Straightforward answers to the questions that come up most frequently about independent IT and cyber advisory, the Northstar model and what working with Carl actually involves.
Northstar IT and Cyber Advisory is an independent IT and cyber leadership practice founded by Carl Spencer. We provide fractional IT and cyber director services, board-level risk reviews and AI advisory to UK SMEs.
The practice is built around a simple premise. Most SMEs have an IT supplier managing their technology day to day, but nobody asking the harder questions about risk, spend, governance and strategy. Northstar fills that gap, independently and without commercial interest in any particular supplier or platform.
Three things primarily. First, complete independence. Northstar has no commercial relationship with any IT supplier, software vendor or platform provider. The advice is not shaped by referral fees, reseller margins or certification requirements.
Second, Carl leads every engagement personally. There are no junior consultants, no subcontractors and no standardised frameworks applied regardless of the client situation.
Third, the approach is commercial rather than purely technical. The advice connects directly to business outcomes, risk and spend rather than technical complexity for its own sake.
Carl Spencer has 27 years of experience in IT services, managed services, telecoms and commercial technology leadership. Before founding Northstar he spent nearly a decade at Network Fish, a UK managed IT services provider, where he served as both Global Sales Director and Managing Director.
That background, running an MSP and managing the commercial relationships from the supplier side, gives Carl a distinctive perspective. He understands how MSPs think, what drives their commercial decisions, and what good and poor performance actually look like from both sides of the relationship.
More detail on Carl's background is on the About page.
Northstar works nationally across the UK. Carl is based in Kent and works with clients across England, Wales and Scotland. Most advisory work is conducted remotely, with in-person attendance at board meetings and key meetings where appropriate.
Northstar provides three core services. The Fractional IT and Cyber Director is a retained engagement providing ongoing independent IT and cyber leadership. The Board-Level IT and Cyber Risk Review is a one-off independent assessment of where your business actually stands. AI Readiness and Advisory is vendor-neutral guidance on AI adoption and governance.
In practice many engagements start as a one-off review and evolve into an ongoing fractional director relationship. Full details of each service are on the What We Do page.
Northstar works primarily with UK SMEs, typically businesses of 15 to 150 people. The sweet spot is businesses that have outgrown informal IT management but do not yet justify a full-time IT Director. That said, the specific situation matters more than the headcount. If you are facing one of the situations on the How We Help page, a conversation is worthwhile regardless of exact size.
Northstar works across a wide range of sectors including professional services, financial services, technology, healthcare, logistics and business services. The IT governance and cyber risk challenges facing SMEs are broadly consistent across sectors, though the specific compliance obligations and risk profile vary by industry. Carl will always tell you if a situation requires sector-specific expertise beyond what Northstar provides.
Pricing is structured to be proportionate to the size of the business and the scope of the engagement. The Board-Level Risk Review is a fixed-fee one-off engagement. The Fractional IT Director service is a monthly retainer priced according to the frequency and scope of involvement.
We discuss pricing transparently during an initial conversation once we understand what the engagement involves. The starting point is always a no-obligation conversation, not a proposal. Please get in touch via the contact form or call 0333 577 1714.
In a typical retained engagement Carl attends relevant board and leadership meetings as the independent IT and cyber voice, conducts structured quarterly service reviews with the MSP, provides regular reporting on IT and cyber risk in terms the board can act on, and advises on technology decisions and supplier proposals as they arise.
The specific scope varies by client. Some businesses need primarily MSP oversight and governance. Others need more active involvement in technology strategy or cyber risk management. The engagement is structured around what the business actually needs rather than a fixed service definition.
Yes. Northstar is not a managed service provider and does not replace your MSP. The Fractional IT Director sits above the MSP relationship, managing and holding them accountable rather than replacing them. Most businesses find that having independent oversight of their MSP relationship significantly improves the quality of service they receive from it.
The most obvious difference is cost. A full-time IT Director in the UK typically costs between £80,000 and £120,000 per year in salary alone, before employer costs, benefits and management overhead. A fractional engagement provides the same quality of senior oversight at a fraction of that investment, scaled to what the business actually needs.
The second difference is independence. A full-time employee is part of the organisation and subject to the same internal pressures and politics. An independent fractional advisor brings external perspective and has no stake in existing relationships or decisions.
Cyber Essentials is now required for central government contracts involving personal data or sensitive information. Beyond that, it is increasingly required by enterprise clients as a condition of supplier relationships, by cyber insurers as evidence of minimum security controls, and by regulated sector organisations as part of supply chain due diligence.
If you supply any organisation that has asked for Cyber Essentials, or if you are approaching a contract renewal where it may be required, Northstar can help you understand where you stand and what preparation is needed. More detail is on the Cyber Essentials page.
No. Northstar provides commercial and operational advisory on data protection, not legal advice. We help businesses understand what their GDPR obligations mean in practice, identify gaps in current practices and implement proportionate responses. Where a situation requires formal legal advice, we will tell you clearly and can help you identify the right support.
If you are dealing with an active or recent incident, call Carl directly on 0333 577 1714. The first hours after a cyber incident are the most consequential and having independent advice immediately available makes a material difference to the outcome.
More detail on what to do and how Northstar supports businesses through incidents is on the Cyber Incident Response page.
It depends on your specific situation. Copilot delivers genuine value in the right context, particularly for roles that involve significant amounts of writing, summarising and information processing. It underdelivers in organisations where the Microsoft 365 environment is not well organised, where permissions have not been reviewed, or where the use cases do not align with what the product actually does well.
Northstar provides independent assessment of whether Copilot is right for your specific environment before you commit to the licensing cost. More detail is on the AI Strategy page.
It depends on what they are using, for what purposes and with what data. AI tools used appropriately, within a sensible governance framework, can deliver genuine value. The same tools used without oversight, with personal or client data being processed through public AI systems, create real GDPR and confidentiality risks.
The starting point is understanding what is actually being used and how. Northstar can help with that assessment and with putting proportionate governance in place. More detail is on the AI Governance page.
The starting point is always a straightforward, no-obligation conversation. You can get in touch via the contact form on this website, by emailing cs@northstaritadvisory.com, or by calling 0333 577 1714. Carl will listen to your situation, ask the right questions and give you an honest view of whether independent IT advisory is the right fit.
There is no sales process, no proposal before a conversation, and no obligation to proceed. If Northstar is not the right fit for your situation, Carl will tell you.
Yes. Northstar works alongside internal IT staff rather than replacing them. An IT Manager typically handles day-to-day operational IT. The Fractional IT Director role sits above that, providing board-level oversight, strategic direction and independent accountability for the MSP relationship. The two roles are complementary rather than competing.
A Board-Level Risk Review is typically completed within four to six weeks from engagement. Fractional IT Director engagements are ongoing, typically reviewed annually, and continue as long as the relationship is delivering value for the business. Many clients engage Northstar initially for a specific situation and move to a retained relationship once the value of ongoing independent oversight is clear.
Yes. Northstar works alongside your existing MSP and other IT suppliers. In a retained engagement Carl will typically conduct structured service reviews with your MSP, represent your interests in contract negotiations and renewals, and provide independent oversight of their performance. Good MSPs welcome independent oversight. It gives them a more informed client and clearer accountability. Suppliers who resist independent oversight are usually those who have been benefiting from its absence.
No sales process, no obligation. A straightforward conversation about your situation and whether Northstar can help.