Cybersecurity Leadership

Fractional CISO Advisory

Senior cybersecurity leadership without the cost of a full-time executive.

SullySoft provides fractional CISO and virtual CISO (vCISO) advisory services for startups, small businesses, and growing organizations that need practical security direction, risk oversight, and hands-on guidance. Delivered by a CISSP-certified security engineer with more than 25 years of enterprise experience.


Engagements are led by Mike Sullivan, CISSP — a Certified Information Systems Security Professional with more than 25 years of experience in cybersecurity engineering, cloud security, and enterprise architecture.


What Changes

What Security Leadership Delivers

Fractional CISO engagements help organizations move from reactive and uncertain to structured and resilient.

  • No security program or clear ownership → Structured security roadmap and SOC 2 readiness
  • Security tool noise and alert fatigue → Actionable risk priorities and a clear remediation plan
  • Cloud sprawl and unmanaged security posture → Secure, well-managed cloud environment
  • Ad hoc development with security bolted on → Secure software delivery with DevSecOps practices

Scope

What Engagements May Include

Engagements are tailored to your security priorities and maturity level. The areas below represent common fractional CISO scope — not every engagement covers all of them.


Cybersecurity Strategy & Roadmap

Help developing a prioritized security roadmap aligned to business goals, risk tolerance, and current maturity.


Security Posture & Risk Assessments

Review of current security controls, gaps, and risk exposure with a prioritized action plan.


Cloud, M365 & Identity Security

Guidance on securing cloud environments, Microsoft 365, identity systems, and access controls.


Vulnerability Management

Support developing or improving a vulnerability management program, including prioritization and remediation planning.


Incident Response Readiness

Support planning and improving incident response preparedness, including process reviews and tabletop support.


Security Policy & Governance

Help developing and reviewing security policies, standards, and governance structures appropriate for your organization's size and risk.


Secure SDLC & DevSecOps

Guidance on embedding security into software development workflows, CI/CD pipelines, and delivery practices.


Security Tooling & Vendor Oversight

Advisory on selecting, optimizing, and coordinating security tools, MSSPs, and third-party vendors.


Audit & Customer Security Readiness

Support preparing for customer security questionnaires, vendor assessments, and security audit requirements.

Compliance & Frameworks

Frameworks I Work In

Engagements draw on established security frameworks and standards to guide risk-based decisions and prepare organizations for compliance expectations.


NIST CSF 2.0

NIST Cybersecurity Framework for structured risk management and security program development.


CIS Controls

Center for Internet Security Controls for prioritized, practical security improvement guidance.


SOC 2 Readiness

Guidance on preparing your security program and controls for SOC 2 Type I or Type II assessments.


ISO/IEC 27001 Readiness

Advisory support for organizations preparing for or working toward ISO 27001 information security management certification.


PCI-DSS Readiness

Guidance for organizations handling cardholder data and working toward PCI-DSS compliance requirements.

Framework guidance is advisory in nature. Formal certification and compliance assessments are conducted by accredited third-party auditors.

Ways to Engage

Structured for Your Level of Need

Fractional CISO engagements are structured as monthly commitments with a defined level of access, advisory, and implementation support. Most engagements begin with a 3-month initial term to allow enough time to assess your environment, identify priorities, and support meaningful security improvement.


Advisory Retainer

For founders and business leaders who need a senior security sounding board for risk prioritization, cloud security decisions, vendor oversight, and security governance questions.

Typical Commitment

5 – 8 hours per month

Fractional Technology Leader (Most Common)

For organizations that need regular CISO-level security leadership — including roadmap ownership, risk oversight, executive reporting, and coordination with internal teams and external providers.

Typical Commitment

10 – 20 hours per month


Fractional Leadership + Execution

For clients who need both strategic security leadership and practical, hands-on support across cloud hardening, vulnerability management, DevSecOps, and security program implementation.

Typical Commitment

25 – 40 hours per month

Each engagement is tailored to the client's needs while maintaining a clear monthly commitment, defined priorities, and a practical operating rhythm.

Deliverables

Typical Outputs From Each Engagement

  • 30/60/90-day security roadmap
  • Executive security summary
  • Risk register and prioritized action plan
  • Cloud and identity security recommendations
  • Vulnerability management process
  • Incident response readiness checklist
  • Security policy and governance recommendations
  • Monthly security progress report

Best Fit

A Strong Fit When

  • You are a startup that needs security leadership but is not ready for a full-time CISO
  • Your organization has growing security requirements from customers, regulators, or internal stakeholders
  • You are preparing for a customer security review, SOC 2 audit, or compliance requirement
  • You use MSPs, MSSPs, developers, or cloud platforms and need independent security oversight
  • You need clear, practical guidance on cybersecurity risk — not a compliance checkbox exercise


Mike Sullivan, CISSP

Fractional CISO  ·  Cybersecurity Engineer

As a CISSP-certified cybersecurity engineer with more than 25 years of experience, I help organizations understand their real security posture, prioritize what matters most, and build a practical path to a stronger security program — without overcomplicating or overengineering the work.

CISSP Certified  ·  Cloud Security  ·  DevSecOps  ·  Vulnerability Management  ·  25+ Years Experience

Ready to talk about your security situation?

There is no obligation. A short conversation is all it takes to understand your current environment, your most pressing concerns, and whether a fractional CISO engagement is the right fit for your organization.


No commitment required. Pricing is custom to your situation.