Services

What we offer.

Risk assessments

A defensible analysis of where the most significant risk to your business actually lives — and what mitigations move the needle.

Framework gap analyses

Posture mapped against NIST CSF 2.0, CIS Controls, and the HIPAA Security Rule, with concrete findings and remediation guidance.

Tabletop exercises

Scenario-driven walkthroughs — ransomware, business email compromise, insider risk — that pressure-test the plan and the people running it.

vCISO advisory

Fractional CISO leadership led by Jack Miller. Strategy, board reporting, vendor oversight, and the executive-level cyber accountability you need without a full-time hire.

Security awareness training

Programs built for adult learners and clinical workflows — not the same generic phishing video everyone clicks through once a year.

Vendor risk & third-party review

Meaningful third-party assessments — questionnaires that drive decisions, not paperwork that gets filed.

M&A security due diligence

Pre-close security reviews that surface integration risk, hidden incident history, and the real cost of bringing the target's environment into yours.

Policy & documentation

Right-sized written policies and standards that map to your framework of choice — defensible without becoming shelfware.

Frameworks we work in

Aligned to what regulators and insurers expect.

We do not pick frameworks for ourselves; we pick them for you. Most organizations land on a primary framework (CSF, CIS, or HIPAA) with one or two overlays for specific obligations.

  • NIST CSF 2.0 — broad cybersecurity governance and operations
  • CIS Controls v8.1 — practical, prioritized technical controls
  • HIPAA Security Rule — for healthcare covered entities and their business associates
  • NIST SP 800-171 — for organizations handling controlled unclassified information under federal contracts
  • Cyber-insurance questionnaires — control posture that maps to renewal requirements

Engagement

What a readiness engagement looks like.

Scope & objective alignment

Are we driving toward an audit, an insurance renewal, a board ask, or general posture? Scope is shaped by the answer.

Evidence collection & interviews

Document review, configuration sampling, and interviews with the people who actually operate the environment.

Findings & risk-ranked roadmap

Plain-language findings with risk ratings tied to your business, not generic CVSS scores. A roadmap with realistic effort estimates.

Executive readout

A briefing built for the board and senior leadership — focused on decisions, dollars, and exposure rather than technical minutiae.

Optional ongoing advisory

vCISO retainer, quarterly reviews, or as-needed consults to keep momentum after the initial engagement closes.

Need to know where you stand?

An honest assessment is the cheapest investment you can make in your security program.