GRC & Security Consulting

Practical security and compliance for organizations that want real protection, not paperwork that looks like it

Security and compliance work shouldn't slow you down or produce paperwork that looks reassuring while leaving you exposed. I help organizations build security programs that address real risks first, then organize the compliance evidence around the work that's actually getting done.

My approach integrates security into your existing workflows rather than bolting it on. Whether you're pursuing SOC 2 certification, getting ahead of a cyber-insurance renewal, or building out DevSecOps practices, I focus on controls your team can actually maintain and that provide genuine protection.

Having worked across industries with different regulatory requirements, from FERPA in education to HIPAA in healthcare-adjacent services to PCI for anyone touching card data, I understand that compliance isn't one-size-fits-all. The right answer for a 30-person charter school looks nothing like the right answer for a regional healthcare practice, and I'll tell you that up front.

Compliance Theater vs. Real Security

Every audit cycle, organizations rediscover that passing the audit and being secure are not the same thing. SOC 2 paperwork stapled on top of an environment with shared admin passwords and skipped patches doesn't protect you from anything except the auditor.

My approach starts with the actual threat model: what's likely to happen, what would hurt, what could you live without. The compliance frameworks come second, organized around the security work that's actually useful. The result is an audit trail that's honest because it documents real practice, not a paperwork firewall stapled on top of business as usual.

Cyber Insurance Without the Theater

Cyber insurers have quietly become the most consequential security regulator for smaller organizations. Renewal questionnaires now ask about MFA coverage, EDR deployment, backup immutability, and patch cadence. Get any of those wrong on the form and you find out at the worst possible moment, usually mid-incident.

I'll work the questionnaire with you, get the controls in place that actually move the needle on your premium and your risk, and document them in a form your insurer will accept. No theater, no buying tools you don't need just to check a box.

FERPA, HIPAA, PCI: What Actually Matters

Different frameworks, same underlying question: where is the sensitive data, who can touch it, and how do you prove it.

For schools, FERPA is rarely about the technology and almost always about who has unsupervised access to student records, including third-party platforms with terms of service most schools have never read. The work is mostly inventory, vendor review, and access control.

For organizations handling health information, HIPAA's technical requirements are less daunting than the policy and BAA work that has to surround them. The controls are tractable; the documentation discipline is what catches people.

For anyone handling card data, the right answer is usually to architect it out. Let your processor own the cardholder environment so PCI scope shrinks to almost nothing. The cheapest compliance is the compliance you don't have to do.

How I Can Help

🛡️

Risk Assessment & Management

Naming what's likely to happen, what would hurt, and what to fix first. The threat model your insurer wants and your team can actually act on.

📋

Compliance Frameworks

SOC 2, ISO 27001, and NIST, plus FERPA, HIPAA, and PCI where they apply, organized around real practice instead of stapled on top of it

⚙️

DevSecOps Integration

Security checks in your pipeline that catch real issues without grinding releases to a halt

📊

Security Governance

Policies and procedures written for the people who'll actually follow them, not for the binder

🔍

Security Assessments

Honest review of where you are, in language your CFO can read and your engineers can fix

🚨

Incident Response Planning

Plans you've actually rehearsed, so the first time you run them isn't the day you find out they don't work

Ready to Build Security That Actually Works?

Let's discuss how to protect your organization while meeting your compliance requirements.

Schedule a Consultation