Most engagements follow the same shape — diagnose first, build the foundation that survives an audit, then operate as your security function until you outgrow me.
Four principles I run every engagement on.
Frameworks are how auditors verify your program; risk is what your program actually addresses. I run the program for risk, then map it to whichever framework your buyers and regulators care about — not the other way around.
Every artifact I produce is shaped to survive auditor scrutiny: documented decisions, control-owner sign-off, evidence-of-control, change-control attestation. The audit becomes confirmation, not discovery.
Your audit committee and board don't need a CISSP study guide. They need a one-page picture of where you stand, what's next, and what changed since last quarter. I write for that audience.
A vCISO engagement should end. The job is to mature your security program to the point where you don't need me — and to tell you when that point arrives.
Monthly written deliverables
Policies, decisions, reports — not just meetings.
Audit-committee-ready quarterly briefings
One-page picture of where you stand, what's next, what changed.
Documented control-owner assignments
Every control has a named owner and an evidence trail.
Clear engagement scope and clear endpoint
You'll always know what I'm doing this month and how the engagement ends.
Sell you tools.
No vendor referral fees. Tool recommendations are independent and scoped to your scale.
Run penetration tests myself.
Conflict of interest. I scope, broker the right firm, and triage findings — but a separate set of eyes is the point.
Take federal classified work.
No security clearance, intentional. If your scope requires it, I'll refer you to someone who's cleared.
Be your full-time CISO in disguise.
A fractional engagement only works if it's actually fractional. If your needs are full-time, I'll tell you and help you hire.