robust as the strategies we deliver.
Because of the distributed nature of our teams, imposing top-down restrictions or installing standardized images on personal hardware would be impractical. Instead, we adopted a zero-trust networking approach.
Zero-trust is a modern security model that assumes no device is implicitly trusted, regardless of location or connection method. By verifying every single device and user attempt to access our systems, we ensure security without overstepping privacy boundaries.
We tried a few different approaches to manage this and settled on using backend verification tools in Google Workspace, which provide a solid foundation for checking device and user context, coupled with improved policies and regular human audits. This combination allowed us to enforce security checks automatically and build a culture of effective device management among all users of our systems.
A people-first approach to IT through clear communication
Conflux team, Leeds office, United Kingdom
Conflux champions a humane work environment, and our approach to IT security reflects this. We recognize that IT can sometimes be seen as something done “to” users. Our goal was to shift that dynamic to something done "with" them.
Throughout the process, we:
Communicated openly about our strategy and upcoming changes
Consulted with our people to understand their individual digital landscapes
Provided guidance for more technical changes, or where user input was required
Took feedback at every stage to ensure we were continuing to move in the right direction, balancing compliance with user autonomy
While the initial work to establish new protocols was significant, we now maintain compliance seamlessly in our daily operations.
Cyber Essential Plus delivers key benefits for our partners
Our certification provides immediate and tangible value to our clients and partners:
Proven defense against common cyber threats and data breaches
Verified security capability for government and enterprise-level contracts
Zero-trust architecture securing a global, distributed workforce
Auditing and verification build trust
Self-assessment is a valuable starting point, but the ‘Plus’ in Cyber Essentials Plus indicates that a competent external authority has conducted a full technical audit of Conflux’s systems. This is important to us, as it proves we are making sensible choices and implementing them appropriately, and you don’t have to take our word for it.
This journey has also deepened our empathy for the challenges our customers face. Having navigated the complexities of compliance, audit trails, and data segregation ourselves, we are better equipped to help organizations navigate their own compliance hurdles during transformation initiatives.
Certification builds a platform for future success
Securing our foundations allows us to focus on what we do best: helping leaders drive efficiency and innovation through meaningful digital transformation.
By treating security as a partnership with our people rather than an imposition, we have strengthened our culture while hardening our defenses.
If you’re interested in creating a humane work environment where teams thrive, get in touch today.
