Cyber security Non-Executive Director for boards that need independent expertise, not another committee briefing
25 years of CISO leadership at FTSE 100 and regulated organisations. Former advisory appointments at the FCA, NCSC, and Lloyd's of London. Independent board-level expertise that gives boards the capability to govern cyber risk, not just receive reports about it.
Boards are now accountable for cyber risk. Most do not have the expertise to discharge that accountability
The FCA's operational resilience rules, DORA (effective January 2025), NIS2, and investor expectations have collectively shifted cyber governance from a management concern to a board obligation. Boards must now be able to demonstrate they understand cyber risk, challenge management assumptions, and make informed decisions under pressure.
Most boards cannot do this. Not because they lack intelligence or diligence, but because cyber security is a specialised discipline and boards have rarely prioritised bringing that specialism into the boardroom directly. A Cyber Security NED closes that gap at the governance level where it matters.
Requires boards of regulated firms to take ownership of operational resilience, including cyber, with explicit accountability at the most senior level.
In force from January 2025. Creates direct board accountability for ICT risk governance in financial services across the EU and for firms operating into EU markets.
Institutional investors increasingly assess board cyber competence as part of governance due diligence. The absence of demonstrable expertise is a flag, not a gap to be explained away.
Six capabilities that differentiate a Cyber NED with genuine depth
Independent Board Oversight
The ability to interrogate management cyber reporting, identify the gaps between what is presented and what the risk picture actually is, and give the board independent, credible challenge. Built from 25 years as the person preparing and defending those reports.
Regulatory Fluency
Deep knowledge of the regulatory landscape (FCA, DORA, NIS2, PRA) from former advisory appointments at the FCA and NCSC. Not second-hand briefings. First-hand engagement with the direction regulators have taken and continue to develop.
Incident Governance Experience
Boards are most exposed when an incident happens. Having a NED who has managed major incidents, managed regulators through breaches, and sat at the board table when the pressure is highest is a qualitatively different resource than a NED who has only read about these events.
AI and Emerging Technology Risk
Governance of AI risk is the next frontier for boards, and the regulatory direction at the FCA and NCSC is moving faster than most boards appreciate. An informed, independent perspective on AI governance at board level, before the rules fully crystallise.
Strategic Risk Framing
The ability to translate cyber risk into the language of strategy, capital allocation, and competitive exposure, so boards can make informed governance decisions rather than delegate everything back to management.
Cross-Sector Pattern Recognition
FTSE 100 retail, the Lloyd's of London insurance market, financial services, critical national infrastructure, private equity portfolio: the breadth of sectors means the patterns of governance failure and success are well-established. Boards benefit from that pattern recognition applied to their specific situation.
Boards and organisations where cyber governance is a board-level obligation, not a management option
Regulated Financial Services
Banks, insurers, asset managers, payment institutions, and FCA/PRA-regulated firms with direct obligations under PS21/3, DORA, and systemic risk frameworks. Particularly relevant for firms without existing board-level cyber expertise.
Lloyd's Market and Specialty Insurance
Managing agencies, syndicates, and insurance holding companies operating within the Lloyd's market, where cyber risk governance and underwriting risk intersect at board level.
Private Equity Portfolio Companies
PE-backed businesses building governance infrastructure for exit, where cyber risk is increasingly scrutinised by acquirers and where board maturity is a component of value.
Critical National Infrastructure
Operators in energy, utilities, transport, and telecommunications where NIS2 and CNI designation create explicit board accountability for resilience and security governance.
Listed and Pre-IPO Companies
Boards preparing for or managing the disclosure and governance expectations of listed status, where institutional investors and proxy advisors are scrutinising board composition for demonstrable cyber expertise.
Professional Services and Legal
Large professional services, legal, and accountancy firms carrying significant client data and regulatory obligations, where governance of cyber risk is a professional and reputational matter at partnership or board level.
"Cybersecurity is not a technical problem with a governance dimension. It is a governance problem with a technical dimension."
Ali Zeb
Credentialed, available, and already operating at board level
Nomination committees and executive search firms conducting board composition reviews will find a candidate who brings rare depth: a practitioner background at FTSE 100 and regulated organisations, a strong former regulatory advisory background, and established governance credibility at the most senior levels of financial services and CNI.
Available for NED, senior independent director, board observer, and advisory board roles. Geography: UK primary, international considered. Sectors: financial services, insurance, PE-backed, CNI, professional services.
UK Financial Conduct Authority, ISCCG. National Cyber Security Centre (NCSC). Lloyd's of London Market Cyber Risk Committee. EC-Council Global Advisory Board.
Former CISO at British Land (FTSE 100), MS Amlin (Lloyd's of London), Xoserve (UK gas CNI), and multiple financial services organisations. 25 years of operational leadership.
CISSP. ISO 27001 Lead Auditor. University of Oxford, Saïd Business School executive education. Middlesex University BSc. Kingston University MSc.
Considering a Cyber NED appointment?
Board enquiries, nomination committee discussions, and executive search introductions are welcome. I respond to every enquiry personally.