About MRP

Born from a vision to transcend conventional GRC boundaries, the Morrisec Risk Platform (MRP) embodies our commitment to driving real change in the cybersecurity industry. Developed by security professionals for security professionals and our clients, MRP is our answer to the industry’s most pressing challenges.

Redefining Cybersecurity Management

In the creation of MRP, our journey was distinct from the outset. Unlike traditional GRC platforms conceived in the corridors of software development firms, MRP was born from the real-world challenges and frustrations experienced by security professionals and our clients trying to manage security day in and day out. Our development was not sparked by market opportunity alone but fuelled by a desire to redefine the value we deliver through our consulting practice.

At Morrisec, we recognise the criticality of focusing on what truly matters in governance, risk, and compliance management. The genesis of MRP was our response to the countless hours lost to the manual labour of spreadsheet management and the endless cycle of emails – a far cry from the strategic and impactful work that could significantly bolster an organisation’s security posture. Our platform is the culmination of decades of first-hand knowledge and experience, not just from a consulting perspective but from being on the client side of the equation. This dual vantage point has granted us intimate insights into the pain points that plague organisations: the inefficiencies, the mundane tasks that consume valuable time, and the areas ripe for optimisation.

MRP stands apart because it was engineered with the intent to elevate the consulting services we provide, allowing us to deliver exceptional value by automating the trivial and focusing our expertise on strategic tasks. Our platform is a testament to our commitment to not just navigate but to actively reshape the cybersecurity landscape by addressing the very issues we’ve encountered in our extensive careers.

We are not a software company that ventured into the GRC space to fill a gap; we are seasoned security professionals driven by the mission to enhance the operational efficiency and cybersecurity resilience of our clients. The Morrisec Risk Platform is designed for organisations and consultancies alike, empowering them to transcend traditional limitations and provide unparalleled value to their clients. With MRP, we offer more than just a tool; we provide a pathway to transformative cybersecurity management, rooted in the depths of practical experience and the heights of strategic vision.

Our Mission

Empowering organisations by providing simplified, cost-effective cybersecurity solutions designed to meet their specific needs.

Our Vision

The future of cybersecurity is one where all companies can utilise current and emerging technology securely and ensure their data is protected, enabling them to focus on their strategic goals.

Dr Sarah Morrison

Co-CEO

Sarah’s background in cybersecurity is both extensive and diverse. Commencing her career as a developer, Sarah has a background in Criminology, has served as an investigator in fraud and corruption for government agencies, managed IT and security risk as part of her tenure at one of Australia’s top 4 banks, provided cybersecurity services to a multitude of clients and managed teams responsible for GRC consulting. Most recently, Sarah served as the Chief Information Security Officer (CISO) at Australia’s largest ASX-listed cybersecurity company, where she successfully achieved ISO/IEC 27001 certification in under six months. In addition to her industry experience, Sarah has contributed to the advancement of the field through her university research and continued teaching in cybersecurity and data transformation as part of an MBA degree program.

With a PhD in Russian Information Operations, Sarah has a deep understanding of threat actors and their motivations. This knowledge, coupled with Sarah’s extensive real-world experience, spanning over two decades, gives her a deep understanding of how different types of threat actors can affect your business, their tactics, techniques and procedures (TTPs), and how to protect against them.

Sarah has been a trusted consultant to clients across all industries and verticals. She excels in comprehending the unique needs of each business, analysing their specific threat profile and risks, and tailoring a security strategy that is most suitable for their organisation.

Sarah’s mission is to decrease the cost, time, and effort invested in fulfilling cybersecurity demands, and help businesses mature their security posture, all while supporting business growth. Her passion for security has led her to serve as a trusted advisor to countless boards and Audit and Risk Committees (ARC), providing insight into the current threat landscape, risk profile, and security posture of clients who have compliance obligations, such as APRA’s CPS 234, organisations seeking ISO/IEC 27001:2013/2022 certification, and those with local and international privacy requirements.

David Morrison

Co-CEO

With a wealth of experience spanning more than two decades, David has established himself as a leading cybersecurity professional. His expertise and knowledge have proven invaluable in safeguarding organisations from cyber threats across a gamut of industries and roles. A key differentiator in David’s experience is having worked extensively across all key areas of cybersecurity, including governance, risk and compliance, penetration testing, threat detection and threat hunting, digital forensics, security training and education, exploit research and development, network architecture, and network security implementation and management. David’s wealth of knowledge and experience gives him a unique perspective and ability to assist organisations in managing cyber risks across any domain. Being able to prioritise risk mitigation activities based on real-world threats and the specific risk profile of each individual business is critical to progressing cyber maturity and resilience within defined budgetary constraints. David’s ability to communicate with highly technical personnel and then switch to engage with the C-suite on business risk and strategy within the same meeting is an incredibly distinct advantage when supporting organisations.

David’s extensive tenure in one of Australia’s leading universities, where he worked in a challenging and high-risk environment with limited budgets and resources, has afforded David the skills and experience to develop practical solutions that effectively minimise risks while remaining cost-effective. This has been especially beneficial to small and medium-sized businesses that are always constrained by limited budgets and resources. In addition to his experience client-side, David has also consulted with a multitude of organisations across all industries, assisting them in identifying both technical and procedural risks and reducing them according to their unique risk appetite.

David has an unwavering commitment to cybersecurity, having co-founded Australia’s first ‘hacker’ conference, Ruxcon, in 2003 with two other cybersecurity professionals. David has a deep-seated commitment to giving back to the industry he has dedicated half his life to, as well as a passion for teaching. He has taught network security and penetration testing at TAFE NSW, including the Certified Ethical Hacker (CEH) course. Simultaneously, he has mentored teams from various Australian tertiary institutions in Capture the Flag (CTF) contests. Recently, he has taught courses for one of Victoria’s largest universities, covering governance, risk and compliance (GRC), system administration and system hardening, programming, networking and network security, cryptography, cloud security, penetration testing, and digital forensics and incident response (DFIR).

David’s ultimate objective is to demonstrate that cybersecurity is not as daunting as it appears and that implementing effective controls to minimise risk does not necessarily require an exorbitant financial investment. To him, cybersecurity should enable businesses to thrive and achieve their full potential, not hinder processes and impede innovation. David firmly believes that there is always a way to decrease risk while still supporting the growth and success of the business.