Posted time March 25, 2025 Location Richmond VA Job type Full-time

Our client is seeking a Virtual Information Security Officer (VISO) to provide expert guidance in cybersecurity governance, risk management, and compliance (GRC). The VISO will work directly with clients to develop and implement security programs, align with regulatory frameworks, and enhance security posture. This role requires strong communication, project management skills, and the ability to translate security requirements into actionable solutions.

Key Responsibilities
Client Engagement & Relationship Management
Build and maintain strong, trusting relationships with clients.

Identify and promote new service opportunities, working with Business Development.

Communicate clearly, ensuring clients and Assura leadership stay informed.

Deliver concise 60-second “elevator pitches” on Assura’s GRC services to clients.

Governance, Risk, and Compliance (GRC)
Demonstrate working knowledge of at least one regulatory framework (e.g., NIST 800-53) and cursory knowledge of at least two others (e.g., HIPAA, PCI DSS).

Stay up to date with regulatory changes, especially for Commonwealth of Virginia clients (e.g., SEC 530, IRS 1075, state election requirements).

Provide expertise in NIST 800-53 control families, including AC, IA, CM, SI, SC, AU, SA, and AT.

Maintain and update policies, procedures, standards, and guidelines.

Assist in Business Impact Analysis (BIA) development, including documentation and coordination.

Security Awareness & Incident Response
Administer KnowBe4 security awareness training and adjust programs for client needs.

Document Disaster Recovery & Incident Response discussions and escalate critical issues.

Support client response to real-world security incidents, assisting senior staff as needed.

Security Program Development & Compliance
Guide the development of System Security Plans, Vulnerability Management Plans, and Third-Party Risk Management programs.

Review and escalate client requests related to third-party contracts and legal agreements (e.g., EULAs, Terms and Conditions).

Develop information security roadmaps and provide recommendations to clients based on regulatory requirements.

IT & Cybersecurity Knowledge
Demonstrate a foundational understanding of:

Networking (firewalls, routers, switches, cloud structures).

Infrastructure (servers, databases, cloud environments).

Cybersecurity principles (threats, vulnerabilities, mitigation).

Data Management & Storage (backup, recovery, cloud storage).

Change Management (secure implementation of IT changes).

Security Engineering Principles
Apply key security principles, including:

Least Privilege, Separation of Duties, Auditability & Accountability.

Defense in Depth, Minimization, and DevSecOps integration.

IT Security Tools & Technologies
Basic knowledge of:

SIEM platforms (Splunk, LogRhythm, QRadar).

Vulnerability Management (Qualys, Nessus, Rapid7).

Identity & Access Management (IAM) (Okta, Azure AD, SailPoint).

Data Loss Prevention (DLP) (Symantec, Forcepoint).

Endpoint Protection (CrowdStrike, Symantec, Microsoft Defender).

Project Management & Quality Assurance
Apply project management principles, ensuring timely, accurate, and high-quality deliverables.

Provide well-formatted, grammatically correct documentation.

Improve work quality over time based on feedback from senior VISOs and GRC leadership.

Qualifications & Skills
Bachelor’s degree in Cybersecurity, IT, or a related field (or equivalent experience).

3+ years of experience in GRC, cybersecurity consulting, or IT security.

Strong understanding of regulatory frameworks and their application in security programs.

Ability to translate security policies into business-friendly language for clients.

Excellent time management and communication skills.