
Senior Security Consultant / CISO Track
Role summary
Careful Security is seeking a Senior Security Consultant for a contract-to-hire role with a CISO track. This remote, US-based position focuses on hands-on client delivery, including risk assessment, remediation, compliance certification (SOC 2, ISO 27001, HIPAA, PCI DSS), penetration testing, identity management, endpoint and cloud security, log analysis, and security architecture review. The role requires 10+ years of experience, mastery of CIS 18 Controls, and proficiency with various security tools and platforms. The ideal candidate possesses strong technical skills, executive presence, and a proactive, self-directed work ethic. This role offers a path to a full-time CISO position with equity consideration.
# Senior Security Consultant — Contract-to-Hire (CISO Track)
Careful Security | Remote (US-Based, Pacific Time Preferred) | Contract 10-25 hrs/week | Path to Full-Time
## The Opportunity
Careful Security is a cybersecurity and compliance implementation firm. Not advisors. Not auditors. We do the actual work — fix security gaps, build compliance programs, get clients certified, and keep them secure after the auditor leaves.
We serve mid-market companies (200-2,000 employees) in SaaS, FinTech, Healthcare, Manufacturing, and Financial Services. 100% first-attempt pass rate across 50+ certifications. 87-day average completion. Zero missed deadlines. Money-back guarantee.
We need a senior security practitioner who can take over hands-on client delivery — the full stack, not just compliance paperwork. Contract engagement (10-25 hrs/week) with a clear path to full-time CISO as we scale toward $5M ARR.
If you want to lead assessments from a conference room and never touch a console, this isn't for you.
## What You'll Own
**Risk Assessment & Remediation** — Get into client environments, review cloud configs against CIS Benchmarks, trace data flows, find risks no scanner detects. Then fix them. Enforce MFA, close dormant accounts, harden cloud configs, build incident response workflows, stand up vendor risk programs. Every risk gets an owner, a deadline, and follow-up until it's verified closed.
**CIS 18 Controls — Our Operational Backbone** — Assess client maturity against all 18 control families. Drive implementation using Implementation Groups (IG1/IG2/IG3). Map every CIS control to compliance frameworks. Review maturity percentages in Dashr.ai every working meeting. This is how we deliver certification in 90 days — the security work IS the compliance work.
**Compliance Certification** — Full-service SOC 2 Type I/II, ISO 27001, ISO 42001, HIPAA, PCI DSS. Write 40+ policies customized to operations. Implement controls. Collect evidence via Dashr.ai. Run mock audits. Coordinate with external auditors.
**Penetration Testing** — Plan, scope, and execute or quality-review pentests (Nmap, Burp Suite, Nessus, Nuclei). Reports include business impact, step-by-step remediation, and real-world exploitability ranking. Retest after remediation.
**Identity Management** — Build centralized identity systems. Consolidate into Entra ID, Okta, Google Workspace, or JumpCloud. Configure SSO, conditional access MFA, automated provisioning/deprovisioning, RBAC, quarterly access reviews.
**Device & Asset Security** — Configure and operate SentinelOne (EDR), NinjaOne (RMM), Microsoft Defender, Intune. Activate the M365 security stack clients already own but aren't using. Work across Google Workspace, AWS, and Azure security services.
**Log Analysis & Anomaly Monitoring** — Hands-on log review across M365/Sentinel, Google Workspace, AWS CloudTrail/GuardDuty, Azure Monitor, and client SIEMs (Splunk, Elastic, QRadar, Datadog). Identify IOCs, investigate anomalies, take action. Detect, investigate, respond, close, document.
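To make the CloudTrail part of that concrete, here is an added example (written for this posting, not Careful Security's own tooling) of the kind of first-pass triage a consultant runs before opening a SIEM: four detections that paraphrase the CIS AWS Foundations Benchmark monitoring recommendations (root account use, console sign-in without MFA, IAM policy changes, access-denied calls) applied to CloudTrail events supplied as JSON lines. The four events are constructed for the demo; the account ID, user names and IP addresses are placeholders.

```python
import json

# Events that change IAM permissions; a successful call is worth a look.
IAM_POLICY_CHANGE_EVENTS = {
    "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy",
    "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy",
    "CreatePolicy", "CreatePolicyVersion", "SetDefaultPolicyVersion",
}


def triage_cloudtrail(lines):
    """Run four CIS-style detections over CloudTrail events given as JSON lines.

    Returns a list of (rule, principal, source_ip, detail) tuples:
      ROOT_ACTIVITY      any call made by the account root user
      CONSOLE_NO_MFA     successful console sign-in with MFAUsed == "No"
      IAM_POLICY_CHANGE  successful call that attaches or writes a policy
      ACCESS_DENIED      call rejected with an AccessDenied* error code
    """
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ident = ev.get("userIdentity", {})
        principal = ident.get("arn") or ident.get("type", "unknown")
        ip = ev.get("sourceIPAddress", "?")
        name = ev.get("eventName", "")
        error = ev.get("errorCode", "")

        if ident.get("type") == "Root":
            findings.append(("ROOT_ACTIVITY", principal, ip, name))
        if (name == "ConsoleLogin"
                and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and ev.get("additionalEventData", {}).get("MFAUsed") == "No"):
            findings.append(("CONSOLE_NO_MFA", principal, ip, "console sign-in without MFA"))
        if name in IAM_POLICY_CHANGE_EVENTS and not error:
            target = ev.get("requestParameters", {}).get("policyArn", "")
            findings.append(("IAM_POLICY_CHANGE", principal, ip, f"{name} {target}".strip()))
        if error.startswith("AccessDenied"):
            findings.append(("ACCESS_DENIED", principal, ip, name))
    return findings


def summarize(findings):
    """Count findings per rule: the shape that goes into the client's risk register."""
    counts = {}
    for rule, *_ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed sample events (placeholder account, users and IPs), one JSON object per line.
SAMPLE_EVENTS = [
    json.dumps({"eventTime": "2024-01-15T09:02:11Z", "eventName": "ConsoleLogin",
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
                "sourceIPAddress": "203.0.113.10",
                "responseElements": {"ConsoleLogin": "Success"},
                "additionalEventData": {"MFAUsed": "Yes"}}),
    json.dumps({"eventTime": "2024-01-15T23:41:05Z", "eventName": "ConsoleLogin",
                "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
                "sourceIPAddress": "198.51.100.77",
                "responseElements": {"ConsoleLogin": "Success"},
                "additionalEventData": {"MFAUsed": "No"}}),
    json.dumps({"eventTime": "2024-01-15T23:43:30Z", "eventName": "AttachUserPolicy",
                "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
                "sourceIPAddress": "198.51.100.77",
                "requestParameters": {"userName": "svc-backup",
                                      "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}}),
    json.dumps({"eventTime": "2024-01-15T10:12:00Z", "eventName": "ListBuckets",
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
                "sourceIPAddress": "203.0.113.22", "errorCode": "AccessDenied"}),
]

if __name__ == "__main__":
    hits = triage_cloudtrail(SAMPLE_EVENTS)
    for rule, principal, ip, detail in hits:
        print(f"{rule:18} {principal:45} {ip:15} {detail}")
    print(summarize(hits))
```

The root sign-in without MFA followed two minutes later by the same root session attaching AdministratorAccess to a service user is the pattern this catches: two separate rules firing on one principal from one IP is the signal to investigate, not just document. Feeding real logs means reading the gzip'd JSON from the CloudTrail bucket and passing each record as a line; the rules do not change.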
**Security Architecture & Configuration Review** — Map network topology, evaluate trust boundaries, trace data flows. Compare configs against CIS Benchmarks at the IAM policy statement level.
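"At the IAM policy statement level" means reading every `Statement` in every customer-managed policy, not just the policy's name. As an added example (not Careful Security's own tooling), the following reviewer applies the CIS AWS Foundations Benchmark recommendation that no policy grant full `*:*` administrative privileges, plus two adjacent checks a reviewer would run in the same pass: a wildcard grant that is only gated by a `Condition`, an `Allow` written as `NotAction`, and a service-wide wildcard such as `iam:*` on all resources. The policy documents are constructed for the demo.

```python
import json


def _as_list(value):
    """IAM accepts a string or a list for Action/NotAction/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def review_policy(policy):
    """Review one IAM policy document (a dict) statement by statement.

    Returns a list of (sid, severity, reason) tuples. Checks applied to each
    Allow statement:
      CRITICAL  Action "*" (or "*:*") on Resource "*" with no Condition: the
                full-admin pattern the CIS AWS Foundations Benchmark says
                should not be attached to any principal.
      HIGH      the same grant gated only by a Condition (verify it holds),
                an Allow written as NotAction (grants everything not listed),
                or a service-wide wildcard such as "iam:*" on Resource "*".
    Deny statements only narrow permissions and are skipped.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"Statement[{idx}]")
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        any_resource = "*" in resources
        gated = bool(stmt.get("Condition"))

        if "NotAction" in stmt:
            findings.append((sid, "HIGH", "Allow with NotAction grants every action not listed"))
            continue
        if any(a in ("*", "*:*") for a in actions) and any_resource:
            if gated:
                findings.append((sid, "HIGH", "full administrative access gated only by a Condition"))
            else:
                findings.append((sid, "CRITICAL", "full *:* administrative privileges on all resources"))
            continue
        for action in actions:
            if action.endswith(":*") and any_resource:
                findings.append((sid, "HIGH", f"service-wide wildcard {action} on all resources"))
    return findings


def review_policy_json(text):
    """Wrapper for policy documents pulled as JSON text (e.g. from get-policy-version)."""
    return review_policy(json.loads(text))


# Constructed sample policies for the demo; not from any client environment.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},
}

MIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "IamAll", "Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Sid": "AdminWithMfa", "Effect": "Allow", "Action": "*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, pol in (("ADMIN_POLICY", ADMIN_POLICY), ("MIXED_POLICY", MIXED_POLICY)):
        for sid, severity, reason in review_policy(pol):
            print(f"{name}: {sid}: {severity}: {reason}")
```

Note that `Statement` may be a single object rather than a list, and `Action`/`Resource` may be strings rather than lists; a reviewer that only handles the list forms silently passes the single-statement admin policy above. The `DenyAll` statement produces no finding because a Deny never widens access, which is also why the review should run against the effective policy set, not one document in isolation.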
**Data Security & Privacy** — Data discovery, classification, DLP using existing platforms (Purview, Google DLP, Macie). Build privacy programs for CCPA/CPRA, HIPAA, GDPR, NIST Privacy Framework.
**Attack Surface Monitoring** — Enumerate external assets (Shodan, Censys, cert transparency, DNS recon). Identify exposed credentials. Then reduce the surface — not just document it.
**vCISO Advisory** — Board/executive reporting, security program strategy, risk register maintenance, vendor oversight, incident response planning, tabletop exercises. Embedded leadership, not a monthly check-in call.
**Team Leadership** — Mentor security engineers. Set quality standards for all deliverables. Build playbooks and processes that scale.
## Must-Haves
- 10+ years hands-on security delivery (not just advisory)
- Led full-cycle SOC 2, ISO 27001, HIPAA, or PCI DSS certifications
- Strong CIS 18 Controls mastery — Implementation Groups, control-to-framework mapping, maturity scoring
- Hands-on with: endpoint (SentinelOne, CrowdStrike, Defender), identity (Entra ID, Okta, Google Workspace), cloud security (AWS, Azure, GCP), RMM/MDM (NinjaOne, Intune, Jamf)
- Log analysis experience across M365, Google Workspace, AWS, Azure, and/or SIEM platforms
- Penetration testing — run them or quality-review them
- Security remediation — you've personally fixed problems, not just documented them
- CISSP, CISA, CISM, GPEN, or ISO 27001 Lead Auditor
- Executive presence — command a room with a CTO or CISO
- Self-directed. Clear writer. Deliverables go to clients without editing.
## How We Evaluate Our Team
Technical skills get you in the door. These 14 qualities keep you here:
Proactive, Communicative, Problem Solver, Innovative, Ownership Mindset, Juggler, Change Driver, Prioritizer, Finisher, Client Leader, Meeting Driver, Continuous Learner, Conviction, Clear Writer.
If this list reads like "that's just how I work" — we should talk.
## Engagement Details
- Contract (1099), 10-25 hrs/week
- 3-month initial, path to full-time CISO with equity consideration
- Remote, US-based, Pacific Time overlap required
## How to Apply
Answer this question in 3-5 sentences (no cover letter novels):
**What's the most complex compliance engagement you've led, and what made it hard?**
Mention which framework you have the most depth in and how many full-cycle engagements you've led.
Read the full scope above first. This is hands-on work — configuring tools, hardening systems, closing risks. If that's not how you operate, this isn't the right fit.
We respond within 48 hours.