◆Cybersecurity advisory, architecture & engineeringAuckland, New Zealand
◆About
Built by an engineer and architect, comfortable in the boardroom
Antonio Spera leads Antan, and still writes the code as readily as he sets strategy, combining governance and quantitative risk with hands-on engineering and applied AI.
Security leadership grounded in engineering
For more than twenty-five years, I have worked with organisations where security failure carries serious operational, financial, and regulatory consequences: credit bureaux, critical-infrastructure providers, public agencies, and global technology companies.
Across all of them, one principle has held: security cannot become theatre. Controls have to reduce measurable risk, enable the business, and withstand operational reality. If they do none of those, they do not belong.
Executive strategy and technical depth
My work combines executive leadership with hands-on technical practice.
As a General Manager and Associate Director of Cyber Security, I have set security strategy, built and led teams across people, process, and technology, directed certification programmes, advised executive leadership, and translated technical risk into language boards and investors can act on.
As an engineer and architect, I have designed Security Operations Centres end to end, architected security for critical infrastructure, and built customised tools, using applied AI and machine learning, to solve real operational problems.
That combination matters: strategy and implementation stay connected, with nothing lost in translation between the boardroom and the keyboard.
Quantitative risk and AI security
I approach risk quantitatively.
I help organisations express cyber risk in financial and probabilistic terms, using methods such as FAIR-based modelling, Monte Carlo simulation, and scenario-based analysis. That lets executives make evidence-based investment decisions grounded in measurable uncertainty and business impact, rather than a colour on a heat map.
I work on both sides of AI and security. On one side, I help teams bring AI into security operations to strengthen detection, response, and automation. On the other, I help secure and govern the AI systems themselves, aligned to ISO/IEC 42001 for AI management systems, the NIST AI Risk Management Framework, and OWASP guidance for large language model security, covering threat modelling, prompt-injection resilience, and data-leakage prevention.
Ongoing study of machine learning, post-quantum cryptography, and emerging computational models keeps that approach current as the field moves.
Antan
Antan provides senior security advisory and delivery without the layers of a large consulting firm.
Clients work directly with an executive-level practitioner who can move between board-level strategy, security architecture, engineering, operational delivery, team development, and quantitative risk analysis.
The result is pragmatic security leadership, grounded in technical credibility and real operational experience.
◆ Operating beliefs// how I think about security
02
“AI will not replace security analysts. Analysts using AI will replace analysts who do not.”
03
“Automation accelerates both good decisions and bad ones. Governance determines which.”
04
“Intelligence without action is information. Action without intelligence is risk.”
05
“The goal is not to build a secure organisation. The goal is to build a resilient organisation.”
06
“Cybersecurity is the practice of managing inevitable failure.”
07
“Risk management is not about predicting the future. It is about preparing for it.”
Clearances
National defence clearancePreviously held
Overseas defence clearancePreviously held
Discretion is the baseline for the environments I work in, not a value-add.
Memberships
ISACA
OWASP - Co-founder, NZ Chapter
NZITF
PECB
Continuing development
Applied AI & LLM fine-tuning for specialised models
Machine learning & data science bootcamp
Secure application development
Quantum mechanics (online university course)
Quantum computing & post-quantum cryptography
Get in touch
Want the detail behind the summary?
Considering a vCISO, a security strategy and architecture, a SOC uplift, an AI assurance review, or a secure web build? Tell me where you are and where you need to get to.