Virtual CISO

Fractional security leadership without the full-time salary. Field CISO at Praetorian, security architect at Amazon, delivery leadership across 400+ accounts at Synopsys.

Why This Engagement Exists

Big 4 firms sell a partner in the pitch meeting and staff your engagement with second-year analysts. MSPs are bolting auto-generated risk assessments onto their service catalogs and calling it vCISO. Neither gets you someone who's built and run the programs they're advising on.

I built security architecture for Amazon's global payments platform, ran application security delivery across 400+ accounts at Synopsys, and served as Field CISO at Praetorian. No rotating cast, no junior analyst with a checklist.

What This Looks Like

I operate as your security executive on retainer. Program assessment, risk governance, board reporting, vendor evaluation, incident planning. The strategic and governance side of the CISO role, scoped to what you actually need right now.

Deliverables

  • Security program assessment and gap analysis
  • Risk governance framework and board reporting
  • Security roadmap with prioritized initiatives
  • Vendor evaluation and architecture guidance
  • Policy and standards development
  • Incident readiness planning and tabletop exercises
  • Third-party and vendor risk management
  • Compliance readiness: SOC 2, HIPAA, PCI DSS, GDPR

Engagement Model

Starts with a 2-3 week program assessment to establish baseline and priorities. From there, a monthly retainer, typically 2-4 days per month of active advisory with availability for urgent matters between sessions. When the work calls for offensive testing, I staff it through senior researchers at Critical Assets. One relationship, not five vendors.

Who This Is For

  • Mid-market companies ($50M-$500M) that need senior security leadership but can't justify or find a full-time CISO
  • Organizations facing a compliance push, board scrutiny, or an incident, and that need experienced security leadership on short notice
  • Companies running security through IT or engineering who need someone to build the program

Frequently Asked Questions

What does a virtual CISO do?

I'm your security executive on retainer. Board reporting, risk governance, vendor evaluation, incident planning, program design. The strategic side of the CISO role, scoped to 2-4 days a month instead of a $400K salary.

How is a vCISO different from a Big 4 or MSP offering?

You work with me directly. Big 4 firms and MSPs sell the title but staff the work with junior people. I sat across from boards and exec teams as Field CISO at Praetorian. You're not getting handed off.

How long does a vCISO engagement typically last?

Starts with a 2-3 week assessment. After that, most clients stay on retainer. Some run six months, some go longer.