From Startup Speed to Enterprise Security (Without Losing Your Soul)
Why the best security transformations happen invisibly—which is why I am making ours visible
Corporate IT makes most people's eyes glaze over, but without it, you'll be walking into eye-wateringly big fines.
Picture it: routers running on default passwords, guest Wi-Fi with the same access as the private network, and a Windows box stuffed with sensitive financial data, discoverable with a basic port scan and easy to get into. That nightmare was our reality 6 years ago. Yet today, we're rated 99/100 on Security Scorecard—top 1% globally. We resolve incidents 48% faster than the industry average, and we've processed over £2 billion in transactions with zero breaches whilst still deploying 250,000+ times a year.
Here's how our small expert team built IT and Security that didn't just protect the business—it kept us moving fast.
The Team Behind the Numbers
When I joined loveholidays, cybersecurity was what you'd expect from a fast-growing startup—functional but fragile. The founding team had built a market-leading business, but security was reactive rather than strategic.
Our security team began what can only be described as a masterclass in patient engineering. Every system they touched, they left more secure. Every process they inherited, they improved incrementally. Every crisis became a foundation upgrade.
Good security is like plumbing: invisible until it fails. The difference here is—it never fails.
Take our transition to PCI DSS Level 2 compliance. When we hit 5 million transactions—a milestone that typically requires months of preparation and dedicated project teams—one person handled the entire certification. Not because they're superhuman, but because they'd been building compliance into everything.
Or consider the flood that hit our comms room when a pipe burst. Turns out the room was mostly empty—nothing critical was at risk. The team had long since moved everything important to managed cloud services, anticipating exactly this scenario.
These weren't lucky breaks. They were compound interest on thousands of quiet decisions.
The People
The difference isn't the process; it's the people. Colleagues with grey hair and battle scars make intelligent, real-time decisions.
Their entire approach is exemplified by something as simple as the IT cupboard. Lost another power cable, forgot your headset, or broke your mouse? Just pick it up from the IT cupboard and get back to your day. No forms in triplicate, no approval chains.
They embody the principle that IT and Security should help the organisation move faster, not slower.
The Systems
Instead of separate projects, they baked security into development. Instead of bolt-on processes, they made existing ones secure. Instead of a fortress, they built continuous Zero Trust.
Their proactive approach extends beyond our systems.
Through our threat-detection programme with ZeroFox (yes, they actually did call their product that... give it a moment if you don't get it), they've identified and taken down 295 malicious attempts to impersonate our brand since November 2023. Most companies only discover these threats after customers complain.
Someone actually bought one of our stolen laptops from "a guy down the pub" and brought it to our office, asking us to unlock it or if we wanted to buy it back.
Putting aside the state of society... it was useless to them from the moment it was purchased.
These systems aren't accidents. They're the result of colleagues who think 3 steps ahead and have the experience to know which risks matter and which don't.
The Lesson Others Can Steal
Bake it in quietly, everywhere—and hire people with the scars to know what actually breaks.
Maintaining the Soul
They've achieved enterprise-grade security whilst preserving our startup agility. Our teams still move fast and take calculated risks. Our culture continues to value autonomy and innovation.
Our developers don't wait weeks for approvals—they ship daily with security baked in.
Their Zero Trust architecture exemplifies this approach. Traditional perimeter security would slow us down—every new integration becomes a security review, every new office requires VPN setup, every remote worker needs special configuration. Instead, our cloud-native Zero Trust model means security travels with our people and systems automatically.
Central to maintaining this balance is a fundamental shift in language: our security team rarely say 'No'—they say 'How?'. This isn't being weak; it's strategic. 'No' just creates shadow IT as teams find workarounds. 'How?' builds trust and collective ownership, bringing colleagues into the understanding that security is everyone's responsibility.
This philosophy is supported by our Information Security Risk Committee, which serves as the foundation of organisational risk knowledge. It ensures that when we ask 'How?', we're enabling informed experimentation and advancement rather than stifling innovation with uninformed restrictions.
The result? When regulatory requirements like NIS2 emerge across the EU, we're already compliant. When ISO 27001 certification becomes necessary for enterprise sales, the groundwork is in place. Expanding into new markets? We're already attested.
The Recognition They Deserve
Last month, I presented our cybersecurity approach to the board. As I walked through our metrics—the 99/100 Security Scorecard rating, the 48% faster incident resolution, the millions saved through proactive architecture—I felt something worth calling out: pure pride in working alongside people who make excellence look effortless.
These aren't the people whose names often come up at the company all-hands or in case studies. They're just working quietly in the background, making everyone else's job easier whilst protecting everything that matters.
It looks effortless because it's been built with care. When our systems handle record traffic without security incidents, when compliance audits pass without drama, when new markets open without security delays—that's not luck. That's hundreds of careful decisions made by people who understand that the best security is invisible.
Our upcoming cybersecurity tabletop exercise might be messy at the executive level as we test our communication protocols. But the technical response? That will be flawless. Because the team has been preparing for it for years, building the capabilities we need before we need them.
They haven't just protected our data and systems. They've protected our ability to move fast, take risks and maintain the entrepreneurial spirit that makes loveholidays successful. They've proven you don't have to lose your soul to gain enterprise security.
That's worth celebrating.
(Well, until they remove admin rights on everyone's Macs and the dev team revolts 🤫)
Security that makes you faster feels like a paradox. If you've cracked it, I'd love to hear how.