Before you reach out
It saves us both time if you have rough answers to the following before the first call:
- Why now? What has changed that has put a NED on the agenda — a regulatory deadline, an incident, a fundraise, an acquirer's diligence, an investor's request, an internal audit finding, a CEO succession, or just board maturity?
- What's the brief? Cyber NED, AI NED, technology NED in the round? Risk-committee chair? Technology-committee chair? Audit-committee member with cyber expertise? The shape matters.
- What's the term and the time commitment? Three years, six years, open-ended? One day a month, three days a month, more during incidents?
- What's the fee envelope? See the cost page for ranges; being clear about what's available before we explore fit avoids wasted effort on both sides.
- Who else is on the board? A NED's effectiveness depends heavily on the chair, the rest of the board, and the executive team. Knowing who's already there matters.
- D&O insurance — is a policy in place, or will the company commit to putting one in place before signing?
If the answers are vague at this stage, that's fine — part of the first call is sharpening them. But the more clarity going in, the more efficient the process.
The process, end to end
Step 1 — Initial call (free, ~30 minutes)
An exploratory video call to discuss the brief, the company, the board, and the role. No fee, no commitment, no NDA at this stage. We will both come out of it with a clearer view on whether there is a credible fit. I will tell you, plainly, if I think the company doesn't need a NED yet, or doesn't need this kind of NED, or that I am the wrong person for the brief.
Roughly 1 in 3 first calls leads to a step 2.
Step 2 — Mutual due diligence (1-2 weeks)
If both sides want to continue, we do mutual due diligence. From your side, you check my references, my credentials (the list is here — happy to provide direct contacts at any of the awarding bodies), my professional standing, and any current commitments that might create conflicts. From my side, I do the same on the company:
- Read the most recent statutory accounts and Companies House filings.
- Read the last 12 months of board packs, risk registers, and audit reports (under NDA).
- Speak to the chair and at least two other board members independently of the CEO.
- Speak to the CISO and head of AI (or equivalent) one-to-one.
- Review the company's current cyber and AI posture at a working level — not as a paid engagement, but as the basis for forming a view on whether I can credibly add value.
- Check for conflicts: current Hedgehog Security customers, direct competitors, ongoing legal disputes.
If anything turns up that gives either of us pause, this is the right point to walk away.
Step 3 — Chemistry meeting with the board (1 day)
An in-person or video meeting with the chair, the CEO, and ideally one or two existing NEDs. The point of this is for the existing board to form a view on whether they want me in the room, and for me to form the same view about them. Chemistry matters more at NED level than almost any other appointment, because the relationship is long, the cadence is sparse, and disagreements are inevitable. If the room doesn't feel right to either side, this is when we discover it.
Step 4 — Letter of appointment
Once we've agreed to proceed, we move to a written appointment. The letter covers:
- Term — typically 3 years, with a review at the end and a possible 3-year renewal.
- Time commitment — minimum days per month, expectations during incidents, scope of committee involvement.
- Fees — base fee, committee uplift if applicable, day rate for additional work, expense policy.
- Notice period — typically 3 months on either side, with carve-outs for fundamental breach or governance failure.
- D&O insurance and indemnity arrangements.
- Conflict-of-interest provisions and the protocol for managing emerging conflicts during the term.
- Confidentiality arrangements.
- Specific committee memberships at appointment.
I use the IoD-published model NED letter of appointment as a starting point, modified for cyber- and AI-specific clauses. Either side's lawyers can review; usually one round of comments and we're done.
Step 5 — Onboarding (first 30 days)
The onboarding plan is something I bring to the appointment, not something you have to write for me. In a typical first 30 days I will:
- Read the last 18 months of board packs, risk registers, audit-committee minutes, and any external assessments (penetration tests, AI model assessments, regulatory correspondence, ICO incident notifications).
- Have one-to-one introductory meetings with every board member and every member of the executive team.
- Visit the head office and at least one operational site, where applicable.
- Spend time with the CISO and the head of AI in their day-to-day environments — see the SOC, the tooling, the team — not just the slide-deck version.
- Meet the company secretary and understand the board administration cadence in detail.
- Review the company's external advisors — auditor, lawyers, lead insurance broker, CISO consultancy if engaged.
- Form a private one-page view, by the end of week four, of where I think the priorities are and where the board's attention isn't currently landing.
Step 6 — First board meeting
By the time the first board meeting comes around, I am familiar enough with the business to be a useful contributor on day one. I will not, however, make my first meeting about me — for the first two board meetings I am there to listen, learn, and contribute selectively. The "what does the new NED actually think?" conversation is one I bring forward properly at meeting three.
Step 7 — Steady state
Once we are in steady state, the rhythm is the rhythm: pre-reading, board meetings, committees, one-to-ones, ad-hoc, incident response. The first annual review at month twelve is when we both formally check that the appointment is still working.
Things that will end the conversation early
I'd rather we both knew up front:
- No D&O policy and no commitment to obtain one. Non-negotiable.
- A board pack culture that is genuinely opaque or evasive about risk. If the diligence shows that the board has been led to believe everything is fine when it manifestly is not, I cannot help you fix that and the company is not yet ready for the appointment.
- An ethics flag I can't get comfortable with. Active regulatory enforcement that has not been disclosed; pending litigation involving director misconduct; a recent culture incident that has not been dealt with seriously. I can be helpful with cyber and AI; I cannot be helpful with executive integrity issues that the existing board has not first chosen to face.
- An expectation that I sign documents I have not read. Not happening; not at any fee.
- A "rubber stamp" brief. If what is wanted is a credentialled name without genuine challenge, I am the wrong NED.
Confidentiality and discretion
The existence of an exploratory NED conversation is itself usually confidential: it can affect investor sentiment, employee morale, and competitor intelligence-gathering. By default, my side of every conversation in this process is confidential from day one, whether or not an NDA is in place, and I will sign your NDA before reading any board pack or accessing any non-public material. I do not name client boards on my website unless they explicitly ask me to.
How to start the conversation
The fastest route is the contact form with "NED enquiry" in the subject line and a few sentences answering the "before you reach out" questions above. I will reply within two working days with a proposed slot for the initial call.
For sensitive conversations — for example, where the company is exploring NED options around an unfolding incident, an active regulatory engagement, or an undisclosed corporate event — please use one of the channels on the encrypted contact page instead.
See also: What is a NED? · Benefits · Cost · Credentials · Encrypted contact.