iCorps Technologies

Virtual Chief Information Security Officer (vCISO)

iCorps Technologies$150K — $200K *
US-AnywhereRemote in Woburn, MA
Information Technology
8 - 10 years of experience
Job Overview by Ladders

Qualifications

  • 10+ years in information security, with proven leadership experience, preferably as a CISO or deputy CISO.
  • Experience conducting gap analyses against major security frameworks and implementing findings into actionable roadmaps.
  • Direct experience with frameworks like NIST CSF, ISO 27001, SOC 2, HIPAA, or CMMC, with knowledge of CMMC 2.0 preferred.
  • Expertise in AI governance and secure integration of generative AI in business practices.
  • Strong familiarity with identity, endpoint, cloud, and detection technologies, with the ability to distinguish effective implementations from ineffective ones.
  • Excellent judgment and communication skills to convey investment decisions and risk management to executive-level stakeholders.
  • Bachelor’s degree in computer science, information systems, cybersecurity, or a related field.

Responsibilities

  • Own and manage each client's security program with a strategy, roadmap, and regular reporting to executive sponsors.
  • Lead initiatives in identity-first security, ensuring tight control over access and identity management processes.
  • Oversee cloud security posture across multiple platforms including Microsoft 365, Azure, AWS, and Google Cloud.
  • Set strategic direction for incident detection and response, emphasizing readiness and preparation as well as active response during incidents.
  • Guide clients in ransomware resilience strategies, including backup and recovery drills and executive-level tabletop exercises.
  • Manage third-party and supply chain risk through comprehensive vendor due diligence and risk assessment processes.
  • Lead governance of AI usage within client organizations, ensuring secure practices in policy and technical implementation.

Benefits

  • Hybrid work model that allows for flexibility between remote and on-site engagements.
  • Opportunity to work with a variety of clients, providing exposure to different industries and challenges.
  • Participation in a peer-reviewed security practice, promoting knowledge sharing and consistent standards.
  • Engagements designed to encourage meaningful impact on clients’ security postures and operations.
  • Continuous professional development opportunities through certifications and training.
Full Job Description
Virtual Chief Information Security Officer (vCISO)

Woburn/Hybrid
The virtual Chief Information Security Officer is a client-facing role. You are the security leader iCorps puts in front of its clients, bringing the experience and operational discipline of a seasoned CISO to organizations that cannot retain one full time. We expect security to be treated as an operational discipline, with clear priorities, measurable outcomes, realistic sequencing, and honest conversations when something is not working.
Scope of the Role
The work spans three connected responsibilities, and a successful vCISO moves between them across a single engagement and across a portfolio.

1. Active Security Advisor. Provide hands-on advisory guidance on day-to-day security decisions: architecture choices, control implementation, vendor selection, configuration questions, incident calls, and the steady stream of judgment calls a maturing program generates. This pillar covers identity-first security and zero trust adoption, cloud posture across Microsoft 365, Azure, AWS, and Google Cloud, endpoint and detection strategy, MDR and XDR partnerships, ransomware resilience and tested recovery, third-party and supply chain risk, and the secure adoption of generative AI.

2. vCISO Alignment of Business, Governance, and Technical Control. Set and run the security program so the client is aligned to the frameworks that apply: NIST CSF 2.0, ISO 27001:2022, CMMC 2.0 (meaningful given our DoD-adjacent client base), SOC 2, HIPAA, PCI DSS 4.0, US state privacy laws led by CCPA, SEC cyber disclosure where applicable, and cyber insurance attestations. Translate executive intent into governance structure, governance into policy, policy into control, and control state into board-ready reporting. Stand up and run a recurring security committee at each client. Own AI governance specifically: the policies, review processes, and committee structure that let a client adopt AI tooling without losing control of their data.

3. Gap Analysis and Assessment. Run baseline assessments at engagement kickoff, periodic reassessments on an agreed cadence, and targeted assessments tied to events such as acquisitions, regulatory change, new product lines, or CMMC certification cycles. Produce remediation roadmaps with sequencing, ownership, and effort the client can fund and execute. Run post-incident assessments to verify whether controls performed the way the program described.
What You Will Do
  • Own the security program for each assigned client, with a written strategy, roadmap, and reporting cadence with the executive sponsor and, where applicable, the board or audit committee.
  • Lead identity-first security: conditional access, PIM and PAM, least privilege, identity threat detection, and joiner-mover-leaver discipline.
  • Drive cloud posture across Microsoft 365, Azure, AWS, and Google Cloud, including CSPM and SSPM findings, hybrid work controls, and SaaS-to-SaaS risk.
  • Set the direction for detection and response, treating incident readiness (tabletops, runbooks, escalation paths, retainer relationships) with the same weight as incident response itself.
  • Guide ransomware resilience: immutable backups, tested recovery objectives, recovery drills, and tabletop cadence at the executive level.
  • Own third-party and supply chain risk, including vendor due diligence, SBOM awareness, and fourth-party exposure.
  • Lead AI governance and the secure adoption of AI tooling across policy, technical configuration, and ongoing monitoring for shadow AI.
  • Guide incident response when an event occurs, coordinating with legal, forensics, insurance, and law enforcement, and lead the post-incident review so lessons land in policy and controls.
  • Partner with iCorps delivery teams so recommendations are implementable in the environments we manage.
What You Bring
  • At least ten years in information security, with meaningful time in a leadership role. Prior CISO or deputy CISO experience is strongly preferred.
  • Demonstrated experience running gap analyses against more than one major framework and translating findings into roadmaps clients funded and executed.
  • Direct experience aligning a business to NIST CSF, ISO 27001, SOC 2, HIPAA, or CMMC, with enough range to pick up the others. CMMC 2.0 working knowledge is a meaningful advantage.
  • A point of view on AI governance and the secure adoption of generative AI in a business setting.
  • Fluency with modern identity, endpoint, cloud, and detection tooling, with enough depth to tell a good implementation from a bad one.
  • Judgment on where to invest, where to defer, and where to accept risk, and the communication skills to explain that judgment to a CFO, general counsel, or board member.
  • A bachelor's degree in computer science, information systems, cybersecurity, or a related field, or equivalent experience.
Certifications
Required at hire or within a reasonable onboarding window: CISSP or CISM.

Preferred: CCSP for cloud-heavy engagements, CRISC for governance and risk, CISA for audit, CMMC CCP or CCA for clients pursuing CMMC certification, and relevant GIAC certifications (GSLC, GCIH, GPCS) where they match the engagement focus.

Certifications are useful shorthand for baseline knowledge, not a substitute for the operational judgment the role demands.
How the Role Runs
Client-facing advisory work delivered as a service. You manage a portfolio of clients with different risk profiles, maturity levels, and budgets. Cadence per client typically runs monthly operating reviews, quarterly executive reviews, and annual strategy refreshes, with formal gap analyses at kickoff and at least annually thereafter. Travel is occasional. Most work is remote, with onsite presence when it materially improves the engagement. The vCISO is part of iCorps' managed security practice, with peer review on major client deliverables and a consistent point of view across the practice.

If you want to do real security work with clients who need it, in an environment that takes the craft seriously, we would like to hear from you.

Similar Jobs

More Information Technology Jobs

Find similar Virtual Chief Information Security Officer (vCISO) jobs: