fCISO   Revenue CISO

I make SOC2 and cybersecurity a core strength of your organization.

As a serial founder and CTO, I know the value of cybersecurity, the toll it can take on a company, and the security it can instill when done well.



Stephan Smith

fCISO & fCTO | Founder

Boston based. I work in the EST +/- 2 timezones. Taking a series of long deep breaths since leaving my last startup, and focusing on new projects. My last company was part of the Techstars Boston cohort in 2018. We have benefited from Techstars' vision of 'Give First', and always look for ways to give back.

HIPAA CCPA GDPR SOC AI Compliance


Stephan Smith, Fractional fCTO

Why use a fractional CISO?

You use a fractional CISO (aka fCISO) when you need cybersecurity to be a core strength, a source of empowerment for your team, and a trust builder for your business. This takes experience, and a gentle approach to the firehose that SOC2 can become.


Advisory Only

You have a team, but you and your team need context and help getting mentally ready to address it.


  • Time frame: 2-3 months
  • Engagement: Weekly or Bi-weekly calls
  • Summary: Weekly calls, background research, not visible to the team, bottom-up review of existing code, tools, patterns and stack components. Good for the CEO who needs background before dealing with the board, investors or internal leadership.
Perspective Revenue Blockers Board Prep Vendor Selection

Advisory + Execution

When you need hands-on help to get the job done, to talk to outside cybersecurity experts, and to keep work from overloading your team.


  • Time frame: 2-3 months
  • Engagement: Weekly Tasks
  • Summary: Weekly calls, background research, not visible to the team, bottom-up review of existing code, tools, patterns and stack components. Good for the CEO who needs background before dealing with the board, investors or internal leadership.
Tasks Configuration Custom Policies

My Value Proposition

There is no silver bullet for building trust into your team, but there are approaches that work. Here are some of the patterns I have seen and addressed, and the techniques I have built to address them.

Timeline
  • Observed: When a founding team is heads down and building, thinking about and planning for cyber prep is hard. "Context is KING."
  • Solution: A fractional CTO/CISO can help bridge the gap when tech challenges need a resource to change mindsets.

Roadmap
  • Observed: When founding teams put off SOC2, it is because the workload is unknown and the impact on their roadmap is impossible to balance.
  • Solution: Don't flood your roadmap; work smarter, and do the cyber prep that matches your actual stage of funding, sales and build.

Mental
  • Observed: SOC2 and cyber prep put stress on teams. They add tickets to sprints, work to IT, and training for everyone else. Getting to SOC2 can seem to be the goal.
  • Solution: The real goal is getting the value from SOC2. Reports are good. Trust is better.

Risks
  • Observed: Not preparing is a risk. The first big hack event can put C-level careers at risk.
  • Solution: Everyone in a company needs to understand the value of security, but C-levels need to know, deeply, how to build these core values into their teams.

Some References

Yvan Castilloux
CEO of Augusta Care

"Stephan has been helping us in figuring out how we should get to SOC2 compliance within a reasonable budget. He's looked at our tech stack and gave us practical recommendations on how it should evolve over time. I'm looking forward to working with him again."


Michelle Chao
COO of Phoenix Tailings

"Stephan worked with our team as we started to scale up and address security requirements. He assisted in our selection of security frameworks that matched our unique funding, IP, and cyber-security needs. His startup experience provided us with options that matched our stage and immediate concerns. We hope to tap into his experience when our security requirements change."


Jesse Marple
Solutions Architect at Brytebridge

"We pulled in Stephan to build out our tech stack and API. He executed in record time, provided our front end teams with Just-in-Time API resources as we decided on email providers, payment gateways, hosting and storage options on AWS. He takes a very practical approach to solutions. He gave us both working solutions, as well as best practices for API route testing, JWT token security and a framework that we can hand off to a team to extend. He helped our team go from idea to revenue in 4 weeks. Zero to MVP in record time!"


TL;DR

The best metaphor for SOC2 is to think about it like a college class. You need this one class to graduate. You have put off taking this class because it is known to be grueling and is legendary for the amount of reading. You have skipped all the lectures, so you cannot cram for it. You will value the knowledge, but it just feels like a slog, like a tax that gives no value.

Basically, it's hard to work smart.


References from past and current clients are available, after an initial screening call. Client data and relationships are all covered by NDAs. No leaks.