Case study 01 FRACTIONAL CISO

Building an IT, security & compliance function from a near-blank state

A US-based SaaS scale-up with a related technology fulfilment business needed senior leadership to take ownership of a sprawling, informal IT footprint, and to deliver SOC 2 Type 1 in six months to unlock its first enterprise customer.

Headline outcome: SOC 2 Type 1 in six months. Enterprise customer unlocked.

Situation

The client operated two related entities (a SaaS platform and a technology fulfilment business) sharing a single Google Workspace and a small two-person internal IT function. There was no compliance programme, no SIEM, no centralised identity model and no cloud-cost visibility. AI tooling had spread across the company without a policy framework. A first enterprise customer had begun asking for SOC 2 evidence, and the existing team could not credibly deliver the programme alongside daily operations.

Intervention

Stood up the entire IT, security and compliance function as a fractional VP of Operations and CISO equivalent. Designed and executed a two-tenant Microsoft 365 split, with dynamic security groups and distribution lists driven by Entra ID company-attribute filtering. Established a Drata-managed SOC 2 programme targeting Type 1 in six months, drawing on prior delivery experience at an earlier engagement that had successfully run the same compressed timeline. Deployed and tuned the SIEM and the log-source ingestion plan. Architected GCP cost visibility through BigQuery export across Standard, Detailed and Pricing export types. Selected and rolled out Bitwarden Enterprise with SAML SSO and SCIM provisioning. Authored the AI tooling policy excluding sensitive workflows from AI processing and codifying acceptable use across Claude Teams, Grok Enterprise and Gemini. Designed the internal pipeline visibility console giving the team unified GitHub and GCP delivery oversight with AI-augmented diagnostics.

Result

SOC 2 Type 1 audit-ready environment delivered within the six-month target, unlocking the enterprise customer. A fully operating IT and compliance function across both entities. Centralised identity, monitored security operations, controlled cloud spend and a formal AI tooling policy. Documented runbooks, defined escalation paths and a board-ready reporting cadence. Path established to SOC 2 Type 2 at twelve months and ISO 27001 at eighteen to twenty-four months.

Book a 30-minute conversation.

The first call is informal. Describe what's going on, hear how I'd approach it, decide together whether there's a fit. No slide deck, no sales pitch.

Or email keith@biggin-insights.com