A team member left their computer screen visible in a photograph. Not readable. Not sensitive enough to constitute a breach. Just visible enough that our security review process flagged it. We spent four hours investigating a confirmed non-incident - and that is precisely how it should work.
The investigation that found nothing
The photograph showed part of a laptop screen in the background of an otherwise routine image.
After four hours of documentation and review, the investigation confirmed:
- No client data was visible
- No sensitive information was legible
- The image was taken in a context where photography was expected
- The team member had followed correct protocols throughout
The record goes into our incident register. Not because something went wrong, but because the process caught something worth checking - and that fact itself is evidence.
Why pursuing ISO 27001 changes your instincts
Working toward ISO 27001 does not just require controls. It requires evidence that those controls are functioning. That means documenting security events - including near-misses and confirmed non-incidents, not only the events that turn out to be real incidents - to demonstrate that the system catches things. The distinction matters: an event is anything that might be security-relevant, and it is the triage record that shows whether it became an incident.
A visible screen in a photograph is not a breach. But a process whose reporting threshold is low enough to pick up a visible screen is a process that would also pick up an actual breach; a threshold tuned to ignore the first would miss the early signs of the second.
The investigation that found nothing is proof that the investigation process works.
The 8-12 hours and why we welcome it
Security protocols consume approximately 8-12 hours of team time every month. Access reviews. Incident documentation. Policy updates. Security awareness conversations. Audit preparation.
This is friction. It slows other work. It takes time that could go to client delivery.
We embrace it anyway, for two reasons.
It surfaces problems early. The small inconveniences - logging access, reviewing permissions, documenting anomalies - create visibility. Problems appear before they become breaches.
It builds instinct. When security reviews are routine, security thinking becomes routine. The team starts noticing things that would slip past if security were an afterthought. The visible screen in that photograph was noticed because we have trained ourselves to notice.
Frictionless security does not exist. Either you have deliberate friction you control, or you have catastrophic friction when something goes wrong.
The trust argument
Pharmaceutical consulting means handling sensitive commercial data. Customer lists. Competitive intelligence. Strategic plans. The kind of information that, if exposed, would be genuinely damaging to a client’s business.
Trust of that kind cannot be sustained by promises. It requires evidence of systematic protection. The security protocols that consume 8-12 hours a month are part of that evidence.
When clients ask about our security practices, we do not describe aspirations. We show documentation. Incident reviews. Access logs. Audit trails.
We have not had a client data breach. That is not luck - it is the accumulated effect of treating every potential issue as worth examining, including the ones that turn out to be nothing.
The computer screen that triggered a security investigation was not a problem. Our ability to catch it was the whole point.