Security Services

For over a decade I've helped organizations build security programs that work — not just check boxes. Here's what a fractional CISO engagement with me looks like in practice.

Fractional CISO / vCISO

A seasoned CISO without the full-time cost.

You get a seasoned CISO without the full-time cost. I integrate with your leadership team, own your security program, and report to your board or executive team. Engagements are flexible — monthly retainer, project-based, or interim coverage.

Compliance Programs

I've achieved SOC 2 Type II, ISO 27001, Common Criteria, HIPAA, and GDPR compliance at a 2,000-person multinational. I know what auditors actually look for, and how to build programs that pass — and stay passed. Whether you're starting from zero or remediating a failed audit, I've done it.

SOC 2 Type II, ISO 27001, Common Criteria, HIPAA, GDPR

Product Security & DevSecOps

No known vulnerabilities on day of release.

I enforced a standard most software companies consider aspirational: no known vulnerabilities on day of release. I work with development teams to integrate security into the SDLC — threat modeling, code review practices, dependency management, and security testing — so problems are caught before they ship, not after.

Security Risk Assessment

A clear picture of your actual risk posture.

A clear picture of your actual risk posture, presented in language your board and executives can act on. I assess your people, processes, and technology, then deliver a prioritized roadmap with business context — not just a list of CVEs.

Security Awareness Training

Training that sticks.

I've built security awareness programs from scratch, tailored to the actual threats facing a global software company. Generic training doesn't stick. I build programs around your culture, your industry, and your real threat landscape.

Who I Work With

Mid-market US and Canadian companies.

Companies typically between $20M and $500M in revenue that need enterprise security leadership without a full-time CISO. I'm particularly effective with SaaS companies, healthcare technology firms, software publishers, and PE-backed companies preparing for security due diligence.

Ready to Talk?