David Whitelegg is a UK-based cybersecurity professional with over two decades of experience in control effectiveness, assurance governance, and operational resilience. His work focuses on the gap between reported security posture and operational reality — and on building practical frameworks that close it.
David founded Provable Cyber Resilience as an independent research and assurance platform examining how organisations demonstrate — rather than assume — that their controls actually work. The platform's AI Labs and Pro Labs tools have been built to bring that question into practice, allowing security leaders to test control effectiveness, model exposure, and challenge assurance assumptions under realistic conditions.
→ Explore AI Labs.
The Book
David is completing a book on cybersecurity assurance — examining why the gap between reported and real control effectiveness persists, and what measurable, evidence-led assurance looks like in practice. The intended audience is CISOs, risk leaders, audit professionals, and board members who need to move beyond compliance posture toward demonstrable security performance.
The manuscript is in its final stages. For publishing enquiries, please use the contact page.
→ More about the book
Research and Writing
David has written on cybersecurity assurance, control effectiveness, and governance for over seventeen years. Published work includes technical and practitioner articles for IBM Developer, covering GDPR application design, privacy engineering, and IoT security. The IT Security Expert Blog, established in 2007, remains one of the UK's longest-running independent cybersecurity commentary platforms.
→ IT Security Expert Blog → Articles and published work
Speaking and Commentary
David has spoken at industry conferences and events on cybersecurity assurance, control governance, and the challenge of translating technical security posture into credible executive reporting. He has provided commentary and analysis on cybersecurity topics for media and industry publications.
For speaking or media enquiries, please use the contact page.
Background
David holds experience across complex international control environments spanning financial services, technology, and regulated sectors. His professional focus has consistently been on the integrity of cybersecurity assurance — how it is measured, how it is reported, and how it is validated independently of the teams responsible for delivering it.
He is based in the UK.