Technology Governance · InfoSec · AI Risk · Business IT

Steady in uncertain waters.

We turn governance frameworks into working systems, bringing regulated-sector rigour to any organisation that takes technology strategy, security, and risk seriously.

Governance and leadership that actually works

Fractional and interim engagements for organisations that need senior technology and governance capability without a permanent hire. Our background is regulated financial services — we bring that standard of rigour wherever we work.

Information Security Governance
We build InfoSec programmes from the ground up: policy architecture, risk frameworks, audit readiness, and certification. Designed to pass scrutiny, not just tick boxes.
ISO 27001:2022 · NIST CSF · Cyber Essentials+ · Risk frameworks · Audit readiness
AI Governance
We establish the policies, controls, and oversight structures that allow businesses to deploy AI responsibly, covering model risk, data handling, bias, and regulatory alignment.
AI policy · Model risk · EU AI Act
Third-Party Risk
We design and run vendor risk programmes that scale, from initial scoping through ongoing assurance. Built for businesses with complex supplier ecosystems where third-party risk actually matters.
Vendor assurance · Due diligence · Supplier governance
Business Technology Leadership
We build and lead the business IT function that fast-scaling organisations need, from startup foundations through the operational complexity of rapid growth. Device management, identity, productivity, and IT vendor strategy, all set up to scale without becoming a bottleneck.
Startup to scaleup · IT strategy · Device & identity · IT vendor management

You might need us if...

Your information security programme needs building or maintaining

Whether you're starting from scratch, working towards ISO 27001 readiness, maintaining a live ISMS, or building a trust centre for customer-facing compliance — and don't have the internal expertise to run it.

Your teams are already using AI tools and nobody has put controls around them

Shadow AI is a risk most organisations underestimate until it becomes a problem. The exposure from unmanaged AI tool use is greater than many businesses realise — and it's growing.

Your vendor base has grown faster than your ability to manage it

You have limited visibility beyond your immediate suppliers, no clear process for managing questionnaires at scale, and no reliable way to demonstrate vendor compliance when a regulator, investor, or client asks.

You've had an incident — or a near-miss — and it's changed the conversation

A breach, a serious outage, or a supplier failure has made clear that your governance wasn't where it needed to be. The time to build resilience is before the next one, not after it.

Your board is asking questions about digital risk that nobody can confidently answer

Cyber risk, AI exposure, supplier dependency — these are board-level conversations now. If your organisation doesn't have a credible answer prepared, that's a gap worth closing.

You need senior technology governance capability without a permanent hire

A fractional or interim engagement gives you the expertise when you need it — for a specific programme, a regulatory moment, or an ongoing advisory role — without the overhead of a full-time appointment.

Embedded. Pragmatic. Accountable.

01. Diagnose before prescribing
We start by understanding your actual risk posture, not by mapping your situation to a pre-packaged framework. The gap analysis shapes everything that follows.

02. Build for your organisation, not the textbook
Governance that works is governance your people can own. We write policies and design controls that fit the business, not the other way around.

03. Embed, don't consult from a distance
We work alongside your teams as a senior practitioner, not as an external reviewer. Engagements are structured for knowledge transfer, not dependency.

04. Leave something that lasts
The measure of a successful engagement is what's still running 12 months after we leave, not the quality of the final report.
Large – Vendor base managed through a structured third-party risk programme at a regulated financial services platform
ISO 27001:2022 – Readiness programme built from inception in a regulated financial services business
2023 – AI governance policy framework designed and implemented, among the earliest in UK financial services
5 years – Sustained, substantial reduction in phishing simulation click rates maintained across a large organisation
Proven – Commercial savings and cost avoidance delivered through structured IT supplier management, beyond risk reduction alone

Embedded expertise, not arm's-length advice.

Wolf Rock Tech provides fractional and interim technology governance to organisations that want senior capability without a permanent hire. We work across technology strategy, information security, AI governance, and supplier risk, operating as an embedded part of your team rather than external consultants reviewing from a distance.

Our approach is practical and evidence-led. We build governance frameworks designed to be used, not displayed: policies people can follow, controls that fit the way the business actually works, and assurance processes that hold up under scrutiny. We know what governance looks like when it works, and what it looks like when it just looks like it works.

Our experience spans regulated financial services, aviation, gaming, and defence, including senior technology leadership in environments where governance is not optional. Deep technical and engineering foundations underpin everything we deliver — rigorous thinking applied to practical problems.

We operate as a principal-led practice. Garry Leacock leads every engagement directly; larger programmes draw on a trusted network of specialist associates where additional capacity is required.

Engagements are structured to fit the organisation. Fractional work typically runs 2–4 days per month on a retained basis; defined programmes are scoped and fixed. We'll propose a structure after an initial conversation.

Technology Strategy: Headed up technology and cloud operations functions in a regulated UK financial services business, owning IT strategy and business technology through rapid growth.
Cyber Security Oversight: Built the InfoSec function from scratch and led ISO 27001:2022 readiness at a regulated financial services platform. Frameworks applied include ISO 27001:2022, NIST CSF, and Cyber Essentials Plus, with four consecutive CE+ certifications achieved.
AI Governance: Designed and implemented an AI governance framework ahead of the regulatory curve, among the earliest in UK financial services.
AIGP: Certified AI Governance Professional (AIGP), certified by the International Association of Privacy Professionals (IAPP).
Supplier Management: Ran a third-party risk programme across a large vendor base at a regulated financial services platform: scoping, due diligence, and ongoing assurance at scale.
Senior Leadership Advisory: Delivered technology programmes and advised on digital risk and opportunity across financial services, aviation, gaming, and defence, including with the Ministry of Defence.
PhD, Engineering: Technical depth and comfort with complexity, with rigorous thinking applied to governance challenges.

What this looks like on the ground

ISO 27001:2022 · InfoSec · Financial Services · Mid-size organisation
Building an InfoSec programme from zero to readiness
Outcome: Full ISO 27001:2022 readiness achieved across a regulated financial services business — policies, controls, and audit evidence in place — delivered over 18 months alongside normal operations, without a dedicated internal team or business disruption.

A regulated financial services business needed to build its information security programme from the ground up. With no prior InfoSec function in place, the organisation needed a structured path to ISO 27001:2022 readiness covering the full business: its M365 and MS Azure estate, physical sites, people, and an extensive supplier base.

We designed and delivered the programme across all four ISO 27001 control domains: organisational, people, physical, and technical. Where processes already existed, we documented and evidenced them; ISO 27001 is about saying what you do in policy, doing what you say via controls, and proving it with evidence. Where gaps existed, we introduced practical controls, including a full policy suite prepared for public-facing publication in a trust centre, and physical controls such as electronic visitor logging.

The programme was delivered over 18 months alongside normal business operations, without a dedicated internal team or business disruption. At completion, all core policies had been drafted and were moving through attestation, and the substantial majority of audit evidence was in place: a full readiness position achieved without pausing the business to get there.

AI Governance · ISO 42001 · Financial Services · Mid-size organisation
Building an AI governance programme from first principles
Outcome: An AI governance programme built from zero to full organisational rollout in 18 months: safe usage policies, approved tools register, MCP security standards, and an ISO 42001-aligned governance architecture — at a point when most organisations were still debating whether to act.

The trigger was familiar: staff were experimenting with AI tools, the business wanted to innovate, and nobody had a clear picture of what was being used or how. Shadow AI represented a real risk, covering data handling, confidentiality, and regulatory exposure, and the organisation needed a framework that enabled responsible adoption rather than simply banning tools that people would use anyway.

We built a governance programme covering both internal AI tool use and AI in the product. On the internal side, this meant a safe usage policy covering tools including ChatGPT, Claude, M365 Copilot, and workflow automation platforms, an approved AI tools register, sensitive data handling guardrails, and secure configuration standards. We also conducted security reviews of Model Context Protocol (MCP) server implementations, emerging infrastructure at the time with no established industry standard, producing guidance where none yet existed.

On the product side, we led thorough due diligence on a customer-facing AI chatbot solution, assessing it across risk, data handling, model behaviour, and InfoSec governance requirements before sign-off.

The programme was built around a formal governance architecture: a charter, operating model, and roadmap, aligned to ISO 42001 and informed by emerging regulatory guidance on AI in financial services. Chosen tools were rolled out at organisational level with guardrails embedded and a governance structure in place to manage new tools as the landscape continues to evolve.

Delivered over 18 months from initial experimentation to full adoption, at a point when most organisations were still debating whether to have an AI policy at all.

Third-Party Risk · Supplier Management · Financial Services · Mid-size organisation
Building a third-party risk programme from vendor sprawl to single pane of glass
Outcome: All Critical and High-tier vendors assessed at 90%+ security scores, with real-time supply chain visibility extending to seventh-tier suppliers — built from scratch in a regulated financial services environment where the status quo was untenable.

The starting point was vendor sprawl with no formal management process in place. Vendors had been onboarded at pace as the business grew, with no consistent due diligence, no visibility of supply chain risk beyond the immediate supplier relationship, and regulatory pressure making the status quo untenable.

We built a third-party risk programme from scratch, starting with a tiering framework that categorised all vendors as Critical, High, Medium, or Low risk. Critical vendors, those on which business-as-usual (BAU) continuity depends, received the highest level of scrutiny, with active relationship management, redundancy planning, and disaster recovery testing in place for the most essential relationships.

To manage the programme at scale, we implemented a specialist TPRM platform providing a single pane of glass across the entire vendor base. The platform uses a shared questionnaire model, where vendors complete a single assessment visible to multiple customers, which significantly reduces completion friction and applies peer pressure to vendors who might otherwise deprioritise the process. It also provides supply chain visibility beyond the immediate vendor relationship, extending to fourth- through seventh-tier suppliers, an increasingly important requirement in a complex technology ecosystem.

The programme was built in alignment with ISO 27001, ensuring third-party risk controls were evidenced as part of the broader InfoSec framework. The main challenges were onboarding a large and growing vendor base at pace and persuading vendors to engage, both addressed through the platform's shared model and a structured onboarding process.

At maturity, all Critical and High-tier vendors had completed assessments with outstanding risks resolved and security scores of 90% or above. The business could demonstrate its supply chain posture at any point, query vendor status in real time, and respond quickly when a public threat or incident required immediate visibility across the supplier base.

We keep you off the rocks.

Whether you're building a governance function from scratch, preparing for certification, or need senior InfoSec or AI risk capability on a fractional basis, we'd like to hear from you.

We aim to respond within one working day. A short introductory call is usually the best starting point.


Prefer email? info@wolfrocktech.co.uk