Virtual CISO (vCISO)– GRC Advisor

The  vCISO Advisor serves as a fractional Chief Information Security Officer for multiple client organizations, providing executive-level security leadership, enterprise risk governance, and compliance oversight, independent of any managed IT provider.

The vCISO is backed by a broader Security Advisory team including analysts, GRC specialists, offensive security testers, and other senior advisors.

• Serve as the primary security executive advisor to client leadership and boards.
• Define and maintain security strategy, multi-year roadmaps, and risk priorities, aligned to NIST-based risk management practices.
• Own enterprise risk programs, including risk registers, treatment decisions, and maturity tracking.
• Lead audit and compliance readiness across common security and compliance frameworks.
• Govern incident response programs, including IR plans, tabletop exercises, and executive coordination during active incidents.
• Oversee client GRC platforms as the system of record for risk, controls, policies, vendors, and audit evidence.
• Lead vendor and service-provider risk management, including cyber insurance and customer security reviews.
• Manage multiple concurrent vCISO engagements while maintaining delivery quality, executive credibility, and client trust.
• Direct, review, and assure work performed by analysts, specialists, and other advisors in support of client objectives.

• 6+ years in information security, GRC, audit, or security program leadership.
• Demonstrated experience functioning as a vCISO, CISO, or senior CISO advisor.
• Deep hands-on experience with enterprise security and compliance frameworks including NIST.
• Proven ability to:
  • Operate at the executive and board level
  • Translate security risk into business and financial impact
  • Advise client leadership in making risk acceptance, prioritization, and investment decisions
• Demonstrated leadership in:
  • Incident response governance
  • Third-party and service-provider risk
•  Experience managing multiple clients in parallel.

• Microsoft data governance and information protection, including Purview, sensitivity labels, DLP, and records management.
• Cloud security governance across Azure, AWS, and SaaS platforms.
• Privacy engineering and data protection operations supporting global privacy programs.
• Identity and access governance, including privileged access management and zero trust strategies.
• Cyber insurance readiness and claims advisory.
• M&A cyber due diligence and post-close security integration.
• Business continuity and disaster recovery governance and tabletop facilitation.
• Security metrics, KRIs, and board-level reporting.
• Regulatory change management and policy modernization.
• Industry-related certifications: CISSP, CISM, CISA, CRISC, ISO 27001 Lead Auditor or Lead Implementor