Where executive security meets measurable business outcomes.
Meridian Cyber is a boutique advisory led by Ajay Mathai — providing Fractional CISO (vCISO) services, compliance readiness, and AI-driven automation for regulated enterprises navigating the most complex security and technology decisions at global scale.
Ajay Mathai founded Meridian Cyber after nearly two decades leading enterprise IT and cybersecurity at global scale — most recently as Director of IT for one of the region's most operationally complex hospitality groups.
Four major 2025 industry awards. Eight elite credentials including CISSP, CISM, and CCIE. Career mandates spanning five continents and multi-million dollar programme budgets — from global telecommunications rollouts to group-wide PCI DSS governance for multinational hospitality estates. Every recommendation he makes is rooted in systems he has built, deployed, and broken himself.
Based: London & Dubai
Remit: 5 continents · EMEA · APAC · Americas
Scale: Multi-million USD mandates
Programmes: PCI DSS · ISO 27001 · GDPR
Availability: Q2 2026 · accepting
/ 01 — Recognition
Industry-validated. Peer-recognised.
Four major industry awards in 2025 alone. Trusted voice across MENA's premier cybersecurity and CIO gatherings.
2025 · Honouree · IDC CIO Excellence Awards
Recognising excellence in IT leadership across the United Arab Emirates.
CISO Middle East Summit · Millennium Airport Hotel, Dubai.
2025 · Winner · Emerging Tech Leader Award
TechNext Conference Dubai 2025.
The Principal Honour
IDC CIO Excellence Honouree 2025.
"In recognition of visionary leadership that redefined digital strategy, harnessed future-ready technologies, and fostered resilience."
Selected by the International Data Corporation alongside the United Arab Emirates' most influential technology executives — a peer-nominated award reflecting measurable impact on enterprise security posture and digital transformation at scale.
Awarded by: IDC · International Data Corporation (Jyoti Lalchandani, MD META · Ronita Bhattacharjee, Group VP)
Ceremony: IDC CIO Excellence Symposium · United Arab Emirates · 2025
Speaking & Panel Appearances
Sharing the stage with MENA's security leaders
CyberX MENA · Dubai
Balancing Innovation & Security
With James Wiles (Cigna Healthcare), Omar Nasreldin (Seclore). Moderated by Davide Del Vecchio, CISO at Careem.
CISO50 Awards · Sofitel Dubai
Cybersecurity at the Core
With Anoop Kumar Paudval (Head of InfoSec Governance, Gulf News Publishing) and Kawther Haciane (Principal, EY). Hosted by Tahawul Tech.
ETCIO Exchange · Middle East
The Cyber Imperative
With Sri Lakshmi (Group CIO, Switz Group). Moderated by Shashi Punjabi (Head of IT & Digital Transformation, Al Faris Group). Hosted by The Economic Times.
DATE MENA · Nov 2025
AI, Digitisation & Emerging Tech
With Hussein Jaghoub (Group Director Technology & Cyber Audit, DP World). Moderated by Tanishqa Kambli, Editor, The Technology Express.
/ 02 — Services
Five practices. One strategic mandate.
Each practice area can be engaged independently or combined as a multi-track programme. All engagements are scoped to outcomes — governance maturity, audit readiness, cost reduction, or technology lift — not to billable hours.
Practice I · Fractional CISO
Also known as vCISO · CISO-as-a-Service
Board-level security leadership on retainer. Govern risk, translate threat posture into executive decisions, and lead your security programme without the full-time overhead.
Structured readiness assessments against ISO 27001, PCI DSS, GDPR, and UAE PDPL. Surface the gaps, prioritise remediation, and enter your audit with confidence.
Independent technical evaluation and commercial negotiation for major security and infrastructure purchases. No vendor kickbacks — your interests only.
Private, self-hosted AI deployments engineered for data sovereignty. Docker-orchestrated agentic workflows on Apple Silicon — your data never leaves premises.
Digital strategy for organisations scaling across jurisdictions. Modernise the stack, consolidate vendors, and build IT operations that support expansion.
Four industries where regulatory weight, technical complexity, and reputational sensitivity demand more than a generalist. We bring sector-specific frameworks, regulator fluency, and pattern recognition from years inside the operating environment.
Sector I · Finance & Fintech
Banks, brokers, asset managers, payment providers, and crypto-asset firms. We align security and continuity programmes with the regulators who actually examine your firm.
Regulator coverage: DFSA · FSRA · CBUAE · VARA · SAMA
Sector II · Hospitality & Resorts
Hotels, resorts, F&B groups, and entertainment venues. Operationally complex environments where guest data, POS systems, and room automation share infrastructure — and every breach has a brand-equity cost.
Frameworks & focus: PCI DSS v4.0 · UAE PDPL · GDPR · ISO 27001
Sector III · Healthcare & Life Sciences
Hospitals, clinics, telehealth platforms, and pharma companies. Where patient data sensitivity meets the unique operational pressures of healthcare delivery — and the cost of downtime is measured in lives, not lost revenue.
Regulator coverage: ADHICS · NHS DSP Toolkit · HIPAA · UAE PDPL
Sector IV · Critical Infrastructure & SaaS
Telecoms, energy, government services, and B2B SaaS platforms. Where uptime is regulatory, vendor risk compounds, and a single API outage cascades across an entire industry's operating day.
A dedicated advisory practice for firms licensed under the Dubai Financial Services Authority and the Abu Dhabi Financial Services Regulatory Authority — aligned to the DFSA GEN Module and FSRA Operational Risk framework. Cybersecurity and continuity, delivered in the language regulators recognise.
Practice A · Cybersecurity for DFSA & FSRA firms
End-to-end information security advisory built around regulator-recognised frameworks. From policy design through to incident response readiness.
i — Framework Design
Information Security Management Framework
Design and implement ISO 27001-aligned policies and procedures, mapped to DFSA and FSRA expectations.
ii — Technical Assurance
Vulnerability Assessment & Penetration Testing
Identify technical exposures before regulators or threat actors do. Coordinated through trusted CREST-registered partners.
iii — Incident Readiness
Cyber Incident Response Planning
Develop and test response plans that include DFSA and FSRA breach-notification procedures aligned with regulator timelines.
iv — Governance Reviews
Access Control, Data Classification & Privacy
Structured reviews of data governance and access management controls against UAE PDPL and DIFC/ADGM data protection regimes.
v — Supply Chain
Third-Party Cyber Risk Management
Assess and monitor vendor and outsourced provider cyber risk on an ongoing basis, in line with DFSA outsourcing requirements.
vi — Risk Integration
Cyber Risk & ICAAP / IRAP Integration
Embed cyber risk into your firm's risk appetite, ICAAP submissions, and FSRA Integrated Risk Management framework.
vii — People & Culture
Cybersecurity Awareness Training
Customised programmes for front-office, operations, and technology teams — with attendance evidence retained for examiner review.
Regulator-aligned, board-ready continuity programmes tailored to firm type, prudential category, and risk profile. Designed to satisfy DFSA GEN Module and FSRA Operational Risk evidential requirements.
i — Framework
BCP Framework Design & Documentation
Board-ready continuity plans tailored to firm type and risk profile under DFSA GEN Module and FSRA Operational Risk guidelines.
ii — Impact Analysis
RTO/RPO Assessment & Critical Function Mapping
Identify critical systems and define realistic, defensible recovery objectives for board sign-off and regulator review.
iii — Exercises
BCP Testing & Tabletop Exercises
Annual tabletop simulations and live drills with fully documented outcomes — designed to satisfy DFSA and FSRA evidential expectations.
iv — Supply Chain
Third-Party & Outsourcing BCP Coverage
Review and strengthen continuity provisions across vendor, cloud, and outsourcing arrangements — closing the gap most BCP programmes miss.
v — Maintenance
BCP Maintenance Retainer
Ongoing updates, annual reviews, and regulatory-change monitoring to keep your plan current between examinations.
Client identities are withheld under standing confidentiality. Sectors, scope, and outcomes disclosed with permission. Representative of engagement patterns across fifteen years of senior mandates.
Full infrastructure redesign for a national utility operator
A government-owned utility required a complete rebuild of its network and security infrastructure following a strategic review. Legacy architecture had accumulated over a decade, creating operational risk, vendor lock-in, and audit exposure. Meridian Cyber was engaged to design the target-state architecture and direct the execution.
Approach
◇ Greenfield network topology design
◇ Zero Trust segmentation & NAC rollout
◇ Vendor consolidation & contract renegotiation
◇ Phased cutover with zero service interruption
Outcome
◇ Regulatory audit cleared on first attempt
◇ Network incidents reduced materially
◇ Multi-year operational cost savings realised
◇ Resilient foundation for future modernisation
Duration: multi-phase · Geography: Middle East · Client size: Large-cap · public sector
Security architecture review for a New York SaaS platform
A venture-backed social media records provider headquartered in New York engaged Meridian Cyber for an independent architecture review ahead of enterprise-customer security questionnaires. Existing defences were modern but uncatalogued; the board needed a third-party view of where real risk sat versus where budget was being spent.
Approach
◇ Prioritised hardening roadmap with board narrative
Outcome
◇ Enterprise security questionnaires streamlined
◇ Board gained defensible security narrative
◇ Top-three risk items remediated within quarter
◇ Ongoing advisory retainer established
Duration: focused engagement · Geography: United States · New York · Client size: Venture-backed SaaS
03 · Live · In Progress
Sector: Manufacturing · Industrial · India
Practice: AI Automation & Agents
Remit: Private AI deployment · process automation
Sovereign AI automation for an Indian manufacturing firm
A mid-sized Indian manufacturer operating across multiple production sites required AI-driven automation for document processing, quality reporting, and supplier workflow orchestration — but could not permit production data to leave the premises. Meridian Cyber is designing and deploying a fully on-premises, air-gapped agentic AI stack.
Approach
◇ Private LLM runtime on Apple Silicon hardware
◇ Docker-orchestrated agent workflows
◇ Document-intelligence pipeline for quality records
◇ Zero egress network design (air-gapped)
Expected Outcome
◇ Manual document processing time collapsed
◇ Data sovereignty preserved end-to-end
◇ Zero ongoing per-seat AI licensing costs
◇ Reusable template for other sites & SBUs
Status: Active · phase 1 · Geography: India · Client size: Mid-market manufacturing
04 · Delivered
Sector: Telecommunications · ISP
Practice: Vendor Evaluation & Negotiation
Remit: High-end network hardware procurement advisory
Independent vendor evaluation for a regional ISP
A regional internet service provider was preparing a multi-million-dollar investment in carrier-grade network hardware and needed an independent technical and commercial evaluation — free of vendor kickbacks or channel bias. Meridian Cyber was retained as the neutral technical advisor to the procurement board.
✓ Scoped to outcomes: audit-pass, cost-reduction, uplift
✓ Risk-prioritised — protect the crown jewels first
✓ Implementation-led, measured by real-world results
/ 07 — Engagement Process
A disciplined five-step method.
Every engagement follows the same architected sequence — from the first scoping call to steady-state governance. No mystery, no billable-hour drift, no methodology invented on the fly. Each step produces a named deliverable you can audit.
Step 01
Scope
A 30-minute strategic consultation, followed by a written scoping document within 72 hours.
◇ Problem framing & fit assessment
◇ Engagement tier recommendation
◇ Commercial & timeline envelope
Deliverable: Scoping document & SOW
Step 02
Assess
Structured diagnostic of current-state security, architecture, and control posture.
◇ Gap analysis against target framework
◇ Risk register & threat modelling
◇ Architecture & vendor stack review
Deliverable: Diagnostic report & risk register
Step 03 · Core
Strategise
Target-state design, prioritised roadmap, and board-ready narrative translating risk into business terms.
◇ Target architecture & control design
◇ Multi-year remediation roadmap
◇ Budget & sequencing plan
Deliverable: Strategy document & board pack
Step 04
Execute
Hands-on delivery alongside your team. We implement — not just advise.
◇ Vendor RFPs & contract negotiation
◇ Policy drafting & control implementation
◇ Team enablement & knowledge transfer
Deliverable: Implemented controls & policies
Step 05
Govern
Ongoing stewardship of the programme — monthly rhythm, board reporting, incident readiness.
◇ Monthly risk & control reviews
◇ Quarterly board reporting
◇ Vendor renewal & incident advocacy
Deliverable: Ongoing executive reporting
Typical onboarding: 7–14 days · From SOW signature to active engagement
Cadence: Monthly rhythm · Fortnightly operational · monthly exec
Notice period: 30 days · Pause, scale, or exit at any time
/ 08 — Trusted
What peers are saying.
Testimonials from industry colleagues · Published with permission
Ajay is the rare technology leader who pairs deep technical command with genuine boardroom presence. He translates complex security posture into business language executives actually act on.
Vinu Peter
CEO · Locatenow.ai
Working with Ajay across infrastructure and network engagements, I have consistently seen a leader who pairs rigor with pragmatism. The rarest quality is his ability to execute what he designs.
Tony Scaria
CEO · Cubit Technologies LLC
Across our work in regional enterprise technology, Ajay consistently demonstrates the rare blend of commercial awareness and deep operational understanding. He delivers — and he brings his team along with him.
Muhammad Shahid
Managing Director · Elevate Infrastructure Solutions
Ajay combines the rare qualities of calm leadership under pressure with clear, board-ready written strategy. A highly recommended partner for any organisation navigating complex technology transformation.
Tony Aslam
Department GM · Sumitomo Corporation
Ajay's strength is scale. He has led cross-continental teams through multi-framework compliance cycles where most leaders would stumble — while carrying the warmth and humility that makes him a trusted partner.
Sudheer Subramanian
Consultant CTO · 33+ years in Digital
Become a Client
Your organisation could be here next.
Every engagement begins with a 30-minute strategic consultation. No obligation — just a candid assessment of fit.
All plans include initial scoping call · Month-to-month · No lock-in contracts
/ 10 — Founder
Twenty years. One discipline.
Ajay V. Mathai
Founder · Principal Advisor
CISSP · CISM · CCIE · CRISC
"I've spent two decades building, securing, and scaling enterprise IT across three continents — most recently leading IT & Cybersecurity at the executive level for a multinational hospitality group, one of the world's most operationally complex resort and entertainment businesses."
Leadership
Director-level roles across EMEA and APAC. Led cross-continental teams through digital transformation, multi-framework compliance, SOC modernisation, and post-incident recovery.
Domains
Cybersecurity governance, agentic AI systems, network architecture, Zero Trust design, cloud transformation, ERP integration, and IT-enabled business growth.
Now applying that operator-grade discipline to the firms in the regulatory spotlight: DFSA and FSRA authorised entities navigating GEN 5.5 and GEN 3.5, UAE PDPL obligations, ICAAP and operational risk integration — and to regulated enterprises across hospitality, healthcare, and critical infrastructure facing the practical reality of running a credible cyber and resilience programme without the headcount of a tier-one bank.
The remit now is narrower and sharper. Fewer clients. Deeper work. Real outcomes.
Global Director — Security, Infrastructure & Network
International hospitality portfolio · EMEA & APAC scope
2016–2017
IT Systems Engineer · FTSE-listed Government Services Group
Dubai Metro mandate · critical transport infrastructure
2011–2014
Solution Manager · Global Telecommunications Infrastructure Leader
Enterprise networks & security portfolio · MEA region · $100M+ client deals
2007–2008
Senior Engineer · Global Networking Technology Leader
Carrier-grade backhaul networks · APAC delivery centre
Credentials: CISSP ((ISC)²) · CISM (ISACA) · CCIE #16441 · CRISC · AI for Cybersec (JHU) · Proofpoint AI Data · ITIL · Qualys VM
/ 11 — Insights
Field notes from the practice.
Published writing on AI governance, compliance realities, infrastructure resilience, and the human dimensions of modern cyber defence. Original essays, distributed via LinkedIn.
A short monthly letter on what's actually working in the field — compliance realities, AI governance, and the decisions CISOs are quietly making. For operators only. Unsubscribe any time.
Private list · No sharing · Unsubscribe in one click
/ 12 — Questions
Common questions. Direct answers.
What is a Fractional CISO and how is it different from a vCISO?
A Fractional CISO (also known as vCISO or CISO-as-a-Service) is an experienced Chief Information Security Officer engaged on a part-time retainer basis — giving organisations executive-grade security leadership without the cost of a full-time hire. The terms are used interchangeably across the industry. Meridian Cyber's Fractional CISO service includes security strategy, governance frameworks, board reporting, Zero Trust architecture design, and compliance oversight.
Where is Meridian Cyber based?
Meridian Cyber is a UK-incorporated cybersecurity advisory with offices in London and Dubai, operating globally across EMEA, APAC, and the Americas. All engagements are delivered via secure video collaboration with on-site presence as required.
What compliance frameworks does Meridian Cyber support?
Gap analysis and readiness services are provided for ISO 27001:2022, PCI DSS v4.0, GDPR, and UAE PDPL. Each engagement produces a documented gap analysis, Statement of Applicability, risk register, and prioritised remediation roadmap. Extensions to NIST CSF, SOC 2, and HITRUST available on request.
How much does a Fractional CISO cost?
Meridian Cyber offers transparent monthly retainers starting at $999 for Starter, $1,499 for Seed, $2,499 for Growth, and $5,499 for Enterprise. All plans are month-to-month with no lock-in contracts. Engagements can be paused, scaled up, or scaled down with 30 days' notice.
What does the engagement process look like?
Every engagement begins with a 30-minute strategic consultation at no cost. If there is mutual fit, a detailed scoping document is produced within 72 hours covering deliverables, timeline, and commercial terms. Formal engagement begins within 7–14 days of contract signature.
Does Meridian Cyber take vendor commissions or kickbacks?
No. Meridian Cyber operates on a strict independence principle — no vendor commissions, no channel-partner arrangements, and no resale agreements. Technology recommendations are based solely on client requirements, total cost of ownership, and architectural fit. This independence is the foundation of Practice III (Vendor Evaluation & Negotiation).
How confidential are client engagements?
Every engagement begins with a mutual NDA. Client identities are never disclosed in marketing material or case studies without explicit written permission. Case study descriptors (sector, geography, engagement type) are published only with client sign-off and at a level of abstraction that protects identity.
Which UAE financial regulators do you advise across?
Our Financial Services Practice covers the four primary UAE regulators directly: DFSA (Dubai Financial Services Authority, DIFC), FSRA (Financial Services Regulatory Authority, ADGM), CBUAE (Central Bank of the UAE, for onshore banks and payment providers), and VARA (Virtual Assets Regulatory Authority, for crypto and virtual-asset service providers). For healthcare we align to ADHICS; for critical national infrastructure, the UAE IAR standard. Engagements are framework-led and mapped to the specific regulator's evidential expectations.
Can a Fractional CISO be appointed as the named CISO under UAE regulations?
Most UAE regulators (DFSA, FSRA, ADHICS, UAE IAR) permit a named Senior Information Security Officer who carries individual accountability to the regulator and the firm's board. A Fractional CISO can fulfil this role provided the engagement establishes formal accountability, defined hours, board-level reporting access, and incident-response decision authority. We draft the appointment terms with your General Counsel and outline the regulator-facing accountability clearly in the engagement letter.
How does a Fractional CISO differ from an MSSP or general consultant?
An MSSP (managed security service provider) operates technology — monitoring tools, SIEMs, EDR consoles. They are excellent at the operational layer but cannot serve as your strategic security executive, sit in board meetings, or speak for the firm to regulators. A general consultant delivers project work — gap analyses, policies, audits — then leaves. A Fractional CISO is the recurring strategic leader: defining direction, owning the risk register, reporting to the board, leading regulator dialogue, and pulling in MSSPs or consultants as needed. Meridian Cyber operates strictly at this executive-advisory layer; we do not resell MSSP tools or take vendor commissions.
Question not answered? Every engagement begins with a direct conversation.