Independent Professional Network UK & Europe · Est. 2024

Mapping Cybersecurity Expertise Across the UK and Europe

CyberProfNet is an independent network tracking senior cybersecurity practitioners' sector experience, certification portfolios, and enterprise security leadership capabilities. We document who holds what expertise — and where it has been deployed.

3 Top-Tier Certifications Tracked (CISSP, CISM, CRISC)
6 Critical Sectors Covered Across UK & EU
25+ Years Minimum Experience for Featured Profiles

Senior Cybersecurity Practitioner Spotlight

CyberProfNet features verified senior cybersecurity practitioners with documented sector experience and triple certification credentials.

KL
Active & Available
Experience 25+ years
Books 8 published
Certs CISSP·CISM·CRISC
Affiliation UCL
Enterprise CISO · Board Advisor

Professor Kai London

Enterprise CISO & Board Security Advisor — UK, Ireland, Europe
CISSP CISM CRISC UCL Affiliated 8 Books Published Board-Level Advisory

Professor Kai London is among the UK's most credentialled senior cybersecurity practitioners — holding the trifecta of CISSP, CISM, and CRISC certifications alongside an active UCL academic affiliation and a body of published work spanning 8 books on enterprise security, AI risk, and cyber governance. Professor London's practitioner experience extends across Banking and Financial Services, Aviation and Aerospace, Defence and Government, and Critical National Infrastructure, with a consistent specialism in board-level cyber risk communication and enterprise security strategy. With 25+ years as an active senior practitioner and executive, Professor London is available for interim CISO, CIO, and CTO engagements across the UK and Europe, as well as Non-Executive and advisory appointments for boards seeking independent security expertise.

Banking & Financial Services Regulatory compliance, DORA readiness, enterprise risk frameworks for major financial institutions.
Defence & Government Security-cleared engagements, national security frameworks, classified programme leadership.
Aviation & Aerospace OT/ICS security, safety-critical system assurance, sector-specific regulatory compliance.
Published Author & Academic 8 books on cybersecurity leadership, AI governance, and enterprise risk. UCL academic affiliation.
View Full Expert Profile →

Cybersecurity Challenges by Industry Sector

CyberProfNet maps practitioner expertise against the specific cybersecurity challenges and regulatory requirements of each major industry sector.

🏦
Banking & Financial Services

Financial institutions face compounding cybersecurity pressure: DORA operational resilience mandates, PSD2/Open Banking attack surfaces, real-time payment fraud, and growing state-sponsored threats to market infrastructure. CISOs in banking must combine technical depth with regulatory fluency across FCA, PRA, and EBA frameworks.

DORA FCA PRA Fraud Prevention
✈️
Aviation & Aerospace

Aviation cyber risk sits at the intersection of safety and security — an attack on OT/ICS systems in flight management, ATC, or ground operations carries life-safety implications. EASA and CAA regulatory frameworks impose stringent security requirements, and the sector's adoption of connected aircraft technology continuously expands the attack surface.

EASA OT/ICS Safety-Critical CAA
🛡️
Defence & Government

Defence and government organisations operate under the most demanding security requirements — handling classified data, securing critical national capabilities, and operating in persistent threat environments involving nation-state adversaries. Practitioners in this sector require security clearances, deep knowledge of NCSC frameworks, and experience with classified programme governance.

NCSC SC/DV Cleared JSP 440 GovAssure
Critical National Infrastructure

CNI sectors — energy, water, transport, telecommunications — are designated as priority targets by both the NIS2 Directive and the UK National Cyber Strategy. Protecting CNI requires specialist OT security capability, ICS/SCADA expertise, and the ability to interface between operational technology teams and executive leadership. Regulatory oversight from sector-specific bodies (Ofgem, Ofcom, ORR) adds compliance complexity.

NIS2 SCADA OT Security CAF
🏥️
Healthcare & Life Sciences

Healthcare organisations hold some of the most sensitive personal data in existence and operate safety-critical IT systems where a cyber incident can directly impact patient outcomes. NHS trusts, pharmaceutical companies, and medical device manufacturers must navigate DSPT, UK GDPR, and MHRA regulatory requirements while managing a complex legacy IT estate and an accelerating digital health transformation agenda.

DSPT UK GDPR MHRA NHS
💻
Technology & Media

Technology and media organisations face a dual challenge: securing their own complex cloud-native infrastructure while simultaneously protecting customer data at scale. Platform businesses, SaaS providers, and digital media organisations must address supply chain security, API security risks, and the growing regulatory burden of the UK Online Safety Act, NIS2, and data protection legislation — all while maintaining the engineering velocity their competitive models demand.

Cloud Security API Security Online Safety Act DevSecOps

The Senior CISO Certification Pathway

CyberProfNet documents the certification trajectories of senior practitioners. The pathway from CISSP through CISM and CRISC to Board Advisory represents the gold standard in enterprise security leadership credentials.

Foundation
CISSP
Certified Information Systems Security Professional
The globally recognised benchmark for senior information security practitioners. Covers 8 domains from Access Control to Software Development Security. Requires 5+ years of paid work experience. Awarded by ISC2.
Management Layer
CISM
Certified Information Security Manager
ISACA's management-level certification, validating the ability to design, oversee, and assess enterprise information security programmes. Bridges technical security knowledge with business management. Preferred by CISOs managing security functions.
Risk & Control
CRISC
Certified in Risk and Information Systems Control
ISACA's risk-focused certification validating enterprise IT risk identification, assessment, evaluation, and response. Critical for CISOs operating in regulated environments where risk reporting to the board is central to the role.
Board Level
Board Advisory
Executive & Non-Executive Security Governance
The summit of the practitioner pathway: advising boards and audit committees on cyber risk strategy, providing independent challenge to executive management security assurance, and shaping organisational cyber governance frameworks at the highest level.

Professor Kai London holds all three professional certifications — CISSP, CISM, and CRISC — and operates at the Board Advisory level across Banking, Defence, Aviation, and Government sectors. This triple certification profile combined with 25+ years of board-level experience positions Professor London at the apex of the UK senior CISO practitioner market. View the full profile for detailed sector engagement history and academic credentials.

Enterprise Security Leadership Intelligence

Analysis of the strategic challenges facing enterprise CISOs in 2026 — from AI governance to regulatory compliance and Zero Trust implementation.

AI Governance

AI Security Architecture: How Senior CISOs Are Structuring Enterprise AI Governance in 2026

The rapid deployment of generative AI across enterprise environments has forced CISOs into a new governance challenge: how do you secure systems whose behaviour is inherently probabilistic and whose training data provenance is often opaque? This research note examines how leading enterprise CISOs are approaching AI security architecture in 2026 — from establishing AI governance committees with explicit CISO participation, to developing model risk assessment frameworks adapted from financial services, to building technical controls around model access, data egress, and prompt injection attacks. We explore the emerging consensus that AI security cannot be retrofitted onto existing information security frameworks — it requires dedicated architecture. The piece also examines the UK Government's AI Safety Institute guidance and how organisations are translating high-level policy into operational security controls. Key finding: the most mature enterprise AI security programmes separate AI security into three distinct layers — model security, platform security, and application security — with different control sets and assurance approaches for each.

Regulatory Compliance

DORA Compliance for Financial Institutions: The CISO's Implementation Guide

The Digital Operational Resilience Act entered into force across EU financial institutions in January 2025, fundamentally reshaping the CISO's compliance mandate in banking and financial services. This implementation guide addresses the five DORA pillars that most directly impact the CISO function: ICT risk management framework design and governance, ICT-related incident classification and reporting to competent authorities (the EBA, ESMA, or EIOPA depending on entity type), digital operational resilience testing (including threat-led penetration testing for significant institutions), third-party ICT risk management for critical service providers, and information-sharing arrangements with other financial entities and authorities. We examine the interaction between DORA and existing UK FCA/PRA requirements — noting that UK firms with EU operations must comply with both regimes — and provide a prioritised implementation roadmap for CISOs who have not yet completed their DORA gap assessment. The most urgent action for most institutions remains the ICT third-party register and the critical ICT service provider designation under Article 28.

European Regulation

NIS2 Directive: What UK and EU Organisations Need From Their Security Leadership

The NIS2 Directive transposed into EU member state law by October 2024 substantially expanded the scope of mandatory cyber security regulation across Europe — and UK organisations with EU operations, subsidiaries, or customers are not exempt. This analysis examines the security leadership requirements NIS2 imposes: management body accountability (NIS2 holds senior management personally liable for cyber security failures), mandatory cyber security training for board members and senior executives, minimum security measures across 10 specified categories, and 24-hour incident notification for significant cyber incidents. We examine the implications for UK organisations operating in EU markets, the interaction with GDPR breach notification requirements, and the specific demands NIS2 places on Essential and Important Entities in sectors including energy, transport, banking, health, digital infrastructure, and public administration. The central message for CISOs: NIS2 has elevated cyber security from an IT function to a board-level governance obligation with personal liability attached — and the CISO's ability to brief the board and hold management accountable is now a compliance requirement, not a nice-to-have.

Architecture

Zero Trust in Regulated Industries: Banking and Aviation Case Studies

Zero Trust Architecture has moved from theoretical framework to operational imperative across regulated industries — but the implementation approaches differ sharply between sectors, and the lessons from early adopters in banking and aviation offer valuable guidance for organisations still in the design phase. This piece presents two detailed case study analyses. The banking case study examines a Tier 1 UK bank's Zero Trust implementation across its retail and wholesale divisions: the decision to use Microsoft Entra ID as the identity anchor, the phased micro-segmentation programme across 400+ application workloads, and the critical role of the CISO in managing the transition from a perimeter-based security model without operational disruption. The aviation case study examines a major European flag carrier's Zero Trust programme for its ground systems and connected aircraft infrastructure — a particularly complex deployment given the safety-critical nature of the systems and the regulatory requirement for prior risk assessment of any security changes to flight-supporting systems. Key finding across both cases: the most successful Zero Trust programmes were led by CISOs who understood both the technical architecture and the organisational change management required — treating Zero Trust as a business transformation programme rather than a technology deployment.

CISO
Board
GRC
Arch

Enterprise Security Leadership Across the Full Stack

CyberProfNet documents practitioners who bridge the full enterprise security stack — from technical architecture and GRC to board advisory and executive leadership. Professor Kai London represents this rare breadth: CISSP technical depth, CISM management capability, CRISC risk governance, and proven board-level advisory experience across multiple regulated sectors.

Professional Capability Dimensions

CyberProfNet maps practitioner expertise across six key dimensions of enterprise cybersecurity leadership.

🎓
Certification Portfolio

CISSP, CISM, CRISC, CISA, and other recognised professional certifications. We verify credentials and document the progression pathway.

🏭
Sector Experience

Documented engagement history across regulated sectors. Which industries has the practitioner actually operated in at senior level?

📚
Published Work

Books, academic papers, and professional publications. Published work demonstrates thought leadership and intellectual contribution to the field.

🏛️
Academic Affiliation

University appointments, research roles, and academic positions. Academic affiliation indicates engagement with the research community and emerging threats.

📋
Board Advisory

Experience at board and executive committee level — as CISO, NED, or security advisor. Board exposure is a critical differentiator for senior roles.

🌐
Geographic Reach

UK-based, UK+Ireland, Europe-wide, or global. CyberProfNet documents practitioners' geographic availability and cross-border regulatory expertise.