A practice built on two decades of doing the job.

CISO Advisory Group is a London-based cybersecurity practice serving boards in global financial services, critical national infrastructure, and regulated enterprise. We work quietly, at senior level, and on a small number of clients at a time.

We are not a consultancy that produces reports and moves on.

We embed. We hold the accountability. We attend the regulator's meeting, sit on the steering committee, and answer the questions a non-executive director needs answered before they sign.

The principal has spent over twenty years inside the security functions of global financial institutions and operators of critical national infrastructure — building programmes, reporting to boards, and standing in front of supervisors when it counted.

That experience is what arrives on day one of every engagement. Not a methodology, not a slide deck. A peer who has been where you are.

§ Principles

How we work.

01 / Accountability

We sign our name to it.

If we put it in the strategy, we will defend it to the board, the regulator, and the auditor. There is no senior partner behind the curtain to hand the difficult question to.

02 / Discretion

Quietly, by default.

NDA on day one. Your boardroom is not our case study. We do not list clients, publish logos, or trade on relationships you would prefer remain private.

03 / Plain speech

The board understands us.

We translate cryptography, posture, and threat into the trade-offs your directors are paid to make. Less acronym, more decision.

04 / Small footprint

Few clients, fully served.

We engage with a small number of organisations at any one time so that the people you hired are the people you get. No bench, no rotation, no associate sent to fill in.

§ Sectors

Where we have operated.

Global Financial Services

Tier-1 banking, asset management, capital markets, and insurance — including operating-model design for second-line security and supervisory engagement.

  • PRA · FCA · ECB
  • DORA · SOC 2 · PCI DSS 4.0
  • Third-party risk

Critical National Infrastructure

Programmes within sectors classed as essential under national regulation — where the threat profile, the regulator, and the cost of failure are all heightened.

  • NCSC CAF · NIS Regulations
  • NIST 800-53 r5 · CIS v8
  • Operational resilience

Regulated Enterprise

Listed and pre-IPO companies in regulated industries: pharma, energy, healthcare, professional services. Particularly suited to organisations scaling without an in-house CISO.

  • ISO 27001 · ISO 42001
  • NIST CSF 2.0 · NIST AI RMF
  • SC Cleared · M&A diligence

§ Capability

Twenty-two years, summarised.

2002 — 2008
Security engineering & architecture
Hands-on across identity, network, cryptography, and security architecture in tier-1 financial services. The technical foundation that everything else stands on.

2008 — 2014
Programme leadership
Owning multi-year transformation programmes — operating-model design, regulatory remediation, and post-incident rebuild — across global banks.

2014 — 2025
Executive cybersecurity
CISO and deputy-CISO roles inside global financial institutions. Board reporting, supervisor engagement, second-line accountability, and early adoption of post-quantum cryptography readiness and AI-accelerated threat advisory.

2025 — 2026
CISO Advisory Group
An independent practice bringing that experience to a small number of organisations at board level. Confidential, retained, and senior from day one.

The board does not need another report. It needs a person who will answer for it.
— The CISO Advisory Group operating principle

Have a quiet conversation, this week.

Send a confidential message