04 / Cyber

Cybersecurity advisory & strategy.

Board-level cybersecurity guidance, incident response readiness, vCISO engagements, and the strategic calls IT leadership and executives need someone outside the org to weigh in on.

Engagement formats

Where I'm useful.

A

Board & executive cyber posture

What the board needs to know, in language a board can act on. Briefings, threat-landscape reads, and a clear-eyed picture of where the organization actually sits.

B

Fractional vCISO

For organizations that need senior cybersecurity oversight but not a full-time hire. Strategy, program ownership, and a real voice in the room.

C

Incident response readiness

Plan review, tabletop exercises, and the answer to the question that matters most: what would actually happen on day one if your environment was hit tomorrow?

D

Breach response & recovery oversight

Independent oversight when something has already happened. Vendor coordination, executive communication, and decisions that hold up after the fact.

E

Vendor & tool evaluation

Tool sprawl reduction, vendor selection, MSP/MSSP performance evaluation, contract review for security obligations. Free of any reseller incentive.

F

Strategic decisions & second opinions

The "we're about to commit to a direction and I want an outside read" call. Often the highest-leverage hour I spend with a client.

Important to know

What I don't do.

No MSP-style services sales, no product reselling, no fear-based pitch. I don't have a tool to sell you, a partnership to push, or a margin riding on which vendor you pick. That independence is the entire point — it's what makes the advice usable.

Client voices

"Sleep well at night."

From the InfoStream years — what protected clients said.

"I sleep very well at night knowing that these guys are on our side and protecting our company and our customers."

Scott Porter, CPA, Shareholder — Caler, Donten, Levine, Porter, Veil, CPA, P.A.

"The InfoStream team keeps my IT systems in top shape and they keep us protected. We are grateful to have Alan and his team working with us."

Keith Davis, Owner — Davis & Ashton, P.A.

FAQ

Common questions.

Do you sell or implement security products?

No. Outside expert, not vendor. No product resale, no referral fees, no commissions on tools recommended. If a tool is right for the situation, it gets recommended; if it is not, it does not.

Do you act as a long-term virtual CISO?

Yes, on a selective basis. vCISO engagements work best for organizations between a few dozen and a few hundred employees where a full-time CISO is overkill but the cybersecurity surface has outgrown the IT team. Monthly cadence, defined deliverables, board reporting on request.

Do you handle active incidents?

Yes, for incident-response readiness, tabletop exercises, and post-incident reviews. During an active breach the priorities are containment and the incident-response firm running the engagement — my role at that point is advisory to leadership and counsel, translating what the responders are saying into decisions the executive team can actually make.

What industries do you serve?

Municipalities and government agencies, healthcare organizations, legal sector, financial services, education, cultural institutions, and small to mid-sized businesses across most other sectors. Three decades of pattern recognition across industries is the asset.

How is this different from the IT auditing engagement?

An audit is a defined-scope assessment that produces a written report at a point in time. Cybersecurity advisory is ongoing — vCISO, IR readiness, board-level briefings, decision support on tools and roadmap. The two are complementary, often sequential: audit identifies the gaps, advisory engagement closes them.

Engage

Just had a breach? Don't fill out a form. Email me.

Email goes straight to my desk. For active incidents, mention "incident" in the subject line — those move first.