GRC and Cybersecurity phrasing, especially in the consulting world, can be confusing. I’ve created definitions and descriptions for my services to help demystify them. Not sure if your needs fit into one of these service buckets? Send me a message and let’s get chatting about how I can help you!
Virtual Chief Information Security Officer (vCISO) or temporary CISO needs: a vCISO is a less-than-full-time position that allows a company to have a qualified CISO on staff without dedicating a full-time employee to the role. These are often consultants/contract employees who work with you for a set number of hours per month to handle both regular/recurring and ad-hoc tasks that a full-time CISO would do for your company. Examples include but are not limited to: security program design & implementation; policy drafting, review and implementation; control/configuration guidance & assistance; executive-level audit support before, during and after the audit; operational support for business activity (e.g. new software acquisition, software development changes, vendor evaluation, etc.); board or management-level reporting or presentations.
Consulting on GRC/cybersecurity: Not sure where to start, how you stack up against the industry, or how you’ve implemented best practices? Maybe you want an assessment done against the NIST framework, or need a risk assessment done on a new product/service segment? Not sure how to implement new PCI-DSS controls, or maybe you’ve already covered them in existing control documentation and didn’t even know it? Sign up for this service, which includes reviews, interviews & other activities, culminating in a report and next-step guidance on how to improve, right-size or build your GRC and/or cybersecurity program.
Project-based GRC/cybersecurity support: Have you already completed an assessment or review and know what your next steps are, but don’t have the staffing to get there? Hire me as an SME-level task executor who can take your project from idea to completion before you know it. Your project might be recurring (e.g. annual audit support) or one-time (e.g. drafting of policies); either way, let’s partner to make your projects come to life! Tasks include but are not limited to setting up governance programs; risk and control self-assessment (RCSA) program assistance and execution; drafting/updating policies, standards or procedures; audit facilitation (e.g. a SOC 2 or PCI-DSS audit with an external auditor); and assisting with post-audit issue resolution activities.
Control-based GRC/cybersecurity work: Do you need help with your control environment? Whether you’re required to make enhancements before your next board meeting, have findings from an internal or external auditor, or have an upcoming compliance deadline, let’s partner to get that control environment working for you. Tasks include but are not limited to design/operating effectiveness control updates; issue resolution; documentation of the current control environment; testing/auditing of controls; and control automation, control evidence automation or audit evidence gathering.