Senior vCISO / GRC Consulting Manager

125k – 125k · Richmond, VA · Onsite · 6+ YOE

Summary

Lead client-facing vCISO and GRC consulting engagements for SOC 2, ISO 27001, NIST, and CMMC compliance. Manage a team of consultants while advising executives on security program design, risk prioritization, audit readiness, and control implementation.

About the role

Key Responsibilities

Client Advisory and vCISO Leadership

  • Serve as a trusted vCISO advisor to clients across cybersecurity, governance, risk, and compliance matters
  • Provide practical guidance to executive teams, founders, security leaders, IT teams, and business stakeholders
  • Help clients understand what they need to do to improve security, pass audits, reduce risk, and satisfy customer requirements
  • Advise clients on security program design, risk prioritization, compliance strategy, policy development, and control implementation
  • Lead client meetings, executive briefings, audit readiness sessions, and risk review discussions
  • Translate technical and compliance requirements into clear, business-friendly recommendations

GRC and Compliance Program Delivery

  • Lead client engagements related to SOC 2, ISO 27001, and other audited security frameworks
  • Develop and manage compliance roadmaps, audit readiness plans, and remediation timelines for clients
  • Guide clients through the full lifecycle of compliance readiness, including scoping, gap assessments, control implementation, evidence collection, audit support, and ongoing maintenance
  • Help clients determine the right level of security and compliance maturity for their size, industry, customer expectations, and business goals
  • Ensure compliance programs are practical, defensible, and not unnecessarily burdensome

Audit Readiness and Framework Management

  • Lead SOC 2 Type 1 and Type 2 readiness initiatives for clients
  • Support ISO 27001 implementation, certification preparation, surveillance audit readiness, and continuous improvement
  • Coordinate with external auditors, assessors, client stakeholders, and internal delivery teams
  • Review audit evidence, control documentation, risk registers, policies, and remediation plans
  • Help clients understand audit findings and develop clear plans to address gaps
  • Maintain strong working knowledge of SOC 2 Trust Services Criteria, ISO 27001 requirements, and common security control expectations

Team Management and Delivery Oversight

  • Manage a team of GRC consultants, analysts, and implementation resources
  • Assign work, oversee deliverables, manage deadlines, and ensure consistent quality across client engagements
  • Coach and mentor team members on GRC consulting, client communication, audit readiness, and control implementation
  • Review team deliverables, including gap assessments, policies, risk registers, audit evidence, project plans, and client-facing reports
  • Ensure the team delivers work that is accurate, practical, professional, and aligned with client expectations
  • Build repeatable delivery processes, templates, playbooks, and quality standards for the consulting team

Security Control and Risk Advisory

  • Advise clients on the design, implementation, and improvement of security and compliance controls
  • Help clients assess risks across cloud infrastructure, identity and access management, endpoint security, vulnerability management, vendor risk, change management, incident response, and secure development practices
  • Maintain and improve client risk registers and remediation plans
  • Work with client technical teams to prioritize security improvements based on business impact, audit requirements, and real-world risk
  • Provide practical recommendations that balance security, compliance, cost, and operational complexity

Policy, Governance, and Documentation

  • Lead the development and review of client security policies, procedures, standards, and governance documentation
  • Help clients implement policy review cycles, access review processes, vendor review workflows, risk acceptance procedures, and other governance activities
  • Ensure client documentation aligns with actual business practices and audit expectations
  • Help clients avoid "paper compliance" by tying policies and controls to real operational processes

Customer Trust and Security Questionnaire Support

  • Advise clients on customer security reviews, vendor assessments, and trust-related requests
  • Help clients respond to security questionnaires, customer due diligence requests, and enterprise procurement reviews
  • Support the development of reusable security and compliance response libraries
  • Help clients use compliance and security posture to support sales, customer trust, and enterprise readiness

Client Relationship Management

  • Own or support client relationships across multiple GRC and vCISO engagements
  • Set clear expectations with clients regarding scope, timelines, responsibilities, and deliverables
  • Identify client risks, blockers, and expansion opportunities
  • Communicate engagement status, risks, and next steps clearly to both internal leadership and client stakeholders
  • Ensure clients receive strategic advice, not just task completion

Required Qualifications

  • Minimum 6 years of professional experience in GRC, cybersecurity compliance, security advisory, audit readiness, IT risk, internal audit, or a related field
  • Minimum 4 years of management or team leadership experience
  • Direct experience advising organizations on audited frameworks such as SOC 2 and ISO 27001
  • Experience managing client-facing consulting engagements or advisory relationships
  • Strong understanding of security controls, risk management, compliance frameworks, and audit processes
  • Experience leading or supporting external audits, including evidence collection, control testing, auditor communications, and remediation
  • Ability to explain complex security and compliance concepts to executives, founders, technical teams, and non-technical stakeholders
  • Strong written and verbal communication skills
  • Strong project management skills with the ability to manage multiple clients, deadlines, stakeholders, and team members
  • Ability to work in person from Richmond, VA
  • Willingness to attend in-person meetings with internal teams, clients, and leadership as required

Preferred Qualifications

  • Prior experience in a consulting, advisory, MSSP, vCISO, CPA firm, audit firm, cybersecurity firm, or compliance services environment
  • Experience with GRC platforms such as Vanta

Skills

SOC 2, ISO 27001, NIST 800-171, NIST 800-53, CMMC, GRC, vCISO, Risk Management, Audit Readiness, Compliance Frameworks, Security Controls, Policy Development, Vendor Risk Management, Incident Response