Before important decisions
When you need an independent perspective before approving a significant cyber, governance or assurance decision.
Andy Tillman UK
Helping leaders make defensible decisions where cyber risk, governance, evidence and regulatory scrutiny intersect.
Confidence should be a consequence of good judgement, not a substitute for it.
Directors and senior leaders are increasingly expected to make important cyber decisions without being cyber specialists.
The papers may be reassuring.
The language may be technical.
The assurance may appear complete.
But the questions that matter are often much simpler.
What does this actually mean?
What should I be asking?
Can I rely on the assurance I've been given?
Would this decision still make sense if it were examined after an incident?
My role is not to make decisions for you.
It is to help you think clearly, challenge assumptions where necessary, and make decisions that remain coherent, evidence-supported and defensible when scrutinised later.
When an independent perspective helps
When you need an independent perspective before approving a significant cyber, governance or assurance decision.
When the presentation is reassuring, but the evidence, assumptions or operational reality don't appear to align.
When scrutiny intensifies and you need to understand what previous decisions, assurances and evidence actually demonstrate.
When technical recovery is under way, but the more difficult questions about governance, assurance, accountability and previous decisions are only just beginning.
How I work
My work has been shaped by more than twenty-five years across investigations, intelligence, cyber risk, assurance and regulatory scrutiny.
Those disciplines have one thing in common.
They require good judgement when certainty is impossible.
Does the evidence support the assurance?
Are governance and operational reality aligned?
Would today's decisions still make sense under tomorrow's scrutiny?
Those questions often reveal far more than another framework assessment.
Regulatory Defensibility
Regulatory Defensibility is the central concept behind my work.
It considers whether decisions, governance, evidence and operational practice remain coherent when examined later by regulators, auditors, investigators or boards.
The objective is not simply to demonstrate compliance.
It is to ensure that important decisions remain credible, explainable and defensible when they matter most.
Learn more about Regulatory DefensibilityCyber Sounding Board
A confidential place to ask the cyber questions that are difficult to ask elsewhere.
Perhaps you're preparing for a board meeting.
Perhaps you're trying to understand whether an assurance report genuinely tells you what you need to know.
Or perhaps you simply want an independent perspective before making an important decision.
"What does good actually look like?"
"Should I be worried about this paper?"
"Is our CISO telling me enough?"
"What should I ask at the next board meeting?"
"Do these assurances actually mean anything?"
"Am I personally exposed if this goes wrong?"
Cyber Sounding Board provides directors and senior leaders with a discreet, personal and confidential opportunity to discuss difficult cyber, governance and assurance questions with an independent perspective.
At present, availability is limited to members of the Institute of Directors and affiliated organisations, by invitation or on request.
Learn moreThinking
Good judgement develops through observation, evidence and curiosity.
My writing explores cyber risk, governance, assurance, investigations, leadership and regulatory scrutiny from the perspective of helping leaders make better decisions under uncertainty.
Contact
If you're dealing with a cyber, assurance, governance or regulatory question that would benefit from an independent perspective, I'd be pleased to have an initial discussion.