iCorps Technologies

Virtual Chief Information Security Officer (vCISO)

iCorps Technologies
$150K to $200K *
Information Technology
8 - 10 years of experience
Job Overview by Ladders

Qualifications

  • 10+ years of experience in information security, preferably in a leadership role such as CISO or Deputy CISO.
  • Proven ability to conduct gap analyses across multiple security frameworks and translate findings into actionable roadmaps.
  • Experience aligning business operations with frameworks like NIST CSF, ISO 27001, SOC 2, HIPAA, or CMMC; familiarity with CMMC 2.0 is advantageous.
  • Insightful perspective on AI governance and secure adoption of AI technologies in a business context.
  • Proficient with contemporary identity, endpoint, cloud, and detection tools, with a strong ability to discern effective implementations from poor ones.
  • Strong judgment skills regarding security investments, risk acceptance, and communication of these decisions to senior stakeholders.
  • Bachelor's degree in a relevant field (computer science, cybersecurity, etc.) or equivalent work experience.

Responsibilities

  • Guide security program management for each client, including strategy development, roadmap execution, and reporting.
  • Lead identity-first security initiatives focusing on access management and threat detection.
  • Drive cloud security posture across major platforms like Microsoft 365 and AWS, and manage hybrid work security controls.
  • Establish protocols for incident readiness and response, emphasizing preparation as much as the response itself.
  • Enhance ransomware resilience through robust backup strategies and recovery drills.
  • Manage third-party and supply chain risk assessments, including vendor evaluations and exposure analysis.
  • Oversee AI governance, ensuring secure implementation and continuous monitoring of AI tools.

Benefits

  • Flexible work environment (hybrid/remote options) allowing for occasional onsite presence when beneficial.
  • Collaborative team culture with peer review on major deliverables to uphold a high standard of security practices.
  • Opportunity to work with diverse clients, enhancing your portfolio and breadth of experience.
  • Regular engagement with executives and boards, positioning you as a strategic advisor in security matters.
  • Access to professional development resources and potential for obtaining additional certifications.

Full Job Description

Virtual Chief Information Security Officer (vCISO)

Woburn/Hybrid

The virtual Chief Information Security Officer is a client-facing role. You are the security leader iCorps puts in front of its clients, bringing the experience and operational discipline of a seasoned CISO to organizations that cannot retain one full time. We expect security to be treated as an operational discipline, with clear priorities, measurable outcomes, realistic sequencing, and honest conversations when something is not working.

Scope of the Role
The work spans three connected responsibilities, and a successful vCISO moves between them across a single engagement and across a portfolio.

1. Active Security Advisor. Provide hands-on advisory guidance on day-to-day security decisions: architecture choices, control implementation, vendor selection, configuration questions, incident calls, and the steady stream of judgment calls a maturing program generates. This pillar covers identity-first security and zero trust adoption, cloud posture across Microsoft 365, Azure, AWS, and Google Cloud, endpoint and detection strategy, MDR and XDR partnerships, ransomware resilience and tested recovery, third-party and supply chain risk, and the secure adoption of generative AI.

2. vCISO Alignment of Business, Governance, and Technical Control. Set and run the security program so the client is aligned to the frameworks that apply: NIST CSF 2.0, ISO 27001:2022, CMMC 2.0 (meaningful given our DoD-adjacent client base), SOC 2, HIPAA, PCI DSS 4.0, US state privacy laws led by CCPA, SEC cyber disclosure where applicable, and cyber insurance attestations. Translate executive intent into governance structure, governance into policy, policy into control, and control state into board-ready reporting. Stand up and run a recurring security committee at each client. Own AI governance specifically: the policies, review processes, and committee structure that let a client adopt AI tooling without losing control of their data.

3. Gap Analysis and Assessment. Run baseline assessments at engagement kickoff, periodic reassessments on an agreed cadence, and targeted assessments tied to events such as acquisitions, regulatory change, new product lines, or CMMC certification cycles. Produce remediation roadmaps with sequencing, ownership, and effort the client can fund and execute. Run post-incident assessments to verify whether controls performed the way the program described.
What You Will Do
  • Own the security program for each assigned client, with a written strategy, roadmap, and reporting cadence with the executive sponsor and, where applicable, the board or audit committee.
  • Lead identity-first security: conditional access, PIM and PAM, least privilege, identity threat detection, and joiner-mover-leaver discipline.
  • Drive cloud posture across Microsoft 365, Azure, AWS, and Google Cloud, including CSPM and SSPM findings, hybrid work controls, and SaaS-to-SaaS risk.
  • Set the direction for detection and response, treating incident readiness (tabletops, runbooks, escalation paths, retainer relationships) with the same weight as incident response itself.
  • Guide ransomware resilience: immutable backups, tested recovery objectives, recovery drills, and tabletop cadence at the executive level.
  • Own third-party and supply chain risk, including vendor due diligence, SBOM awareness, and fourth-party exposure.
  • Lead AI governance and the secure adoption of AI tooling across policy, technical configuration, and ongoing monitoring for shadow AI.
  • Guide incident response when an event occurs, coordinating with legal, forensics, insurance, and law enforcement, and lead the post-incident review so lessons land in policy and controls.
  • Partner with iCorps delivery teams so recommendations are implementable in the environments we manage.
What You Bring
  • At least ten years in information security, with meaningful time in a leadership role. Prior CISO or deputy CISO experience is strongly preferred.
  • Demonstrated experience running gap analyses against more than one major framework and translating findings into roadmaps clients funded and executed.
  • Direct experience aligning a business to NIST CSF, ISO 27001, SOC 2, HIPAA, or CMMC, with enough range to pick up the others. CMMC 2.0 working knowledge is a meaningful advantage.
  • A point of view on AI governance and the secure adoption of generative AI in a business setting.
  • Fluency with modern identity, endpoint, cloud, and detection tooling, with enough depth to tell a good implementation from a bad one.
  • Judgment on where to invest, where to defer, and where to accept risk, and the communication skills to explain that judgment to a CFO, general counsel, or board member.
  • A bachelor's degree in computer science, information systems, cybersecurity, or a related field, or equivalent experience.
Certifications
Required at hire or within a reasonable onboarding window: CISSP or CISM.

Preferred: CCSP for cloud-heavy engagements, CRISC for governance and risk, CISA for audit, CMMC CCP or CCA for clients pursuing CMMC certification, and relevant GIAC certifications (GSLC, GCIH, GPCS) where they match the engagement focus.

Certifications are useful shorthand for baseline knowledge, not a substitute for the operational judgment the role demands.
How the Role Runs
Client-facing advisory work delivered as a service. You manage a portfolio of clients with different risk profiles, maturity levels, and budgets. Cadence per client typically runs monthly operating reviews, quarterly executive reviews, and annual strategy refreshes, with formal gap analyses at kickoff and at least annually thereafter. Travel is occasional. Most work is remote, with onsite presence when it materially improves the engagement. The vCISO is part of iCorps' managed security practice, with peer review on major client deliverables and a consistent point of view across the practice.

If you want to do real security work with clients who need it, in an environment that takes the craft seriously, we would like to hear from you.
