About

Senior technology leadership built inside an FCA-regulated wealth manager, now based in Dubai.

I spent 20 years at Killik & Co, an FCA-regulated wealth management firm operating across 11 UK locations. I joined as a support analyst and spent the next 12 years in senior leadership, including as IT Director with board accountability for technology strategy, cybersecurity, and operational resilience.

That progression matters more than the title. I've worked at infrastructure level, overseen a managed SOC, negotiated major supplier contracts, and sat in the boardroom explaining technology and cyber risk under regulatory scrutiny. This isn't general technology consulting. It's the specific experience of running IT inside a regulated firm, under scrutiny, where getting it wrong has consequences.

Across those roles, I led an SD-WAN and infrastructure overhaul that reduced critical downtime by 70 percent, deployed MFA and a managed SOC that reduced phishing incidents by 50 percent, and co-authored the firm's first AI acceptable use policy and governance framework. I managed an AED 20 million budget and built a stable technical team with average tenure above 15 years.

I relocated permanently to Dubai in 2026 and hold an IFZA consultancy licence. I work directly with a small number of clients at any one time. The FCA and DFSA frameworks are different, but both require firms to evidence control, articulate risk clearly, and recover from disruption without material impact.

There are no GCC client case studies on this site yet. What's here instead is a documented record of what I delivered at Killik & Co, under FCA scrutiny.

Daniel Young
  • 20 years, Killik & Co - London wealth management, FCA-regulated
  • 12 years senior leadership, IT Director from 2022 with board accountability
  • IFZA consultancy licence, UAE
  • Member, ISACA
  • Professional Member, BCS (MBCS)
  • BSc (Hons), Kingston University
  • Operational resilience programme design and delivery
  • AI governance framework - inaugural policy at regulated firm
  • SOC oversight and incident response management
  • DFSA, CBUAE, ADGM regulatory frameworks

Case studies from Killik & Co

Four programmes delivered under FCA board scrutiny, relevant to the same obligations DIFC and ADGM firms operate under today. No GCC client work yet - these are the documented record this practice is built on.

Case Study · Operational Resilience

Building an operational resilience programme at a regulated wealth manager

Service mapping, impact tolerances, RTO/RPO definitions, and tested incident playbooks, completing the FCA board-overseen audit workplan on schedule while critical system downtime fell 70% and uptime held above 99.9%.

Case Study · Cyber Maturity

Reducing phishing incidents by 50% through SOC oversight and MFA deployment

Company-wide awareness training, MFA rollout, and a 24/7 managed SOC, treated as a structured programme rather than disconnected projects - cutting phishing incidents by 50% and improving incident response times by 40%, against a clean regulated audit record spanning 10+ years.

Case Study · AI Governance

Co-authoring a regulated firm's first AI acceptable use policy

A default-ban governance framework moved the firm from uncontrolled AI use to board-approved adoption: nine tools formally whitelisted, seven blocked, and close to 7,000 unauthorised access attempts blocked monthly via DNS enforcement across 380 staff.

Case Study · Vendor Governance

Negotiating 20+ supplier contracts to secure 10% annual savings

Consolidated an unmanaged estate of 30 vendors into a governed, board-visible model - reducing active vendor count by 50% and producing zero audit findings on third-party management, against an AED 20 million outsourced services base.


Answers before you ask

How is this different to hiring full-time?

You get board-level accountability without the full-time salary, package, and visa sponsorship for a role you may only need one to three days a week. Engagements are typically retained monthly, scoped to actual workload, and scale with the firm's risk profile.

What happens if you find something serious during an engagement?

It goes to the board or relevant committee directly, in writing, with a remediation plan attached. No sitting on findings, no softening them for internal politics. If it's material enough to affect your regulatory position, you need to know immediately, not at the next quarterly review.

Why not use a free or built-in tool instead of paying for advisory?

Tools like Microsoft Purview or a low-cost DLP product are not the problem; an unconfigured one is. A tool with no risk taxonomy, no ownership, and no tie to your regulatory obligations does not reduce exposure. It creates a false sense of control that surfaces as a gap at audit, not before it. The tool is rarely the expensive part of getting this right. The design, governance, and operating discipline around it are, and that is where cheap implementations fail.

How does a fixed-fee review turn into an ongoing engagement?

It doesn't have to. A Technology Risk Review is a standalone, fixed-fee diagnostic that gives your board a documented view of where you stand. Some firms act on the findings internally. Others ask me to stay on to implement the remediation plan. Both are legitimate outcomes; there is no push toward a retainer built into the review itself.

What happens after I book a call?

A 30-minute call establishes fit and the right starting point. Firms that need a documented baseline first typically start with a Technology Risk Review, a board-ready report in two to three weeks. Firms with a clear immediate priority agree scope and start there directly.

How soon can we expect results?

Depends on what's being solved. A Technology Risk Review produces a board-ready report in two to three weeks. Retained engagements are scoped to the specific risk or programme; timelines are set at the start, not promised in the abstract.

How is information handled?

Everything discussed is treated as confidential within the engagement. No findings, client names, or operating specifics are referenced externally, in content, or in conversations with other clients.

Why are there no regional client case studies yet?

Because there have not yet been GCC client engagements to write them from. Rather than manufacture regional credibility, I have published case studies from my work at Killik & Co, covering cybersecurity, operational resilience, AI governance, and supplier governance under FCA scrutiny. GCC client case studies will follow GCC client work, not precede it.

If that background matches your firm's stage

The next step is a 30-minute discovery call.