Case Studies

Engagements where the security and governance problem was consequential and the response had to be right

Four engagement summaries from across 25 years of CISO leadership and senior advisory work. Private equity. Lloyd's of London. Critical national infrastructure. FTSE 100. Each with a distinct security challenge that required more than a standard programme response.

Cyber due diligence and security transformation for a PE portfolio company

Appointed by Advent International, a leading global private equity firm, to conduct independent cyber security due diligence and lead security transformation at Planet Payment, a payment technology business in its portfolio. The engagement covered pre-acquisition risk assessment, identification of material security gaps, and the design and execution of a remediation programme to address that risk before exit.

The work identified structural security deficiencies that were not visible in the standard diligence process and that would have represented material post-acquisition risk. The transformation programme addressed those gaps, strengthened the security governance structure, and gave the board and investors a defensible, credible security posture at the point of exit.

Client Context

Planet Payment, payment technology business. Appointed by Advent International, the PE sponsor, to provide independent cyber advisory and transformation leadership.

The Challenge

Payment technology businesses carry elevated cyber risk by nature of the data and transaction flows they handle. Standard financial due diligence does not surface the operational security gaps that drive that risk.

The Outcome

Material risk identified and remediated. Security governance structure strengthened. Board and investor confidence in the security posture rebuilt on a factual, defensible basis ahead of exit.

Rebuilding security governance and board accountability at a Lloyd's of London insurer

As CISO at MS Amlin, a major Lloyd's of London insurer, the challenge was not just technical security but the governance model sitting above it. The board received security reports it could not usefully interrogate, the risk committee lacked the framework to set a meaningful risk appetite, and the security function was operating without a clear mandate from the top.

The work rebuilt the security function from the governance layer down: reframing the board's relationship with cyber risk, redesigning reporting to give the board decision-quality information, establishing a clear risk appetite, and aligning the security programme to the most consequential exposures rather than the most visible ones.

Client Context

MS Amlin, a leading Lloyd's of London insurer and reinsurer. CISO appointment with responsibility for security across the Lloyd's market operation and the international business.

The Challenge

Insurance organisations carry distinctive security challenges: large volumes of sensitive commercial and personal data, a complex third-party ecosystem, and regulatory obligations at Lloyd's, PRA, and FCA level simultaneously.

The Outcome

Security function rebuilt with a governance structure aligned to Lloyd's and regulatory requirements. Board-level reporting redesigned to give the board decision-quality information rather than technical summaries it could not act on.

Securing critical national infrastructure at the UK's gas network operator

As CISO at Xoserve, the central data services provider for the UK gas network and a designated critical national infrastructure organisation, the security challenge lay at the intersection of OT/ICS security, regulatory CNI obligations, and the data systems that underpin the functioning of the UK gas market.

CNI security requires a different approach to risk prioritisation: the consequence of certain failure scenarios is not financial loss or reputational damage but national infrastructure disruption. Security decisions must be made with that consequence model at the centre, in active engagement with the NCSC and sector regulators. The work established the security programme and governance model appropriate to that context.

Client Context

Xoserve, central data services provider for the UK natural gas network. Designated critical national infrastructure (CNI). CISO appointment with responsibility for OT, IT, and data security.

The Challenge

CNI security operates at a different risk scale to commercial security. Failure scenarios include national infrastructure disruption. The security programme must be designed and governed with that consequence model driving every priority.

The Outcome

Security programme and governance model established appropriate to the CNI context. Active engagement model with the NCSC and sector regulators. Board and executive capability to govern CNI risk built on a factual foundation.

Building FTSE 100-standard security governance at a major UK real estate group

As Group CISO at British Land, a FTSE 100 property company, the work involved building the security function and governance model appropriate to a major listed company, one where the board, audit committee, and institutional shareholders have direct expectations of security governance quality.

At FTSE 100 scale, the governance dimension of security is as important as the technical one. The board must be able to demonstrate to investors, proxy advisors, and regulators that it governs cyber risk with the same rigour it applies to financial and operational risk. The work built that governance model: clear risk appetite, board reporting designed for decision-making, and a security investment framework connected directly to the risk profile of the business.

Client Context

British Land, a FTSE 100 UK real estate investment trust (REIT). Group CISO appointment with responsibility for security across the enterprise, including operational technology in managed properties.

The Challenge

FTSE 100 boards face investor, regulator, and governance scrutiny that smaller organisations do not. Security must be governed at a level that satisfies that scrutiny, not just managed at a level that prevents incidents.

The Outcome

Security function aligned to FTSE 100 governance expectations. Board and audit committee reporting built to support informed oversight. Security investment decisions made against a clear, board-approved risk appetite.

"Every consequential security failure I have seen had a governance explanation. Not a technical one. The technology failed because the governance that should have caught it had a gap."

Ali Zeb

A similar challenge at your organisation?

The details of every engagement are different. The governance principles that resolve them are consistent. Let's talk about your situation.
