
Virtual Chief Information Security Officer; vCISO

Job in Woburn, Middlesex County, Massachusetts, 01813, USA
Listing for: iCorps
Full Time position
Listed on 2026-05-21
Job specializations:
  • IT/Tech
    Cybersecurity, IT Consultant, Information Security
Salary/Wage Range or Industry Benchmark: 150000 - 200000 USD Yearly

Virtual Chief Information Security Officer (vCISO)

Woburn/Hybrid

About iCorps and the Role

iCorps Technologies has delivered IT consulting and managed services to mid-market clients since 1994. We specialize in cloud computing, cybersecurity, IT governance, and outsourced IT support. We are a Microsoft Solutions Partner and Cloud Service Provider, and a Microsoft US Partner Award Winner for Security and Compliance.

The virtual Chief Information Security Officer is a client-facing role. You are the security leader iCorps puts in front of its clients, bringing the experience and operational discipline of a seasoned CISO to organizations that cannot retain one full time. We expect security to be treated as an operational discipline, with clear priorities, measurable outcomes, realistic sequencing, and honest conversations when something is not working.

Scope of the Role

The work spans three connected responsibilities, and a successful vCISO moves between them across a single engagement and across a portfolio.

1. Active Security Advisor. Provide hands‑on advisory guidance on day‑to‑day security decisions: architecture choices, control implementation, vendor selection, configuration questions, incident calls, and the steady stream of judgment calls a maturing program generates. This pillar covers identity‑first security and zero trust adoption, cloud posture across Microsoft 365, Azure, AWS, and Google Cloud, endpoint and detection strategy, MDR and XDR partnerships, ransomware resilience and tested recovery, third‑party and supply‑chain risk, and the secure adoption of generative AI.

2. vCISO Alignment of Business, Governance, and Technical Control. Set and run the security program so the client is aligned to the frameworks that apply: NIST CSF 2.0, ISO 27001:2022, CMMC 2.0 (meaningful given our DoD‑adjacent client base), SOC 2, HIPAA, PCI DSS 4.0, US state privacy laws led by CCPA, SEC cyber disclosure where applicable, and cyber insurance attestations. Translate executive intent into governance structure, governance into policy, policy into control, and control state into board‑ready reporting.

Stand up and run a recurring security committee at each client. Own AI governance specifically: the policies, review processes, and committee structure that let a client adopt AI tooling without losing control of their data.

3. Gap Analysis and Assessment. Run baseline assessments at engagement kickoff, periodic reassessments on an agreed cadence, and targeted assessments tied to events such as acquisitions, regulatory change, new product lines, or CMMC certification cycles. Produce remediation roadmaps with sequencing, ownership, and effort the client can fund and execute. Run post‑incident assessments to verify whether controls performed the way the program described.

What You Will Do
  • Own the security program for each assigned client, with a written strategy, roadmap, and reporting cadence with the executive sponsor and, where applicable, the board or audit committee.
  • Lead identity‑first security: conditional access, PIM and PAM, least privilege, identity threat detection, and joiner‑mover‑leaver discipline.
  • Drive cloud posture across Microsoft 365, Azure, AWS, and Google Cloud, including CSPM and SSPM findings, hybrid work controls, and SaaS‑to‑SaaS risk.
  • Set the direction for detection and response, treating incident readiness (tabletops, runbooks, escalation paths, retainer relationships) with the same weight as incident response itself.
  • Guide ransomware resilience: immutable backups, tested recovery objectives, recovery drills, and tabletop cadence at the executive level.
  • Own third‑party and supply‑chain risk, including vendor due diligence, SBOM awareness, and fourth‑party exposure.
  • Lead AI governance and the secure adoption of AI tooling across policy, technical configuration, and ongoing monitoring for shadow AI.
  • Guide incident response when an event occurs, coordinating with legal, forensics, insurance, and law enforcement, and lead the post‑incident review so lessons land in policy and controls.
  • Partner with iCorps delivery teams so recommendations are implementable in the environments we manage.
What You…