Security leadership that integrates early.

Fractional security leadership for growth-stage and PE-backed companies.

Long-term relationship, not a project that ends. Same CISO across the years, variable cadence around your cycle.

What fractional security leadership is

  • A long-term relationship, not a project. The same CISO comes back for the next audit window, the next board report, the next customer security review. The compounding comes from knowing the company, the team, the controls, and the audit history.
  • Variable cadence around the cycle. Three to four days a week during audit prep, board cycles, and customer due diligence. Around ten hours a week steady state between them. Periodic check-ins during quieter stretches.
  • Leadership, not execution. The work is strategic direction, program architecture, and decision support. Your team or contractors handle implementation. The CISO sets the standard, reviews the output, and represents security to the board and customers.

Who this is for

A fractional security leader fits when the work is concentrated in time, the company is still building, and the full-time package is more than the work justifies.

You have a security deadline coming

A customer is asking for a SOC 2 report. A board member wants a risk assessment. An investor is doing due diligence. You need someone who can produce a credible answer, not a checklist.

You need a security program, not a security hire

You have engineers, you have IT, you have compliance. What you do not have is someone who can design the program, write the policies, stand up the controls, and defend the result in front of an auditor or a customer.

You are growing faster than your security function

The controls that worked at 20 people do not work at 200. The architecture decisions from the seed round are now compliance liabilities. You need leadership that has seen this curve before.

You need someone who can talk to the board

Security risk is a board-level conversation now. You need someone who can translate technical reality into business risk, without jargon, and without making the board feel like they are being managed.

Areas of leadership

The work concentrates in four areas. Every engagement is a single relationship that draws on whichever areas the company needs at the moment.

01  Security program development

Framework selection and implementation (NIST, ISO 27001, SOC 2). Policy creation. Governance design. Incident response planning. Built for your reality, not copied from templates.

02  Compliance and risk management

SOC 2, ISO 27001, HIPAA, GDPR preparation. Evidence collection. Vendor risk assessment. Control documentation that auditors accept and teams can actually use.

03  Product and architecture security

Security design reviews. Threat modeling that surfaces real risks. Architecture assessments that balance security with shipping velocity. Secure SDLC integration.

04  Board and executive advisory

Security strategy and roadmap. Risk communication that connects to business outcomes. Budget planning. Investor due diligence support. The result is a security posture you can defend.

How relationships start

01  Call

A 30-minute conversation to establish fit. No pitch, no deck. You describe the situation; I describe what I would do. If the fit is not there, that is the end of it.

02  Assess

Two to three weeks of structured assessment. The output is a written document: current state, gaps, and a proposed arc for the engagement. The arc is the deliverable. If the arc does not make sense, the relationship does not start.

03  Engage

Recurring fractional commitment, scope-defined, signed off in writing. The cadence flexes around the company's cycle. The CISO who shows up for the next audit window is the one who wrote the controls the first time around.

If this sounds like the shape of relationship you're looking for, let's talk.

A 30-minute call is the cleanest way to figure out whether the engagement makes sense for where your company is right now.