Max AlhouraniFractional CISO EU + UK · Available Book a call
Available for fractional & advisory engagements

Max
Alhourani

Fractional Chief Information Security Officer

A CISO's judgment, without the headcount.

Fractional and interim CISO for funded AI and SaaS companies in regulated EU and UK markets. I unblock enterprise deals, build defensible EU AI Act and ISO positions, and cover security leadership gaps — boardroom to keyboard, without a full-time hire.

AI Governance · Data Protection · EU & UK Regulatory Readiness

Master of Information Technology · Cybersecurity · Merit

Based in New Zealand · working across UK and European time zones.

Book a 15-minute call Email me

Profile

I am Max, a CISO with 18+ years building and leading security programs. I now work as a fractional CISO, giving AI, SaaS and data driven companies senior security and governance leadership without a full time hire. My focus is regulated markets across the EU and UK, from EU AI Act and GDPR readiness to ISO 27001 and ISO 42001 programs, with real engineering never far from hand.

How I help

Three ways to start, each scoped and priced up front.

EU AI Act Exposure Review

What's actually in scope for your AI, what bites in the next 6 months after the Omnibus, and a position your board will accept.

From €8,000 · ~2 weeks

SOC 2 / ISO 27001 Readiness Review

Know exactly what stands between you and a signable enterprise deal. Gap assessment, prioritised roadmap, questionnaire-ready evidence.

From €7,500 · ~2–3 weeks

Fractional / Interim CISO

Senior security leadership on a retainer — board-facing and hands-on. Starts with a 30-day posture and board-readiness assessment (€6,500, creditable against your first two months).

From €6,000/month

18+ years in security leadership · Master of IT, Cybersecurity · EU AI Act · ISO 27001 · SOC 2 · GDPR · NIST CSF

Before we talk

A 15-minute call is most useful if I come with a view. Helpful to know going in:

  • What's prompting this now, and any deadline — a blocked enterprise deal, an upcoming audit or raise, a board ask, a departed security lead, or an EU AI Act question.
  • Your stage and rough headcount.
  • Who owns security today, if anyone.
  • Which framework or regulation is in play: SOC 2, ISO 27001, EU AI Act, GDPR.

Prefer to brief me first? Email me these →

Who I work with

I work best with AI, SaaS and data driven companies in regulated markets across the EU and UK that need ISO 27001, SOC 2, or EU AI Act and GDPR readiness, but cannot yet justify a full time CISO. Usually founders and execs at startups and scale ups who need senior security judgement now, not another permanent hire.

Proof

Representative outcomes from security programs I have led

42%
fewer false positives, so the team spends its time on real threats
28%
faster incident response through automated triage
20%+
shorter SOC 2 and ISO 27001 audit cycles by automating evidence

Expertise

AI Governance & EU AI Act

Risk classification, controls for high risk systems, human oversight, ISO 42001.

Data Protection & Privacy

GDPR · DPIAs · cross border transfers (SCCs) · automated decision safeguards.

Security Strategy & Leadership

Building the security program, roadmap, budget ownership, board & executive reporting.

Risk, Compliance & Frameworks

ISO 27001 · SOC 2 · NIST CSF · third party & vendor risk.

Incident Response & Resilience

IR leadership, post incident review, BCP/DR, tabletop exercises.

Security Automation & Engineering

Python · Bash · Terraform · SIEM/SOAR · cloud (AWS · Azure · Cloudflare).

Experience

Military Experience
  • Led incident response in high pressure, mission critical operational environments.
  • Established and streamlined ITIL based processes, raising operational efficiency and compliance.
Enterprise Experience
  • Built and led security operations and automation programs, setting detection strategy that cut false positives 42% and improved response time 28%.
  • Embedded security into CI/CD and cloud infrastructure (DevSecOps) with Ansible and Terraform, hardening environments by design.
  • Owned SOC 2 and ISO 27001 audit readiness, automating evidence collection and shortening audit cycles 20%+.
  • Established post incident review and governance, reducing repeat incidents ~30% across critical infrastructure.
  • Directed vulnerability management and red team assessments, prioritising remediation by business risk.
  • Advised executives and stakeholders across energy, transport and public sector on security strategy and compliance.
  • Published open source security tooling and led cybersecurity awareness and training programmes.

Education

Master of Information Technology · CybersecurityMerit Whitecliffe Technology & Innovation

Mentoring

Developing security talent and the next generation of practitioners, from the fundamentals through hands on offensive security.

100+
person cohort organised together with a mentee through Cisco Networking Academy · Introduction to Cybersecurity. Currently guiding mentees through the AI Red Teamer path.

Research

IEEE 2026 · Under review

Ongoing research in secure infrastructure and security automation, currently under peer review.

Contact

Let's talk about your security and governance.

Tell me about your company and where you need support. Send a note and I will come back to you to set up a call.