Advisory Services
Over my career I've worked to offer tailored cybersecurity expertise to help organizations build, improve, and operationalize their security program. From compliance to building out risk management functions and executive-level advisory, I'm experienced in providing actionable guidance backed by industry standards and experience.
Control Maturity
Helping organizations develop a clear understanding of where they stand against top security frameworks. I've worked to identify gaps, prioritize remediation efforts, and help organizations move confidently toward compliance or certification.


Control Maturity
“How strong and effective are the controls we already have?”
Assessing how well current security controls are designed, implemented, and maintained
Scoring controls using a maturity model (e.g., 1–5 scale) based on process, automation, and consistency
Identifying areas where controls exist but are weak, inconsistent, or outdated
Aligning improvements with your risk tolerance and long-term business goals
Gap Assessments
“Do we have all the required controls in place?”
Tailored assessments to security/privacy frameworks
ISO 27001, NIST CSF & 800-53, SOC 2, HIPAA, PCI-DSS, and more
Readiness assessments for audits or certifications
Identify missing or incomplete controls needed for certification or attestation
Tailored action plans based on maturity and risk
3rd Party Risk Management
Managing and mitigating risks from vendors, suppliers, and partners—both inbound and outbound
Vendor Due Diligence
Performing initial and ongoing risk reviews of third parties
Creating and customizing standard questionnaires (SIG, CAIQ, custom)
Contract and SLA Risk Review
Analyzing vendor contracts for data protection, breach response, and liabilities
Aligning terms with internal security requirements
Recommending changes to ensure enforceability and clarity
TPRM Program Development
Designing and operationalizing a complete TPRM function
Advising on tooling and workflow automation
Policy Development
Building policies that work in the real world, not just on paper
Policy Review and Gap Analysis
Reviewing current documentation for completeness and alignment
Mapping policies to applicable frameworks (SOC 2, ISO, HIPAA, etc.)
Recommending updates for clarity, enforcement, and effectiveness
Policy Creation and Customization
Developing security policies tailored to your environment and risk profile
Including guidance for versioning, ownership, and approval
Employee-Facing Documentation
Creating Acceptable Use, Remote Work, and Awareness policies
Writing in plain language for non-technical audiences
Risk Assessments
Understanding the risk landscape and helping organizations make informed, prioritized decisions
Enterprise Risk
Identifying and evaluating security, compliance, and operational risks across your organization
Mapping risks to business impact, likelihood, and existing control coverage
Prioritizing mitigation efforts based on severity and alignment with risk appetite
Aligning risk programs with industry standards like NIST RMF, ISO 27005, or FAIR methodology
Supporting internal risk registers, compliance initiatives, or board reporting
Tailoring programs for enterprise-wide reviews, targeted systems, or specific initiatives (e.g., cloud migration)
And more...
Providing flexible, ongoing advisory services to support organizations' security and compliance goals


CISO Services
Incident Response Preparedness
Building, testing, and refining incident response programs to ensure organizations are prepared when it matters most