FOUNDED 2025 · INDEPENDENT UK PRACTICE
01 Blog · dispatches

The Brief. Short-form dispatches on what is changing.

Where the insights library is evergreen, the blog is the working journal. Shorter pieces written week-by-week on current regulatory positions, supervisory expectations, and the questions clients are putting on the table. Distributed via The Brief and published on this site.

02 Latest dispatch
JUST PUBLISHED · 13 MAY 2026 · FRAMEWORKS & STANDARDS · 8 MIN READ

The Multi-Framework Crosswalk Every UK Security Leader Should Have on Their Wall

Most organisations are now reporting against three or four frameworks at once. The same controls show up in ISO 27001, NIST CSF, CIS Controls, DORA and NIS 2, but the language differs and the evidence requirements diverge in places that matter at audit time.

This dispatch sets out the single matrix we put on the wall in any new engagement, the questions it answers in week one, and the question we always ask first.

Paul Jolliffe
Founder
03 Forthcoming dispatches
Publication schedule
PUBLISHED WEDNESDAYS
20 MAY 2026 CISO LEADERSHIP

The First 90 Days as a vCISO · What I Actually Do

Not a generic playbook. The structured approach used in the first three months of a fractional engagement, distilled from twenty years of senior security leadership across the public and private sectors.

6 MIN READ
SCHEDULED · 27 MAY 2026 PROGRAMME DELIVERY FORTHCOMING

Why Most Cyber Transformations Stall, and How to Ship Them

Lessons from a twelve-million-pound transformation programme. The five reasons large security programmes lose momentum, and the governance moves that get them moving again.

9 MIN READ
SCHEDULED · 3 JUN 2026 AI GOVERNANCE FORTHCOMING

AI Governance for Boards · Five Questions Every Director Should Ask

Practical board-level questions that separate AI hand-waving from real governance. Aligned to ISO/IEC 42001, NIST AI RMF and the EU AI Act high-risk Annex III obligations applying from 2 August 2027.

7 MIN READ
SCHEDULED · 10 JUN 2026 OPERATIONAL RESILIENCE FORTHCOMING

Important Business Services · The Naming Problem

Most firms have an IBS list that does not survive contact with their own COO. Why naming matters, what the supervisor is really testing, and a working approach to drawing the line in the right place.

6 MIN READ
SCHEDULED · 17 JUN 2026 REGULATION WATCH FORTHCOMING

What the FCA Asks in the First Thirty Minutes

A practitioner's read of the FCA opening line of questioning in supervision and Section 166 work. What gets asked, what good answers look like, and the prep work that earns the firm the benefit of the doubt.

5 MIN READ
SCHEDULED · 24 JUN 2026 INCIDENT RESPONSE FORTHCOMING

The Seventy-Two Hour Clock, Read Carefully

Three statutory notification clocks now sit on top of one another for many UK firms. How they interact, when each starts, and the practical drafting move that keeps internal counsel, the ICO and the regulator on side at the same time.

7 MIN READ
04 The Brief · subscribe

One email, when there is something worth saying.

The Brief delivers each dispatch to subscribers' inboxes on the day it is published. No tracking pixels, no marketing automation, no upsell sequences. Unsubscribe in a single click.

Looking for long-form?

The insights library holds the briefing papers, field notes and white papers.

Where the blog is the working journal, insights is the evergreen reference. Multi-Framework Crosswalk, the vCISO 90-Day Plan, the AI Governance Board Pack, the DORA Reality Check, and more.
