
Fractional Opportunity · CXOwork

Security, Compliance & Governance

Fractional CISO

10–20 hrs / week
Seed–Series D
Remote-first
  • SOC 2 (Type I & II)
  • ISO 27001 / 27017 / 27018
  • HIPAA Security & Privacy Rule
  • FedRAMP (Moderate / High)
  • PCI DSS
  • GDPR Article 32 & DPIAs
  • Cloud Security (AWS / GCP / Azure)
  • SIEM & Detection Engineering
  • Incident Response & Forensics
  • Third-Party Risk Management
  • Secure SDLC
  • Zero-Trust Architecture
  • Penetration Testing Management
  • Enterprise Security Reviews

Ready to apply?

Application takes 10 minutes. We review within 48 hours and will reach out to schedule your panel interview.


Free · No placement fees · Ever.

10-min application
48-hr expert review
Engagement within 2 wks

About this opportunity

CXOwork is matching Fractional CISOs with Seed–Series D companies where security has gone from checkbox to strategic priority. These are companies selling into mid-market and enterprise, entering regulated industries (healthcare, financial services, government), or preparing for certifications that unlock pipeline — SOC 2 Type II, ISO 27001, HIPAA, FedRAMP, PCI DSS.

You will own the full security and compliance program — not hand-wave at it. You'll design the controls, pick the tooling, lead the audits, and sit in the deals where the CISO stamp is the difference between a closed contract and a stalled one. You'll report directly to the CEO and regularly brief the board and external auditors.

Core responsibilities

  • Own the company's security and compliance roadmap — SOC 2 Type I → Type II, ISO 27001, HIPAA, FedRAMP (Moderate / High), PCI DSS, StateRAMP, as relevant to the business
  • Lead audit readiness end-to-end: evidence collection, control mapping, remediation planning, auditor selection, and Type I / Type II audit execution
  • Design and operate the Governance, Risk & Compliance (GRC) program — policies, risk register, vendor due-diligence, third-party risk, annual risk assessments
  • Implement and harden cloud security posture on AWS / GCP / Azure — IAM, KMS, logging/SIEM, EDR, WAF, zero-trust network architecture, CSPM tooling
  • Establish the Secure Software Development Lifecycle (SSDLC) — SAST, DAST, dependency scanning, secrets scanning, threat modelling, and security-in-CI
  • Build the incident response program: runbooks, tabletop exercises, on-call rotations, forensics vendor relationships, and customer-notification playbooks
  • Own customer-facing security — enterprise security questionnaires (SIG, CAIQ), trust center, penetration test coordination, bug bounty program, and sales call support
  • Lead privacy program execution: GDPR Article 32, CCPA, HIPAA Security/Privacy Rule, DPIAs, sub-processor management, and data-subject request handling
  • Hire and coach the first security engineers / GRC analysts; select and manage outside firms (MSSP, vCISO augmentation, pentest vendors, auditors)
  • Represent security to the board, to enterprise customer CISOs, and to federal agency authorising officials during FedRAMP 3PAO assessments

Required qualifications

  • 10+ years in security, with at least 4 years as a CISO, Deputy CISO, Head of Security, or Head of GRC at a venture-backed or high-growth company
  • Proven track record leading at least one SOC 2 Type II and one additional framework (ISO 27001, HIPAA, PCI DSS, or FedRAMP) end-to-end — from gap analysis through clean opinion
  • Deep, hands-on expertise in cloud security on AWS, GCP, or Azure — including IAM design, detection engineering, and production incident response
  • Strong working knowledge of modern security tooling: SIEM (Splunk / Datadog / Panther), EDR (CrowdStrike / SentinelOne), SSDLC (Snyk / Semgrep), CSPM (Wiz / Prisma), and GRC (Vanta / Drata / Secureframe)
  • Demonstrated ability to close enterprise security reviews and act as executive sponsor on 6- and 7-figure deals
  • Excellent written + verbal communication — able to translate CVSS scores and compliance jargon for founders, non-technical boards, and customer procurement teams

Nice to have

Not required — but will strengthen your match quality.

  • FedRAMP experience as ISSO / AO advisor — familiarity with 3PAOs, continuous monitoring, and authorisation boundary scoping
  • Regulated-industry background: HealthTech (HIPAA / HITRUST), FinTech (PCI DSS / SOX ITGC / NYDFS Part 500), GovTech (FedRAMP / CMMC / StateRAMP)
  • Active certifications: CISSP, CISM, CCSP, CISA, or ISO 27001 Lead Auditor
  • Experience building and running a bug bounty program (HackerOne / Bugcrowd) or a coordinated vulnerability disclosure policy
  • Prior fractional CISO, vCISO, or advisory-board engagements

Compensation & benefits

  • Optional equity participation (0.1–0.4%) for 9+ month strategic engagements
  • Full remote flexibility — most work is async, with travel only for board meetings or on-site audits
  • Dedicated CXOwork engagement manager to help scope, line up auditors, and coordinate with the founder
  • Access to CXOwork's CISO peer network — benchmark data on comp, audit costs, and vendor pricing

Application process

  1. Submit your application — 10 minutes. We vet framework coverage, incident-response experience, and deal involvement
  2. Expert panel interview with two senior security practitioners (60 minutes) — deep-dive on one past audit and one past incident
  3. Reference check with a previous CEO or customer CISO you've partnered with
  4. Profile activated and surfaced to matching companies
  5. Curated intro call with matched founder — risk profile, framework target, and engagement scope
  6. Engagement kick-off within 1–2 weeks of mutual agreement

Looks like the right fit?

Application takes 10 minutes. No placement fees. Ever.
