About · a CFCI group company
The fear was mostly the jargon.
Most cybersecurity firms were built by engineers, to fight attackers. We were built to fight something more common: the dread. The gap assessment nobody has opened, the tender clause nobody understands, the feeling that this subject was made for someone smarter. Clearing that, in plain English, is the entire job. We come from the Centre For Cybersecurity Institute, where turning confusing security into something people actually grasp has been the work for years.
Where we came from.
The Centre For Cybersecurity Institute was founded in 2021 to do one hard thing: take people with no security background, the career-switcher, the retrenched forty-something, the fresh graduate, and make them genuinely competent in cybersecurity. Years of that builds a specific skill. Not only defending systems, but stripping the fear out of a subject that intimidates almost everyone who meets it.
That skill turns out to be exactly what an SME needs. The fear lives in the acronyms, in the sense of being the only one who does not understand, in the suspicion that the expert is performing complexity to justify the invoice. We name the scary thing plainly, break it into days and steps, show the working, and never make anyone feel stupid for asking. That is a discipline, not a personality.
Heartwood applies that discipline to companies rather than individuals. Our consultants come up through the group’s own pipeline, not a certificate mill, so when we say a named human does the work, we mean a human we trained ourselves.
Visit the Centre For Cybersecurity Institute , our parent company.
What we believe.
We explain rather than perform.
The safest client is the one who understands what we did. So we explain rather than perform: we draw what is actually inside the standard, and we name the jargon and dissolve it in the same sentence.
Clarity is a security control.
Confusion is where SMEs get exploited, by vendors as much as by attackers. So we keep one accent per surface, one price in one sentence, and a register that never dresses a cheeky post and a grave notice in the same clothes.
Count what you claim.
In this business an inflated claim is a time bomb. So every figure on this site is countable and dated, and our seals cap at AUDIT-READY, because the certified moment belongs to the certification body.
AUDIT-READYHumans first, always, and visibly.
Our people come up through the group’s own training, not a certificate mill, and that pipeline is the moat. So our consultants are named and signed on every report, our illustration is drawn by hand, and nothing on this site is a chatbot pretending to be someone who has done this before.
You are early, not late.
More than 500 organisations held a CSA Cyber Essentials or Cyber Trust mark as at April 2025, against 345,100 enterprises in Singapore, about 99% of them SMEs. The trajectory tells the calmer story: 43 certified (Oct 2022) → 240+ (Mar 2024) → 500+ (Apr 2025). Almost everyone is still early. Being early is simply the calm way to do this. The deadlines on your tenders and your regulations are scheduling facts, not a countdown clock. There is still time to do this properly, rather than in a panic the night before.
Cybersecurity has spent twenty years shouting.
We just do the work. No surprises at the audit.
The people.
Every engagement carries a named consultant who signs the report. Not a logo, not a call centre queue, a person you can call back. Portraits and full team profiles land at launch; until then, this is an honest placeholder rather than an invented cast.
Plain answers
Are you part of CFCI?
Yes. Heartwood is a subsidiary of the Centre For Cybersecurity Institute. The institute and this consultancy stay separate disciplines, run separately, but they share one belief: a subject explained plainly stops being frightening.
What makes you good at audit preparation?
Audit preparation is pattern work: evidence shown, working shown, no surprises on the day. Our team has spent years turning messy, real-world security into something that stands up to exactly that kind of scrutiny, first for people entering the industry, now for companies facing certification. Same discipline, different room.
Do you take on clients outside Singapore?
Singapore first. We may work regionally later, and we will say so plainly on this page the day it becomes true, not before.
Talk to a real consultant.
Thirty minutes, no deck, no jargon. We explain until it makes sense, because that is the whole job.