Three shapes the work takes.
One audit.
Architecture review. Pre-audit readiness. Vendor due diligence. The kind of work that has a defined end and a written deliverable.
Fractional CISO.
Strategy, policy, compliance, vendor assessment, incident response. I’ll sign the annual review only after I’ve read it.
Fractional CTO.
Security by design, not bolted on. Vendor selection, technical due diligence. When one head isn’t enough, I bring people from iitcon.
Lived in, not studied.
HIPAA. HITRUST. NIST 800-53/171. ISO 27001. SOC 2. PIPEDA, PIPA. Worked across all of them on production infrastructure — not in a course module. The work is mapping controls against the data flow you actually have, then closing the gaps that matter.
The certifications belong on the CV page.
What I won’t do.
Saying no to the wrong fit is the most useful thing I can do for both of us.
- Write a SOC 2 policy you’ll never read so an auditor can tick a box.
- Run a phishing simulation that demoralises your help desk while the executive team is exempt.
- Sell a SIEM, an EDR, or a CASB. I have no vendor commissions and don’t accept them.
- Sign a review I haven’t read — or one I have read and disagree with, for the sake of the relationship.
- Soften a finding to protect a stakeholder’s quarter.
- Take a retainer I can’t deliver against. If your problem is acute and I’m engaged, I’ll point you at someone who can.