
Mahad A.

Fractional / Virtual CISO (vCISO)

€1,042/day
London, GB
15+ years

Average response time: 1 hour

About Mahad

Experienced cybersecurity and management systems leader with over 12 years of experience helping organisations design, implement, and maintain integrated ISO programmes in information security, quality, environmental management, business continuity, AI, and occupational health and safety. I have supported organisations of all sizes, from SMEs to FTSE 100 companies and Critical National Infrastructure, throughout their certification journeys. My work has been recognised by the Cabinet Office and the UK National Cyber Security Centre for achieving an industry-first maturity outcome in publicly visible and verifiable security measures.

How I help

I provide CISO-level guidance, cyber resilience assessments, and certification readiness for ISO 27001, 42001, 9001, 14001, 45001, and 22301, as well as NCSC CAF, NIST CSF, and GovAssure. I take the complexity out of standards and regulation, turning them into clear, practical programmes that support your team, satisfy auditors and regulators, and give your board the confidence it needs. As a fractional CISO, 95% of clients who started with a cyber resilience assessment chose to continue working with me afterwards.

Typical engagements

— Fractional and virtual CISO support
— Cyber resilience assessments (NCSC CAF, NIST CSF, ISO 27001/42001)
— ISO certification readiness and implementation
— Integrated management system design
— GDPR privacy programmes and GRC frameworks (PCI DSS, Cyber Essentials Plus)
— Zero Trust architecture advice
— Security Operations Centre design and build
— Vulnerability management and continuous improvement
— Supply chain and third-party risk
— Board reporting and cyber-business alignment

I enjoy working with founders, CISOs, CTOs, COOs, and compliance leads who want a trusted, senior partner who is easy to work with and gets things done.
  • English

    Native or bilingual

Can work on-site
London (up to 50km)

Experience

  • Saepio Information Security
    Fractional / Virtual CISO (vCISO)
    DIGITAL AND IT
    February 2024 - February 2026 (2 years)
    London, United Kingdom
    I am a cybersecurity and management systems leader with more than 12 years of experience helping organisations design, implement, and maintain integrated ISO programmes. My work covers information security, quality, environmental management, business continuity, AI, and occupational health and safety. I have supported organisations of all sizes, from small businesses to FTSE 100 companies and Critical National Infrastructure, throughout their certification journeys. The Cabinet Office and the UK National Cyber Security Centre have recognised my work for achieving an industry-first maturity outcome in publicly visible and verifiable security measures.

    How I help

    I offer CISO-level guidance, cyber resilience assessments, and help organisations get ready for certifications like ISO 27001, 42001, 9001, 14001, 45001, and 22301, as well as NCSC CAF, NIST CSF, and GovAssure. I make standards and regulations easier to understand by turning them into clear, practical programmes that support your team, satisfy auditors and regulators, and give your board confidence. As a fractional CISO, 95% of clients who started with a cyber resilience assessment chose to keep working with me.

    What sets me apart

    I combine strategic thinking with hands-on technical experience, supported by certifications like CISSP, CISM, C|CISO, CRISC, CDPSE, AWS Solutions Architect Associate, and Chartered Member of IOSH.

    Typical engagements

    — Fractional and virtual CISO support
    — Cyber resilience assessments (NCSC CAF, NIST CSF, ISO 27001/42001)
    — ISO certification readiness and implementation
    — Integrated management system design
    — GDPR privacy programmes and GRC frameworks (PCI DSS, Cyber Essentials Plus)
    — Zero Trust architecture advice
    — Supply chain and third-party risk
    — Board reporting and cyber-business alignment

    I enjoy working with founders, CISOs, CTOs, COOs, and compliance leads who want a trusted, senior partner who is easy to work with and gets things done.
    Fractional CISO, ISO 27001, NIST CSF, ISO Certification, ISO 9001, ISO 14001, ISO 22301
  • Affinity Water · Critical National Infrastructure
    Head of Information Risk & Security / CISO
    July 2020 - January 2024 (3 years and 6 months)
    Full CISO accountability for a Category 1 UK CNI water utility under NIS Regulations and NCSC CAF. Mahad's leadership delivered industry-first initiatives, including enterprise email security and attack simulation platforms, extended detection and response capability, and an enhanced continuous vulnerability management solution, significantly improving security maturity levels verified by independent assessment. Collaborated with executive management on all security matters, overseeing governance and supporting incident management during crises.
    ▸ Spearheaded the 3–5 year security strategy and technology roadmap; strengthened organisational cyber security maturity through a unified compliance framework spanning NCSC CAF and ISO 27001
    ▸ Informed the board and EMT directly on all security matters and technology risk management; improved cyber maturity verified by an independent regulatory assessment
    ▸ Executed the first-ever XDR deployment and early-adoption AI/ML security solution, applying MITRE ATT&CK and threat profiling to significantly reduce phishing exposure
    ▸ Oversaw the SOC build from zero, team structure, identity governance, tooling, runbooks, playbooks, and SIEM use cases; resolved major incidents as Incident Commander
    ▸ Spearheaded the first enhanced vulnerability management programme using CIS and controls; transformed the regulator relationship with the Drinking Water Inspectorate into a trusted, collaborative dialogue
    ▸ Promoted people development and performance management across the security function; facilitated cross-functional collaboration to embed security culture organisation-wide
  • Computacenter
    Customer Information Security Manager · Computacenter
    DIGITAL AND IT
    November 2016 - July 2020 (3 years and 8 months)
    Cybersecurity advisory and assurance for FTSE 100 clients, including a major financial services organisation, in complex hosted and managed IT environments.
    ▸ Oversaw contractual security compliance and identity & access management across hosted and managed IT infrastructure, serving as the central point of accountability for all security obligations
    ▸ Conducted continuous vulnerability management, analysing risk exposure using NIST RMF principles, directing remediation, and reporting findings to senior stakeholders
    ▸ Facilitated incident response activities (triage, RCA, escalation); examined and optimised technical controls across firewalls, DLP, proxies, and endpoint protection
    ▸ Collaborated with client stakeholders and internal teams to recommend security improvements, resolving conflicts and strengthening customer relationship management

Education

  • Certified Information Systems Security Professional (CISSP); Certified Chief Information Security Officer (C|CISO); Certified Information Security Manager (CISM); Certified in Risk and Information Systems Control (CRISC); Certified Data Privacy Solutions Engineer (CDPSE); AWS Solutions Architect Associate; CMIOSH (Chartered Health & Safety
  • BSc Environmental Health
    Middlesex University
    2011
    BSc
