Services
Three engagement shapes. One operator. Choose the shape that fits the work.
Most senior consultancies sell a long menu and let the buyer figure out which item applies. The work doesn't actually divide that way. Engagements take three shapes. Which one is right depends on the kind of accountability the work needs, not the topic of the work itself.
The three shapes are Lead, Build and Guide. Each one is hands-on. Each one runs on the same operator credibility. The difference is how the work is owned.
Door I · Lead
Embedded senior leadership.
When the function needs senior accountability and a permanent exec hire isn't yet right.
A Lead engagement is a multi-month, multi-day-per-week relationship in which I take ownership of a function. CISO, IT Director, Head of Technology, Head of Delivery. The title varies, the role doesn't. Board-ready reporting, audit-ready documentation, platform administration, vendor selection, escalation cover, and the operational accountability that comes with all of it.
This is what most people mean by fractional leadership. The work is embedded, not advisory. The engagement is measured against the same outcomes a permanent hire would carry (closed audits, shipped platforms, retained customers, controlled cost) at a scale and cost that fits an organisation that isn't yet ready for the permanent role. See a Lead engagement in practice.
What's typical
- Committed hours per week, multi-month engagement
- Defined function ownership with named outcomes
- Board, client, customer and audit-facing reporting
- Direct platform administration where needed (not delegated to MSPs)
- Escalation cover for the in-house team
Named offer under Lead · Retainer · Ongoing
Fractional CISO & IT Director Retainer
End-to-end ownership of the IT, security, identity and compliance function. Designed for organisations between Series A and a hundred-plus staff where the work has outgrown an MSP and a part-time consultant, but where a permanent CISO or IT Director hire isn't yet the right next step.
Scope
Microsoft 365 administration. GCP and cloud operations. Identity and access management. SIEM (vendor-agnostic). Compliance programme management. Vendor selection. Escalation cover.
What you get each month
- Board-ready risk and compliance reporting
- Maintained risk register
- Audit-ready evidence collection on a continuous basis
- Platform administration across the agreed stack
- On-call escalation cover for security incidents
- Quarterly business reviews with leadership
Pricing
Pricing on application. Each engagement is scoped on the discovery call against your specific situation, environment and timeline. Indicative figures available during that conversation.
Door II · Build
Custom delivery.
When the answer is to build, not to buy.
A Build engagement is a fixed-scope, defined-outcome project in which something gets shipped. Sometimes that's a compliance environment. Sometimes that's a cloud foundation. Sometimes that's a bespoke platform for a problem that doesn't fit any off-the-shelf product. What the engagements share is the shape: discovery, architecture, delivery, handover, owned by a senior operator and AI-augmented throughout.
The build-vs-buy decision matters here. Sometimes the right answer is buy that SaaS product instead. You'll hear that during discovery if it's true. The Build engagement is structured around problems where bespoke is the right shape, not problems where buyers want bespoke for the wrong reasons. See a regulated platform delivered end-to-end and an internal platform built instead of bought.
What's typical
- Discovery sprint to define scope and architecture
- Fixed-scope or fixed-time delivery against committed outcomes
- AI-augmented delivery: Claude for code, Gemini for infrastructure analysis
- Handover that an in-house team or another operator can pick up
Named offer under Build · Fixed scope · 6 months
Compliance Sprint
A fixed-scope, fixed-fee path to a SOC 2 Type 1 audit-ready environment, run on Drata, with the technical work to make the controls real handled in the same engagement.
Scope
Gap analysis. Policy authoring. Control implementation across identity, M365, GCP, endpoints and logging. Evidence library set-up and population. Vendor management. Auditor liaison and handoff.
Deliverables
- Audit-ready environment at month six
- Complete policy and control documentation
- Evidence library populated and maintained
- Auditor handoff package
- Readiness scorecard at agreed milestones (months 1, 3, 5)
Optional continuation
Type 2 audit support (six- to twelve-month observation window) and onward ISO 27001 path can be added at the end of the Sprint. Most clients take at least the Type 2 add-on.
Pricing
Pricing on application. Scoped on the discovery call against your specific situation, environment and timeline.
Named offer under Build · Project · 4–8 weeks
GCP Operations Foundation
A four- to eight-week project to stand up a credible GCP operations baseline. The foundation that compliance work, engineering productivity and cloud cost control all depend on.
Scope
Org policy enforcement. IAM tiering and role design. Billing visibility through BigQuery export across Standard, Detailed and Pricing exports. SDLC (Software Development Lifecycle) patterns using CI/CD via Cloud Build or GitHub Actions with IAM-gated access controls. Cloud automation through Terraform, OpenTofu or Pulumi.
Deliverables
- Production-grade cloud-automation repository
- Documented IAM model with named roles and grants
- Billing dashboards with cost-per-service visibility
- CI/CD pipelines for the agreed services
- Operational runbooks
- Handover session for the engineering team
Optional add-on
SIEM deployment (vendor selected against the team's stack and budget), log-source ingestion plan and dashboards. Adds approximately two weeks to the engagement.
Pricing
Pricing on application. Scoped on the discovery call against your specific situation, environment and timeline.
Named offer under Build · Discovery-led
Custom Platform Build
Bespoke systems for organisations that have decided buying isn't the answer. AI-augmented internal platforms, compliance-grade environments, custom workflow systems, client-facing platforms with business-specific logic, replacements for expensive tooling that no longer earns its keep.
Two stages
Discovery Sprint. One to two weeks, fixed price. Deep work with the people who'll use the system and the people who run the business around it. Output: a clear product requirements document, a proposed architecture, a phased delivery plan with named milestones, and a build-or-guide recommendation. If the right answer is "don't build this, buy that instead", you'll hear it. The Discovery Sprint pays for itself either way.
Delivery. Either fixed-scope (committed deliverables, committed timeline) or fixed-time (committed days, evolving scope), chosen during discovery and committed to in writing before delivery begins.
Two delivery modes
- I build and deliver. The work is mine end-to-end. Suited to organisations without an in-house technical team, or where the team is already at capacity.
- I architect, your team builds. The work happens with your engineers, with me embedded as senior architect, reviewer and unblocker. Suited to organisations with engineering capability that needs senior direction, not replacement.
- Hybrid delivery. I build the foundations, your team takes over operation. Named in the discovery output if it fits.
Who this isn't for
MSP-shaped engagements. Mobile-app-first projects. Generic SaaS replication. Organisations without leadership commitment to the build. Custom platforms succeed when leadership owns them and fail when leadership delegates them.
Pricing
Pricing on application. Discovery is fixed price; delivery shape and pricing are agreed at the end of discovery before any further commitment.
Door III · Guide
Advisory and enablement.
When your team will do the work and needs a senior operator alongside them.
A Guide engagement is the work that builds an organisation's own capability rather than its dependence on an outside consultant. AI opportunity assessments, technology strategy, architecture review, capability building for in-house teams. The deliverable isn't a deck and an exit. It's a team that can keep delivering after the engagement ends.
The senior-operator credibility matters here particularly. Advisory engagements fail when the advisor doesn't have the operational depth to know what's actually buildable, what's hard, and what the team is going to hit when they try. A Guide engagement runs on the same operator who runs the Build and Lead work. The advice is informed by current delivery, not by historical recollection. See a Guide engagement in practice.
What's typical
- Fixed-scope, fixed-price engagements with defined deliverables
- Working sessions with the people who'll do the work, not just the people who describe it
- A working artefact at the end: a prototype, a roadmap, a documented architecture. Not just a strategy document
- Optional follow-on into Build or Lead if the engagement surfaces work that needs delivery
Named offer under Guide · Fixed scope · 6 weeks
AI Opportunity Assessment
Find out where AI actually belongs in your business, and prove one of the answers works. Six weeks producing a discovery document, a prioritised opportunity matrix with build-vs-buy recommendations, and a working prototype of the highest-priority quick win. Focused on productivity, not headcount reduction.
What you get
- A discovery document. A clear written review of the systems and processes covered during discovery, written for both the leadership team and the people who'll do the work.
- An opportunity matrix. A prioritised view of where AI can be applied across the business, scored on impact, feasibility and time-to-value. Each opportunity carries a build-vs-buy recommendation.
- A working prototype of the highest-priority quick win. Not slideware. Working software. Built far enough to be convincing, deliberately not built far enough to be production-grade. The aim is to prove the opportunity is real before you commit to building it properly.
How it runs
Six weeks, fixed scope, fixed price. Discovery in the first three weeks (working sessions with the people who actually do the work). Opportunity matrix and prototype build across weeks four to six. Final readout to leadership in week six. Run by me personally.
Who this isn't for
Organisations looking for AI as a cost-reduction or headcount-reduction lever. Organisations whose data, processes or systems aren't yet documented enough to assess. Organisations expecting a magic-wand strategy with no willingness to deliver against it.
Pricing
Pricing on application. Scoped on the discovery call against your specific situation and the systems in scope.
How to choose
The shape of the accountability tells you the shape of the engagement.
The decision isn't really about the topic. Security, cloud, AI, compliance and custom platforms can all show up in any of the three shapes. The decision is about how the work needs to be owned.
Choose Lead if
The work is ongoing, the function needs a senior accountable owner, and the organisation isn't yet ready for a permanent executive hire.
Choose Build if
There's a defined thing that needs to ship: a platform, an environment, a foundation, with a clear outcome and a finite timeline.
Choose Guide if
The in-house team will do the work, and what's needed is a senior operator alongside them to shape the approach, build their capability, or de-risk the delivery.
If the right answer turns out to be all three over time (which it sometimes is), the engagements compose cleanly. A Build engagement that succeeds often graduates into a Lead retainer for the function it lives in. A Guide engagement that surfaces a buildable opportunity often steps directly into a Build engagement to deliver it. The model is designed to flex.
If you're not sure which shape fits, the first conversation is for working that out together.
Frequently asked
Common questions about the work.
What people usually ask before the first conversation. If the question you're holding isn't here, the discovery call is the place to put it.
- What's the difference between a fractional CISO and a vCISO?
  In practice they describe the same role. "Fractional" tends to signal a senior operator who is embedded in a specific function on a committed time basis; "vCISO" tends to signal a packaged service from a managed-security provider. The work I do is the former: a senior leader inside the organisation, accountable to the board, not a remote advisory layer.
- How long does SOC 2 Type 1 take to achieve?
  For a mid-market SaaS with no prior compliance work, six months to a clean Type 1 audit is realistic. The Compliance Sprint engagement is structured around that timeline using Drata for the evidence platform, with policies, controls and auditor liaison handled end-to-end.
- What does a fractional technology leader actually do?
  They own a function (security, IT, technology, delivery) on a committed-hours basis, with board-level accountability. The work covers strategy and reporting, but also hands-on operating decisions: vendor selection, platform administration, audit response, hiring, and escalation cover. It is not advisory.
- How is an AI Opportunity Assessment different from a strategy deck?
  The output is a working prototype alongside the document. The six-week engagement produces a discovery report, an opportunity matrix, and one functional AI-augmented prototype of the highest-priority use case. The point is to leave the organisation with evidence, not a slide that lands on the shelf.
- Do you work outside the UK?
  Yes. Engagements run across the UK, EU and US. Most work is remote-first with travel as needed; the sector and time-zone shape the cadence more than the postcode.
- What sectors do you work in?
  Sector-agnostic. The shape of the problem matters more than the industry. Existing engagements have covered SaaS, healthcare technology, cybersecurity vendors and regulated technology platforms.
Book a 30-minute conversation.
The first call is informal. Describe what's going on, hear how I'd approach it, decide together whether there's a fit. No slide deck, no sales pitch.
or email keith@biggin-insights.com