peter bassill · operator
$ man ned --author="the operator"

non-executive
director.

29 years in this industry, and I am choosing my last board seats deliberately. One or two, done properly — for boards that want their cyber, IT and AI oversight from someone who has actually carried the pager, briefed the regulator, and signed the risk register from the other side of the table.

Specialisms · cyber & infosec · IT · AI governance CREST · European Council · IR Pan Europe Sectors · FS · defence · healthcare · CNI Status · open to the right conversation
$ cat what-your-board-gets
01 / The offer

Questions asked before the incident, not after.

Most boards receive their technology risk second-hand: a slide from the CISO, a paragraph from internal audit, a reassurance from the CTO. The gap between what a board is told and what is actually true is where cyber governance fails — and it is precisely the gap a practising operator in a non-executive seat closes.

What your board gets is not another set of grey hairs nodding at the security update. It is someone who has written those updates — and occasionally had them fall apart under a real attack — reading yours with an operator's eye. When the executive says the backups are tested, I know the difference between tested and restored. When the CISO's dashboard is green, I know which greens are earned and which are configured.

The role is oversight, not interference. I do not want to run your security function; I ran security functions for two decades and I know exactly where a director's job stops. What I bring to the committee room is the ability to ask the second question — the one that follows the rehearsed answer — and the credibility with your technical staff that means they tell me the truth in the corridor that didn't make the pack.

The first 90 days, concretely

DAYS 1–30READ · LISTEN

Reading before talking.

The last four board packs. The risk register, with dates of last movement. The most recent incident report, penetration test and internal audit findings. One-to-ones with the executive — not just the CIO and CISO, but finance and operations, where the real technology dependencies live.

DAYS 31–60OBSERVE · TEST

A full committee cycle, quietly.

Observe how the audit or risk committee actually consumes technology risk. Trace one risk item from register to reality — if the register says "mitigated", go and look at the mitigation. Meet the people who would run an incident, and ask them what would actually happen at 3am.

DAYS 61–90WRITE · COMMIT

A written note to the chair.

What I found. Which assurances the board can rely on, which it is accepting on faith, and the three questions I think this board should ask its executive every quarter from now on. In writing, because opinions that aren't written down have a way of softening.

THEREAFTERTHE STANDING JOB

The second question, every quarter.

Committee membership carried properly: testing the security narrative, keeping AI adoption governed rather than hoped about, supporting the CISO's growth (a board that only challenges its security leadership loses it), and being the director the executive can phone before something becomes a board matter.

$ grep -i "second question" board-pack.txt
02 / The questions

The questions I ask that other NEDs don't.

A sample, honestly given — because a board considering me should know what it is letting into the room. The full argument is in Things I wish boards would ask.

Q.01When did we last restore from backup, at production scale — not test the backup, restore it? What date, how long, who watched?
Q.02Which single supplier, if compromised this morning, hurts us most — and what did we last verify about them, beyond the certificate PDF?
Q.03Who is authorised to take the payment systems offline during an incident, and does that person know it's them?
Q.04What does our cyber insurance actually assume we're doing — and are we doing it, or did the form get filled in optimistically?
Q.05Where is AI in use in this company today — approved or otherwise — and whose data has gone into it?
Q.06If the CISO resigned this afternoon, what walks out the door that isn't written down anywhere?
$ ls evidence/ -l
03 / Evidence

Don't take the page's word for it.

Three ways to judge whether I can do this before we ever speak — the one-page board CV, a sample of the board papers I write, and the writing that shows how I think about governance.

$ cat terms-and-candour
04 / Candour

The terms, stated the way I'd want them stated to me.

These are my last seats, and I am choosing them accordingly. I am not building a portfolio; I am picking one or two boards where the work matters and doing them properly — full preparation, committee work carried, available between meetings. A NED with twelve seats gives you a twelfth of their attention. You would get half of mine at minimum, and the half that has done this since 1996.

Conflicts, up front. I run UK Cyber Defence. I will not take a seat where that creates a conflict, and I will say so in the first conversation — and UK Cyber Defence does not pitch for work at companies where I hold a board position. If your incumbent security supplier relationship makes my day job awkward, I would rather we establish that in the first phone call than in due diligence.

Succession is part of the job. The best thing a technology NED can leave behind is a board that no longer needs one quite so much — an executive team that briefs better, a CISO who has grown into the room, and a risk conversation that survives my departure. I take that part seriously; it is, at this stage of a career, rather the point.

$ contact --ned --direct
05 / The approach

Chairs and search firms: start here.

Email is fastest and entirely welcome — or use the form, which reaches exactly the same inbox. Either way: the sector, the board's shape, what has prompted the search, and rough timings. You will get a considered reply within two working days, including a prompt "this isn't a fit" where that's the honest answer.

What helps in a first message: the sector and size, whether the seat carries audit/risk committee membership, what the board currently does about cyber and AI oversight, and what prompted the search — growth, incident, regulation, or an honest gap.
EMAILcomms [at] peterbassill {dot} com
REPLYwithin 2 working days · en_GB · pgp on request
reaches me directly + a ping to my phone · nothing else sees it
anti-abuse check: waiting for the form…

back to work  ·  about  ·  cyber essentials plus  ·  things i wish boards would ask