Max
Alhourani
A CISO's judgment, without the headcount.
Fractional and interim CISO for AI, SaaS and data companies in regulated markets. Eighteen years across defence, critical infrastructure and enterprise technology, now applied to the governance problems that block enterprise deals: EU AI Act, GDPR, ISO 27001 and ISO 42001, SOC 2. I work with a small number of clients at a time, hands-on. Boardroom to keyboard.
Master of Information Technology · Cybersecurity · Merit
Based in New Zealand · working across New Zealand, Australia and Europe
Profile
I'm Max, a fractional CISO for AI, SaaS and data driven companies that need senior security leadership without a full time hire.
My foundation is technical. I served in the New Zealand Defence Force's Communications and Information Systems branch as a systems engineer and Oracle DBA, supporting deployed operations. I secured enterprise systems for Meridian Energy, Transpower, KiwiRail and Coca-Cola Amatil, and deployed detection and SOC monitoring inside a critical infrastructure business. I hold a Master of IT in Cybersecurity (Merit), and I still read the config, not just the control matrix.
What I do with that now is governance: EU AI Act exposure, GDPR and cross border transfers, ISO 27001 and ISO 42001, SOC 2 readiness, and the board narrative that has to hold up in front of a customer, an auditor or a regulator.
How I help
Three ways to start, each scoped and priced up front. Assessments are fixed fee, fixed scope and fixed end date; retainers are a fixed monthly fee for a defined term.
EU AI Act Exposure Review
What's actually in scope for your AI, what bites in the next 6 months after the Omnibus, and a position your board will accept.
SOC 2 / ISO 27001 Readiness Review
Know exactly what stands between you and a signable enterprise deal. Gap assessment, prioritised roadmap, questionnaire-ready evidence.
Fractional / Interim CISO
Hands-on security leadership on a retainer — board-facing and technical. Starts with a 30-day posture and board-readiness assessment (€6,500, creditable against your first two months).
M.IT Cybersecurity (Merit) · ISO 27001 · ISO 42001 · EU AI Act · GDPR · SOC 2 · NIST CSF
Before we talk
A 15-minute call is most useful if I come with a view. Helpful to know going in:
- What's prompting this now, and any deadline — a blocked enterprise deal, an upcoming audit or raise, a board ask, a departed security lead, or an EU AI Act question.
- Your stage and rough headcount.
- Who owns security today, if anyone.
- Which framework or regulation is in play: SOC 2, ISO 27001, EU AI Act, GDPR.
Who I work with
I work best with AI, SaaS and data driven companies in regulated markets that need ISO 27001, SOC 2, or EU AI Act and GDPR readiness, but cannot yet justify a full time CISO. Usually founders and execs at startups and scale ups who need senior security judgment now, not another permanent hire.
Proof
- Full GDPR pack: RoPA, DPIA, sub-processor register, retention schedule
- Cross border transfer remediation: SCCs and transfer impact assessment
- Vendor security due diligence and questionnaire ready evidence
- ISO 42001 governance spine and a 36 item hardening roadmap, owned to a fixed date
"Max didn't deliver a deck and walk away. He got hands-on: he assembled our full GDPR compliance pack, restructured our cross-border data transfer mechanisms, and gave us a governance roadmap we're actively executing. Our enterprise due diligence went from a conditional pass to a posture we can defend in any procurement process. He's currently leading us through ISO 42001 implementation and EU AI Act alignment — and doing so with a level of precision and pragmatism that makes complex regulation feel manageable. An outstanding partner."
Expertise
AI Governance & EU AI Act
Risk classification, controls for high risk systems, human oversight, ISO 42001.
Data Protection & Privacy
GDPR · DPIAs · cross border transfers (SCCs) · automated decision safeguards.
Identity & Access
Privileged access (PAM) · SSO · MFA · JIT access · Zero Trust · IAM lifecycle and governance, cloud and on premise.
Security Strategy & Leadership
Building the security program, roadmap, budget ownership, board & executive reporting.
Risk, Compliance & Frameworks
ISO 27001 · SOC 2 · NIST CSF · APRA CPS 230 · third party & vendor risk.
Incident Response & Resilience
IR readiness and playbooks, post incident review, BCP/DR, tabletop exercises.
Security Automation & Engineering
Python · Bash · Terraform · SIEM/SOAR · cloud (AWS · Azure · Cloudflare).
Remediation, prioritised
I prioritise by what an attacker can actually reach, not by CVSS score. Offensive security coursework (OSCP curriculum, CEH) informs how I read a finding; eighteen years of operations informs what I tell you to fix first.
Experience
- Security and governance leadership for AI, SaaS and data companies in regulated markets.
- Current client is an EU AI SaaS platform: buyer side vendor security due diligence, full GDPR pack (RoPA, DPIA, sub-processor register, retention schedule), cross border transfer remediation (SCCs and transfer impact assessment), and a hardening roadmap with ISO 42001 as the governance spine.
- Currently leading ISO 42001 implementation and EU AI Act alignment.
- APRA CPS 230 supplier side readiness for vendors serving AU/NZ regulated financial entities.
- Master's research on secure cloud infrastructure, open source security and emerging threats.
- Writing on identity and access management, Zero Trust and encrypted communications.
- Community sessions for parents and children on online safety and responsible digital habits.
- Within the technology function of a critical infrastructure contractor, reporting into the CIO organisation.
- Led IBM Maximo upgrades implementing Single Sign-On and Multi-Factor Authentication; deployed Darktrace and Sumo Logic and established SOC monitoring; built the executive security dashboards that gave leadership its first regular security reporting.
- Secured enterprise application deployments for energy, transport and retail clients including Meridian Energy, Transpower, KiwiRail and Coca-Cola Amatil.
- Privileged access controls and secured system integrations.
- WebSphere Application Server and Oracle database administration, Maximo solution development and support, BIRT reporting.
- European delivery experience.
- Cybersecurity and database security support across enterprise clients.
- Communications and Information Systems branch.
- Oracle database administration and systems engineering for NZDF services and deployed personnel; enhanced the HP OpenView service management platform and implemented service level agreement strategies.
- Network and systems roles at EDS, Vodafone, Spark and Orcon.
Systems I've secured have run at
New Zealand Defence Force · Meridian Energy · Transpower · KiwiRail · Coca-Cola Amatil · Fulton Hogan · Ascom (Switzerland)
Education
Certifications
Professional development — courses completed, certificates of completion, not certification exams
AWS DevOps Engineer Professional (exam preparation course) · Offensive Security (OSCP curriculum) · Certified Ethical Hacker (CEH) · Certified Cybersecurity Technician (CCT)
Mentoring
I develop people the way I run engagements: hands-on craft through to board level judgment. Boardroom to keyboard applies here too. The measure isn't how many I've trained, it's how many now lead.
Contact
Let's talk about your security and governance.
I work with a small number of clients at a time, and I currently have capacity for one more engagement. Tell me what's on your desk and I'll come back to you.