Andy Tillman UK

Independent judgement.
For defensible decisions.

Helping leaders make defensible decisions where cyber risk, governance, evidence and regulatory scrutiny intersect.

Confidence should be a consequence of good judgement, not a substitute for it.

Directors and senior leaders are increasingly expected to make important cyber decisions without being cyber specialists.

The papers may be reassuring.

The language may be technical.

The assurance may appear complete.

But the questions that matter are often much simpler.

What does this actually mean?

What should I be asking?

Can I rely on the assurance I've been given?

Would this decision still make sense if it were examined after an incident?

My role is not to make decisions for you.

It is to help you think clearly, challenge assumptions where necessary, and make decisions that remain coherent, evidence-supported and defensible when scrutinised later.

Before important decisions

When you need an independent perspective before approving a significant cyber, governance or assurance decision.

When something doesn't feel right

When the presentation is reassuring, but the evidence, assumptions or operational reality don't appear to align.

During scrutiny

When scrutiny intensifies and you need to understand what previous decisions, assurances and evidence actually demonstrate.

After an incident

When technical recovery is under way, but the more difficult questions about governance, assurance, accountability and previous decisions are only just beginning.

My work has been shaped by more than twenty-five years across investigations, intelligence, cyber risk, assurance and regulatory scrutiny.

Those disciplines have one thing in common.

They require good judgement when certainty is impossible.

Does the evidence support the assurance?

Are governance and operational reality aligned?

Would today's decisions still make sense under tomorrow's scrutiny?

Those questions often reveal far more than another framework assessment.

Regulatory Defensibility is the central concept behind my work.

It considers whether decisions, governance, evidence and operational practice remain coherent when examined later by regulators, auditors, investigators or boards.

The objective is not simply to demonstrate compliance.

It is to ensure that important decisions remain credible, explainable and defensible when they matter most.

Learn more about Regulatory Defensibility

A confidential place to ask the cyber questions that are difficult to ask elsewhere.

Perhaps you're preparing for a board meeting.

Perhaps you're trying to understand whether an assurance report genuinely tells you what you need to know.

Or perhaps you simply want an independent perspective before making an important decision.

"What does good actually look like?"

"Should I be worried about this paper?"

"Is our CISO telling me enough?"

"What should I ask at the next board meeting?"

"Do these assurances actually mean anything?"

"Am I personally exposed if this goes wrong?"

Cyber Sounding Board provides directors and senior leaders with a discreet, personal and confidential opportunity to discuss difficult cyber, governance and assurance questions with an independent perspective.

At present, availability is limited to members of the Institute of Directors and affiliated organisations, by invitation or on request.

Learn more

Good judgement develops through observation, evidence and curiosity.

My writing explores cyber risk, governance, assurance, investigations, leadership and regulatory scrutiny from the perspective of helping leaders make better decisions under uncertainty.

If you're dealing with a cyber, assurance, governance or regulatory question that would benefit from an independent perspective, I'd be pleased to have an initial discussion.