About The Position

The virtual Chief Information Security Officer (vCISO) is a client-facing role at iCorps Technologies, a company that has provided IT consulting and managed services since 1994, specializing in cloud computing, cybersecurity, IT governance, and outsourced IT support. As a Microsoft Solutions Partner and Cloud Service Provider, iCorps is seeking a seasoned security leader to act as the vCISO for clients who cannot afford a full-time CISO. This role demands treating security as an operational discipline with clear priorities, measurable outcomes, realistic sequencing, and transparent communication. The vCISO will bring the experience and operational discipline of a seasoned CISO to client organizations.

Requirements

  • At least ten years in information security.
  • Meaningful time spent in a leadership role.
  • Demonstrated experience running gap analyses against more than one major framework.
  • Experience translating findings into funded and executed roadmaps for clients.
  • Direct experience aligning a business to NIST CSF, ISO 27001, SOC 2, HIPAA, or CMMC.
  • Sufficient range to adapt to other frameworks.
  • Fluency with modern identity, endpoint, cloud, and detection tooling, with the ability to distinguish good implementations from bad.
  • Judgment on investment, deferral, and risk acceptance, with strong communication skills to explain this judgment to executives and boards.
  • A bachelor’s degree in computer science, information systems, cybersecurity, or a related field, or equivalent experience.
  • CISSP or CISM certification required at hire or within a reasonable onboarding window.

Nice To Haves

  • Prior CISO or deputy CISO experience is strongly preferred.
  • CMMC 2.0 working knowledge is a meaningful advantage.
  • A point of view on AI governance and the secure adoption of generative AI in a business setting.
  • CCSP for cloud-heavy engagements.
  • CRISC for governance and risk.
  • CISA for audit.
  • CMMC CCP or CCA for clients pursuing CMMC certification.
  • Relevant GIAC certifications (GSLC, GCIH, GPCS) where they match the engagement focus.

Responsibilities

  • Provide hands-on advisory guidance on day-to-day security decisions, including architecture choices, control implementation, vendor selection, configuration questions, incident calls, and judgment calls for maturing programs.
  • Advise on identity-first security and zero trust adoption, cloud posture across Microsoft 365, Azure, AWS, and Google Cloud, endpoint and detection strategy, MDR and XDR partnerships, ransomware resilience and tested recovery, third-party and supply chain risk, and the secure adoption of generative AI.
  • Set and run security programs to align clients with applicable frameworks such as NIST CSF 2.0, ISO 27001:2022, CMMC 2.0, SOC 2, HIPAA, PCI DSS 4.0, US state privacy laws, SEC cyber disclosure, and cyber insurance attestations.
  • Translate executive intent into governance structure, policy, controls, and board-ready reporting.
  • Establish and manage recurring security committees at each client.
  • Own AI governance, including policies, review processes, and committee structures for the secure adoption of AI tooling.
  • Conduct baseline assessments at engagement kickoff, periodic reassessments, and targeted assessments tied to events like acquisitions or regulatory changes.
  • Produce remediation roadmaps with sequencing, ownership, and effort that clients can fund and execute.
  • Run post-incident assessments to verify control performance.
  • Own the security program for each assigned client, including strategy, roadmap, and reporting cadence with executive sponsors and boards.
  • Lead identity-first security initiatives, including conditional access, PIM and PAM, least privilege, identity threat detection, and joiner-mover-leaver discipline.
  • Drive cloud posture across Microsoft 365, Azure, AWS, and Google Cloud, addressing CSPM and SSPM findings, hybrid work controls, and SaaS-to-SaaS risk.
  • Set the direction for detection and response, emphasizing incident readiness (tabletops, runbooks, escalation paths, retainer relationships).
  • Guide ransomware resilience efforts, focusing on immutable backups, tested recovery objectives, recovery drills, and executive-level tabletop exercises.
  • Own third-party and supply chain risk management, including vendor due diligence, SBOM awareness, and fourth-party exposure.
  • Lead AI governance and the secure adoption of AI tooling across policy, technical configuration, and monitoring for shadow AI.
  • Guide incident response efforts, coordinating with legal, forensics, insurance, and law enforcement, and lead post-incident reviews to integrate lessons into policy and controls.
  • Partner with iCorps delivery teams to ensure recommendations are implementable within managed environments.

Benefits

  • IT consulting and managed services delivered since 1994
  • Specialization in cloud computing, cybersecurity, IT governance, and outsourced IT support
  • Microsoft Solutions Partner and Cloud Service Provider
  • Microsoft US Partner Award Winner for Security and Compliance
  • Client-facing role
  • Opportunity to act as a security leader for clients
  • Treats security as an operational discipline
  • Clear priorities, measurable outcomes, realistic sequencing, and honest conversations
  • Hands-on advisory guidance
  • Identity-first security and zero trust adoption
  • Cloud posture management across major cloud providers
  • Endpoint and detection strategy
  • MDR and XDR partnerships
  • Ransomware resilience and tested recovery
  • Third-party and supply chain risk management
  • Secure adoption of generative AI
  • Alignment to multiple security frameworks (NIST CSF, ISO 27001, CMMC, SOC 2, HIPAA, PCI DSS)
  • Translation of executive intent into governance, policy, and controls
  • Board-ready reporting
  • Recurring security committee management
  • AI governance ownership
  • Gap analysis and assessment services
  • Remediation roadmap development
  • Post-incident assessment services
  • Ownership of client security programs
  • Lead identity-first security initiatives
  • Drive cloud posture management
  • Set direction for detection and response
  • Guide ransomware resilience
  • Own third-party and supply chain risk
  • Lead AI governance and secure adoption
  • Guide incident response
  • Partner with iCorps delivery teams
  • Client-facing advisory work delivered as a service
  • Manage a portfolio of clients
  • Monthly operating reviews, quarterly executive reviews, and annual strategy refreshes
  • Formal gap analyses at kickoff and annually
  • Occasional travel
  • Most work is remote
  • Onsite presence when it materially improves engagement
  • Part of iCorps' managed security practice
  • Peer review on major client deliverables
  • Consistent point of view across the practice
  • Environment that takes the craft seriously