Foundation
~10 hrs / month
Pre-audit-cycle posture; first compliance hire or first formal program
- Risk assessment
- Baseline policies
- Incident response plan
- Monthly check-in
Services
An integrated practice across nine focus areas, scoped to your audit cycle and your buyers' compliance demands.
Engagement tiers
Most engagements start here
Growth
~20 hrs / month
In active audit cycles; expanding to second framework or first regulated buyer
- All Foundation, plus
- TPRM program
- Awareness training program
- Quarterly audit-committee updates
Scale
~40 hrs / month
Multi-framework program; public-company subsidiary or active SOX environment
- All Growth, plus
- Dedicated office hours
- Audit coordination
- Mentoring for in-house security hires
Every engagement is scoped to your specific risk profile and audit cycle.
Schedule a conversation →Practice areas
vCISO Retainer
What it is
Ongoing fractional CISO engagement. I run your security function — strategy, audit cycle leadership, board and audit-committee reporting, incident response leadership, hire planning — on a monthly cadence aligned to your audit calendar.
Who it's for
Commercial regulated companies operating under one or more of GxP, SOX, NIST, ISO 27001, HIPAA, PCI, or GLBA, where security leadership is needed but a full-time CISO isn't yet warranted.
Typical timeline
12+ month engagements, scoped to align with your audit cycle and revisited annually.
Deliverables
- Monthly security review meeting
- Quarterly audit-committee or board-ready security report
- Incident response leadership when needed
- Control-evidence guidance ahead of audit windows
- Security hire planning when the role becomes full-time
Risk Assessments
What it is
Quantitative and qualitative risk reads against the frameworks your auditors and regulators care about — NIST CSF, NIST 800-53, NIST 800-171, ISO 27001, FAIR-style scenario analysis where it adds clarity. Output is a prioritized risk register, not a checklist.
Who it's for
Companies entering a new audit cycle, taking on a regulated buyer, or building a security program from scratch where leadership wants a defensible baseline.
Typical timeline
4–8 weeks for an initial assessment; annual refresh thereafter.
Deliverables
- Documented risk register with severity, owner, and target date
- Framework gap analysis report
- Executive summary suitable for board distribution
- Quick-wins action list
Security Policy & Control Documentation
What it is
Authoring and maintaining the policy and control set that underpins your compliance posture — written for control-owner accountability, not for shelf decoration. Tied to whichever framework your buyers and auditors require.
Who it's for
Organizations that need a defensible policy library that holds up under audit scrutiny — typically pre-audit, mid-audit-remediation, or post-acquisition when policy alignment becomes urgent.
Typical timeline
6–10 weeks for a foundational set; ongoing maintenance through retainer.
Deliverables
- Core policy set (information security, access, change control, incident response, vendor risk, more)
- Control matrix mapping to your relevant frameworks
- Control-owner assignments and review cadence
- Annual policy review process
Tabletop Exercises & Incident Response Planning
What it is
Documented IR plans with executive escalation paths, plus facilitated tabletops that put your leadership team in the seat before an incident does. Outputs are drilled, not theoretical.
Who it's for
Companies with regulatory disclosure obligations, board-level incident reporting requirements, or an IR plan that hasn't been exercised in 12+ months.
Typical timeline
4–6 weeks for plan + first tabletop; recurring tabletops on a 6-month cadence.
Deliverables
- Written incident response plan
- Executive escalation runbook
- Tabletop exercise facilitation (~3 hours, leadership level)
- Post-exercise findings report and remediation list
Vendor / Third-Party Risk Management
What it is
Designing and operating a TPRM program — vendor classification, due-diligence questionnaire flow, ongoing review cadence, and the documented evidence trail your auditors will ask for.
Who it's for
Organizations with significant third-party data flows, regulated buyers asking for vendor attestations, or a TPRM program that exists in spreadsheets but not in practice.
Typical timeline
4–6 weeks to stand up; ongoing operation through retainer.
Deliverables
- TPRM policy and process documentation
- Vendor risk classification framework
- Due-diligence questionnaire (DDQ) templates
- Ongoing review cadence definition
Security Awareness Training Programs
What it is
Curriculum, delivery cadence, and measurement for a security awareness program that holds up to compliance review — including phishing simulation governance, role-based training paths, and training-completion reporting.
Who it's for
Companies subject to HIPAA / SOX / PCI training mandates, or regulated buyers asking for training-completion attestations.
Typical timeline
6–8 weeks to stand up; annual refresh and reporting.
Deliverables
- Annual training curriculum
- Phishing simulation policy and scoring rubric
- Role-based training path design
- Training-completion reporting framework
Penetration Testing Coordination
What it is
Scoping, vendor selection, and findings triage for penetration tests. I broker the engagement to a separate firm — never run the test myself — then translate findings into a remediation roadmap your engineers can act on.
Who it's for
Companies that need an annual or pre-audit pentest and want the scoping, vendor selection, and remediation work managed by someone who isn't selling the test.
Typical timeline
2 weeks for scoping; 4–8 weeks for execution and findings; ongoing remediation tracking.
Deliverables
- Test scoping document
- Vendor evaluation and selection
- Findings triage report with severity and effort estimates
- Remediation tracking through completion
Board / Audit-Committee Security Reporting
What it is
Quarterly written security narratives for your board or audit committee — current-state posture, trend lines, incidents, regulatory landscape changes, and what's next. Written for executives, not for engineers.
Who it's for
Public companies, regulated companies with active audit committees, and growth-stage companies where the board has begun asking security questions.
Typical timeline
Ongoing through retainer, aligned to your board calendar.
Deliverables
- Quarterly board-ready security report (one-page summary + supporting detail)
- Annual security narrative for the board package
- Q&A preparation for committee meetings
Security Staff Mentoring
What it is
1:1 mentoring for in-house security hires — analyst through security manager. Helps your first or second security hire grow into the role faster and gives them a senior peer to escalate to outside the chain of command.
Who it's for
Companies with a junior or mid-level security hire who lacks a senior security peer in-house, particularly during compliance-heavy stretches.
Typical timeline
6+ month engagements; revisited as the hire matures.
Deliverables
- Bi-weekly 1:1 mentoring sessions
- Career-path discussion and goal-setting
- Technical and judgment-call sounding board