LeWinter Advisory

Cybersecurity, Risk, Compliance & Privacy

Security and compliance that hold up when someone checks.

Whether a customer is demanding proof, a regulation is bearing down, or you just want to know where you stand, I help you get secure, get compliant, and stay that way. Built to survive real scrutiny, not just to look the part.

Most of what gets sold as "compliance" is theater: a binder that satisfies a checklist and crumbles under a real audit or a real attack. We work the other way around. Get genuinely secure, document it honestly, and the certifications and questionnaires take care of themselves. Everything in this practice is built to the same standard: practical enough to actually implement, defensible enough to stand behind, and able to hold up when a customer, an auditor, an insurer, or an attacker puts weight on it.

I've been the CTO and the lead architect on financial-services systems where the details had to be exactly right. So this isn't advice from the sidelines. It's work from someone who's owned the decisions and lived with them.

The rest of the practice

Beyond the front doors above, this is the full range of security, risk, compliance, and privacy work we do. Most of it starts from an assessment and grows into a program.

Compliance and audit readiness

HIPAA, Security and Privacy Rules. If you handle protected health information, we assess where you stand against both the Security Rule and the Privacy Rule, identify the gaps, and build the roadmap to close them. The federal government has proposed a significant update to the HIPAA Security Rule, expected to be finalized in the coming period; we'll make sure what you build accounts for where the rules are heading, not just where they've been.

ISO 27001. A gap assessment against the ISO 27001 standard and a roadmap toward an information security management system, so you know exactly what building a certifiable program would take.

Multiple frameworks at once. Most growing organizations face several of these at the same time: SOC 2 for customers, HIPAA for healthcare data, PCI for card payments, and more. The good news is they overlap heavily. We help you build one coherent program that satisfies several frameworks instead of running parallel fire drills, so the work compounds instead of repeating.

Assessments and reviews

Cloud Security Assessment (AWS / Azure / Microsoft 365). Most organizations live in the cloud now and assume the provider has security handled. The provider secures the platform; you're responsible for how you've configured it, and that's where the gaps are. We assess your actual cloud setup and tell you what to fix.

IAM / Identity Governance Review. Identity is the front door to everything. We review who has access to what, how access is granted and removed, and where the dangerous gaps are: over-privileged accounts, orphaned access, weak authentication on the things that matter.

AI Governance & Risk. If your organization is adopting AI, we assess the risks and help you put sensible governance around it, using recognized frameworks, so you can move forward without creating exposure you don't understand. This is also the productized entry point into Infrastructure, Transformation & AI.

Manufacturing / OT Cybersecurity Assessment. Securing a plant floor takes someone who's actually been on it. We assess operational technology without putting production at risk, because my background runs from PLCs and manufacturing execution systems through ERP. See the OT assessment.

Building the program

Cybersecurity Policy & Procedure Library. The documented policies and procedures a real security program runs on, written to fit how your organization actually works, not generic templates you'll ignore. The foundation auditors, customers, and insurers expect to see.

Vendor / Third-Party Risk Program. Your security is only as strong as the vendors you hand data to. We build a program for assessing and managing third-party risk, so a partner's weak security doesn't quietly become your breach.

Penetration Test Scoping & Remediation Translation. When you need a penetration test, often for SOC 2 or a customer requirement, we scope it correctly, bring in the right testing partner, and then do the part that's usually missing: translate the findings into a clear, prioritized remediation plan and make sure the fixes actually happen. You get the test and the follow-through, from one accountable point of contact.

Privacy Program Build & Data Mapping. Beyond the website review, a broader privacy program: mapping what personal data you hold and where it flows, building consumer-rights (DSAR) processes, setting retention rules, and getting vendor data-processing terms right.

How delivery works

When work needs hands we don't have (penetration testing, around-the-clock monitoring, managed operations), we bring in vetted partners and direct them. You get one accountable relationship: we own the strategy, the judgment, and the outcome, and we're straight with you about who's doing what. More on how we work.

Get in touch