peter bassill · operator
$ ls -l /etc/services --sort=priority

work.

One board seat at a time, taken seriously. A Non-Executive Director who still reads the logs — cyber security, information security, IT and AI oversight from someone who has actually operated all four. Plus a small amount of ad-hoc advisory work where the problem is interesting.

Base · United Kingdom Day job · CEO, UK Cyber Defence CREST · European Council · IR Pan Europe Status · open to NED conversations
$ man ned --section=board
01 / Non-Executive Director

The NED who has carried the pager.

Most boards get their cyber security oversight second-hand — a slide from the CISO, a paragraph from the auditors. A board with an operator in a non-executive seat gets it first-hand, in plain English, with the follow-up questions asked before the meeting rather than after the incident.

I'm open to Non-Executive Director positions with UK boards where cyber security, information security, IT or AI is a material part of the risk register — which, in 2026, is most boards; the difference is whether they govern it or hope about it.

What I bring to a boardroom is the combination: twenty-eight years as a practitioner, a decade at executive level, current CREST European Council and IR Pan Europe seats, and a working knowledge of what regulators, insurers and incident rooms actually ask for. I can challenge an executive's security narrative because I have written those narratives, and occasionally had them fall apart under a real attack.

SPECIALISM · 01

Cyber & information security

risk oversight · incident governance

Security posture the board can interrogate: what the risk register should say, what the CISO's report leaves out, what an incident will demand of directors — and whether the recovery plan survives contact with an actual Tuesday-morning breach.

CREST · EUROPEAN COUNCIL
SPECIALISM · 02

IT & technology

strategy · resilience · spend

Technology oversight from someone who still builds: whether the platform bet is sound, whether the resilience claims are tested or theatrical, and whether the IT budget is buying risk reduction or shelfware.

OPERATOR · SINCE 1998
SPECIALISM · 03

AI governance

adoption · risk · policy

The newest line on the risk register. Where AI genuinely helps the business, where it quietly leaks its data, and what the board must be able to evidence — UK GDPR, the EU AI Act where it reaches, and the questions insurers have started asking.

AUTHOR · AI SECURITY STARTER KIT
Fit & candour: I run a UK cyber defence firm, so I will not take a seat where that creates a conflict — and I will say so in the first conversation, not the fourth. Audit and risk committee work welcome. One or two seats, done properly, rather than a portfolio.
$ ls -l /etc/services | grep adhoc
02 / Ad-hoc advisory

Short engagements, specific problems.

Alongside board work I take a small number of consultative engagements — typically days or weeks, not retainers. The common thread: situations where the standard playbook doesn't quite fit.

ASSURANCEDAYS → WEEKS

Cyber Essentials Plus, when it isn't simple.

complex estates · air gaps · large networks · awkward legacy

Most firms can walk through Cyber Essentials Plus with a checklist. Some can't: mixed legacy estates, OT on the network, air-gapped labs, BYOD that grew organically, subsidiaries on three different stacks. I untangle the scope, sequence the remediation, and get you certified without pretending the mess isn't there. Six case studies in the deep dive →

AIDAYS → WEEKS

AI adoption with the security built in.

implementations · agents · governance

Bringing AI into the business without leaking it out: usage policy and data rules, securing agents and their connectors before they touch production, vendor and contract review, and the board briefing that explains what you did and why. The starter kit is free; this is the version with me in the room for the complicated parts.

CYBERSCOPED

General cyber security, board to console.

briefings · IR readiness · second opinions

Board and executive briefings in plain English. Incident-response readiness reviews and tabletop exercises. A second opinion on a security roadmap, a supplier's claims, or a post-incident report that reads too cleanly. If it needs a team and a SOC, that's UK Cyber Defence; if it needs one experienced person and candour, it's this.

HOW IT WORKSPLAIN TERMS

Engagement, without the theatre.

direct · scoped · en_GB

No discovery funnels, no account managers. Write to me with the situation; if I can help, you get a scope, a price and a start date. If I can't, you get told quickly and, where I know one, pointed at someone who can. Replies within two working days.

$ contact --work

Start the conversation.

For NED approaches: the sector, the board's shape, and what has prompted the search. For advisory work: the situation and rough timescale. My full background is on the CV — token-gated, ask if you need one.

replies within 2 working days · en_GB · pgp on request · no agency intros

back to home  ·  about  ·  writing  ·  ai security starter kit