Fractional Security Program Lead
Practical security programs built for SaaS companies — from policies and controls to SOC 2 audit readiness, without the cost of a full-time CISO.
I build and run security programs for software companies — from establishing the foundational policies and controls to leading organizations through SOC 2 audit preparation. I've built a security program from the ground up for a company with no prior formal program, and led that same organization through four consecutive SOC 2 Type 2 audits with zero findings.
This work spans policies, technical controls, vendor oversight, customer questionnaire responses, and ongoing governance. For organizations adopting AI tools, it also includes developing usage policies and reviewing the security implications of AI integrations.
When Customers Start Asking Questions You Can't Answer
It usually starts with a deal. An enterprise prospect is ready to move forward, and then their security team sends over a questionnaire — forty pages of detailed questions about your data handling, access controls, encryption, incident response, and audit history. Nobody on your team knows how to respond. The answers get cobbled together by a developer and a project manager who do their best, but the responses reveal gaps that are impossible to hide. The deal stalls. Sometimes it dies.
This is the moment most SaaS companies realize they need a security program — not because of a breach, but because the lack of one is costing them revenue. Enterprise customers have security requirements, and those requirements are getting stricter every year. If you can't produce a SOC 2 report, if you can't describe your controls in language that satisfies a procurement review, you're excluded from the deals that drive real growth. The question isn't whether you need a security program. It's how long you can afford to operate without one.
The challenge is that many companies actually have reasonable security practices in place — they're just not documented, not formalized, and not auditable. Developers are following good habits. Infrastructure is configured sensibly. But none of it is written down in a way that an auditor or an enterprise customer can verify. There's no policy library. There's no evidence collection process. There's no formal vendor oversight or incident response plan. The practices exist, but the program doesn't. And SOC 2 audit preparation requires a program, not just good intentions.
The other pattern I see is companies that treat security as a technical problem — firewalls, passwords, vulnerability scans — without recognizing that a security program is an organizational discipline. It's about governance, accountability, and continuous improvement. It's about knowing what your risks are, documenting how you manage them, and proving it to the people who need proof. That's what enterprise customer security requirements actually demand, and it's what a SOC 2 auditor evaluates.
If every security questionnaire is a scramble, if you've lost a deal because you couldn't produce the right documentation, or if you know a SOC 2 audit is on the horizon and you're not sure where to start — that's the situation this engagement is designed to address. A practical, defensible security program built by someone who has done it before and knows what auditors are actually looking for.
What's Included
Security Program Build-out
Establish the policies, controls, and processes that form the foundation of a defensible security program — from nothing or from an incomplete baseline.
SOC 2 Audit Readiness
Gap assessment, control implementation, evidence collection, and audit coordination for SOC 2 Type 2 — including working directly with your auditors.
Security Questionnaire Response
Respond to customer and enterprise security questionnaires in language that satisfies security and procurement reviews.
Vendor Security Oversight
Assess and monitor third-party vendors against your security requirements and document the outcomes for audit purposes.
AI Usage Policies
Develop practical policies for AI tool adoption that address data handling, access controls, and compliance implications for your specific environment.
Ongoing Security Governance
Regular review of security posture, incident response readiness, and control effectiveness — keeping your program current between audits.
How Engagements Work
Security program engagements typically run at Tier 3 during the initial build or audit preparation phase, then taper to Tier 1 or Tier 2 for ongoing governance.
Tier 3 — Transformation (multiple days/month): Active SOC 2 preparation, program build-out from scratch, or major compliance initiatives requiring close coordination with auditors and internal teams.
Tier 2 — Core (2–3 days/month): Monthly security oversight, control monitoring, vendor assessments, and ongoing questionnaire support.
Tier 1 — Advisory (~1 day/month): Quarterly reviews, policy updates, and on-call support for security questions and questionnaire responses between audits.
Who This Is For
SaaS companies facing their first SOC 2 audit or struggling to get a clean Type 2 opinion
Organizations that need to satisfy enterprise customer security questionnaires to close deals
Companies with compliance requirements in healthcare, financial services, or insurance that need formal security governance
Businesses adopting AI tools and needing policies that address data handling and regulatory exposure
Experience & Proof Points
Built an information security program from the ground up for a company with no prior formal program. Four consecutive SOC 2 Type 2 audits, zero findings.
Responded to enterprise client security questionnaires — translating technical controls into language that satisfies procurement and security reviews.
25+ years in technology leadership including executive responsibility for information security programs and compliance frameworks across healthcare and financial services.
Ready to talk?
Tell me where you are with your security program and I'll let you know what an engagement could look like.
Start a Conversation