Max AlhouraniFractional CISO EU · Available Book a call
Available for fractional & advisory engagements

Max
Alhourani

Fractional Chief Information Security Officer

A CISO's judgment, without the headcount.

Fractional and interim CISO for funded AI and SaaS companies in regulated EU markets. I help teams get enterprise-ready, build defensible EU AI Act and ISO positions, and cover the security leadership gap — boardroom to keyboard, without a full-time hire. I work with a small number of clients at a time, hands-on.

AI Governance · Data Protection · EU Regulatory Readiness

Master of Information Technology · Cybersecurity · Merit

Based in New Zealand · working across UK and European time zones.

Profile

I am Max, a fractional CISO giving AI, SaaS and data driven companies senior security and governance leadership without a full time hire. My focus is regulated markets across the EU, from EU AI Act and GDPR readiness to ISO 27001 and ISO 42001 programs, with real engineering never far from hand.

How I help

Three ways to start, each scoped and priced up front.

EU AI Act Exposure Review

What's actually in scope for your AI, what bites in the next 6 months after the Omnibus, and a position your board will accept.

From €8,000 · ~2 weeks

SOC 2 / ISO 27001 Readiness Review

Know exactly what stands between you and a signable enterprise deal. Gap assessment, prioritised roadmap, questionnaire-ready evidence.

From €7,500 · ~2–3 weeks

Fractional / Interim CISO

Hands-on security leadership on a retainer — board-facing and technical. Starts with a 30-day posture and board-readiness assessment (€6,500, creditable against your first two months).

From €6,000/month

MSc Cybersecurity · EU AI Act & Digital Omnibus · GDPR · ISO 27001 · SOC 2 · NIST CSF · DevSecOps

Before we talk

A 15-minute call is most useful if I come with a view. Helpful to know going in:

  • What's prompting this now, and any deadline — a blocked enterprise deal, an upcoming audit or raise, a board ask, a departed security lead, or an EU AI Act question.
  • Your stage and rough headcount.
  • Who owns security today, if anyone.
  • Which framework or regulation is in play: SOC 2, ISO 27001, EU AI Act, GDPR.

Prefer to brief me first? Email me these →

Who I work with

I work best with AI, SaaS and data driven companies in regulated markets across the EU that need ISO 27001, SOC 2, or EU AI Act and GDPR readiness, but cannot yet justify a full time CISO. Usually founders and execs at startups and scale ups who need senior security judgment now, not another permanent hire.

Proof

"Max took us from a conditional pass in enterprise due diligence to a security posture we can defend in any procurement process. He didn't hand us a report — he built the GDPR pack, fixed our transfer arrangements, and left us with a governance roadmap we're still executing."

Founder & CEO · EU AI SaaS
Current engagement — EU AI SaaS · anonymised, in progress

Buyer-side vendor security due diligence, then a phased program to make the platform enterprise-ready: a full GDPR pack (RoPA, DPIA, sub-processor register, retention schedule), cross-border transfer remediation (SCCs/TIA), and a hardening roadmap with ISO 42001 as the governance spine. The brief: take a conditional-pass posture to a defensible, enterprise-ready one.

Measured in enterprise security programs I led in prior roles — detailed under Experience

42%
fewer false positives, so the team spends its time on real threats
28%
faster incident response through automated triage
20%+
shorter ISO 27001 / SOC 2 audit cycle

Expertise

AI Governance & EU AI Act

Risk classification, controls for high risk systems, human oversight, ISO 42001.

Data Protection & Privacy

GDPR · DPIAs · cross border transfers (SCCs) · automated decision safeguards.

Security Strategy & Leadership

Building the security program, roadmap, budget ownership, board & executive reporting.

Risk, Compliance & Frameworks

ISO 27001 · SOC 2 · NIST CSF · third party & vendor risk.

Incident Response & Resilience

IR leadership, post incident review, BCP/DR, tabletop exercises.

Security Automation & Engineering

Python · Bash · Terraform · SIEM/SOAR · cloud (AWS · Azure · Cloudflare).

Experience

Military Experience
  • Led incident response in high pressure, mission critical operational environments.
  • Established and streamlined ITIL based processes, raising operational efficiency and compliance.
Enterprise Experience
  • Built and led security operations and automation programs, setting detection strategy that cut false positives 42% and improved response time 28%.
  • Embedded security into CI/CD and cloud infrastructure (DevSecOps) with Ansible and Terraform, hardening environments by design.
  • Owned SOC 2 and ISO 27001 audit readiness, automating evidence collection and shortening audit cycles 20%+.
  • Established post incident review and governance, reducing repeat incidents ~30% across critical infrastructure.
  • Directed vulnerability management and red team assessments, prioritising remediation by business risk.
  • Advised executives and stakeholders across energy, transport and public sector on security strategy and compliance.
  • Published open source security tooling and led cybersecurity awareness and training programmes.

Education

Master of Information Technology · CybersecurityMerit Whitecliffe Technology & Innovation

Mentoring

I develop people the way I run engagements: from hands-on craft to board-level judgment. Boardroom to keyboard applies here too. The measure isn't how many I've trained — it's how many now lead.

100+
Practitioners mentored since 2002, starting in the military and continuing through enterprise — many now lead security teams, functions, and companies across the industry.

Contact

Let's talk about your security and governance.

Tell me about your company and where you need support. Send a note and I will come back to you to set up a call.