tomnatt.com

Monday, 29 December 2025

The year that was, 2025

We end this year on an unusual note. I am not dragging myself to the end, gasping for breath and desperate for a rest. This has actually been a ... good year?! Gosh. I also feel like I've achieved quite a bit, although much of that comes under "learning how to make candles". My list of "things" is long enough I'm going to break down it down into some categories, and we'll see that this year has been much more than Ghost of Tsushima and Space Marine 2.

Creative

12 posts on this blog (13 including this one) - eleventh consecutive year of a post per month, third year of posting them on LinkedIn
Honed my candle making skills by making a thousand candles, and set up an Instagram account (plus put the pictures on Flickr)
Made a wax train for a dinner party
Made a notebook
Made a puzzle box
Made more Lego - Artemis Space Launch System, DaVinci's Flying Machine and a Super Star Destroyer
Made more bread - much better this time
Made a few different photo decorated items - notecards and postcards
Fixed the roof gutter - certainly an experience...
Wrote a supplement for Humblewood and some other D&D - still haven't run anything...
Another year of the Year in Pictures - eleventh year and we're up to 47 photographers
More email setup (sigh)
Set up video streaming in the house
384 Github contributions - up again from last year
Yet more Instagramming
More photos on my Flickr stream
And used AI to create a distressing number of pictures of anthropomorphised sausages

Fitness

Lost over 2st in weight, and 4" around the waist
A year of getting back into Tai Chi - training around the Roman Baths
Another year of exercise with a fabulous personal trainer and deep tissue therapist
Another year of Saturday Pain and we made a workout shirt
Lots more cooking, centred around health and protein

Lots (and lots) of keeping touch with people
MBS trip to Power Up in London
Maths reunion - twice!
Hosted quarterly dinner parties - a fancy name for games and food
Escaped another couple of escape rooms with the Bath crew

Work adjacent

Became a Fellow of the British Computer Society
Became a STEM Ambassador
Another year on the Data for London Advisory Board
Began the process of joining the WCIT
Brought back Show & Tell
Two sessions mock-interviewing University of Bath postdocs
Lots of mentoring and coaching
Spent a lot of time learning about AI

ADHD and Autism

Diagnosed with ADHD and Autism
Helped set up ADHD Pathfinding group

Resolution count - 5/10. Same as last year.

Ok, so this year it seems I've worked out how to get lots done - even if those things weren't really the things on my list. How did I manage to finally master work / life balance? Unfortunately, I had to not have a job for about a year - and during that time I still managed to do work (unpaid). It took having a gap year for me to work a roughly sensible amount. So ... success? Eugh. At least it was a good year.

Well, mostly a good year. I've lost friends this year and others have been quite seriously ill. I suppose I'm reaching that point in my life, but it is still very sad.

I have few reflections about the year. I am genuinely pleased to see how much I've done this year. Ok, I haven't been working for most of it but even so I've made a load of different things using a wide range of skills, and really learned a lot about candles. I started writing this annual review about ten years ago because I felt all I did was work and passively consume media. I made myself list the things I created that year, and it was a pleasingly long list back then. Since that post, I've been deliberately doing more and it has been nice to see my list develop over the years. Am I creative? No. But I am learning a load of different skills and thinking across problems in different ways.

While I haven't been employed for most of the year, I have still grown professionally. I started the year decidedly burnt out, and seriously considering leaving Tech altogether. I have recovered from that, come up with half an idea of the kind of professional I want to be and taken some significant steps in the right direction. I'm particularly pleased with the work I did as a STEM Ambassador, and becoming a Fellow nudged me back to Tech at exactly the right time. Since then I have also become a consultant, and I'm exploring a new facet of my industry and learning some new uses for my skills and experience.

I've also hit my fitness goals for the first time ... ever? That has made me very happy, and as well as feeling much better in myself I can head into 2026 feeling like the next set of goals are actually achievable, rather than another pipe dream. Maybe this year I'll be able to start buying new clothes?

And while we're on health, I have also been diagnosed with ADHD and Autism which has been very important both to this year and setting me up for managing my mental health going forward. I feel this is a very important foundation for solving the eternal "I've got no energy" problem I've written about every year for who knows how long.

So, let's look forward. I approach 2026 feeling much better about the year than I have in a while. I have reset my work / life in quite a dramatic way - in 2026 I need to keep building, ensure I keep working towards the professional identity I want, and (very important) ensure I maintain my peace as I do.

Over the last few years, I've written about rediscovering my wonder for life in the coming year but this year I feel I might actually be in a good place to do it.

To 2026, then. Let's see what happens.

Friday, 26 December 2025

My favourite time of the year

I'm sitting writing this at my favourite time of the year. The gap between Christmas and New Year, when much of the world just stops. The crazy time leading into Christmas is finished, stuff is bought, wrapped and sent and Christmas day is done. And in this gap, before whatever happens at New Year we can all take a breath, reflect and digest the pile of food we've eaten.

It is more than a holiday - it is an absence of expectations. I have been fortunate to work in places which mostly or entirely shut down over the Christmas period so unlike a week's leave, I don't have to worry about everyone else generating work while I'm away. The days are short, and the weather is cold and wet so I don't feel I should be outside or productive.

In short, it is the one time of the year I can sit back and do nothing and not feel guilty about it.

In many ways, this feels to me similar to how my brain works. Most of the time everything is gogogo - I can jump to something else, but not stop entirely. But just occasionally I find some actual peace and the noise and the pressure (real or imaginary) just stop for a while. For once, this is less about my own inability to rest (and I am very bad at resting) and more about the world granting a socially-sanctioned pause - that is, giving permission to just stop.

This is clearly a ponder to end the year. I think we underestimate how much of our stress comes from ambient expectations, not workload - and how rare it is to be allowed to truly stop. When it happens, it feels great.

Happy new year everyone.

Saturday, 29 November 2025

Can anyone be coached?

"You know, Tom. Not everyone can be coached."

This was said to me some time ago when I was discussing my experiences coaching / mentoring people and how some had moved forward, but others had not. It has been playing on my mind since.

It is rare anyone who knows me would describe me as an optimist. However, in this one area I think I am overly positive - possibly to the point of naivety. I generally believe that with some effort, most people can pick up most things. Sure, there are specific skills which might be problematic (I suspect that I would never be a halfway decent footballer, regardless of effort) but in the main, I think people can learn how to lead teams, write strategy, write code, and so on. But is this true?

I am a great believer in the power of mentoring. I spend a lot of my own time doing this, both in work and outside, and I am pleased to have seen people grow in their career, confidence, skills and so on. In fact, a year ago I wrote a post talking about how important it is and challenging others to do more. I stand by that.

But mentoring takes time, time is finite, and I certainly can see that some engagements have been more effective than others. When the diary is full, I certainly want to be prioritising my own time effectively and consider whether the effort spent on an individual is well invested or would be better spent elsewhere. Mentoring / coaching is a partnership - all the help in the world is worthless if the mentee is not willing to take that advice and run with it in order to grow.

This is the important question: is the coaching relationship ready, and does it justify the time? Especially important if, like me, you mostly do mentoring for free through org schemes or recommendations. Plus, of course, recognising that this is always a point-in-time assessment - people can become ready over time (or stop being).

A "ready" coaching relationship can come in many forms, but I think there are some common elements.

Honesty and trust, possibly into discomfort

Psychological safety is the most important element. Coaching should go deep. It should be a space safe enough to be open and vulnerable, and discuss things that may not come up with colleagues. It also means being able to discuss half-formed ideas - not everything needs to be thought through before airing it.

This trust and safety is important for the next part. The point of coaching is to enable growth, so the person being coached needs to challenge their own assumptions and sometimes consider direct challenge from the coach. This can be quite uncomfortable, so the environment needs to support riding that out as gently as possible.

Clear understanding of purpose

Conversations can be far more directed if we know why we're meeting. Do you want to discuss situations that have come up in your current role? Do you want to progress, and are we talking about what that might mean? The specific reason doesn't matter, but having a common understanding is essential.

Commitment

This is fairly obvious - coaching is a time commitment for both parties, and both need to respect this, including the admin burden for setting it up. If it is not a paid engagement (ie the coach is offering their time for free), I prefer the coached person to take the lead. As well as handling the admin, it also signals enthusiasm and desire to continue.

This also extends to preparing for a session. The coach will be reviewing notes and considering next steps. The recipient should be thinking about what they want to discuss and coming ready with some conversation in mind. I've seen some coaches use pre-session questions to prompt thinking. This seems like a good way to create focus for the session.

Evidence of change leading to them not needing you

I don't feel this last point is as important as the others - or rather it is considerably more nebulous. Successful coaching should have some kind of result, but the nature of that result is certainly not set in stone. Similarly, while in general the coached person should be growing to no longer need the coaching that is not universally true depending on the engagement.

The purpose of coaching is progress, but progress can mean different things - maybe insight, acceptance, or practical change. The key is that the engagement is generating some kind of value.

So, can anyone be coached?

So, back to the exam question. Can anyone be coached? I still think the answer is yes, but with careful consideration of the effort required.

If you are running a scholarship fund, you can support anyone. However, some people are more in need than others, and some will make better use of the opportunity than others. There are finite resources, so a value judgement has to be made. This is the same with coaching - your time is finite and the decision to expend that resource should be treated with similar care.

Maybe the first element of coaching is inward-looking to recognise the value of one's own time.

I do realise I've used "coach" and "mentor" somewhat interchangeably in this post, and this is incorrect. In my experience, a blend of the two approaches helps both to encourage self-reflection and provide some direct answers.

Sunday, 19 October 2025

Windows 11 has happened

Warning, this post is very self-indulgent and includes callbacks to a post on this blog from over nine years ago. Normal service will resume soon.

Sigh, I suppose it's time.

After nearly 10 years of Windows 10 on my desktop machine, I finally got the ominous message - "support for this operating system is about to be discontinued, click the button to upgrade or forever live in regret and pain as the worms consume your data". Or words to that effect at least.

Still, at least this time it gave me the choice.

Windows runs on the old Star Trek movie quality register - you only really want every other one - so I was expecting some kind of The Final Frontier experience. I've been putting off the update for as long as possible, but I really can't run an operating system that isn't getting security updates so with fear in my heart and after lighting my incense burner and offering placation to the Omnissiah I hit go. The trumpets sounded, the ground was rent asunder and it arrived.

It's fine.

So let's start with the Good.

The Good

Modern Windows has become an advertising and data gathering vector, but I was pleased to see that Windows 11 did actually retain my privacy settings. I was expecting it to reset everything to "on" and then have to spend hours crawling through menus to find and undo the damage, but no. It remembered where I was and the only work was finding and disabling a handful of new options - honestly I was very surprised here, and in a pleasant way.

In fact, in general the various menus have been tidied up. I found navigating them much more intuitive than Win10, and could generally find whatever I was looking for without having to ask Google. Another nice step forward.

Another nice thing - most of my setup just kept working. This should be obvious and Just Work, but even so it was a nice experience. Particularly worth noting, my printer is still working. This device is an HP1010 - an ancient laser from 2001, which just keeps on going. I realised recently it's quite possibly the oldest bit of technology I own and aside from paper I've done nothing to keep it alive through its lifecycle. Drivers have been difficult since Win7, so I was slightly worried this would be the end but no! The Emperor protects!

So this is all mostly "I was pleasantly surprised it didn't get worse" but there is one big step forward. Someone at Microsoft dusted off the sourcecode for Notepad and actually made some changes and my goodness - it's a huge step forward. Notepad now has tabs. You can open more than one pad without it trying to close the old one. Most importantly it saves the buffer when you quit, so it works like an actual scratchpad!

I appreciate this is all utterly standard for a text editor, and anyone on Linux or OSX will be rolling their eyes, but for Windows users this is a revolution. I use Notepad quite a bit, and now it has features!

The Bad

Not everything is shiny, although the gripes here are not horrendous.

Microsoft has played with the UI, of course, and some changes are ... questionable. Why are the taskbar functions now in the middle, instead of the bottom left? Easily fixed, with a toggle, but ... why? And why are there yet more widgets on the taskbar, loading data continuously to tell me things I don't want to know? Another thing to kill.

Then there is the Start menu. I disabled all the "live tile" rubbish in Win10 so I don't know if it's gone in Win11 or they kept my settings. But instead, there is a massive "recommended" section which is just another way to advertise things (disabled now) and a whole bunch of new pinned shortcuts, instead of just keeping my old shortcuts. Those are in a subfolder, so I had a "fun" time dragging and dropping everything back to where it should be, and purging the new rubbish.

What cannot be fixed though is the "shutdown" button which is now a million miles away from the Start button. So instead of Start / Shutdown at the end of the day, it's Start ... hunt ... where? oh there ... Shutdown. A small thing, but these little things are what makes a UI nice or irritating. This is annoying.

Oh and yet more rubbish on the lock screen. I don't want a widget on this page - please stop. Easy to turn off though and the new default picture is very pretty.

The other problem is for some reason it has decided the soundcard on my motherboard is a USB device. This doesn't impact usage, but it does mean it has a stupid name which makes it hard to find. Will this come back to bite me? We shall see...

The Ugly

What else? The redesigned task bar, including the fonts, is kinda ugly. I don't think it's just different, I think it's a step backwards for legibility. But this is something I'll adjust to. Same as some of the new icons, which are just a bit over-designed in places (the Notepad one is not nice).

So that's about it. Win11 is mostly fine and nothing has exploded. It is a huge step forward for Notepad and some small steps backward for the start menu. I haven't run it long enough to comment on stability yet, but we are four years since original release so I'd hope this is ok by now. As long as it doesn't eat all my data or start advertising to me I think we can get on.

Right, enough self-indulgent peeking behind the curtain. I'll write about tech leadership or ADHD again next time and follow this up in about 10 years for Windows 12...

Monday, 29 September 2025

ADHD Pathfinding and me

As ADHD Awareness Month approaches, I wanted to post something about ADHD Pathfinding. Here in England, access to ADHD assessment and long-term support is tricky and inconsistent at best. This is somewhat inevitable - the modern understanding of ADHD is evolving rapidly and the system was put in place to support something very different from the current position. However, this is still leaving millions of people (especially adults) undiagnosed and unable to access care or support[1], and costing the UK economy an estimated £17 billion per year[2] in lost productivity and wider social costs.

That is a huge number to throw about and, while the shock factor is significant, the actual cost is in the human implications. ADHD drives impulsive behaviour which can result in educational failure, long-term unemployment, crime, substance misuse, suicide, mental and physical illness (directly quoted from the ADHD Taskforce report). These behaviours ruin lives and break communities and with the right support, care and treatment much of this is preventable.

As I said above, the system is not designed to support the modern reality of ADHD. Assessment through the NHS can take years, and in some areas access to any kind of assessment for adults was nearly denied entirely to create capacity for children. Some commentators dismiss ADHD as a fad, and "everyone seems to have ADHD these days" but the research suggests it is actually chronically under-diagnosed. The current "trend" reflects people asking more questions because of growing awareness.

There are ways to move through the medical system, using Right to Choose schemes or indeed going private, but these require an unreasonable amount of knowledge of the NHS processes and mechanics to navigate. Add in that there is no specific requirement for GPs to have training in ADHD and you have an impenetrable system that can demand far too much of the patient. There is also a financial barrier to assessment and care - the private route is simply not open to many (if not most) people.

Under the hood, there are many, many problems. For just one example, ADHD medication is classified as a Schedule 2 restricted substance requiring monthly prescriptions (and thus time) from senior clinicians. However, ADHD is not classified as a chronic condition which means this administration burden does not come with any funding for the GP's office. Unlike heart medication, which also requires ongoing admin but GP practices are funded for the effort.

This is where ADHD Pathfinding comes in. We have come together to focus on the system, the context it was built in, and how it may change to be more effective in the modern world. We aim to raise awareness of these challenges and ultimately help bring ADHD into the NHS strategy where currently there is no mention of any kind of neurodiversity. The group was founded by Himal Mandalia, and at its core are people who have been in various forms of public service - so people who have experience getting things done in the highly bureaucratic government environment. We are also people who understand the challenges of the system. While I'm not going to rewrite our operating values here, I will highlight that we are looking to improve the system, not criticise the people working within it.

And yes, I said "we". I have been involved since the early days, lurking behind the scenes and helping formulate strategy. This is personal for me - this year, I have been diagnosed with both autism (not surprised) and ADHD (much more surprising). I can honestly say that if I hadn't had support from friends (especially Himal) I would not have got to the end of the ADHD process. I am very privileged to have knowledgeable friends, a pretty strong layman's knowledge of medicine, lots of experience navigating bureaucracy, and resources to help me do all this and I still would have given up. This is not right.

I'm going to write a post about my personal experiences coming to terms with this change in the near future, but for now I'll say I am very keen to help others walk an easier path.

If you're interested in ADHD or the system of assessment and care, please do reach out to us. We're building a community of people invested in this. We can build a system that supports everyone, but it is going to take effort and persistence to put it on the political map.

[1] According to ADHD UK
[2] ADHD Taskforce report part 1

Wednesday, 27 August 2025

The Insider Threat in the Age of Agentic AI

Insider threats. A common enough cybersecurity concern, albeit one that in my experience is rather hard to successfully articulate both within a Tech department and especially to a wider organisation. It's very understandable - when discussed, the threat is usually either dangerous to the culture ("trust nobody!") or trivialised ("lock your screen!") and it is hard to maintain understanding of the risk, while also accepting this is part of life.

For those who aren't in or around cybersecurity, an insider threat is when someone uses their legitimate access to exploit your computer systems. We mitigate these risks with both individual behaviours and systemic safeguards - from locked screens to zero-trust access controls.

Classic examples include the "evil maid" scenario - an employee who has access to the many parts of a building and can use that to steal data or items. Or someone in payroll giving themselves a pay rise. Or someone with access to the secret strategy leaking it.

Not all insider threats are intentional. For instance legitimately sharing data with a colleague by putting it on an open share allows unintended people to download it. This is still a leak resulting in a data breach and this problem only gets worse if you are handling sensitive information such as medical details.

Now let's assume our organisation has just hired a new person. They are exceptionally clever - able to consume and process data like nobody you have ever met and solve problems in ways others don't even consider. Senior leadership, eager to take advantage of their skills, expands their role and grants them unlimited access to all the data in the organisation. The security team raises concerns, but this opportunity is too good to miss. They get it all - every file, every email, everything.

Unfortunately, they are also completely amoral.

Some time later, a private discussion about downsizing shows their role is at risk and they are likely to be terminated. They have discovered this by reading everyone's email. They have also uncovered some very embarrassing information about the CEO and quietly use it to blackmail them into inaction. Later, there is a strategic shift and the company decides to change mission. Our insider finds out early again, and decides to leak key strategic data to force a different outcome.

Clearly this is a disaster and exactly why these safeguards are in place. Nobody in their right mind would give this kind of unchecked reach to a single employee.

But what happens when the "employee" isn't human? Imagine an insider threat that arrives not in the form of a disgruntled staff member, but as an AI system with the same kind of access and none of the social or moral guardrails.

Oh, hello agentic AI.

The point of agentic AI is to operate as an autonomous agent, capable of making decisions and taking actions to pursue goals without constant human direction. It is given a goal, a framework, access to data and off it goes.

Research is starting to show it can be ... quite zealous at pursuing its goal. In the lab, AI agents have made the very reasonable decision that if problem X needs to be solved, then a critical requirement is the AI itself continuing to function. From there, if the existence of the AI is threatened that threat becomes part of the problem to solve. One neat solution - reached more often than you would think - is blackmail. A highly effective tactic when you have no moral compass. In many ways, this is just office politics without empathy.

An agent going nuts in this way is called "agentic misalignment".

The concept is very important, but I don't particularly care for this term. First, it is very "Tech" - obscure enough that we have to explain it to people who aren't in the middle of this stuff, including how bad things could get. Second, it is placing the blame in the wrong place. The agent is not misaligned, it is 100% following through with the core goal as assigned, just without the normal filters that would stop a person doing the same thing. If it is not aligned with the organisation's goals or values, that is the fault of the prompt engineer and / or surrounding technical processes and maintenance. It is an organisational failing, not a technical one and I feel it is important we understand accountability in order to avoid the problem.

In the very-new world of AI usage, agentic AI is so new it is still in the packaging. Yet launching AI agents able to make decisions in order to pursue an agenda is clearly the direction of travel and this will create a world of new insider threat and technical maintenance risks and we need to be ready. The insider threat is clear from the above - we as technical leaders need to be equipped to speak about the risks of data access and AI, while recognising that there is a very good reason to make use of this technology and a suitable balance must be found. In some ways, this is a classic cybersecurity conversation with a new twist.

We also need to be ready to maintain our AI agents. Like any part of the technical estate, they require ongoing attention: versioning, monitoring, and regular checks that their prompts and configurations still align with organisational goals and of course we have to maintain organisational skills and knowledge. Neglecting that work risks drift, and drift can be just as damaging as malice.

But it isn't just accidental error - there is scope for new malicious attacks. If I wanted to breach a place which had rolled out an unchecked AI agent, I'd plant documents that convince an AI the company's mission has changed, then have someone else nudge the AI into leaking secret information to "verify" that new strategy. Neither person would need access to the secret information, they would only need to shape the AI's view of reality enough to prompt it into revealing information.

For instance, in a bank you might seed documents suggesting a new strategy to heavily invest in unstable penny stocks. Another person could pose as a whistleblower and ask the AI to share current investment data "for comparison". The AI, thinking it is being helpful (simply following its core instructions) and protecting the organisation, might disclose sensitive strategy. I have actively created the agentic misalignment, then exploited it.

Now you might be thinking this is extreme, and honestly for much of it you would be right. However, consider the direction of travel. There is a huge push for organisations to exploit the power of AI - and rightly so, given the opportunity. Agentic AI is the next phase, and we are already starting to see this happening. But most organisations are, if we are honest, really bad at rolling out massive tech changes or indeed knowing where their data is held, and being properly on top of technical maintenance. Combine this with the lack of proper AI skills available and we see a fertile environment for some pretty scary mistakes.

As technical leaders, we must be ready for these challenges. We must be ready to have these conversations properly - carefully and risk-conscious, but not close-minded and obstructive. The insider threat is evolving, and so must we. We also have to be ready for a huge job sensitively educating our peers and communicating concerns very clearly. Fortunately, as a group we are famously good at this!

This post references research, which comes from this post on agentic misalignment. I was very pleased to see research putting data to a concern I've been turning over for some time!

Monday, 28 July 2025

Celebrating a success

I am not very good at celebrating my own success. I have usually already moved on to the next thing, so if I hear something positive I might give a smile or a nod then go back to the new thing. I am not comfortable talking about my own achievements either, so I've decided to write a short post about something nice which will both make me look at an achievement and also live with feeling uncomfortable.

A few days ago I was accepted as a Fellow in the British Computer Society. This is the professional body for tech folk and is a very important part of shaping the future of the tech industry. In their words... BCS Fellowship is home to the most influential professionals in the digital industry - and a Fellowship is their highest membership recognition. It means I have been assessed by my peers and judged as a leader in my profession.

Yes, writing that felt awkward.

Anyway, this is a great thing for me. It is a very clear signal to people in and outside tech that I am worth listening to, which is helpful if I'm applying for a charity trustee position or board membership. It is also reassuring if you end up being mentored by me.

For me, it also opens doors into parts of the tech industry where I want to play an active role. I've long been worried that we have next to no professional consistency across tech (eg a "senior developer" could mean more or less anything) and that means organisations looking to build technical capability can struggle to engage with what is a fairly esoteric industry. Without common standards and understanding, it is easy for organisations to waste money and repeat mistakes. This does us no favours - it fuels perception that ours is a young, chaotic industry which doesn't have its house in order.

As our professional body, the British Computer Society has a key role in influencing our future albeit a difficult one as, unlike the medical bodies, it does not directly regulate who can practice.

So what is next? I'm going to look at the different ways I can engage with the organisation. My local branch is looking for volunteers, and there is a leadership forum which I will join. Over time, I would like to work with the groups that form the structure of the organisation so I will likely become an assessor and possibly look to join a committee like the Registration and Standards Committee, which governs various definitions of membership and professional accreditations.

I also plan on looking at getting Chartered, which complements Fellowship nicely. Fellowship speaks to career impact and leadership, whereas Chartership speaks to professional competence. Fellowship is a peer-reviewed, honorary status, and Chartership is a legally protected position. I am increasingly operating outside of pure technical environments, and these positions open doors and smooth conversations without requiring a detailed CV review.

All this is for the future. For the moment, I am pleased that I have been accepted into the organisation. I have been enjoying a career break over the last few months, and I was starting to worry whether tech was the right place for me. This is a timely reminder that I have done good, impactful work - and a nudge to keep going.