A CISO on your team, at startup scale
Ongoing, part-time security leadership embedded with your team — strategy, risk, compliance ownership, and board-level reporting, scaled to what your stage actually requires.
Who this is for
Companies between seed and Series B — roughly 10 to 150 people — where security has become real: customers are asking hard questions, a certification is on the horizon, investors want to know who’s accountable, or you’re entering a regulated market and need someone who’s done it before.
You don’t need a full-time CISO yet. You need senior ownership for a few days a month — someone accountable for the program, not another report telling you what’s wrong.
What the engagement covers
Strategy & roadmap
A security roadmap tied to your revenue goals and funding milestones — not a generic maturity model.
Risk management
A living risk register your leadership team actually uses, with decisions documented and owned.
Program ownership
Policies, controls, and compliance obligations with one accountable owner — including your SOC 2 or ISO program.
Vendor & customer security
Questionnaires, trust reviews, and vendor assessments handled by your security leader, not your founders.
Board & investor reporting
Clear, honest reporting on posture and progress — the kind that makes due diligence a non-event.
Incident readiness & coaching
A tested response plan, and a team that gets more security-capable every month I’m there.
How it works
Typically two to eight days a month, depending on stage and what’s in flight. I work embedded in your tools — Slack, your ticketing system, your meetings — so security decisions happen where your team already works, at the speed your team already moves.
The first 90 days: a clear-eyed assessment of where you stand, a risk register your leadership agrees with, the three to five changes that matter most actually shipped, and a roadmap for the rest — sequenced against your deals, audits, and funding timeline.
When you’ve outgrown this
At some point — usually past 150 people, or when security becomes a daily operational function — fractional stops being the right answer. That’s the goal. When you get there, I’ll help you write the job description, interview candidates, and hand your first full-time security leader a program that works, not a pile of findings.
FAQ
How is this priced?
A monthly retainer scoped to a set number of days. No hourly billing, no surprise invoices. We adjust the scope quarterly as your needs change.
How much of my team’s time does this take?
Less than you’d think. I do the work, not just direct it — your engineers get specific, prioritized asks, not a 40-page report to interpret.
Do you work with our existing tools?
Yes — including compliance platforms like Vanta or Drata if you have one. Tools help; they still need an owner.
Is this remote?
Remote-first, from Metro Vancouver. On-site when it matters — board meetings, audits, customer visits.
Wondering who owns security at your company?
The next step is a 30-minute conversation — no pitch, no obligation. An honest read on where you stand and what actually matters next.