non-executive
director.
29 years in this industry, and I am choosing my last board seats deliberately. One or two, done properly — for boards that want their cyber, IT and AI oversight from someone who has actually carried the pager, briefed the regulator, and signed the risk register from the other side of the table.
Questions asked before the incident, not after.
Most boards receive their technology risk second-hand: a slide from the CISO, a paragraph from internal audit, a reassurance from the CTO. The gap between what a board is told and what is actually true is where cyber governance fails — and it is precisely the gap a practising operator in a non-executive seat closes.
What your board gets is not another set of grey hairs nodding at the security update. It is someone who has written those updates — and occasionally had them fall apart under a real attack — reading yours with an operator's eye. When the executive says the backups are tested, I know the difference between tested and restored. When the CISO's dashboard is green, I know which greens are earned and which are configured.
The role is oversight, not interference. I do not want to run your security function; I ran security functions for two decades and I know exactly where a director's job stops. What I bring to the committee room is the ability to ask the second question — the one that follows the rehearsed answer — and the credibility with your technical staff that means they tell me the truth in the corridor that didn't make the pack.
The first 90 days, concretely
Reading before talking.
The last four board packs. The risk register, with dates of last movement. The most recent incident report, penetration test and internal audit findings. One-to-ones with the executive — not just the CIO and CISO, but finance and operations, where the real technology dependencies live.
A full committee cycle, quietly.
Observe how the audit or risk committee actually consumes technology risk. Trace one risk item from register to reality — if the register says "mitigated", go and look at the mitigation. Meet the people who would run an incident, and ask them what would actually happen at 3am.
A written note to the chair.
What I found. Which assurances the board can rely on, which it is accepting on faith, and the three questions I think this board should ask its executive every quarter from now on. In writing, because opinions that aren't written down have a way of softening.
The second question, every quarter.
Committee membership carried properly: testing the security narrative, keeping AI adoption governed rather than hoped about, supporting the CISO's growth (a board that only challenges its security leadership loses it), and being the director the executive can phone before something becomes a board matter.
The questions I ask that other NEDs don't.
A sample, honestly given — because a board considering me should know what it is letting into the room. The full argument is in Things I wish boards would ask.
Don't take the page's word for it.
Three ways to judge whether I can do this before we ever speak — the one-page board CV, a sample of the board papers I write, and the writing that shows how I think about governance.
The board CV
Roles, credentials, sectors, availability and the conflicts position — the one-pager a chair or search firm can circulate. No token gate, no email capture.
A sample board paper
A sanitised quarterly security briefing in the format I write them: what we know, what we don't, the risks honestly stated, and the decisions the board is actually being asked to take. Judge the craft directly.
How I think, in writing
Board-facing pieces from the desk:
The terms, stated the way I'd want them stated to me.
These are my last seats, and I am choosing them accordingly. I am not building a portfolio; I am picking one or two boards where the work matters and doing them properly — full preparation, committee work carried, available between meetings. A NED with twelve seats gives you a twelfth of their attention. You would get half of mine at minimum, and the half that has done this since 1996.
Conflicts, up front. I run UK Cyber Defence. I will not take a seat where that creates a conflict, and I will say so in the first conversation — and UK Cyber Defence does not pitch for work at companies where I hold a board position. If your incumbent security supplier relationship makes my day job awkward, I would rather we establish that in the first phone call than in due diligence.
Succession is part of the job. The best thing a technology NED can leave behind is a board that no longer needs one quite so much — an executive team that briefs better, a CISO who has grown into the room, and a risk conversation that survives my departure. I take that part seriously; it is, at this stage of a career, rather the point.
Chairs and search firms: start here.
Email is fastest and entirely welcome — or use the form, which reaches exactly the same inbox. Either way: the sector, the board's shape, what has prompted the search, and rough timings. You will get a considered reply within two working days, including a prompt "this isn't a fit" where that's the honest answer.
→ back to work · about · cyber essentials plus · things i wish boards would ask