A CISO When You Need One
Without the $300K Salary

Mid-market companies are getting hit hard right now. Cyber insurance requirements. SOC 2 audits. CMMC mandates. Board pressure after every headline breach. They need security leadership but cannot justify a full-time hire. Fractional CISO work is security program leadership on a monthly retainer. You get someone with actual enterprise experience who owns this function for your company, not a certification holder working through a checklist.

Who Hires a Fractional CISO

This is not for everyone. It is for companies where something specific has made security impossible to ignore.

Enterprise Deals Stalling

Your sales team is losing deals because prospects send a 50-question security questionnaire and you have no answers. A CISO fixes that.

Cyber Insurance Renewal

Insurers are requiring MFA, endpoint detection, incident response plans, and documented controls. You need someone who can get that done.

SOC 2 or CMMC Pressure

Customers or DoD contracts are requiring audit readiness. You need a security program, not just a policy document someone found online.

Board or Investor Scrutiny

Your investors or board want to know who owns security and what the posture is. Right now you have no good answer.

Post-Incident Cleanup

Something happened. A breach, a vendor compromise, a failed audit. You need a plan and someone to own it.

First Security Hire Coming

You are about to hire your first security person and you need someone senior to write the job description, run the interview, and set the direction.

What a Fractional CISO Engagement Looks Like

Here is how the work actually flows from first call to ongoing advisory.

Security Posture Assessment

First 30 days: understand your current state, identify your real risks, and produce a risk register that is grounded in your actual business, not a generic template.

Program Architecture

Build the security program structure your company needs for its stage. Policies, vendor management, access controls, incident response. The pieces that get asked about in audits and enterprise sales.

Ongoing Advisory

Monthly calls, board reporting, security questionnaire responses, vendor security reviews, and a direct point of contact when something happens.

Audit and Compliance Prep

SOC 2 readiness, CMMC Level 1 and Level 2 prep, cyber insurance questionnaires. Direct preparation for the specific compliance target your business is working toward.

Real Background

Why This Is Different

Built security tools at JPMorgan Chase

Enterprise financial security is a different category. Regulatory scrutiny, real adversaries, zero tolerance for mistakes. That experience translates directly to what your company needs.

Led engineering at DENSO

Security in embedded and operational technology environments where a mistake does not just mean a breach; it means physical harm. Supply chain security, threat modeling across every layer, and systems where safety is not optional.

Security built into the foundation

Most vCISOs hand you a policy doc. Security that holds up under real scrutiny comes from understanding how the system is actually built. This background comes from building systems from the ground up with security considered from day one.

You work with the senior person

No juniors running your engagement while a senior person signs off. Direct access to the person with the actual background.

How the Engagement Works

Initial call

We talk through your situation, your business, and what is actually driving the need. No pitch. Just understanding whether this is the right fit and what the scope should be.

Posture assessment

First month is always a structured assessment. Current state, gaps, risk prioritization, and a clear view of what needs to happen in what order.

Program build

Months two and three: building the security program components your specific situation requires. Policies, controls, incident response, vendor reviews.

Ongoing retainer

After the foundation is in place, ongoing advisory work: board reporting, new vendor reviews, compliance prep, questionnaire responses, and being available when something comes up.

What This Is Not

Worth being clear about this upfront.

Not a policy document service

You can buy a SOC 2 policy template online for $500. That is not what this is. This is building an actual security program that holds up when it gets tested.

Not for bootstrapped startups

If you have 5 employees and $500K in revenue, this is not the right fit yet. This is for companies where security has a real business impact.

Not just chasing a certification

Getting a SOC 2 report means nothing if the underlying controls are hollow. The goal is a security program that actually works, and the certification follows from that.

Let's Talk About Your Situation

If you have a specific compliance deadline, a deal that is stalling on security questionnaires, or a board asking questions you cannot answer, that is where this starts. One conversation, no commitment.