# Senior vCISO / GRC Consulting Manager

**Company:** [Agency](https://hotfix.jobs/companies/agency)
**Location:** Richmond, VA
**Role:** Security Engineering
**Salary:** $125k – $125k/yr
**Experience:** 6+ years
**Skills:** SOC 2, ISO 27001, Nist 800-171, Nist 800-53, Cmmc, GRC, Vciso, Risk Management, Audit Readiness, Compliance Frameworks, Security Controls, Policy Development, Vendor Risk Management, Incident Response
**Posted:** 2026-06-08

> Lead client-facing vCISO and GRC consulting engagements for SOC 2, ISO 27001, NIST, and CMMC compliance. Manage a team of consultants while advising executives on security program design, risk prioritization, audit readiness, and control implementation.

## Job Description

## Key Responsibilities

### Client Advisory and vCISO Leadership
- Serve as a trusted vCISO advisor to clients across cybersecurity, governance, risk, and compliance matters
- Provide practical guidance to executive teams, founders, security leaders, IT teams, and business stakeholders
- Help clients understand what they need to do to improve security, pass audits, reduce risk, and satisfy customer requirements
- Advise clients on security program design, risk prioritization, compliance strategy, policy development, and control implementation
- Lead client meetings, executive briefings, audit readiness sessions, and risk review discussions
- Translate technical and compliance requirements into clear, business-friendly recommendations

### GRC and Compliance Program Delivery
- Lead client engagements related to SOC 2, ISO 27001, and other audited security frameworks
- Develop and manage compliance roadmaps, audit readiness plans, and remediation timelines for clients
- Guide clients through the full lifecycle of compliance readiness, including scoping, gap assessments, control implementation, evidence collection, audit support, and ongoing maintenance
- Help clients determine the right level of security and compliance maturity for their size, industry, customer expectations, and business goals
- Ensure compliance programs are practical, defensible, and not unnecessarily burdensome

### Audit Readiness and Framework Management
- Lead SOC 2 Type 1 and Type 2 readiness initiatives for clients
- Support ISO 27001 implementation, certification preparation, surveillance audit readiness, and continuous improvement
- Coordinate with external auditors, assessors, client stakeholders, and internal delivery teams
- Review audit evidence, control documentation, risk registers, policies, and remediation plans
- Help clients understand audit findings and develop clear plans to address gaps
- Maintain strong working knowledge of SOC 2 Trust Services Criteria, ISO 27001 requirements, and common security control expectations

### Team Management and Delivery Oversight
- Manage a team of GRC consultants, analysts, and implementation resources
- Assign work, oversee deliverables, manage deadlines, and ensure consistent quality across client engagements
- Coach and mentor team members on GRC consulting, client communication, audit readiness, and control implementation
- Review team deliverables, including gap assessments, policies, risk registers, audit evidence, project plans, and client-facing reports
- Ensure the team delivers work that is accurate, practical, professional, and aligned with client expectations
- Build repeatable delivery processes, templates, playbooks, and quality standards for the consulting team

### Security Control and Risk Advisory
- Advise clients on the design, implementation, and improvement of security and compliance controls
- Help clients assess risks across cloud infrastructure, identity and access management, endpoint security, vulnerability management, vendor risk, change management, incident response, and secure development practices
- Maintain and improve client risk registers and remediation plans
- Work with client technical teams to prioritize security improvements based on business impact, audit requirements, and real-world risk
- Provide practical recommendations that balance security, compliance, cost, and operational complexity

### Policy, Governance, and Documentation
- Lead the development and review of client security policies, procedures, standards, and governance documentation
- Help clients implement policy review cycles, access review processes, vendor review workflows, risk acceptance procedures, and other governance activities
- Ensure client documentation aligns with actual business practices and audit expectations
- Help clients avoid "paper compliance" by tying policies and controls to real operational processes

### Customer Trust and Security Questionnaire Support
- Advise clients on customer security reviews, vendor assessments, and trust-related requests
- Help clients respond to security questionnaires, customer due diligence requests, and enterprise procurement reviews
- Support the development of reusable security and compliance response libraries
- Help clients use compliance and security posture to support sales, customer trust, and enterprise readiness

### Client Relationship Management
- Own or support client relationships across multiple GRC and vCISO engagements
- Set clear expectations with clients regarding scope, timelines, responsibilities, and deliverables
- Identify client risks, blockers, and expansion opportunities
- Communicate engagement status, risks, and next steps clearly to both internal leadership and client stakeholders
- Ensure clients receive strategic advice, not just task completion

## Required Qualifications
- Minimum 6 years of professional experience in GRC, cybersecurity compliance, security advisory, audit readiness, IT risk, internal audit, or a related field
- Minimum 4 years of management or team leadership experience
- Direct experience advising organizations on audited frameworks such as SOC 2 and ISO 27001
- Experience managing client-facing consulting engagements or advisory relationships
- Strong understanding of security controls, risk management, compliance frameworks, and audit processes
- Experience leading or supporting external audits, including evidence collection, control testing, auditor communications, and remediation
- Ability to explain complex security and compliance concepts to executives, founders, technical teams, and non-technical stakeholders
- Strong written and verbal communication skills
- Strong project management skills with the ability to manage multiple clients, deadlines, stakeholders, and team members
- Ability to work in person from Richmond, VA
- Willingness to attend in-person meetings with internal teams, clients, and leadership as required

## Preferred Qualifications
- Prior experience in a consulting, advisory, MSSP, vCISO, CPA firm, audit firm, cybersecurity firm, or compliance services environment
- Experience with GRC platforms such as Vanta

## Similar roles

- [Senior Security Automation Engineer](https://hotfix.jobs/jobs/2e4e1230-924e-4c2c-8df4-cdee5ef22cdb) - Clickhouse - Remote - $125k – $205k/yr
- [Senior GRC Analyst](https://hotfix.jobs/jobs/407f2371-7a53-4e47-a0d3-028942880179) - Radar Labs - New York, NY - $125k – $160k/yr
- [Corporate Security Lead](https://hotfix.jobs/jobs/2a1defd4-9d21-4eb0-906b-0feb7fd4acc1) - Northwood Space - Los Angeles, CA - $125k – $206k/yr
- [Senior Software Engineer, Server Security](https://hotfix.jobs/jobs/b4220420-4d9c-4513-9c61-8eac97487464) - MongoDB - New York, NY - $126k – $248k/yr
- [Sr. Security Software Engineer, Corporate Security](https://hotfix.jobs/jobs/70d73ad2-d2ed-4b0c-b7bd-11ae186e7186) - Pinterest - Remote - $124k – $255k/yr

**Apply:** https://hotfix.jobs/jobs/1eb33f19-585a-4597-9abd-d0a9ddce8874
**Canonical:** https://hotfix.jobs/jobs/1eb33f19-585a-4597-9abd-d0a9ddce8874