I spent 20 years at Killik & Co, an FCA-regulated wealth management firm operating across 11 UK locations. I joined as a support analyst and spent the next 12 years in senior leadership, including as IT Director with board accountability for technology strategy, cybersecurity, and operational resilience.
That progression matters more than the title. I've worked at infrastructure level, overseen a managed SOC, negotiated major supplier contracts, and sat in the boardroom explaining technology and cyber risk under regulatory scrutiny. This isn't general technology consulting. It's the specific experience of running IT inside a regulated firm, under scrutiny, where getting it wrong has consequences.
Across those roles, I led an SD-WAN and infrastructure overhaul that reduced critical downtime by 70 percent, deployed MFA and a managed SOC that reduced phishing incidents by 50 percent, and co-authored the firm's first AI acceptable use policy and governance framework. I managed an AED 20 million budget and built a stable technical team with average tenure above 15 years.
I relocated permanently to Dubai in 2026 and hold an IFZA consultancy licence. I work directly with a small number of clients at any one time. The FCA and DFSA frameworks are different, but both require firms to evidence control, articulate risk clearly, and recover from disruption without material impact.
There are no GCC client case studies on this site yet. What's here instead is a documented record of what I delivered at Killik & Co, under FCA scrutiny.
Service mapping, impact tolerances, RTO/RPO definitions, and tested incident playbooks, completing the FCA board-overseen audit workplan on schedule while critical system downtime fell 70% and uptime held above 99.9%.
Company-wide awareness training, MFA rollout, and a 24/7 managed SOC, treated as a structured programme rather than disconnected projects - cutting phishing incidents by 50% and improving incident response times by 40%, against a clean regulated audit record spanning 10+ years.
A default-ban governance framework moved the firm from uncontrolled AI use to board-approved adoption: nine tools formally whitelisted, seven blocked, and close to 7,000 unauthorised access attempts blocked monthly via DNS enforcement across 380 staff.
Consolidated an unmanaged estate of 30 vendors into a governed, board-visible model - reducing active vendor count by 50% and producing zero audit findings on third-party management, against an AED 20 million outsourced services base.
You get board-level accountability without the full-time salary, package, and visa sponsorship for a role you may only need one to three days a week. Engagements are typically retained monthly, scoped to actual workload, and scale with the firm's risk profile.
It goes to the board or relevant committee directly, in writing, with a remediation plan attached. No sitting on findings, no softening them for internal politics. If it's material enough to affect your regulatory position, you need to know immediately, not at the next quarterly review.
Tools like Microsoft Purview or a low-cost DLP product are not the problem; an unconfigured one is. A tool with no risk taxonomy, no ownership, and no tie to your regulatory obligations does not reduce exposure. It creates a false sense of control that surfaces as a gap at audit, not before it. The tool is rarely the expensive part of getting this right. The design, governance, and operating discipline around it are, and that is where cheap implementations fail.
It doesn't have to. A Technology Risk Review is a standalone, fixed-fee diagnostic that gives your board a documented view of where you stand. Some firms act on the findings internally. Others ask me to stay on to implement the remediation plan. Both are legitimate outcomes; there is no push toward a retainer built into the review itself.
A 30-minute call establishes fit and the right starting point. Firms that need a documented baseline first typically start with a Technology Risk Review, a board-ready report in two to three weeks. Firms with a clear immediate priority agree scope and start there directly.
Depends on what's being solved. A Technology Risk Review produces a board-ready report in two to three weeks. Retained engagements are scoped to the specific risk or programme; timelines are set at the start, not promised in the abstract.
Everything discussed is treated as confidential within the engagement. No findings, client names, or operating specifics are referenced externally, in content, or in conversations with other clients.
Because there have not yet been GCC client engagements to write them from. Rather than manufacture regional credibility, I have published case studies from my work at Killik & Co, covering cybersecurity, operational resilience, AI governance, and supplier governance under FCA scrutiny. GCC client case studies will follow GCC client work, not precede it.
The next step is a 30-minute discovery call.