GRC Case Study — 2026

RiskCommand
Security Program Build

A complete CISO engagement for a Series B fintech startup (200 employees, $40M funding). Built an entire security program from scratch — risk assessment, policy framework, BCP/DR, security awareness, vendor risk management, and executive reporting. Delivered 50+ professional artifacts across 6 phases with a $500K budget.

Engagement at a Glance

0 Artifacts Produced
0 Project Phases
0 ALE Identified
0 Program ROSI

Six-Phase Program Build

Each phase produces real, professionally formatted artifacts that a hiring manager or client can review.

Phase 1
Weeks 1-3
Phase 2
Weeks 3-5
Phase 3
Weeks 5-7
Phase 4
Weeks 7-9
Phase 5
Weeks 9-11
Phase 6
Weeks 11-12
Phase 1 — Weeks 1-3 7 documents

Risk Assessment & Crown Jewels Analysis

Identified 12 crown jewels across 3 tiers. Conducted STRIDE threat modeling on 4 critical systems (24 threats identified). Performed qualitative 5x5 risk assessment and quantitative FAIR analysis. Calculated ALE/SLE/ARO for top 10 risks ($75.9M total ALE). Built full risk register with treatment plans and delivered board heatmap.

Phase 2 — Weeks 3-5 15 documents

Security Policy Framework

Wrote complete policy stack mapped to NIST CSF 2.0 + ISO 27001:2022. Master Information Security Policy plus 11 domain policies (acceptable use, data classification, access control, cryptography, physical security, operations security, incident response, business continuity, vendor management, remote work/BYOD, vulnerability management). Policy hierarchy, NIST CSF control mapping (86% coverage across 50 subcategories), and RACI matrix.

Phase 3 — Weeks 5-7 8 documents

BCP/DR with Tested Runbooks

Conducted Business Impact Analysis across 13 business processes ($832K/hour revenue at risk). Defined RTO/RPO per tier. Wrote 4 DR runbooks (data center failover, ransomware, key person loss, vendor failure). Designed and facilitated a realistic ransomware tabletop exercise with 6 injects and a curveball scenario. Produced after-action report with 10 actionable findings.

Phase 4 — Weeks 7-9 7 documents

Security Awareness & Phishing Program

Deployed GoPhish for multi-wave phishing campaigns. Wave 1 (generic): 27.3% baseline click rate. Wave 2 (spear): 30.7% — personalization increased effectiveness. Wave 3 (BEC): 100% of AP staff clicked. Wave 4 (credential harvest): 23.7% submitted credentials, 66% of whom also entered a fake MFA code. Built annual training curriculum and quarterly improvement dashboard targeting 5% click rate by Q4.

Phase 5 — Weeks 9-11 6 documents

Vendor Risk Management Program

Classified 31 vendors into 4 risk tiers (6 Critical, 8 High, 10 Medium, 7 Low). Built tiered assessment methodology: full SIG + SOC 2 + pentest for Critical, SIG Lite for High, self-assessment for Medium, contractual clauses for Low. Designed quantitative risk scoring algorithm (inherent risk × control effectiveness × business criticality). Vendor risk scorecard tracks findings, remediation, and KPIs across the portfolio. Ongoing monitoring and off-boarding procedures.

Phase 6 — Weeks 11-12 5 documents

Executive Reporting & KRIs

Built KRI dashboard with 10 key risk indicators across patch compliance, phishing, vulnerabilities, MTTD/MTTR, vendor risk, and training. Assessed security program maturity at CMMI Level 1.8 with a target of 2.8 by year end. Calculated program ROSI at 10,392% (104× return). Produced board-ready quarterly report and 12-month security roadmap with 35 milestones.

Quantified Results

Key metrics extracted from the security program build, showing risk reduction and security awareness baselines.

ALE Reduction

Annualized Loss Exposure reduced from $75.9M to $21.4M with $520K program investment

Phishing Campaign Results

4-wave GoPhish campaign — BEC (100%) was most effective; credential harvest (23.7%) was most dangerous

Third-Party Risk Scorecard

Consolidated view of 31 assessed vendors with risk scores, findings tracking, and portfolio health metrics.

31 Vendors Assessed
$1.12M Annual Vendor Spend
14 Critical/High Vendors
27.4 Portfolio Risk Score
Vendors by Risk Rating
Vendor Spend by Tier
Vendor Tier Risk Score Rating Open Findings Status
AWS Critical 63.1 Critical 2 ✅ On track
Okta Critical 58.4 Critical 4 ⚠️ Remediating
Stripe Critical 61.2 Critical 1 ✅ On track
Twilio/SendGrid Critical 45.8 High 0 ✅ On track
Datadog Critical 42.1 High 0 ✅ On track
GitHub High 38.2 Medium 0 ✅ On track
Rippling High 33.0 Medium 0 ✅ On track
Zendesk High 41.5 High 3 🔴 Overdue

Key Professional Deliverables

Risk Register (FAIR Quantified)

10 top risks quantified with ALE/SLE/ARO, treatment plans, owners, and status tracking

Policy Framework (12 Policies)

Complete NIST CSF-aligned policy stack with RACI matrix and control mapping

DR Runbooks (4 Scenarios)

Data center failover, ransomware, key person loss, and vendor failure — with RTO/RPO targets

Tabletop Exercise Guide + AAR

Facilitator guide with 6 injects + curveball + full after-action report with 10 findings

Phishing Campaign Results (4 Waves)

GoPhish campaign data: click rates, credential submission, report rates, department breakdowns, QoQ targets

Vendor Risk Program (31 Vendors)

Tiering, assessment methodology per tier, quantitative scoring algorithm, scorecard with findings tracking and KPIs, monitoring, off-boarding

Board-Ready Quarterly Report

Q1 board report with KRI dashboard, risk posture update, budget utilization, and decisions required

12-Month Security Roadmap

35 milestones across 4 quarters with success criteria, owners, and resource requirements

Business Impact

53% Risk Reduction

ALE reduced from $75.9M to estimated $21.4M in Year 1 through $520K program investment

200 Employees Trained

Phishing click rate baseline established (27.3%) with target of 5% by Q4. Report rate target of 50%.

SOC 2 Readiness

Full policy framework, tested DR plans, awareness program, and vendor risk program in place for SOC 2 audit

Full Project Repository

All 50+ artifacts are available in the project directory, organized by phase with consistent naming conventions.


View on GitHub Back to GRC Projects