About

Operator-grade technology leadership.

Most strategy advice comes from people who've never carried the pager. NorthCTO is different: board-level leadership from someone who has spent 25+ years building, securing and running the systems most consultants only ever talk about — including years running an IT department of his own.

Why we exist

We saw the gap from both sides.

Established organisations with 20–500 users usually have operational IT sorted — an MSP, perhaps some internal staff — but no one owning the strategy, reporting to the board, or making sure cyber risk is genuinely managed.

And much of the "strategy" on offer comes from advisers who've never actually run the environments they pronounce on. NorthCTO closes both gaps: senior, independent leadership from someone who has done the work — part of North Technology Group, alongside our sister managed-IT brand, NorthMSP.

“NorthMSP keeps technology running. NorthCTO makes sure it's running in the right direction — and that someone senior owns the risk.”

Two brands, one group

Who you work with

Meet the principal.

JC

James Calderwood

Principal — Technology & Cybersecurity Leadership

25+ years

hands-on across IT, security and cloud

Engineer to leader

built it, ran the IT department, now advises

Incident-tested

led real ransomware response

Microsoft-certified

security, identity and Azure

“I've built the systems, owned the risk, run the IT department, and led the response when it all broke. NorthCTO brings that experience to your board table.”

James Calderwood has spent more than 25 years in technology — and, unusually, on both sides of the desk. He started hands-on as a systems engineer, then spent several years as an IT Manager running an organisation's entire in-house function: strategy, budgets, a team, suppliers, the lot — while advising hundreds of member businesses on their technology. He has sat in the exact seat many of his clients sit in.

From there, senior consultancy — designing and delivering security, cloud and infrastructure for organisations from 50 to 5,000 users, as the final escalation point when something genuinely hard landed. He has led end-to-end Microsoft 365 and Azure migrations, owned cyber risk and compliance, and led live ransomware incident response when an organisation's worst day arrived.

He already provides fractional IT-management and advisory services, is Microsoft-certified across security, identity and Azure (with deep grounding in Cisco, HPE, VMware, Aruba and Fortinet), and has been invited onto expert panels to advise local businesses on cybersecurity and technology. He talks as comfortably with a board as with the shop floor.

It's an unusual background for a CTO-level adviser: most have either the boardroom experience or the technical depth — rarely both, and rarely with years of actually running an IT department. That combination is the whole point of NorthCTO: strategy you can trust because the person setting it has built it, run it, and answered for it.

  1. 01 Started hands-on — a systems engineer building, migrating and supporting real infrastructure.
  2. 02 Ran an organisation's entire in-house IT as its IT Manager — owning strategy, budgets, a team and suppliers, and advising hundreds of member businesses on their technology.
  3. 03 Moved into senior consultancy — designing and delivering security, cloud and infrastructure for organisations from 50 to 5,000 users, as the final point of technical escalation.
  4. 04 Now brings that operator's judgement to the board table, through NorthCTO.

In practice

The kind of work it comes from.

A flavour of what organisations actually bring us in for. Client names withheld, as you'd expect.

  • Stepping in after a security incident to lead containment, remediation and the calm decision-making a live breach demands.
  • Setting the secure-by-design standard for Microsoft 365 and Azure environments, aligned to Cyber Essentials Plus and ISO 27001.
  • Owning the awkward calls in a cloud migration — what to move, in what order, and what to switch off.
  • Being the senior voice that challenges a supplier's recommendation, or an unrealistic expectation, before it costs you.

How I work

Four things you can hold me to.

Grounded in delivery

Advice that survives contact with reality — because I've implemented it, not just recommended it from a slide.

Accountable, not advisory-only

I own the decision and the outcome, not just the recommendation. Responsibility you can point the board to.

Plain-spoken

Technology and risk translated into language your board can actually act on. No jargon, no mystique.

Genuinely independent

No products, no licences, no commission. The only thing I'm selling is judgement.

Standards & capabilities

Grounded in real-world delivery, not theory.

We work to recognised professional standards and stay hands-on across the technologies UK organisations actually use.

Governance, risk & compliance

Frameworks used as practical tools to manage risk and decision-making — not box-ticking exercises.

  • ISO 27001 information security management
  • UK GDPR and data protection
  • Cyber Essentials and Cyber Essentials Plus
  • NIS and sector-specific regulation
  • PCI DSS for payment environments

Technology platforms & environments

Senior oversight across modern IT environments — owning direction and standards, not day-to-day administration.

  • Microsoft 365, Entra ID, Intune, Defender and Azure
  • On-premises and hybrid infrastructure
  • Cloud platforms and end-to-end migrations
  • Cybersecurity tooling, controls and operating models
  • MSP-delivered environments and third-party suppliers

No obligation

Start with a conversation, or a review.

Book an introductory call, or take the free Technology Leadership Review — a senior look at where you stand, with written findings.