CISO

Inversion6 is seeking an experienced and credentialed Fractional Chief Information Security Officer to join our growing advisory practice. This is a senior leadership role, not a staff augmentation position. The Fractional CISO embeds directly with client organizations on 12-month engagements, serving as a trusted security executive who owns outcomes and drives measurable program maturity. The right candidate has been a CISO. Not a near-CISO, not a security director who reported to one — a practicing CISO who has owned the program, managed the team and budget, briefed the board, led the response, and built something that worked. That experience is the foundation from which great advisory work is delivered. Our clients deserve that depth, and they can feel the difference. The Fractional CISO is responsible for the full spectrum of strategic security leadership: designing and implementing security programs aligned to business goals and recognized frameworks, managing governance, risk, and compliance functions, conducting risk assessments, leading incident response planning, briefing executive leadership and boards, and advancing the client's security posture through both planning and hands‑on execution. This role demands someone who can operate at the board level and in the weeds with engineers — often in the same week. Success is measured by client outcomes. Inversion6 Fractional CISOs maintain a 95% client renewal rate. That standard is earned through long‑term relationship building, consistent delivery, and the kind of embedded advisory presence that clients renew not because they have to, but because they want to. Most fractional CISO engagements are transactional. A consultant appears, documents what's wrong, and disappears. That is not what we do. Inversion6 Fractional CISOs embed with clients on structured 12-month engagements, building real relationships and delivering real work — not reports that collect dust. The right candidate owns outcomes, not just recommendations. This means running GRC and risk review meetings, conducting risk assessments, writing policies and procedures, leading tabletop exercises, managing Microsoft 365 and Azure security configurations, supporting M&A security diligence, scoping SaaS application security assessments, and developing incident response and disaster recovery plans. The work that needs doing is the work this candidate does. They do not point at problems and wait for someone else to fix them. We are looking for proven CISOs who want to be part of a team, embed with clients long‑term, and help those clients build sustainable, compliant security programs that actually work. Inversion6 evaluates its advisory team against three core attributes. These are non‑negotiable. Humble. Collaborative by nature, low ego by choice. Works well with internal teams, client stakeholders, and fellow advisors. Leads through influence, not authority. Understands that being the smartest person in the room is far less valuable than making the room smarter. Hungry. Actively supports sales, proactively identifies opportunities within client engagements, and understands that growing the practice is part of the job. Seeks out problems worth solving, not just problems worth reporting. Smart. Strong emotional intelligence, deep technical fluency, and the ability to translate complex security risk into executive‑level clarity. Delivers results, not just recommendations. Strategic Security Leadership Design and implement comprehensive, business‑aligned cybersecurity strategies tailored to each client's industry, risk profile, and regulatory obligations. Serve as the primary security executive for client organizations, attending leadership meetings, steering committees, and board sessions as required. Translate technical security risks into business impact language that resonates with executives, boards, and non‑technical stakeholders. Develop 12‑month security program roadmaps with measurable milestones, maturity targets, and clear ownership. Build and sustain security cultures through workforce awareness programs and executive education. Governance, Risk, and Compliance (GRC) Lead ongoing GRC oversight, including risk reviews, policy maintenance, control assessments, and exception tracking. Conduct formal, enterprise‑wide risk assessments aligned to NIST CSF 2.0, NIST 800‑53, NIST 800‑171, ISO 27001/27002, SOC 2, HIPAA, CMMC, NYDFS, FTC Safeguards, and PCI DSS — as applicable to each client's environment. Develop, maintain, and communicate information security policies, standards, and procedures grounded in framework controls and operational reality. Track and report compliance posture against applicable regulatory frameworks and contractual obligations, including customer‑driven security questionnaires and cyber insurance requirements. Manage audit preparation, evidence collection, auditor interaction, and client‑facing audit support — keeping audits on track and within scope. Incident Response and Business Continuity Develop and maintain incident response plans, playbooks, and escalation procedures tailored to each client's environment and risk profile. Plan, facilitate, and debrief tabletop exercises and IR simulations with client leadership and technical teams. Develop disaster recovery and business continuity plans in coordination with client IT and operations leadership. Serve as a trusted advisor during active incidents — providing calm, structured, and operationally grounded guidance under pressure. Security Program Execution Run security steering committee and GRC review meetings on a defined cadence aligned to the Inversion6 Assess → Build → Collaborate → Report delivery model. Oversee vulnerability management programs, ensuring findings are risk‑rated, tracked, remediated, and reported to leadership. Lead Microsoft 365 and Azure security assessments, reviewing configurations against CIS benchmarks and Microsoft security defaults, and delivering prioritized remediation guidance. Conduct SaaS application security assessments, delivering findings against best practices and preferred policy frameworks with a risk register and recommended remediation actions. Support M&A security due diligence — assessing the security posture of assets being acquired and leading integration planning with a phased, stage‑gated approach. Evaluate and advise on security technology investments, tool selection, and vendor relationships. Manage third‑party and vendor risk programs, including assessments, contract reviews, and ongoing monitoring. Business Development and Practice Support Support Inversion6 sales efforts by participating in prospect conversations, scoping engagements, and contributing to proposals and statements of work. Identify expansion opportunities within existing client accounts and communicate them to practice leadership. Contribute to Inversion6 thought leadership through writing, speaking, and representing the firm in the market. Required Qualifications 10 or more years of progressive, hands‑on experience as a CISO, Deputy CISO, or equivalent senior security executive — with direct ownership of the security program, budget, team, and board relationship. Demonstrated experience leading and maturing security programs in mid‑to‑large, regulated organizations. Manufacturing, finance, healthcare, and government experience strongly preferred. Proven track record of building and managing security teams, owning operational budgets, selecting and managing vendors, and stewarding multi‑year security program roadmaps. Direct experience briefing executive leadership and boards of directors on security risk, program maturity, incident status, and strategic priorities — with the ability to hold that conversation without a script. Deep, applied experience conducting risk assessments and operationalizing controls across frameworks including NIST CSF, NIST 800‑53, NIST 800‑171, ISO 27001/27002, SOC 2, HIPAA, CMMC, NYDFS, FTC Safeguards, and/or PCI DSS. Experience with Microsoft 365 and Azure security — including configuration reviews, identity and access governance, and Microsoft Secure Score improvement programs. Hands‑on experience with threat modeling, security architecture review, and technical risk assessment across cloud, hybrid, and on‑premises environments. Experience writing and maintaining information security policies, incident response plans, business continuity plans, and supporting procedures — not just reviewing them. Demonstrated ability to plan, facilitate, and debrief tabletop exercises and IR simulations at the executive and technical levels. Comfortable managing multiple client engagements simultaneously, with strong organizational discipline, self‑direction, and professional accountability. Preferred Credentials CISSP (Certified Information Systems Security Professional) — strongly preferred. CISM, CISA, CRISC, or equivalent governance and risk‑focused certification. MBA or equivalent business leadership experience — valued in a practice that serves executive teams. Prior experience in an MSSP, consultancy, or fractional executive capacity. Competency What This Looks Like in Practice Executive Presence Communicates with authority and calm at the board and C‑suite level. Earns trust quickly. Does not over‑qualify, over‑explain, or hedge when the room needs clarity. Security Program Leadership Has designed, funded, staffed, and matured real security programs — not just recommended what someone else should build. Makes sound risk decisions under uncertainty. Prioritizes based on business impact and operational reality, not just CVSS scores or framework checklists. Technical Depth Understands how attacks happen, how environments are configured, how controls fail, and how architecture choices create or close exposure. Can hold a technical conversation without a translator. Frameworks & Compliance Deep working knowledge of NIST, ISO, CMMC, SOC 2, HIPAA, NYDFS, FTC Safeguards, and PCI — applied, not theoretical. Has used these frameworks to drive real program work. Client Relationship Management Builds long‑term trust with client executives, IT teams, and boards. Shows up consistently, communicates clearly, and earns the 95% renewal. Communication Skills Writes and speaks with precision. Can translate a complex vulnerability into a one‑sentence board risk statement without losing the substance. Problem Solving Finds root causes, not just symptoms. Develops practical, executable solutions grounded in how clients actually operate — not how they should operate in theory. Works well across internal practice teams and client organizations. Shares knowledge, supports colleagues, and checks the ego at the door. Business Development Proactively identifies client needs and expansion opportunities. Participates in scoping conversations and understands that practice growth is a shared responsibility. Stays current with the threat landscape, regulatory changes, and emerging technology risk. Applies new knowledge to active engagements without being asked. Equal Opportunity Employer This employer is required to notify all applicants of their rights pursuant to federal employment laws.For further information, please review the Know Your Rights notice from the Department of Labor. #J-18808-Ljbffr