Security.Risk.Compliance.
25+ years of advising banks, telcos, energy operators, and governments on how to protect what they actually run — from boardroom posture down to the PLC.

Banking, Telecom, Insurance, Energy, Utilities, Media, Big 4.
Enterprise security architecture, risk assessment, and compliance work for regulated industries where failure has consequences measured in pounds, downtime, or lives.
United Kingdom, Europe, GCC, South and Southeast Asia, Africa, Australia, United States.
Adapts to each regulator — FCA in London, NESA in Abu Dhabi, SAMA in Riyadh, QFCRA in Doha — and to each operating culture.
IT and OT security, under one practitioner.
25+ combined years of enterprise IT security and industrial control systems — so the gap between the corporate network and the plant floor is closed by one person, not two vendors.
Five areas.
One practitioner across all of them.
At board, CISO, and programme level.
Executive advisory
CISO-as-a-Service and virtual security leadership for CIOs, CTOs, and boards that need an independent point of view without a standing hire.
Risk workshops & M&A
Executive risk workshops and security diligence for mergers, acquisitions, and carve-outs — before the term sheet, not after.
Operating model & strategy
Global security operating models and multi-year strategies for AI adoption, cloud migration, and operational technology convergence.
Programme & regulatory alignment
Assurance on multi-year transformation programmes. Aligning security investment with the regulator of record — FCA, PRA, NESA, SAMA, or SOX.
Securing the models, the pipelines, and the agents.
End-to-end model security
Threat models for LLM and generative-AI systems, from training data to inference. Risk assessments for autonomous agents and retrieval stacks.
Threat mitigation
Prompt-injection defence, model-level protection, and confidential computing for sensitive workloads.
Governance
AI governance aligned to NIST AI RMF and EU AI Act obligations — mapped to the controls you already operate.
Integration
Vector-database security, agent identity, and Zero Trust patterns for AI services inside cloud-native platforms.
Security designed into the transformation, not added after.
Strategic architecture
Target Operating Models on SABSA and TOGAF. Cloud, DevOps, and hybrid infrastructure secured against business objectives rather than a control checklist.
Operations
SOC, SIEM, and IAM architecture aligned to ISO 27001, NIST CSF, CIS, and PCI-DSS — built for banks, telcos, and critical infrastructure.
Transformation
Security-by-design through cloud migrations, digital modernisation, and organisational change — integrated into the programme plan, not bolted on.
Where safety, availability, and security meet.
Risk assessment
Identify vulnerabilities and exposure in OT and industrial control estates. Practical, prioritised, actionable for plant and corporate security alike.
Compliance & governance
ISA/IEC 62443, NIS2, and NERC-CIP programmes delivered as operating frameworks — not binders on a shelf.
Detection & response
Monitoring and incident response tuned for OT protocols and real-time constraints — Modbus, OPC UA, DNP3, Ethernet/IP.
Secure architecture
Defence-in-depth designs — segmented, resilient, and auditable — for SCADA, PLC, HMI, and DCS environments.
Regulatory readiness, region by region.
Risk frameworks
Enterprise risk frameworks with treatment plans that stakeholders can act on, not just acknowledge.
Third-party assurance
Vendor security assessment and diligence across global supplier estates.
Compliance strategy
ISO, PCI, GDPR, FCA, UAE NESA, Saudi SAMA, Qatar QFCRA, Kuwait CBK, DORA, NIS2, and SOX.
Operational assurance
Readiness reviews and operating-model design for sustained compliance.
The frameworks behind the signatures.
Delivered, audited, or attested against — in banks, telcos, insurers, and critical infrastructure across the United Kingdom, European Union, and Gulf Cooperation Council.
Fluent across the stack.
Hands-on working knowledge — selected where they fit the problem, not the other way around.
Enterprise & cloud
OT / ICS & advanced
Education and certification.
Education
Certifications

Independent. Quiet engagements.
I advise at CISO and board level on cybersecurity, risk, and compliance — across banks, telcos, insurers, energy and utility operators, and Big Four practices.
My work sits between the boardroom and the plant floor: one practitioner who can speak to a regulator, a programme board, and a plant engineer in their own language. Engagements are small, direct, and accountable.
Reach out if there is a specific decision, programme, or assessment where that is useful.
“Security is a business discipline first and a technical one second. Treat it the other way around and you get a shelf of controls that satisfy an auditor and protect nobody.”
Start a conversation.
Send a short note about the engagement, the regulation, or the system in question. I reply personally, usually within two working days.
