Independent advisor • UK-based

Cyber risk and investigations in complex systems.

UK-based independent advisor. I help organisations make clear decisions under pressure, with integrity, not theatre.

Message me on LinkedIn

Available for the right work in the UK and internationally.

This site is intentionally simple. No forms. No tracking. Clear language. Work is scoped, consequence-led, and evidence-driven.

Andy Tillman
Cyber risk • investigations • regulatory scrutiny

What I Do

Decision support in real conditions

I work with organisations facing regulatory exposure, public accountability, and complex operational constraints. The focus is not performative compliance. It is whether decisions are reasonable, evidenced, and defensible.

Evidence-led investigations where it matters

When scrutiny follows an incident, the details matter. I support evidential reconstruction and technical analysis where it affects accountability, credibility, and regulatory outcomes.

Regulatory Defensibility

Defensibility, not theatre

I focus on regulatory defensibility rather than compliance checklists or breach-prevention claims. Incidents happen. Damage escalates when decisions cannot be credibly defended afterwards.

Much of the risk sits in the gap between documented process and operational reality. The question is simple: “If a regulator examined this tomorrow, could you defend it?”

Scrutiny is not framework enforcement

Regulatory scrutiny is not a tidy audit of your chosen framework. It tests reasonableness, evidence, accountability, and consistency. It asks what was known, what was decided, and what can be shown.

I help organisations understand where they are exposed, what would stand up, what would not, and how to bring reality back in line with what’s claimed.

Simulated regulatory scrutiny

A structured simulation of scrutiny following plausible incidents — focused on whether decisions, controls, and evidence would withstand examination after the fact.

  • Reasonableness and proportionality under real constraints
  • Evidence quality, traceability, and accountability
  • Consistency between policy, practice, and recorded decisions
  • Where explanations would fail when challenged

How I Think / How I Work

Calm under pressure

I don’t amplify noise. I reduce it. You get a clear picture of what matters, what can be evidenced, and what needs to change.

Forensic, not performative

I’m interested in what is true, what is provable, and what is reasonable. If something is non-defendable, I will say so plainly.

Independent by design

No vendor agenda. No theatre. I work directly with accountable leaders and teams, and I keep the scope tight.

Services

Concise, scoped engagements. Not a brochure.

Regulatory Defensibility Review

An independent review to identify practices that would not withstand scrutiny, and the evidence gaps that make them difficult to defend.

Simulated Regulatory Scrutiny (Cyber and Digital Risk)

A structured simulation following plausible incidents to test whether decisions, controls, and evidence would stand up under examination.

Post-Incident Regulatory Analysis

Independent analysis after an incident to clarify regulatory exposure, what evidence will matter, and where explanations are likely to fail.

Support During Regulatory and Audit Scrutiny

Targeted support when scrutiny is active or imminent — stabilising defensibility, shaping evidence, and helping teams stay aligned to what is reasonable and provable.

Who I Work With

Organisations with regulatory exposure

  • Regulated organisations and critical services
  • Public bodies and delivery organisations
  • Large organisations with complex supply chains
  • Teams handling sensitive, high-impact data

Work that benefits from judgement

  • Ambiguous situations with competing constraints
  • Gaps between policy claims and operational reality
  • Evidence problems: missing, weak, or inconsistent
  • Decisions that may later need defending publicly

When to Contact Me

Good timing

  • You suspect you’re not defensible if challenged tomorrow
  • You need an independent view before a decision is locked in
  • Scrutiny is likely, and evidence is not where it needs to be
  • An incident has happened, and you need consequence-led clarity

Not a fit

  • Box-ticking exercises designed to look busy
  • Work where truth is optional
  • Sales-led vendor comparisons dressed up as risk

Contact

LinkedIn DM only.

Message me directly

If you’re dealing with real scrutiny, real accountability, or a complex decision under pressure, send me a short note on LinkedIn.