CISO Advisory

Cybersecurity leadership built to hold up under scrutiny.

Growing regulation is making boards directly accountable for cybersecurity decisions. Regulators, customers and auditors increasingly demand evidence of governance. Every engagement is designed to produce the leadership, reporting and assurance that holds up when they look closely.

Advisory engagements

Four entry points to the same outcome.

Each engagement addresses a different source of scrutiny, but all of them are about building governance and evidence that holds up.

Fractional CISO Leadership

For organisations that need senior cybersecurity leadership without appointing a permanent CISO.

Discuss fractional CISO support
  • Cyber risk governance and oversight
  • Security roadmap ownership
  • Board and executive reporting
  • Control prioritisation and assurance

Executive Cyber Risk Reporting

For leadership teams that need cyber risk explained in business terms.

Discuss cyber risk reporting
  • Board-ready cyber risk reporting
  • Risk appetite and decision support
  • Scenario-based impact analysis
  • Security investment prioritisation

Cloud Security Assurance

For organisations that need independent assurance over cloud security and critical workload decisions.

Discuss cloud assurance
  • Cloud governance review
  • Architecture risk assessment
  • Zero Trust and segmentation assurance
  • Control ownership and evidence model

Enterprise Security Review Support

For companies that need to satisfy customer security, procurement or audit reviews without slowing commercial activity.

Discuss security review support
  • Customer security questionnaire support
  • Evidence pack structure
  • Security review call preparation
  • Remediation roadmap

Specialist engagements

Event-triggered advisory.

Some situations require immediate senior security judgement rather than an ongoing advisory relationship. These engagements are scoped to a specific event or decision.

Incident Response Advisory

For organisations that are dealing with a live security incident and need senior security leadership to manage the response.

  • CISO-level incident management and decision support
  • Board and executive communication
  • Regulatory notification support, including NIS2 and GDPR
  • Stabilisation, recovery and lessons-learned oversight
Discuss incident response support

M&A Security Due Diligence

For acquirers that need to understand the security posture and inherited risk of a target before or after close.

  • Target security posture assessment
  • Material risk and liability identification
  • Remediation cost and effort estimation
  • Post-close integration security planning
Discuss M&A security review

FAQ

Questions clients typically ask.

A consultant typically delivers a defined piece of work: a report, an assessment, a set of recommendations. A fractional CISO takes on an ongoing leadership role, owning the security agenda, advising the board and executives, making decisions alongside the business, and being accountable for outcomes rather than just outputs.

The distinction matters when what you need is not another report but someone who will sit alongside your leadership team, challenge decisions in real time, and be reachable when something unexpected happens.

Usually yes. An IT manager keeps the lights on and manages technical operations. A fractional CISO operates at a different level: translating risk into business decisions, reporting to the board, engaging with customers on security, and providing the senior judgement that an IT manager is not positioned to give.

The two roles complement rather than compete. In most engagements the existing team continues to handle technical operations while I provide the senior layer above.

Typically mid-market organisations that have outgrown their current security approach but are not yet at the scale where a full-time CISO makes commercial sense. The common trigger is one of three things: a board that has started asking questions about cyber risk, a significant customer or regulator applying pressure, or a cloud migration or acquisition that has brought security to the surface.

Larger organisations with an established CISO also engage for specific situations: additional capacity during a major programme, independent challenge of the internal security position, specialist input on a topic outside the existing team's experience, or interim senior cover when the CISO role is between incumbents.

Industry matters less than maturity and intent. I work across sectors including professional services, technology, manufacturing and financial services.

It depends on what you need. Fractional CISO and ongoing advisory relationships are usually structured as a monthly retainer covering a defined number of days. Project work such as cloud assurance, compliance programmes, or M&A due diligence is scoped and priced as a fixed engagement.

The starting point is always a conversation about your situation. From there I can propose a structure that fits the work rather than a standard package.

Most engagements start at two to four days a month. That covers regular touchpoints with the leadership team, board reporting, and being available when decisions need senior input. Some organisations need more during periods of change or when a specific programme is running.

The right level is established at the start of the engagement and can be adjusted as things evolve.

Each engagement is structured with a defined monthly allocation, and I work with a limited number of clients at any one time to protect that commitment. The advisory is delivered through Epitechnic Ltd, a cybersecurity and technology consulting practice with a network of associates across security, legal and technical disciplines. Where an engagement requires additional specialist depth or capacity, I draw on that network rather than stretching beyond what can be reliably delivered.

For time-critical situations such as active incidents, I treat those as a priority and can typically be available the same day. Retainer clients have a defined point of contact and agreed response expectations built into the engagement from the start.

Quickly. Enterprise security reviews often arrive with tight commercial deadlines and I am set up to engage at short notice. In most cases I can begin reviewing questionnaires and evidence within a few days of an initial conversation.

If a review is already in progress, the first step is understanding what has been submitted, what gaps remain, and where the greatest risk to the commercial outcome sits.

Same-day in most cases. Incident response is time-critical and I treat it accordingly. If you contact me during an active incident I will prioritise getting on a call quickly to understand the situation and agree immediate next steps.

Availability cannot be guaranteed without a prior retainer arrangement, but I do not run a long intake process when an organisation is under active threat.

Ideally before heads of terms, once you have enough information to assess the target's technology and security posture. Engaging early means material risks can influence pricing, warranties, or conditions rather than becoming surprises post-close.

If you are already past that point, due diligence immediately after close is still valuable. Understanding what you have inherited is essential for integration planning and for managing any liabilities that come with the acquisition.

20-minute advisory call

Need senior cybersecurity leadership without a permanent CISO?