Growth-Stage HealthTech Startup
A growth-stage healthtech startup needed senior security leadership to run the program, not a consultant to rubber-stamp it. We embedded as their fractional CISO, covering the full set of standing CISO responsibilities so the business kept moving with security in the seat.
- Client: Growth-Stage HealthTech Startup
- Sector: HealthTech
- Services:
- Fractional CISO
- Security program management
- Policy & controls
- HIPAA compliance oversight
- Access & identity reviews
- Vendor security reviews
- Security awareness & training
A company at this stage is too big to operate without a CISO and too lean to justify a full-time one. HIPAA, policy, access reviews, vendor risk, training: all of it has to be owned by someone accountable. The ask wasn't a specific incident or a one-off project. It was: run the program.
What we built.
- 01
The standing program
Security governance, policy, and controls owned end-to-end, on a cadence, with named owners. Not a deck reviewed at the next QBR.
- 02
HIPAA baseline, maintained
PHI handling, business associate agreements (BAAs), encryption posture, and audit trails, all reviewed, enforced, and kept current as the product, vendors, and team change.
- 03
Access, identity, and vendor risk
Periodic access reviews, identity hygiene, and vendor security assessments run as operating work, not as one-offs scheduled when something almost goes wrong.
- 04
Executive visibility
Regular reporting to leadership that translates security posture into trade-offs the exec team can actually make, without a 200-page PDF.
Security runs as a program with an owner, not as a stack of open tickets. HIPAA posture maintained, access reviews on a cadence, vendors risk-scored, and leadership getting the signal they need to make the calls.
- Engagement: Fractional CISO
- Compliance: HIPAA maintained
- Cadence: Standing program