Monday, November 17, 2025

Interview With Damien Cantelo – CEO of Apollo Secure, by Shauli Zacks


Shauli Zacks

Published on: November 17, 2025
Content Editor

SafetyDetectives recently sat down with Damien Cantelo, CEO of Apollo Secure, to discuss how his company is simplifying cybersecurity and compliance for growing businesses. Damien shared the story behind Apollo Secure’s creation, how AI is transforming administrative security tasks, and why proactive risk management—not just technical controls—will define the next major shift for small and mid-sized organizations.

Can you introduce yourself and talk about what inspired the creation of Apollo Secure and the problem you set out to solve?

Hi, I’m Damien Cantelo from Apollo Secure. When I started this business, it was actually based on an experience I had at my previous tech startup, where we were on the receiving end of all of these security questionnaires from clients. My background was in cybersecurity for a few decades, so we’d always been helping clients respond to them and uplift their security maturity.

But when you’re in the hot seat as a business owner yourself, there’s a lot of work to be done, and it’s hard on a tight budget with limited resources. I saw firsthand how hard it is to respond to those questionnaires—not just the process of responding, but actually doing the things that are asked of you, such as generating a full set of policies, doing your staff training, doing a vulnerability scan, running a risk assessment – all the things that you needed to do for the questionnaires.

I just thought, there’s got to be a platform to automate all of this stuff. This was a few years ago, and there wasn’t really anything on the market doing that.

I parked that in the back of my mind, and then fast-forward a couple of years, when friends at other startups asked for my help solving similar problems. I said, I’m not going to help you do it as a consultant; instead, I’m going to build a platform, and you can be my first customer.

So that’s where it really came from – firsthand experiencing the pain.

What are the flagship services offered by Apollo Secure, and who are your typical clients?

We’ve got a fairly broad Governance, Risk, and Compliance (GRC) platform. We can help with risk management and human risk management, and many other things. However, where we’re really getting a lot of interest at the moment is our security questionnaire automation. So this is, ironically, back to our initial use case that helped found Apollo Secure – where you get these security questionnaires from your large clients.

We’re using AI to respond to those questionnaires in an automated fashion. We’re working with tech companies and professional services organizations, mostly in the mid-market or scaling startups to scaleups, who have an aggressive sort of sales motion. If they’re getting a lot of those inbound questionnaires, we can help them streamline and automate them.

With so many compliance frameworks — from ISO 27001 to SOC 2 — how does Apollo Secure help organizations navigate and maintain compliance without getting overwhelmed?

It can be a bit of a minefield with all the different frameworks and standards. Of course, as part of our GRC platform, we do have Compliance Management – the “C” in GRC. So we help customers choose a framework or frameworks and then map their controls to those framework requirements.

Whether it’s ISO 27001, SOC 2, or any of the other frameworks out there, you can adopt one of those frameworks, work through the process and try to simplify it. What we do with the platform is try to break it down, because standards like SOC 2 have more than 300 control requirements. We break that down into manageable, bite-sized chunks and give clients the tools needed to deliver or meet those requirements with a lot of the features on the platform.

Some of the requirements are off-platform, especially if there are technical requirements, but we just try to make that as easy as possible. We can also help customers, either ourselves or with our partners, to guide them through the process because it can be a little bit daunting if you haven’t done it before.

Cybersecurity for small and mid-sized companies often comes down to education and visibility. What are the biggest misconceptions you see among small-business owners when it comes to protecting their data?

Specifically around protecting data, I think it’s this concept of data sprawl. Most people are running on platforms like SharePoint or Dropbox or another shared drive structure, and they implement access control on the files where they reside.

But, of course, as with most businesses, people start sharing those files. They may email them to each other or put them on a USB key and send them off to an event. I think data sprawl is one of the bigger risks, specifically around data privacy, because people always seem to find a way around the controls. For example, emailing customer lists out to the whole sales team, so all your personally identifiable information (PII) is going out the door and onto unmanaged devices.

Access control and reviewing those systems is really important—regularly auditing who has access to which folders, who’s sending it where, and what the controls around it are.

As CEO, how do you see AI and automation changing the way smaller teams manage cybersecurity in the next few years?

Everyone’s talking about AI and how it’s being used in cybersecurity. I think a lot of people are looking at security monitoring or analytics, which seems to be a good use case for it.

At Apollo Secure, we’re obviously using it for things like security questionnaire responses, so I think it’s more about the administrative processes. The boring stuff — filling in spreadsheets or writing up reports — is where we see AI driving the most efficiency.

I do think it’s super important to always have the human in the loop. I know that’s stating the obvious, but if you put too much decision-making control in the hands of AI, things can go wrong.

Automating the mundane is really where you want to see that happening. Then people can focus on expert thinking and threat modelling. Sure, it can be assisted by AI, but having humans provide logic and oversight ensures the right decisions are being made.

What do you think will define the next major shift in cybersecurity for small and mid-sized businesses?

AI is obviously the flavor of, let’s say, the decade, but outside of that, it’s probably moving beyond just implementing technical controls to looking at proactive risk management.

If you put it in the “war room” scenario, the first things that small to mid-size organizations should do include implementing antivirus software or Endpoint Detection and Response (EDR), having Multi-Factor Authentication (MFA) enabled, and ensuring firewalls are properly configured. These technical controls are super important, and they have to be in place.

Once you’ve moved beyond all of that — which hopefully most small to mid-size organizations have already done — it’s about being more proactive with your cyber strategy and asking:

  • How are you managing risks?
  • What are the information assets in the business?
  • What’s the value attributed to that?
  • The whole likelihood and impact assessment that you do around it

Having proper enterprise risk management thinking and applying it on top of the technical controls helps uplift cyber maturity and encourages a risk-based approach to all the decisions that are made.
