Fractional CISO
* 2–3 days per week
* 1 day a week in London (City)
* Initial 3-month engagement (likely extension)
Partnered with an AI-driven digital health startup that’s redefining care across the UK and US.
As they scale commercially and prepare for continued US growth, they’re looking for a hands-on Fractional CISO to work directly alongside the CTO and take ownership of their security, governance and compliance maturity.
This is not a “strategy-only” advisory role. They need someone who can operate at Board level whilst also getting deep into controls, engineering processes, access management and audit readiness.
What you’ll be doing
* The immediate priority is leading the SOC 2 programme end-to-end, driving Type I readiness and laying the operational foundations for Type II.
* Crucially, the environment needs to be architected against NIST SP 800-53 from day one, so the controls implemented now can later support frameworks such as FedRAMP, TX-RAMP and broader US public-sector healthcare procurement without rework.
You’ll:
* Own the SOC 2 programme from scoping through audit delivery
* Define the system boundary, Trust Services Criteria and evidence strategy
* Lead Vanta implementation, continuous monitoring and audit preparation
* Select and manage the external auditor relationship
* Build a reusable control framework mapped across SOC 2, NIST 800-53, HIPAA, GDPR and ISO 13485
* Mature engineering governance around secure SDLC, CI/CD, IaC, change management and release controls
* Strengthen identity and access management across cloud infrastructure, SaaS tooling and production environments
* Implement least-privilege access controls, PAM processes and auditable JML workflows
* Improve Microsoft 365 / Entra ID security posture including Conditional Access, DLP and endpoint compliance
* Drive incident response, logging, monitoring, backup and disaster recovery maturity
* Lead third-party risk management and security reviews
* Support enterprise customer security reviews and questionnaires with US healthcare partners
What they’re looking for
* Proven experience leading multiple SOC 2 Type I & II programmes end-to-end
* Strong working knowledge of NIST SP 800-53 control families and cross-framework mapping
* Experience within healthtech, medtech, fintech or another regulated SaaS environment
* Hands-on understanding of cloud security, IAM, secure engineering practices and operational resilience
* Experience working with AICPA auditors and compliance automation tooling
* Ability to balance pragmatism with strong security standards in a fast-moving scale-up
* Comfortable operating across engineering teams, senior leadership, enterprise customers and investors
* CISSP, CISM or equivalent preferred
Please apply and we will contact you to discuss the role further, including your charge rate.