Max AlhouraniFractional CISO NZ · AU · EU · Available Book a call
Available for fractional & advisory engagements

Max
Alhourani

Fractional Chief Information Security Officer

A CISO's judgment, without the headcount.

Fractional and interim CISO for AI, SaaS and data companies in regulated markets. Eighteen years across defence, critical infrastructure and enterprise technology, now applied to the governance problems that block enterprise deals: EU AI Act, GDPR, ISO 27001 and ISO 42001, SOC 2. I work with a small number of clients at a time, hands-on. Boardroom to keyboard.

AI Governance · Data Protection · Regulatory Readiness

Master of Information Technology · Cybersecurity · Merit

Based in New Zealand · working across New Zealand, Australia and Europe

Profile

I'm Max, a fractional CISO for AI, SaaS and data driven companies that need senior security leadership without a full time hire.

My foundation is technical. I served in the New Zealand Defence Force's Communications and Information Systems branch as a systems engineer and Oracle DBA, supporting deployed operations. I secured enterprise systems for Meridian Energy, Transpower, KiwiRail and Coca-Cola Amatil, and deployed detection and SOC monitoring inside a critical infrastructure business. I hold a Master of IT in Cybersecurity (Merit), and I still read the config, not just the control matrix.

What I do with that now is governance: EU AI Act exposure, GDPR and cross border transfers, ISO 27001 and ISO 42001, SOC 2 readiness, and the board narrative that has to hold up in front of a customer, an auditor or a regulator.

How I help

Three ways to start, each scoped and priced up front. Assessments are fixed fee, fixed scope and fixed end date; retainers are a fixed monthly fee for a defined term.

EU AI Act Exposure Review

What's actually in scope for your AI, what bites in the next 6 months after the Omnibus, and a position your board will accept.

From €8,000 · ~2 weeks

SOC 2 / ISO 27001 Readiness Review

Know exactly what stands between you and a signable enterprise deal. Gap assessment, prioritised roadmap, questionnaire-ready evidence.

From €7,500 · ~2–3 weeks

Fractional / Interim CISO

Hands-on security leadership on a retainer — board-facing and technical. Starts with a 30-day posture and board-readiness assessment (€6,500, creditable against your first two months).

From €6,000/month

M.IT Cybersecurity (Merit) · ISO 27001 · ISO 42001 · EU AI Act · GDPR · SOC 2 · NIST CSF

Before we talk

A 15-minute call is most useful if I come with a view. Helpful to know going in:

  • What's prompting this now, and any deadline — a blocked enterprise deal, an upcoming audit or raise, a board ask, a departed security lead, or an EU AI Act question.
  • Your stage and rough headcount.
  • Who owns security today, if anyone.
  • Which framework or regulation is in play: SOC 2, ISO 27001, EU AI Act, GDPR.

Prefer to brief me first? Email me these →

Who I work with

I work best with AI, SaaS and data driven companies in regulated markets that need ISO 27001, SOC 2, or EU AI Act and GDPR readiness, but cannot yet justify a full time CISO. Usually founders and execs at startups and scale ups who need senior security judgment now, not another permanent hire.

Proof

Current engagement — EU AI SaaS (anonymised, in progress)
  • Full GDPR pack: RoPA, DPIA, sub-processor register, retention schedule
  • Cross border transfer remediation: SCCs and transfer impact assessment
  • Vendor security due diligence and questionnaire ready evidence
  • ISO 42001 governance spine and a 36 item hardening roadmap, owned to a fixed date

"Max didn't deliver a deck and walk away. He got hands-on: he assembled our full GDPR compliance pack, restructured our cross-border data transfer mechanisms, and gave us a governance roadmap we're actively executing. Our enterprise due diligence went from a conditional pass to a posture we can defend in any procurement process. He's currently leading us through ISO 42001 implementation and EU AI Act alignment — and doing so with a level of precision and pragmatism that makes complex regulation feel manageable. An outstanding partner."

Founder & CEO · EU AI SaaS

Expertise

AI Governance & EU AI Act

Risk classification, controls for high risk systems, human oversight, ISO 42001.

Data Protection & Privacy

GDPR · DPIAs · cross border transfers (SCCs) · automated decision safeguards.

Identity & Access

Privileged access (PAM) · SSO · MFA · JIT access · Zero Trust · IAM lifecycle and governance, cloud and on premise.

Security Strategy & Leadership

Building the security program, roadmap, budget ownership, board & executive reporting.

Risk, Compliance & Frameworks

ISO 27001 · SOC 2 · NIST CSF · APRA CPS 230 · third party & vendor risk.

Incident Response & Resilience

IR readiness and playbooks, post incident review, BCP/DR, tabletop exercises.

Security Automation & Engineering

Python · Bash · Terraform · SIEM/SOAR · cloud (AWS · Azure · Cloudflare).

Remediation, prioritised

I prioritise by what an attacker can actually reach, not by CVSS score. Offensive security coursework (OSCP curriculum, CEH) informs how I read a finding; eighteen years of operations informs what I tell you to fix first.

Experience

Fractional CISO · alhourani.dev · 2025 to present
  • Security and governance leadership for AI, SaaS and data companies in regulated markets.
  • Current client is an EU AI SaaS platform: buyer side vendor security due diligence, full GDPR pack (RoPA, DPIA, sub-processor register, retention schedule), cross border transfer remediation (SCCs and transfer impact assessment), and a hardening roadmap with ISO 42001 as the governance spine.
  • Currently leading ISO 42001 implementation and EU AI Act alignment.
  • APRA CPS 230 supplier side readiness for vendors serving AU/NZ regulated financial entities.
Independent Security Research and Community Education · 2020 to present
  • Master's research on secure cloud infrastructure, open source security and emerging threats.
  • Writing on identity and access management, Zero Trust and encrypted communications.
  • Community sessions for parents and children on online safety and responsible digital habits.
Enterprise Asset Management Specialist · Fulton Hogan · 2017 to 2020
  • Within the technology function of a critical infrastructure contractor, reporting into the CIO organisation.
  • Led IBM Maximo upgrades implementing Single Sign-On and Multi-Factor Authentication; deployed Darktrace and Sumo Logic and established SOC monitoring; built the executive security dashboards that gave leadership its first regular security reporting.
EAM Consultant · New Zealand and Australia · 2015 to 2017
  • Secured enterprise application deployments for energy, transport and retail clients including Meridian Energy, Transpower, KiwiRail and Coca-Cola Amatil.
  • Privileged access controls and secured system integrations.
Maximo Consultant and Developer · Ascom Systems & Solutions, Switzerland · 2014 to 2015
  • WebSphere Application Server and Oracle database administration, Maximo solution development and support, BIRT reporting.
  • European delivery experience.
Technical Analyst · OSC · 2009 to 2014
  • Cybersecurity and database security support across enterprise clients.
Systems Engineer / Oracle DBA · New Zealand Defence Force · 2007 to 2009
  • Communications and Information Systems branch.
  • Oracle database administration and systems engineering for NZDF services and deployed personnel; enhanced the HP OpenView service management platform and implemented service level agreement strategies.
Earlier career
  • Network and systems roles at EDS, Vodafone, Spark and Orcon.

Systems I've secured have run at

New Zealand Defence Force · Meridian Energy · Transpower · KiwiRail · Coca-Cola Amatil · Fulton Hogan · Ascom (Switzerland)

Education

Master of Information Technology · CybersecurityMerit Whitecliffe Technology & Innovation · 2025
Advanced Diploma · Data and Systems Analysis University of Oxford · 2013

Certifications

Scrum Fundamentals Certified (SFC) SCRUMstudy · 2017 · Credential ID 562380

Professional development — courses completed, certificates of completion, not certification exams

AWS DevOps Engineer Professional (exam preparation course) · Offensive Security (OSCP curriculum) · Certified Ethical Hacker (CEH) · Certified Cybersecurity Technician (CCT)

Mentoring

I develop people the way I run engagements: hands-on craft through to board level judgment. Boardroom to keyboard applies here too. The measure isn't how many I've trained, it's how many now lead.

Contact

Let's talk about your security and governance.

Tell me about your company and where you need support. Send a note and I will come back to you to set up a call.