Max Alhourani
A CISO's judgment, without the headcount.
Fractional and interim CISO for funded AI and SaaS companies in regulated EU markets. I help teams get enterprise-ready, build defensible EU AI Act and ISO positions, and cover the security leadership gap — boardroom to keyboard, without a full-time hire. I work with a small number of clients at a time, hands-on.
Master of Information Technology · Cybersecurity · Merit
Based in New Zealand · working across UK and European time zones.
Profile
I am Max, a fractional CISO giving AI, SaaS and data-driven companies senior security and governance leadership without a full-time hire. My focus is regulated markets across the EU, from EU AI Act and GDPR readiness to ISO 27001 and ISO 42001 programs, with real engineering never far from hand.
How I help
Three ways to start, each scoped and priced up front.
EU AI Act Exposure Review
What's actually in scope for your AI, what bites in the next 6 months after the Omnibus, and a position your board will accept.
SOC 2 / ISO 27001 Readiness Review
Know exactly what stands between you and a signable enterprise deal. Gap assessment, prioritised roadmap, questionnaire-ready evidence.
Fractional / Interim CISO
Hands-on security leadership on a retainer — board-facing and technical. Starts with a 30-day posture and board-readiness assessment (€6,500, creditable against your first two months).
MSc Cybersecurity · EU AI Act & Digital Omnibus · GDPR · ISO 27001 · SOC 2 · NIST CSF · DevSecOps
Before we talk
A 15-minute call is most useful if I come with a view. Helpful to know going in:
- What's prompting this now, and any deadline — a blocked enterprise deal, an upcoming audit or raise, a board ask, a departed security lead, or an EU AI Act question.
- Your stage and rough headcount.
- Who owns security today, if anyone.
- Which framework or regulation is in play: SOC 2, ISO 27001, EU AI Act, GDPR.
Who I work with
I work best with AI, SaaS and data-driven companies in regulated markets across the EU that need ISO 27001, SOC 2, or EU AI Act and GDPR readiness, but cannot yet justify a full-time CISO. Usually founders and execs at startups and scale-ups who need senior security judgment now, not another permanent hire.
Proof
"Max took us from a conditional pass in enterprise due diligence to a security posture we can defend in any procurement process. He didn't hand us a report — he built the GDPR pack, fixed our transfer arrangements, and left us with a governance roadmap we're still executing."
Buyer-side vendor security due diligence, then a phased program to make the platform enterprise-ready: a full GDPR pack (RoPA, DPIA, sub-processor register, retention schedule), cross-border transfer remediation (SCCs/TIA), and a hardening roadmap with ISO 42001 as the governance spine. The brief: take a conditional-pass posture to a defensible, enterprise-ready one.
Measured in enterprise security programs I led in prior roles — detailed under Experience
Expertise
AI Governance & EU AI Act
Risk classification, controls for high-risk systems, human oversight, ISO 42001.
Data Protection & Privacy
GDPR · DPIAs · cross-border transfers (SCCs) · automated decision safeguards.
Security Strategy & Leadership
Building the security program, roadmap, budget ownership, board & executive reporting.
Risk, Compliance & Frameworks
ISO 27001 · SOC 2 · NIST CSF · third-party & vendor risk.
Incident Response & Resilience
IR leadership, post-incident review, BCP/DR, tabletop exercises.
Security Automation & Engineering
Python · Bash · Terraform · SIEM/SOAR · cloud (AWS · Azure · Cloudflare).
Experience
- Led incident response in high-pressure, mission-critical operational environments.
- Established and streamlined ITIL-based processes, raising operational efficiency and compliance.
- Built and led security operations and automation programs, setting detection strategy that cut false positives 42% and improved response time 28%.
- Embedded security into CI/CD and cloud infrastructure (DevSecOps) with Ansible and Terraform, hardening environments by design.
- Owned SOC 2 and ISO 27001 audit readiness, automating evidence collection and shortening audit cycles 20%+.
- Established post-incident review and governance, reducing repeat incidents ~30% across critical infrastructure.
- Directed vulnerability management and red team assessments, prioritising remediation by business risk.
- Advised executives and stakeholders across energy, transport and public sector on security strategy and compliance.
- Published open source security tooling and led cybersecurity awareness and training programmes.
Education
Mentoring
I develop people the way I run engagements: from hands-on craft to board-level judgment. Boardroom to keyboard applies here too. The measure isn't how many I've trained — it's how many now lead.
Contact
Let's talk about your security and governance.
Tell me about your company and where you need support. Send a note and I will come back to you to set up a call.