work.
One board seat at a time, taken seriously. A Non-Executive Director who still reads the logs — cyber security, information security, IT and AI oversight from someone who has actually operated all four. Plus a small amount of ad-hoc advisory work where the problem is interesting.
The NED who has carried the pager.
Most boards get their cyber security oversight second-hand — a slide from the CISO, a paragraph from the auditors. A board with an operator in a non-executive seat gets it first-hand, in plain English, with the follow-up questions asked before the meeting rather than after the incident.
I'm open to Non-Executive Director positions with UK boards where cyber security, information security, IT or AI is a material part of the risk register — which, in 2026, is most boards; the difference is whether they govern it or hope about it.
What I bring to a boardroom is the combination: twenty-eight years as a practitioner, a decade at executive level, current CREST European Council and IR Pan Europe seats, and a working knowledge of what regulators, insurers and incident rooms actually ask for. I can challenge an executive's security narrative because I have written those narratives, and occasionally had them fall apart under a real attack.
Cyber & information security
Security posture the board can interrogate: what the risk register should say, what the CISO's report leaves out, what an incident will demand of directors — and whether the recovery plan survives contact with an actual Tuesday-morning breach.
IT & technology
Technology oversight from someone who still builds: whether the platform bet is sound, whether the resilience claims are tested or theatrical, and whether the IT budget is buying risk reduction or shelfware.
AI governance
The newest line on the risk register. Where AI genuinely helps the business, where it quietly leaks its data, and what the board must be able to evidence — UK GDPR, the EU AI Act where it reaches, and the questions insurers have started asking.
Short engagements, specific problems.
Alongside board work I take a small number of consultative engagements — typically days or weeks, not retainers. The common thread: situations where the standard playbook doesn't quite fit.
Cyber Essentials Plus, when it isn't simple.
Most firms can walk through Cyber Essentials Plus with a checklist. Some can't: mixed legacy estates, OT on the network, air-gapped labs, BYOD that grew organically, subsidiaries on three different stacks. I untangle the scope, sequence the remediation, and get you certified without pretending the mess isn't there. Six case studies in the deep dive →
AI adoption with the security built in.
Bringing AI into the business without leaking it out: usage policy and data rules, securing agents and their connectors before they touch production, vendor and contract review, and the board briefing that explains what you did and why. The starter kit is free; this is the version with me in the room for the complicated parts.
General cyber security, board to console.
Board and executive briefings in plain English. Incident-response readiness reviews and tabletop exercises. A second opinion on a security roadmap, a supplier's claims, or a post-incident report that reads too cleanly. If it needs a team and a SOC, that's UK Cyber Defence; if it needs one experienced person and candour, it's this.
Engagement, without the theatre.
No discovery funnels, no account managers. Write to me with the situation; if I can help, you get a scope, a price and a start date. If I can't, you get told quickly and, where I know one, pointed at someone who can. Replies within two working days.
Start the conversation.
For NED approaches: the sector, the board's shape, and what has prompted the search. For advisory work: the situation and rough timescale. My full background is on the CV — token-gated, ask if you need one.