Senior vCISO / GRC Consulting Manager

Agency Cybersecurity is fast growing, venture-backed startup that provides best‑in‑class cybersecurity and compliance. Our software and services simplify complex compliance frameworks including SOC2, ISO 27001, HIPAA, and others, empowering businesses to scale securely and confidently. We are backed by top tier investors like YCombinator and have offices in NYC, Boston, Richmond, and London. About the Role We are seeking a Senior vCISO / GRC Consulting Manager to lead client‑facing cybersecurity, governance, risk, and compliance engagements for organizations pursuing or maintaining security frameworks such as NIST800‑171, 800‑53, or CMMC as well as experience with SOC2, ISO27001, and related trust and security standards . This is an in‑person consulting leadership role based in Richmond, VA . The Senior vCISO will work directly with clients, internal delivery teams, and company leadership to provide hands‑on advisory support, manage GRC engagements, and lead a team responsible for delivering high‑quality cybersecurity and compliance services. The Senior vCISO will serve as a strategic advisor to clients, helping them understand their security and compliance obligations, prioritize risk, prepare for audits, implement practical controls, and build scalable security programs. This person will also manage a team of GRC consultants, analysts, and implementation specialists responsible for delivering client work. The ideal candidate has at least 6 years of professional experience in GRC, cybersecurity compliance, audit readiness, or related advisory work , including at least 4 years in a management or team leadership role . This person should be comfortable advising executives, managing client relationships, leading teams, working with auditors, and translating complex security and compliance requirements into clear business actions. Key Responsibilities Client Advisory and vCISO Leadership Serve as a trusted vCISO advisor to clients across cybersecurity, governance, risk, and compliance matters. Provide practical guidance to executive teams, founders, security leaders, IT teams, and business stakeholders. Help clients understand what they need to do to improve security, pass audits, reduce risk, and satisfy customer requirements. Advise clients on security program design, risk prioritization, compliance strategy, policy development, and control implementation. Lead client meetings, executive briefings, audit readiness sessions, and risk review discussions. Translate technical and compliance requirements into clear, business‑friendly recommendations. GRC and Compliance Program Delivery Lead client engagements related to SOC2, ISO 27001 , and other audited security frameworks. Develop and manage compliance roadmaps, audit readiness plans, and remediation timelines for clients. Guide clients through the full lifecycle of compliance readiness, including scoping, gap assessments, control implementation, evidence collection, audit support, and ongoing maintenance. Help clients determine the right level of security and compliance maturity for their size, industry, customer expectations, and business goals. Ensure compliance programs are practical, defensible, and not unnecessarily burdensome. Audit Readiness and Framework Management Lead SOC2 Type1 and Type2 readiness initiatives for clients. Support ISO27001 implementation, certification preparation, surveillance audit readiness, and continuous improvement. Coordinate with external auditors, assessors, client stakeholders, and internal delivery teams. Review audit evidence, control documentation, risk registers, policies, and remediation plans. Help clients understand audit findings and develop clear plans to address gaps. Maintain strong working knowledge of SOC2 Trust Services Criteria, ISO27001 requirements, and common security control expectations. Team Management and Delivery Oversight Manage a team of GRC consultants, analysts, and implementation resources. Assign work, oversee deliverables, manage deadlines, and ensure consistent quality across client engagements. Coach and mentor team members on GRC consulting, client communication, audit readiness, and control implementation. Review team deliverables, including gap assessments, policies, risk registers, audit evidence, project plans, and client‑facing reports. Ensure the team delivers work that is accurate, practical, professional, and aligned with client expectations. Build repeatable delivery processes, templates, playbooks, and quality standards for the consulting team. Security Control and Risk Advisory Advise clients on the design, implementation, and improvement of security and compliance controls. Help clients assess risks across cloud infrastructure, identity and access management, endpoint security, vulnerability management, vendor risk, change management, incident response, and secure development practices. Maintain and improve client risk registers and remediation plans. Work with client technical teams to prioritize security improvements based on business impact, audit requirements, and real‑world risk. Provide practical recommendations that balance security, compliance, cost, and operational complexity. Policy, Governance, and Documentation Lead the development and review of client security policies, procedures, standards, and governance documentation. Help clients implement policy review cycles, access review processes, vendor review workflows, risk acceptance procedures, and other governance activities. Ensure client documentation aligns with actual business practices and audit expectations. Help clients avoid “paper compliance” by tying policies and controls to real operational processes. Customer Trust and Security Questionnaire Support Advise clients on customer security reviews, vendor assessments, and trust‑related requests. Help clients respond to security questionnaires, customer due diligence requests, and enterprise procurement reviews. Support the development of reusable security and compliance response libraries. Help clients use compliance and security posture to support sales, customer trust, and enterprise readiness. Client Relationship Management Own or support client relationships across multiple GRC and vCISO engagements. Set clear expectations with clients regarding scope, timelines, responsibilities, and deliverables. Identify client risks, blockers, and expansion opportunities. Communicate engagement status, risks, and next steps clearly to both internal leadership and client stakeholders. Ensure clients receive strategic advice, not just task completion. Required Qualifications Minimum 6 years of professional experience in GRC, cybersecurity compliance, security advisory, audit readiness, IT risk, internal audit, or a related field. Minimum 4 years of management or team leadership experience . Direct experience advising organizations on audited frameworks such as SOC2 and ISO27001 . Experience managing client‑facing consulting engagements or advisory relationships. Strong understanding of security controls, risk management, compliance frameworks, and audit processes. Experience leading or supporting external audits, including evidence collection, control testing, auditor communications, and remediation. Ability to explain complex security and compliance concepts to executives, founders, technical teams, and non‑technical stakeholders. Strong written and verbal communication skills. Strong project management skills with the ability to manage multiple clients, deadlines, stakeholders, and team members. Ability to work in person from Richmond, VA . Willingness to attend in‑person meetings with internal teams, clients, and leadership as required. Preferred Qualifications Prior experience in a consulting, advisory, MSSP, vCISO, CPA firm, audit firm, cybersecurity firm, or compliance services environment. Experience with GRC platforms such as Vanta, Drata, Secureframe, Hyperproof, AuditBoard, OneTrust, or similar tools. Experience with additional frameworks such as HIPAA, HITRUST, NIST CSF, NIST800‑53, NIST800‑171, CMMC, PCIDSS, GDPR, CIS Controls, or privacy/security requirements for SaaS companies. Experience advising startups, SaaS companies, technology companies, fintech companies, healthcare companies, or mid‑market organizations. Familiarity with AWS, Azure, Google Cloud, identity providers, endpoint security tools, vulnerability management tools, ticketing systems, and security monitoring platforms. Relevant certifications such as CISA, CISSP, CRISC, CISM, ISO27001 Lead Implementer, ISO27001 Lead Auditor, Security+, or similar. Ideal Candidate Profile The ideal candidate is a strong consultant, manager, and security advisor. This person knows how to help clients make good security decisions without overwhelming them with unnecessary complexity. You should be able to walk into a client environment, quickly understand their business, assess their compliance and security needs, and tell them what matters most. You should know how to guide clients through SOC2, ISO27001, and broader security program development in a way that is practical, credible, and aligned with the client’s stage of growth. You should also be a strong people manager. This role requires someone who can lead a team, review work, improve delivery quality, coach junior team members, and create repeatable consulting processes. This is not just a documentation role or an audit coordination role. We are looking for someone who can act as a true vCISO: someone who can advise clients, manage risk, guide security strategy, lead a team, and help clients build security and compliance programs they can actually operate. Compensation The base salary for this role is $125,000 per year . Additional compensation, benefits, bonus eligibility, and other incentives may be provided depending on company policy and candidate qualifications. Work Location This is an in‑person role based in one of the following locations: Richmond, Virginia Candidates must be able to work in person from one of these locations and collaborate directly with clients, internal teams, auditors, and external stakeholders. We believe in rewarding hard work with meaningful perks that support your growth, health, and well‑being. 10 days of paid time off (PTO) 11 paid federal holidays 401(k) with 4% company match Monthly healthcare stipend Weekly team lunches and in‑office snacks #J-18808-Ljbffr