A complete CISO engagement for a Series B fintech startup (200 employees, $40M funding). Built an entire security program from scratch — risk assessment, policy framework, BCP/DR, security awareness, vendor risk management, and executive reporting. Delivered 50+ professional artifacts across 6 phases with a $500K budget.
Each phase produces real, professionally formatted artifacts that a hiring manager or client can review.
Identified 12 crown jewels across 3 tiers. Conducted STRIDE threat modeling on 4 critical systems (24 threats identified). Performed qualitative 5x5 risk assessment and quantitative FAIR analysis. Calculated ALE/SLE/ARO for top 10 risks ($75.9M total ALE). Built full risk register with treatment plans and delivered board heatmap.
Wrote complete policy stack mapped to NIST CSF 2.0 + ISO 27001:2022. Master Information Security Policy plus 11 domain policies (acceptable use, data classification, access control, cryptography, physical security, operations security, incident response, business continuity, vendor management, remote work/BYOD, vulnerability management). Policy hierarchy, NIST CSF control mapping (86% coverage across 50 subcategories), and RACI matrix.
Conducted Business Impact Analysis across 13 business processes ($832K/hour revenue at risk). Defined RTO/RPO per tier. Wrote 4 DR runbooks (data center failover, ransomware, key person loss, vendor failure). Designed and facilitated a realistic ransomware tabletop exercise with 6 injects and a curveball scenario. Produced after-action report with 10 actionable findings.
Deployed GoPhish for multi-wave phishing campaigns. Wave 1 (generic): 27.3% baseline click rate. Wave 2 (spear): 30.7% — personalization increased effectiveness. Wave 3 (BEC): 100% of AP staff clicked. Wave 4 (credential harvest): 23.7% submitted credentials, 66% of whom also entered a fake MFA code. Built annual training curriculum and quarterly improvement dashboard targeting 5% click rate by Q4.
Classified 31 vendors into 4 risk tiers (6 Critical, 8 High, 10 Medium, 7 Low). Built tiered assessment methodology: full SIG + SOC 2 + pentest for Critical, SIG Lite for High, self-assessment for Medium, contractual clauses for Low. Designed quantitative risk scoring algorithm (inherent risk × control effectiveness × business criticality). Vendor risk scorecard tracks findings, remediation, and KPIs across the portfolio. Ongoing monitoring and off-boarding procedures.
Built KRI dashboard with 10 key risk indicators across patch compliance, phishing, vulnerabilities, MTTD/MTTR, vendor risk, and training. Assessed security program maturity at CMMI Level 1.8 with a target of 2.8 by year end. Calculated program ROSI at 10,392% (104× return). Produced board-ready quarterly report and 12-month security roadmap with 35 milestones.
Key metrics extracted from the security program build, showing risk reduction and security awareness baselines.
Annualized Loss Exposure reduced from $75.9M to $21.4M with $520K program investment
4-wave GoPhish campaign — BEC (100%) was most effective; credential harvest (23.7%) was most dangerous
Consolidated view of 31 assessed vendors with risk scores, findings tracking, and portfolio health metrics.
| Vendor | Tier | Risk Score | Rating | Open Findings | Status |
|---|---|---|---|---|---|
| AWS | Critical | 63.1 | Critical | 2 | ✅ On track |
| Okta | Critical | 58.4 | Critical | 4 | ⚠️ Remediating |
| Stripe | Critical | 61.2 | Critical | 1 | ✅ On track |
| Twilio/SendGrid | Critical | 45.8 | High | 0 | ✅ On track |
| Datadog | Critical | 42.1 | High | 0 | ✅ On track |
| GitHub | High | 38.2 | Medium | 0 | ✅ On track |
| Rippling | High | 33.0 | Medium | 0 | ✅ On track |
| Zendesk | High | 41.5 | High | 3 | 🔴 Overdue |
10 top risks quantified with ALE/SLE/ARO, treatment plans, owners, and status tracking
Complete NIST CSF-aligned policy stack with RACI matrix and control mapping
Data center failover, ransomware, key person loss, and vendor failure — with RTO/RPO targets
Facilitator guide with 6 injects + curveball + full after-action report with 10 findings
GoPhish campaign data: click rates, credential submission, report rates, department breakdowns, QoQ targets
Tiering, assessment methodology per tier, quantitative scoring algorithm, scorecard with findings tracking and KPIs, monitoring, off-boarding
Q1 board report with KRI dashboard, risk posture update, budget utilization, and decisions required
35 milestones across 4 quarters with success criteria, owners, and resource requirements
ALE reduced from $75.9M to estimated $21.4M in Year 1 through $520K program investment
Phishing click rate baseline established (27.3%) with target of 5% by Q4. Report rate target of 50%.
Full policy framework, tested DR plans, awareness program, and vendor risk program in place for SOC 2 audit
All 50+ artifacts are available in the project directory, organized by phase with consistent naming conventions.