Consulting Services

Why work with me?

  • 20+ years in information security and program management. As a consultant and CISO, I’ve implemented over 10 security programs for all types of companies. Most recently, I spent 2.5 years as CISO for Frontline Education, where I established the company’s first security program, achieved SOC 2 Type 2 certification for all products and made the security program a competitive differentiator. See my LinkedIn profile.
  • Hands-on CISO with practical experience in software development, systems administration, DevOps/CI/CD, AWS, privacy law and project management.
  • My approach is practical and gets a team focused on high-impact, low-effort results: build processes that run with as little impact on the business as possible while still managing risk, do the basics well with what you already have in place, and don’t throw money at tools with unclear ROI.
  • Independent consultant – no agenda to sell technology/tools or promote specific vendors.
  • More than an insurance policy – I can work with your marketing team to differentiate your company in the market and be an ongoing resource to address new risks.

Governance Risk and Compliance Services

  • Customized training and simulated phishing
  • KPI dashboards spanning all aspects of the program
  • Quantitative risk modeling to justify investment and develop business cases for executives and the Board of Directors
  • Unified control framework based on NIST CSF and CSA CCM (for compliance with SOC 2, ISO 27001, HIPAA/HITECH, FERPA, NIST 800-53, PCI DSS)
  • Use of the Objectives & Key Results (OKR) framework to drive results

Software Development Security

  • Container security (Twistlock and Chef Automate/InSpec)
  • Vulnerability prioritization and remediation
  • Red teaming and simulated attacks
  • Static code analysis (SonarQube)
  • IAST and RASP tools (Contrast Security)
  • GitHub code review triggers (Jira integration)
  • OWASP Dependency-Check
  • Endpoint detection and response (Carbon Black)
  • AWS security services (GuardDuty, Inspector, Config/CloudWatch, IAM and Well-Architected standards)

Security Operations Services

  • Establish a comprehensive security monitoring and incident management capability
  • Create playbooks, scripts and communication protocols to ensure every incident receives a quick and adequate response
  • Conduct ongoing tabletop exercises and simulated attacks

Security Testing and Validation

  • Conduct simulated attacks to find the soft spots in your information assets
  • Implement the latest software development testing tools, such as Interactive Application Security Testing (IAST), and build automated test cases
  • Assess major product releases and provide an independent stamp of approval

Security Marketing and Sales

  • Evangelize and promote your security program with current and prospective customers
  • Work with marketing teams to create content for sales and provide thought leadership through blogging, webinars and customer meetings
  • Proposal development and presentations