The Advisors’ Advisors: CISOs to Watch in UK Professional Services and Consulting

Related

Share

Professional services and consulting firms occupy an unusual position in the security landscape. They are trusted to advise other organisations on strategy, risk, technology, and transformation, which means their own security posture is held to an implicit higher standard. A breach at a firm whose business is built on trusted advice does not just cost data. It calls the firm’s core credibility into question. The CISOs in this feature are protecting engineering consultancies, business advisory firms, technology consulting groups, and communications advisory businesses, and their programmes reflect the discipline required to secure organisations that other companies depend on for guidance.

Chris Lyth – Global CISO, Arup

Chris Lyth has served as global CISO at Arup since April 2024, having spent nearly nine years before that as global head of cyber security at the engineering and design consultancy. He built Arup’s cyber security programme from the ground up, establishing it as a key risk at board level and transforming a small operation into a fully functioning global team spanning every region the firm operates in. Before his security leadership roles, he spent five years as principal consultant in technology strategy and enterprise architecture at Arup, applying his CISSP and TOGAF credentials to client-facing consulting work before moving into internal security leadership.

His path to Arup included four years working for an NGO in Kabul, Afghanistan, where he served as IT and security manager and later regional director, managing a team of 70 national staff and a budget of half a million pounds while learning Dari to communicate effectively. That experience in an unstable, high-stakes environment shaped his approach to risk evaluation and decision-making long before he applied those skills to corporate cyber security. Nearly sixteen years at Arup, spanning consulting and security leadership, reflects one of the longer single-firm tenures in this feature.

Ben Bennett – CISO, Interpath Advisory

Ben Bennett has served as CISO at Interpath Advisory since June 2022, leading security for a business advisory firm. Before Interpath, he spent ten months as a cyber security senior manager at KPMG UK, helping organisations assess, assure, design, and deliver security controls aligned to their strategic goals. Before KPMG, he spent a year and a half as CISO at Isio, and more than four and a half years as a cyber security manager at PwC UK, where he was part of the firm’s National Cyber Security Practice helping clients build and assure their defences.

His earlier career included an undergraduate placement year as a data analyst at Goodyear Tire and Rubber and a role as senior business associate at NatWest Group in debt management and retail sales. That progression through three of the UK’s major professional services firms, PwC, KPMG, and now Interpath, before landing in a dedicated CISO seat gives him a grounded understanding of how consulting firms operate from both the advisory and the internal security side.

David Beardshaw – CISO, 3VRM

David Beardshaw has served as CISO at 3VRM, a vendor risk management consultancy, since November 2021. Before taking on that role, he ran Beardshaw Cyber, his own consultancy, for five years, and built an extensive track record delivering contract cyber programme and resilience leadership across major UK institutions, including cyber programme director engagements at Broadcom, Aviva, Symantec, and Sainsbury’s, cyber resilience programme director work at Virgin Money, and head of delivery for supply chain cyber risk at Lloyds Banking Group.

Before his consulting career, he spent more than three years as head of change for global information security at Barclays and five years as senior manager of cyber resilience at Deloitte UK, beginning his career as a consultant in technology security and risk services at EY. That breadth of contract and fractional leadership across banking, retail, and technology sectors, now consolidated into a permanent CISO role at a vendor risk management firm, gives him direct insight into the third-party risk challenges his current company exists to solve.

Sawan Joshi – CISO, FDM Group

Sawan Joshi has served as CISO at FDM Group since December 2025, leading governance, risk, and compliance operations across a leading global technology management consultancy, having spent the prior year as global director of information security at the same company. Before FDM Group, he spent a year and a half as CISO at Mitiga Solutions, providing information assurance through governance and privacy compliance for climate risk management solutions, and more than a year as director of information security, IT, and data protection officer at Cervest, the world’s first climate intelligence platform.

His earlier career includes information security and data protection leadership at Dext, FirstPort, London Luton Airport, and The Kennel Club, along with IT leadership roles at The Topps Company and ValuePartners. He is the founder of EasyGRC, a free white-label risk management platform for charities in England and Wales, and has authored a book on building a resilient information security career. That progression across climate technology, property management, aviation, and now consulting, culminating in a global technology consultancy’s top security seat, reflects a career built on adapting security leadership to a genuinely wide range of industries.

Keri Lewis – CISO, FGS Global

Keri Lewis has served as CISO at FGS Global, a communications and advisory firm, since August 2024. Before FGS Global, he spent nearly three years as BISO and head of IT risk at Gallagher, covering UK, EMEA, and international markets, and more than three years as CISO at AXA, having previously led information security strategy development across the AXA Group.

His earlier career spans international leadership roles at Juniper Networks, including director of the critical account programme for EMEA and vice president of customer service for Asia Pacific, general manager of security solutions at Datacraft Asia leading a regional security business across thirteen countries, and professional services management at RSA Security covering Asia Pacific. He also worked as a solutions architect at Baltimore Technologies on PKI and payment solutions across EMEA, India, the Middle East, and South Africa. That extensive international commercial and technical background across networking, security vendors, and insurance, now applied to a global communications advisory firm, gives him a genuinely global perspective on security leadership.

Salma Pervez – CISO and AI Continuous Compliance Leader, Capgemini

Salma Pervez has served as CISO at Capgemini’s Cloud Infrastructure Services since June 2023, responsible for implementing security controls and measures for organisations worldwide, having spent nearly two years before that as director of cyber and information security for Capgemini’s UK public sector and defence business. Her path to the CISO seat ran through more than twelve years at BT, where she progressed from global systems engineer through solution architect roles in global banking and finance and government and enterprise, before becoming head of security solution architecture and ultimately senior manager of global cyber security solution architecture, leading a team of 70 across five sub-functions supporting a client pipeline worth more than £500 million annually.

She built her first security solution architecture team of seven from scratch at BT after discovering an interest in cybersecurity partway through her career, having spent a decade in systems engineering roles beforehand. She is a committee member of Cyber Angels at Capgemini, an initiative empowering women in cybersecurity through mentoring and career development, and describes her 24-year journey from studying information and computing at Loughborough University during the early days of the commercial internet to her current CISO role as one shaped by continuous learning and adaptability. That arc from systems engineering through solution architecture into global CISO leadership at one of the world’s largest consulting and technology services firms reflects a career built on seizing opportunities in a field that, as she puts it, did not exist when she was in school.

Trust Is the Currency of Consulting

Every firm in this feature exists to advise, design, or manage risk on behalf of other organisations. That mandate only works if the firm itself demonstrates the same security discipline it recommends to clients. The leaders in this feature carry that responsibility, building programmes robust enough to protect not just their own firm’s data, but the credibility of the advice their firms are paid to give.

Discover more of the UK’s cybersecurity leaders:

IMG 0514 2
+ posts

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.