Case Study · Infrastructure & Energy · NSW Central Coast

Scaled security without scaling headcount.

Client: DeltaPAE
Sector: Mining & Energy
Location: NSW Central Coast, Australia
Organisation size: 350+ employees
Services delivered: vCISO · Security Architecture · OT/IT Security · Vendor Assessment
  • 200%: Effective increase in security team capacity — zero additional permanent headcount
  • 100%: Major technology projects with Cliffside security input from architecture through delivery
  • $0: Additional headcount required to achieve enterprise-level security capability

New ownership. Aggressive transformation agenda. A two-person security team.

DeltaPAE is a coal mine and power station on the NSW Central Coast employing more than 350 people. When new ownership arrived, they brought an ambitious technology transformation agenda — cloud migration, new operational technology systems, and a modernisation programme running across multiple simultaneous projects.

The internal security team was two people. Enterprise-level security demands were arriving faster than a small internal team could address them. New ownership needed confidence that security was being embedded across every project — not checked at the end when it was too late to fix without expensive rework.

The challenge wasn't finding vulnerabilities. It was building a security function capable of keeping pace with a fast-moving transformation programme, without the time or budget for additional permanent headcount.

01. Speed of transformation
Cloud migration, OT modernisation, and infrastructure refresh all running in parallel. Security reviews couldn't keep pace with project timelines using internal resource alone.

02. OT/IT convergence risk
Mining and energy operations create unique OT/IT security challenges. Connecting operational technology to corporate networks introduces risks that standard IT security frameworks don't address.

03. Vendor accountability
Multiple vendors competing for transformation contracts. New ownership needed independent security assurance on vendor proposals — not assessments conducted by the vendors themselves.

Enterprise-level security capability — from day one of the engagement. A 2-person team operating with the reach and effectiveness of a function four times that size.

Outcome summary · DeltaPAE engagement

Embedded security office — operating as part of the team.

Cliffside became DeltaPAE's embedded security function — not an external consultant arriving with a report, but an integrated part of the team steering the transformation programme from inside it.

Every major project had Cliffside security input from architecture through to delivery. No surprises at go-live. No security findings that delayed projects. No expensive rework.

01. Security roadmap leadership
Took ownership of the security roadmap — prioritising initiatives against actual business risk, not generic compliance checklists. Gave new ownership the visibility and confidence to make security investment decisions.

02. Vendor pressure-testing
Independently assessed every major vendor proposal against technical requirements and security standards. Identified overpricing, underspecification, and security gaps before contracts were signed.

03. Cloud architecture security
Validated cloud migration architecture decisions across the transformation programme. Designed security controls into the architecture — not retrofitted after deployment.

04. OT/IT convergence framework
Developed a security framework specifically for DeltaPAE's mining and energy operational environment — addressing the unique risks of connecting operational technology to corporate networks.

05. Board-level reporting
Provided security reporting that gave new ownership clear, evidence-based visibility into risk posture — not a status dashboard, but decision-grade insight.

06. Staff security awareness
Designed and delivered a security awareness programme for operational staff — addressing the human risk factors specific to a mining and power generation environment.

Eight deliverables. Zero headcount increase.

  • Embedded security function operating as an extension of the internal team
  • Security architecture input across all simultaneous technology projects
  • Vendor assessment and pressure-testing for all major procurement decisions
  • Cloud migration security architecture and validation
  • OT/IT convergence security framework for mining and energy operations
  • Board-level security reporting and risk visibility
  • Security awareness programme for operational staff
  • 200% effective increase in security team capacity — zero additional headcount

Enterprise security capability. From day one.

A 2-person security team operating with the reach and effectiveness of a security function four times that size — steering a multi-programme transformation without a single project delayed for security reasons.

New ownership had complete confidence that every technology decision across the transformation programme had been security-reviewed. Not after the fact. From the first architecture conversation.

The Cliffside difference

Most security consultants arrive with a predetermined solution and leave with a report. We became part of DeltaPAE's team. The difference shows in the outcome — not a compliance document, but a fundamentally more capable security function that the organisation still operates today.

Your team. Our reach.

If your security team is under-resourced for the demands on it — whether that's a transformation programme, a compliance obligation, or rapid growth — the Lighthouse Assessment will tell you honestly what's achievable, what it takes, and what it costs.
