Introducing Ben Edwards, our new Director of Security Assurance

We’re pleased to welcome Ben Edwards to D2NA as our new Director of Security Assurance.

Ben brings deep experience in security assurance, and a strong understanding of the challenges organisations face when balancing robust security with the need to deliver at pace. In his role, he will lead and strengthen D2NA’s security assurance capability, ensuring our clients receive clear, pragmatic and value‑driven assurance across their digital and cyber programmes.

In this short interview, Ben shares his background, his perspective on the evolving security landscape, and what he’s looking forward to most in his role at D2NA.

Can you tell us a bit about your background and what led you into security assurance?

I’ve been a business owner and partner for over 25 years, so my route into cyber security wasn’t a traditional one. In my last business, we experienced a series of real-world attacks, persistent denial‑of-service activity against our website, and at one point a complete defacement where the site was replaced with extremist propaganda.

That experience was a turning point. It wasn’t theoretical risk. This directly impacted our ability to operate, our reputation, and our customers. I became deeply interested in ethical hacking and understanding how these attacks worked, initially to protect my own business and maintain service continuity.

That interest quickly turned into a career. I moved into cyber security professionally, working as a penetration tester before going on to run a penetration testing department. Along the way, what really stood out to me was how difficult it can be for organisations to understand the technical realities of cyber-attacks and what matters from a risk perspective.

My main driver has always been to help organisations avoid the pain points I went through myself, and I take real pride in bridging the gap between deep technical detail and clear, practical guidance on how businesses can protect themselves.

How will your appointment strengthen our overall cyber and digital assurance capability?

I’ve built and run security assurance and penetration testing teams, not just delivered individual assessments, so my focus is very much on capability, consistency and long-term value. At D2NA, that means strengthening how assurance is delivered end to end, from the way services are designed through to how findings are communicated and acted upon.

A key priority for me is aligning our methodologies so that D2NA is positioned to gain CHECK accreditation under the NCSC IT Health Check scheme. This will further enhance our credibility, particularly with public and regulated sector clients, and ensure our assurance work meets and exceeds recognised national standards.

Just as importantly, I take a very customer-centric approach to assurance. I want clients to feel supported and assured throughout the entire engagement, not just presented with a report at the end. That means clear communication, transparency, and helping clients understand what we are seeing as we go, so there are no surprises and trust is built over the whole journey.

Ultimately, I want our services to deliver clear, honest advice about the risks clients are exposed to, and what genuinely needs attention, rather than assurance that exists purely for compliance.

What excites you most about working with the wider D2NA team?

There are some very capable and highly skilled individuals at D2NA, but what really stands out is how well people work together as a team. There is a strong sense of collaboration and a shared commitment to doing the right thing for clients, which creates a solid foundation for effective assurance.

One of the big differences for me is our strong alignment with Microsoft technologies and, more importantly, the ability of our team to implement remediation, not just identify issues. Too often assurance stops at highlighting problems. At D2 there is the capability to see improvements through to delivery, which ultimately leads to better outcomes for clients.

That said, I am very clear that security assurance must not feel like marking our own homework. I will hold our protection and implementation teams to extremely high standards, and in many cases, I will be more demanding of them than an external testing team would be. That level of challenge is essential to maintaining trust and credibility, and it ensures clients can have confidence in the assurance they receive.

What sets our approach to security assurance apart from other providers?

The biggest difference is how customer focused our assurance approach is. For us, security assurance is not a one-off assessment followed by a report being dropped at the end. It is a continuous, transparent engagement where clients are kept informed and supported throughout the whole journey.

We place a strong emphasis on communication. Clients receive regular updates, clear explanations of what we are seeing, and full debriefs that allow for open discussion rather than surprises. Our reporting is designed to be well structured, easy to navigate, and focused on what matters most from a risk and decision‑making perspective.

We are also very disciplined in how we deliver. We are clear and rigid around timelines, scope and expectations, because reliability and trust are critical in assurance. Clients should know exactly what they are getting, when they are getting it, and how it supports their wider objectives.

We want clients to feel assured not just by the findings themselves, but by how the service is delivered, the clarity of the outcomes, and the confidence that security is being treated as a priority throughout the engagement.

Why is independent security assurance becoming increasingly important for public and regulated sectors?

Cyber security is no longer just a technical concern. It is about service continuity, public trust and accountability. Leaders are being asked to stand behind decisions that have real consequences if things go wrong, often in highly visible and regulated environments.

Independent security assurance plays a crucial role in that. It provides an objective view of risk and resilience, separate from internal pressures, delivery timelines or organisational assumptions. That independence gives senior leaders confidence that they are seeing the full picture, not just what an organisation hopes is true.

In public and regulated sectors in particular, the impact of a security failure goes well beyond the organisation itself. It can affect citizens, essential services and confidence. Assurance helps boards and senior leaders demonstrate that risks are being properly challenged, understood and managed, rather than simply accepted by default.

Ultimately, good independent assurance supports better decisions. It helps leaders prioritise what really matters, understand where investment will have the greatest impact, and move forward knowing that security has been tested honestly and rigorously.

How do you ensure security assurance delivers real business value, not just compliance outputs?

It starts by understanding the client’s concerns as early as possible. Even at the scoping stage, we spend time understanding what the organisation is trying to achieve, what they are worried about, and where potential attack vectors are most likely to exist. That early context shapes the entire engagement and ensures assurance is focused on real risk, not generic testing.

From there, we take a risk-based approach that prioritises what genuinely matters to the business. Rather than treating security as a checklist exercise, we focus on how vulnerabilities could realistically be exploited and what the impact would be if they were. This allows leaders and delivery teams to make informed decisions about where to act and where risk is acceptable.

Ultimately, real value comes when security assurance builds confidence. When clients understand their risks, know where to focus effort, and can move forward with clarity rather than uncertainty, assurance has delivered far more than compliance.

If clients take one thing away from working with you and your assurance team, what should it be?

Confidence!

Confidence that their risks have been properly understood, not just identified. Confidence that the advice they receive is honest, proportionate and based on how attacks actually happen. And confidence that security is being handled in a way that supports their organisation, rather than slowing it down or adding unnecessary complexity.

I want clients to feel that they have been listened to, challenged where needed, and supported throughout the engagement. If they come away knowing where their real risks are, what to prioritise next, and why those decisions make sense, then we have done our job properly.

Quick Fire:

One word to describe effective security assurance? Trust

Best piece of advice you’ve been given in your career? Technology rarely fails on its own, people and process matter just as much.

Biggest misconception about cyber security? That buying more tools automatically makes you secure.

What motivates you outside of work? Learning, problem solving, and spending time with family.

Tea or coffee? Coffee, and lots of it.