What we do

Services built for regulated businesses

Three engagements — each designed for a specific stage of your compliance journey. We scope every project to what your regulation actually requires, not to what sells the largest contract.

01

IT Security Assessment

A structured evaluation of your security posture against the regulations that apply to your business — HIPAA, FTC Safeguards Rule, PCI-DSS, or GLBA. You get a clear picture of where you stand and what needs to change.

What you get

  • Technical controls review — network configuration, access management, endpoint protection, patch status, and backup verification.
  • Regulatory gap analysis — mapped to the specific requirements that apply to your license, sector, and size. Not a generic checklist.
  • Risk analysis document — required by name under HIPAA Security Rule §164.308(a)(1). Accepted by OCR auditors and cyber insurance carriers.
  • Findings report — written for a business owner, not a security engineer. Prioritized by risk level and remediation effort.
  • Remediation roadmap — sequenced action plan with responsible parties, timelines, and estimated effort per finding.

Right for you if

Your cyber insurance carrier added new questions to your renewal. An auditor or examiner is asking for documentation you don't have. You're onboarding a new EMR, POS system, or cloud service and need to understand the exposure. Or you simply don't know what your current risk level is.

Schedule your security consultation

02

Monthly Security Maintenance

Ongoing security oversight for businesses that need a functioning security program without the cost of a full-time security hire. We handle the recurring work so your team can focus on operations.

What's included

  • Patch and update verification — confirming that operating systems, applications, and firmware are current across your environment.
  • Access review — monthly check of user accounts, privileged access, and terminated employee offboarding. One of the most common audit findings in SMBs.
  • Security policy updates — keeping your written policies current as your technology stack and personnel change.
  • Incident response readiness — quarterly tabletop exercises and contact list verification so you're not building a response plan during an incident.
  • Quarterly business review — 60-minute session to review findings, adjust priorities, and answer questions from your leadership team.

Right for you if

You completed an assessment and need someone to stay on top of the remediation items. You have ongoing compliance obligations — annual HIPAA reviews, FTC Safeguards program maintenance, PCI-DSS quarterly scans — and no internal security staff to own them.

03

Virtual CISO (vCISO)

CISO-level security leadership on a fractional basis. For organizations that need a qualified security executive in the room — for board presentations, regulatory exams, and vendor risk decisions — without adding executive headcount.

What's included

  • Security program governance — building and maintaining the written policies, procedures, and controls framework required by your applicable regulation.
  • Regulatory exam support — direct participation in OCIF examinations, OCR audits, or PCI-DSS assessor conversations as your designated security representative.
  • Board and leadership reporting — translating security posture and risk into business terms for executives and board members who need to make informed decisions.
  • Vendor risk management — evaluating third-party vendors and business associates against your regulatory obligations before you sign a contract.
  • Strategic roadmap — 12-month security program plan aligned to your business objectives, budget, and compliance calendar.

Right for you if

You have a compliance program but no one with the credentials and experience to defend it in front of an auditor or your board. Your regulator is asking questions that go beyond what your IT vendor can answer. Or you're preparing for a significant audit cycle and need a qualified security executive on your team.


How it starts

Every engagement begins the same way — with a conversation. Before we scope anything or quote anything, we need to understand your business, your regulatory environment, and what's already in place.

1

Initial consultation

We listen. You walk us through your business, your sector, and the pressures you're facing — from your insurance carrier, your examiner, or your clients. No pitch, no proposal yet.

2

Scope and proposal

Based on what we heard, we propose the right engagement — the one your situation actually calls for, not the largest one we can sell. You get a written scope and a fixed price before we start.

3

Engagement and delivery

We do the work. You stay informed throughout — not surprised at the end. Every deliverable is written for a business owner, not a security engineer.

Not sure which service fits your situation?

Start with a consultation. We'll tell you which regulations apply, where your gaps are likely, and which engagement makes sense — or whether you need anything at all.

Schedule your security consultation