The definitive guide to who shapes cyber policy in Whitehall, and how to work with them.
Continue reading
Cyber Across UK Government: Departments, Programmes, and Policy Players
Leave a Reply
Tag Archives: NCSC
Inside the UK Cyber Ecosystem: A Strategic Guide in 26 Parts
An extensive guide mapping the networks, policy engines, commercial power bases, and future-shapers of British cybersecurity.
Continue reading
The Insider’s Guide to Influencing Senior Tech and Cybersecurity Leaders in the UK
Influencing senior leaders in cybersecurity and technology is no small task, especially in the UK, where credibility, networks, and standards carry immense weight. Whether you’re a startup founder, a scale-up CISO, or a policy influencer, knowing where the key conversations happen (and who shapes them) can make the difference between being heard and being ignored.
Continue reading
When a Parking Permit Becomes a Cyber Risk: Understanding Indirect Supply Chain Threats
While applying for a parking permit, I discovered an expired SSL certificate on a council website, highlighting how small oversights in public services can expose broader cybersecurity risks. This real-world example shows why organisations must take indirect supply chain risk seriously, particularly in regions critical to national security.
Continue reading
Did We Influence DSIT’s Cyber Governance Code of Practice?
This article compares my practitioner response, the IET’s institutional submission, and the final Cyber Governance Code of Practice published in April 2025. It shows where our ideas carried through (supply chain oversight, continuous process, assurance), where they were partly adopted (SME proportionality, professional recognition), and where they were ignored (incentives, legal duties). The conclusion: yes, we influenced the Code — but the hardest issues remain unresolved.
Continue reading
Cyber Governance Code of Practice 2024: What Government Finally Published
The UK’s Cyber Governance Code of Practice, published in 2025, sets out five principles for boards: risk management, strategy, people, incident response, and assurance. It places cyber in the boardroom and makes directors personally accountable, but stops short of embedding duties in company law. While clear and structured, the Code lacks incentives, SME pathways, and professional recognition — making uptake uncertain.
Continue reading
Professionalising Cyber: Reflections from Conway Hall
A first-hand reflection on the UK Cyber Security Council’s recent “The Journey to Professionalisation” event at Conway Hall, exploring the ongoing professionalisation of the cyber security sector. Highlights include the expansion of recognised specialisms, the development of the UK Cyber Skills Framework, and discussions on AI, early-career challenges, and the need for a more inclusive, realistic skills framework to support a growing cyber economy.
Continue reading
Scaling Cyber: A Startup Founder’s Journey from Idea to Exit
This virtual book is a guide to the entrepreneurial journey, drawn from real-world experiences in cyber startups. It distils insights from my time on the NCSC for Startups accelerator (cohort 13, 2023), the DSIT Cyber Runway Scale programme (2024/2025), and my mentoring on DSIT’s Cyber ASAP programme. It’s a collection of lessons, reflections, and hard-earned knowledge from the founders, investors, and industry leaders I’ve met along the way. Thanks to Marcel Duchamp you can think of it as a “ready made”, a curated work built from my blog articles, assembled to help you navigate the path from startup to scale, and beyond.
Continue reading
Overview, Summary, Thoughts, and Recommendations on the NCSC Cyber Security Risk Management Guidance
This article evaluates the NCSC’s Cybersecurity Risk Management Guidance, highlighting its strengths in broad coverage and practical tools but identifying key weaknesses, including the lack of an integrated end-to-end framework, inconsistent depth, and limited audience-specific tailoring. It recommends strengthening the framework’s integration, providing accessible tools, addressing organisational resistance, and incorporating strategies for emerging technologies and black swan events. These enhancements could elevate the guidance to a truly comprehensive standard for diverse organisations.
Continue reading
Masking and Personality Typing: An Asperger’s Perspective
This article explores how masking, often necessary for those with Asperger Syndrome, complicates the accuracy of personality typing systems. Drawing from personal experiences in a challenging post-war inner-city environment, it critiques the limitations of these systems in truly capturing one’s authentic self and offers insights into the interplay between identity, masking, and neurodiversity.
Continue reading
Cyber Governance at a Crossroads: Responding to DSIT’s Consultation
This framing article summarises a set of responses to DSIT’s Cyber Governance Code of Practice consultation in Jan/Feb 2024. It highlights practitioner and institutional submissions, alongside thematic deep dives on law, assurance, incentives, and professionalism. The message: DSIT asked the right questions, but the hardest answers were still missing.
Continue reading
Professionalism and Accountability: Why Cyber Needs Recognition like Law and Engineering
This article argues that DSIT’s Cyber Governance Code of Practice must embed professional recognition for cyber experts, just as directors rely on lawyers, accountants, and engineers. Without a register of recognised professionals, directors risk being accountable without credible support.
Continue reading
Incentives, Not Just Obligations: Driving Real Uptake of Cyber Governance
This article argues that obligations alone will not drive the adoption of DSIT’s Cyber Governance Code of Practice. To succeed, the Code must be backed by incentives — tax relief, insurance benefits, procurement levers, and reputational recognition — that make governance valuable to boards. Obligations can enforce compliance; incentives will create commitment.
Continue reading
From Cyber Essentials to Corporate Governance: Raising the Bar
Cyber Essentials has value as a baseline, but reaches only 0.3% of UK organisations and says little about governance. This article argues that DSIT’s Cyber Governance Code of Practice must raise the bar, from compliance to accountability, from self-attestation to credible assurance, and from one-off certificates to continuous governance. Cyber Essentials is the floor; governance must be the ceiling.
Continue reading
Why Self-Attestation Doesn’t Work: Lessons for the DSIT Code
This article argues that self-attestation has failed as a credible assurance mechanism, citing Cyber Essentials’ low uptake and ISO 27001’s limits. It warns that if DSIT builds the Cyber Governance Code of Practice on self-assessment, it will fail. To succeed, the Code must mandate independent, accredited assurance that directors, investors, and regulators can trust.
Continue reading
Directors and Cyber Responsibility: Towards a New Company Law
This article examines DSIT’s 2024 proposal to embed cyber responsibility into company law. It argues that directors should carry legal duties for cyber resilience, as they already do for finance and health and safety — but only if those duties are proportionate, professionalised, and practical. The consultation did not change the law, but the direction of travel is unmistakable.
Continue reading
Directors and Cyber Governance: My Practitioner’s Response to DSIT’s Consultation
This article revisits my practitioner-led response to DSIT’s 2024 consultation on the Cyber Governance Code of Practice. It highlights key issues I raised: supply chain risk, flaws in self-attestation, tool overload, lack of incentives, and the need for continuous governance. The argument is simple: cyber resilience belongs in the boardroom, but only if policy is grounded in practice.
Continue reading
Before the DSIT Cyber Governance Code of Practice: What the Consultation Proposed
The DSIT Cyber Governance Code of Practice consultation (Jan 2024) proposed five principles for boards: risk management, strategy, people, incident response, and assurance. But it left key gaps: no incentives, little for SMEs, no professional recognition, and weak thinking on assurance. This article argues the consultation was historic, but incomplete — a foundation that required sharper, practitioner-led input.
Continue reading
Comparing SaaS GitHub and Self-Hosted GitLab: An In-Depth Analysis of Pros and Cons with Alternatives
On the penultimate day of the NCSC For Startups programme, there was an ad hoc discussion on code repositories and DevOps tooling. A couple of the cohort were long-time GitHub users, while we use a self-hosted version of GitLab. One of the teams had just moved from the latter to the former, while the final team used Azure DevOps. I thought it would be nice to write up an objective look at the first two options, along with alternatives, as well as summarise our decision. I didn’t want to cover Azure DevOps as I’ve just spent two years using it and I’m grateful to have escaped its clutches. Learn more here.
Continue reading“What’s Causing a Rise in Seed-Stage Valuations?”: Analysis, Key Takeaways, and Advice
In response to Beauhurst’s article “What’s Causing a Rise in Seed-Stage Valuations?” on seed-stage valuations, this critique offers a concise analysis, highlighting strengths, areas for improvement, and key takeaways. We delve into the complex landscape of seed-stage valuations, exploring the factors behind their rise and assessing the article’s contribution to the discussion.
Continue reading