Jaime Pauline

About Jaime

A vCISO and security-leadership practice for commercial regulated industries.

Most companies in regulated environments don't need a full-time CISO — but they need someone who's been in the room when an FDA auditor asks how change control got bypassed, who understands the difference between a SOX-grade control and security theater, and who can do that work fifteen hours a month instead of forty.

That's the job I do. I work with commercial regulated companies — pharma and life sciences, public companies and their subsidiaries, healthtech, fintech, and regulated growth-stage SaaS — running the security function until they're ready to bring it in-house. Twenty years in IT, eleven in cybersecurity leadership, including managing security at two pharma companies where I led risk assessments and remediated both FDA and SOX audit findings on the security-control side.

Certifications
  • CISSP (primary)
  • VCP — VMware Certified Professional
  • MCSA

Education
  • BS, Information Technology

Experience
  • 20+ years in IT
  • 11+ years cybersecurity leadership (manager level and above)
  • Managed cybersecurity at two pharma companies
  • Remediated FDA and SOX audit findings on security controls
  • Primary frameworks — GxP, SOX, NIST, ISO

How I work

  1. Risk-driven, not framework-driven.

    Frameworks are how auditors verify your program; risk is what your program actually addresses. I run the program for risk, then map it to whichever framework your buyers and regulators care about — not the other way around.

  2. Audit-ready, not audit-anxious.

    Every artifact I produce is shaped to survive auditor scrutiny: documented decisions, control-owner sign-off, evidence-of-control, change-control attestation. The audit becomes confirmation, not discovery.

  3. Board-ready, jargon-light.

    Your audit committee and board don't need a CISSP study guide. They need a one-page picture of where you stand, what's next, and what changed since last quarter. I write for that audience.

  4. Honest scope, honest exit.

    A vCISO engagement should end. The job is to mature your security program to the point where you don't need me — and to tell you when that point arrives.

Beyond consulting

I'm also the founder of GateDragon LLC, an AI-engineering studio where I build SaaS products. The most relevant of those for the security audience is ShieldBrief — an AI-curated threat-intelligence brief I built for CISOs and security teams, with CVE enrichment, IOC extraction, and MITRE ATT&CK mapping baked in. Building security tools deepens the consulting practice; the consulting practice keeps the tools honest.

All consulting engagements are contracted through GateDragon LLC.

Most engagements start with a 30-minute conversation about your audit cycle.
