Fractional CISO
- 2–3 days per week
- 1 day a week in London (City)
- Initial 3-month engagement (likely extension)
Partnered with an AI-driven digital health startup that’s redefining care across the UK and US.
As they scale commercially and prepare for continued US growth, they’re looking for a hands-on Fractional CISO to work directly alongside the CTO and take ownership of their security, governance and compliance maturity.
This is not a “strategy-only” advisory role. They need someone who can operate at Board level whilst also getting deep into controls, engineering processes, access management and audit readiness.
What you’ll be doing
- The immediate priority is leading the SOC 2 programme end-to-end, driving Type I readiness and laying the operational foundations for Type II.
- Crucially, the environment needs to be architected against NIST SP 800-53 from day one, so the controls implemented now can later support frameworks such as FedRAMP, TX-RAMP and broader US public-sector healthcare procurement without rework
You’ll:
- Own the SOC 2 programme from scoping through audit delivery
- Define the system boundary, Trust Services Criteria and evidence strategy
- Lead Vanta implementation, continuous monitoring and audit preparation
- Select and manage the external auditor relationship
- Build a reusable control framework mapped across SOC 2, NIST 800-53, HIPAA, GDPR and ISO 13485
- Mature engineering governance around secure SDLC, CI/CD, IaC, change management and release controls
- Strengthen identity and access management across cloud infrastructure, SaaS tooling and production environments
- Implement least-privilege access controls, PAM processes and auditable JML workflows
- Improve Microsoft 365 / Entra ID security posture including Conditional Access, DLP and endpoint compliance
- Drive incident response, logging, monitoring, backup and disaster recovery maturity
- Lead third-party risk management and security reviews
- Support enterprise customer security reviews and questionnaires with US healthcare partners
What they’re looking for
- Proven experience leading multiple SOC 2 Type I & II programmes end-to-end
- Strong working knowledge of NIST SP 800-53 control families and cross-framework mapping
- Experience within healthtech, medtech, fintech or another regulated SaaS environment
- Hands-on understanding of cloud security, IAM, secure engineering practices and operational resilience
- Experience working with AICPA auditors and compliance automation tooling
- Ability to balance pragmatism with strong security standards in a fast-moving scale-up
- Comfortable operating across engineering teams, senior leadership, enterprise customers and investors
- CISSP, CISM or equivalent preferred
Please apply and we will contact you to discuss further and your charge rate