Board-level engagement

A Non-Executive Director with cyber and AI expertise

Boards are now expected to govern two of the fastest-moving, highest-consequence risk areas in modern business — cyber security and artificial intelligence — without, in most cases, having a single director who has done the work. That's the gap I fill.

New: Cyber and AI Non-Executive Director — the category, defined. The canonical essay on why this is one discipline rather than two, the regulatory regimes that demand it (NIS2, DORA, EU AI Act, UK Cyber Governance Code), and the six scenarios where a board most needs the seat. Includes the downloadable Charter.

Why your board needs a NED — and why it needs to be one with cyber and AI

Every board carries a duty of care it cannot delegate. In the UK, the Companies Act 2006 puts the responsibility for the company's risk posture on its directors collectively, not on its CISO, not on its head of AI, not on the CTO, and not on the management team in any other configuration. The board is on the hook, and the regulators (FCA, PRA, ICO, Ofcom under the Online Safety Act, the EU's AI Office for any business operating in the EEA) are increasingly interested in whether the board has the technical literacy to discharge that duty.

For most boards I have spoken to, the honest answer is "not really". The audit committee has a finance background, the compensation committee has an HR background, the chair has an executive-leadership background, and somewhere on the agenda is a thirty-minute slot once a quarter for the CISO to walk the board through a heat map. That works exactly until it doesn't.

An independent, technically literate Non-Executive Director changes the dynamic. The CISO and the head of AI stop being the only people in the room who understand what they are saying. The board gains a peer who can ask the unanswerable questions — the ones the executives won't ask each other because they are too senior, and won't ask their reports because they are too junior. The risk picture sharpens. The investment decisions sharpen. And when a real incident lands, you have someone on the board who has been in incident rooms before, has seen what regulators actually want to see, and knows what "good" looks like from the inside rather than from a slide deck.

Why me, specifically

I have been working in cyber security since 1996, in roles spanning offensive testing, detection engineering, incident response, regulated-industry CISO work, and the founding and running of Hedgehog Security. I have sat on the management side of board reporting (as a CISO at Gala Coral Group); on the supplier side of board engagement (running incident response for organisations under attack); and on the practitioner side of standards committees (peer-elected co-chair of the European Incident Response Group at CREST). I have been a Chartered Engineer, a Fellow of the BCS, a Chartered IT Professional, and a CISSP since 2011 or earlier in each case. The full list is on the credentials page.

What's distinctive about the offering, in the context of NED work, is the combination of cyber and AI in a single seat. Most boards looking for governance maturity in either area today recruit two people to do it — one for cyber, one for AI. That is expensive, it doubles the integration effort, and it splits an area of risk that is rapidly converging into two governance silos that don't talk to each other. AI systems have cyber-security risk profiles. Cyber-security tooling is increasingly AI-driven. The regulators are converging too — the EU AI Act explicitly cross-references the NIS2 directive; the UK approach to AI governance under the Department for Science, Innovation and Technology is being designed in lock-step with the cyber-resilience regime. A single NED who has done both areas in production is, today, the more capable and the more cost-effective answer.

On AI specifically: I have built and deployed AI systems in security operations (the EmilyAI work between 2016 and 2018 was, by some accounts, one of the first production autonomous-SOC platforms in Europe), and I have advised on the governance of AI systems being used by other organisations to do everything from credit-scoring to claims-handling to medical-image triage. I am opinionated about both the upside and the downside, and I am sceptical of both vendor pitches and ethics-washing.

I take on a small portfolio of NED roles each year. I am selective about the boards I join — chemistry and ethics matter — and I bring the same selectivity to bear on whether a board should hire any NED at this stage of its life, never mind me specifically. The first call is free, exploratory, and explicitly scoped as "I will tell you if I think you do not need me yet".

Considering a NED appointment? The fastest way to know if there's a fit is a 30-minute call. See how to engage me for the process, or just go straight to the contact form and put "NED enquiry" in the subject line.