Virtual Chief Information Security Officer (vCISO)

Many small and medium businesses (SMBs) don't have the need or the budget to justify a full-time CISO, but they still need experienced leadership ensure that they're at least performing "the basics" of information security.  We'll provide a consultant with "hands on" experience as a CISO to provide that leadership. This can be short-term or long-term, and on-site or “virtual” (or a hybrid), depending on your needs and your budget.

Interim Chief Information Security Officer (iCISO)

We'll provide a consultant with 'hands on" experience as a CISO to meet your temporary need for cyber security program leadership due to the departure of your CISO. This can be full-time or part-time, short-term or long-term, and on-site or “virtual” (or a hybrid), depending on your needs and your budget. If you wish, we can also assist you in recruiting, hiring, and onboarding your new CISO.

Cyber Security Program Maturity Assessment

Our consultants will assess the maturity of your cyber security program through the "lens" of the NIST Cybersecurity Framework (CSF), or another framework of your choosing.  We'll do this via documentation review, interviews, and observation.  We'll provide you with a report and maturity “score” for each CSF category that will enable you to better focus your future efforts and investments in your program in the areas where you have the largest "gaps."

Cyber Security Strategic Roadmap Development

Our consultants will work with you and your stakeholders to build long-term strategy and roadmap to help you grow your program to the level of maturity to which you aspire based on your risk “appetite.” We'll recommend specific initiatives and projects to accomplish both your near-term and long-term objectives and estimate how much you'll need to invest in people, process, and technology to get there. This service is often a follow-on to a Cyber Security Program Maturity Assessment.  Once we've worked with you to identify your project priorities, we can provide ongoing guidance and implementation support to your team.     

Board of Directors Cyber Security Subject Matter Expert (SME)

We'll provide an experienced consultant to serve as an outside director on your Board to provide the cyber security expertise and oversight of your cyber security program that many Boards lack today.  Alternatively, we'll provide a consultant on a retainer to advise your Board and/or Audit Committee on cyber security matters when called upon.

Other Targeted Cyber Security Consulting

If you have needs that don’t match one of our standard cyber security service offerings, let’s talk about it.  We pride ourselves on being flexible, but won’t try to sell you services that you don’t need or that don’t match our expertise and experience.  If we can’t help you, we'll tell you.  We have a large nationwide network of cyber security professionals and may be able to refer you to other firms we know or with which we've worked that may be better qualified to provide the assistance that you need. 

Vendor Neutrality

While we are familiar with many quality cyber security products and services and have worked with many of these product and services firms, we are "vendor neutral."  We don't re-sell products or services and receive no compensation if one of our clients chooses a vendor's product or services that we've recommended.    


Our fees are negotiable, but are generally less than those of our competitors.  We offer discounts to non-profit organizations because we recognize that they're trying to keep their administrative costs low in order to serve more clients.  All of our work is done under a Master Services Agreement (i.e., a contract) with engagement details, deliverables, and fees specified in a mutually agreed-upon Statement of Work (SoW).  

All of the services described above are available directly from D.W. Stacy & Associates or through one of several cyber security consulting and advisory firms with which we have a contractual business relationship.  Our firm carries general liability, professional liability (including errors & omissions coverage), and workers' compensation insurance.  None of our work has ever resulted in an insurance claim or litigation.