Virtual Chief Information Security Officer (vCISO)

Many small and medium businesses (SMBs) don't have the need or the budget to justify a full-time CISO, but they still need experienced leadership to ensure that they're at least performing "the basics" of information security.  We'll provide a consultant with "hands on" experience as a CISO to provide that leadership. This can be short-term or long-term, and on-site or “virtual” (or a hybrid), depending on the client's need and their budget.

Interim Chief Information Security Officer (iCISO)

We'll provide a consultant with "hands on" experience as a CISO to meet a client's temporary need for cyber security program leadership due to the departure of their CISO. This can be full-time or part-time, short-term or long-term, and on-site or “virtual” (or a hybrid), depending on the client's needs and their budget. We can also assist the client in recruiting, hiring, and onboarding a new CISO.

Cyber Security Risk & Program Maturity Assessment

Our consultants will assess a client's cyber security risk posture and the maturity of their cyber security program through the "lens" of the NIST Cybersecurity Framework (CSF), or another framework of the client's choosing.  We'll do this via documentation review, interviews, and observation.  We'll provide the client with a report that identifies their risks and the maturity of their controls in each CSF category.  This will enable the client to better focus future efforts and investments in their program in the areas where they have the greatest risks and largest control "gaps."

Cyber Security Strategic Roadmap Development

Our consultants will work with a client and their stakeholders to build a long-term strategy and roadmap to reduce their cyber security risks and grow their program to the level of maturity to which they aspire based on their risk “appetite” and budget.  We'll recommend specific initiatives and projects to accomplish both the client's near-term and long-term objectives and estimate how they'll need to invest in people, process, and technology to get there. This service is often a follow-on to a Cyber Security Risk & Program Maturity Assessment.  Once we've worked with the client to identify their project priorities, we can provide ongoing guidance and implementation support to their implementation team.

Board of Directors Cyber Security Subject Matter Expert (SME)

We'll provide an experienced consultant to serve as an outside director on a client's Board to provide the cyber security expertise and oversight of their cyber security program that many Boards lack today.  Alternatively, we'll provide a consultant on a retainer to advise the client's Board and/or Audit Committee on cyber security matters when called upon.

Other Targeted Cyber Security Consulting

If you have needs that don’t match one of our standard cyber security service offerings, let’s talk about it.  We pride ourselves on being flexible, but won’t try to sell you services that you don’t need or that don’t match our expertise and experience.  If we can’t help you, we'll tell you.  We have a large nationwide network of cyber security professionals and may be able to refer you to other firms we know about or with which we've worked that may be better qualified to provide the assistance that you need. 

Vendor Neutrality

While we are familiar with many quality cyber security products and services and have worked with many of these product and services firms, we are "vendor neutral."  We don't re-sell products or services and receive no compensation if one of our clients chooses a vendor's product or services that we've recommended.    


Our fees are negotiable, but are generally less than those of our competitors.  We offer discounts to non-profit organizations because we recognize that they're trying to keep their administrative costs low in order to serve more clients.  All of our work is done under a Master Services Agreement (i.e., a contract) with engagement details, deliverables, and fees specified in a mutually agreed-upon Statement of Work (SoW).  

All of the services described above are available directly from D.W. Stacy & Associates or through one of several cyber security consulting and advisory firms with which we have a contractual business relationship.  Our firm carries general liability, professional liability (errors & omissions), and workers' compensation insurance.  None of our work has ever resulted in an insurance claim or litigation.