Security Leadership for Growing SaaS,
Without the Full-Time Hire

I'm Jonathan Thompson. I provide virtual CISO leadership and security assessments for growing B2B SaaS companies running on AWS: the kind that have outgrown ad-hoc security but aren't ready for a full-time CISO. Part CISO, part CTO, with a background in DevOps and cloud architecture before security leadership. I work two ways: an ongoing retainer, or a fixed-scope assessment.

Book a Free 30-Min Call
About Jonathan Thompson

I founded Thompson InfoSec after working across DevOps, cloud architecture, and security leadership: technical enough to assess AWS environments and CI/CD pipelines directly, strategic enough to run a security program against SOC 2 or ISO 27001. I hold a master's in Cybersecurity along with CISSP, CISM, OSCP, and CvCISO Level 2. Past clients range from cloud-native SaaS startups to national nonprofits.

Certifications: CISSP, CISM, CvCISO Level 2, OSCP, AWS Solutions Architect Professional, AWS Security Specialty

An outstanding infosec leader with deep expertise in cloud security and a calm, pragmatic approach to solving complex challenges. He balances risk and business needs with clarity and precision.

Thomas J., Chief Information Officer

What I Do

Virtual CISO

For growing SaaS companies that need a CISO but cannot justify a full-time hire. The retainer covers strategy, governance, board reporting, vendor risk, and program management. You get CISO-level leadership with one accountable person running the program.

ISO 27001 Readiness

For organizations that need ISO 27001 certification to win deals or satisfy contractual requirements. The engagement starts with a gap analysis against the Annex A controls, then moves into ISMS construction: policies, risk assessment, statement of applicability, and the operational evidence auditors look for. Most clients reach Stage 1 readiness in 4 to 6 months.

SOC 2 Readiness

For growing SaaS companies that need SOC 2 to clear enterprise procurement. I map your existing controls to the Trust Services Criteria you actually need (Security is mandatory; the others are scope decisions), close the gaps, and prepare evidence packages your auditor will accept on the first pass. A Type II report adds an observation window on top of that readiness work.

Risk Assessment

For leadership teams that need a defensible answer to "how exposed are we?" I catalog assets, identify threats, score likelihood and impact, and produce a risk register tied to specific controls. The deliverable is an executive summary plus a prioritized remediation roadmap, not a generic template with your logo on it.

Cloud Security Assessment

For engineering teams running production workloads on AWS, Azure, GCP, Google Workspace, or Microsoft 365. I review IAM, network architecture, encryption, logging, secrets management, and OAuth governance against CIS Benchmarks and CSA guidance. Findings are prioritized by exploitability, with remediation guidance your team can actually execute.

Network Security Assessment

For organizations with on-premises infrastructure, hybrid cloud, or both. I review network architecture, segmentation, firewall rule sets, VPN configuration, wireless posture, and east-west traffic controls. The output is a remediation roadmap mapped to attack paths, not a Nessus dump.

Not sure which kind of vCISO fits? Read the buyer's guide →

Frequently Asked Questions

What's the difference between a vCISO and a security consultant?

A vCISO holds an executive role on retainer and runs the security program over time. A consultant delivers a project and then leaves. The vCISO model fits SaaS companies and SMBs with ongoing compliance obligations. The consultant model fits a defined deliverable with a clear endpoint.

Can you work with us if we don't have an internal security team?

Yes. Most engagements start that way. The vCISO covers strategy and governance while your engineering or IT team executes day-to-day controls. Where deep technical work is required, like cloud assessments or incident response, that comes through standalone projects.

What if we already have a CTO who handles security?

That works for many companies, until it doesn't. The vCISO complements a technical CTO by taking on governance, board reporting, vendor risk, audit preparation, and the policy and evidence work that pulls a CTO away from product. I run as part-CISO, part-CTO myself, so I understand the role from both sides.

How long does SOC 2 readiness take?

Most organizations reach ready-for-audit in 4 to 6 months from kickoff, assuming a reasonable infrastructure baseline. The Type II observation period adds 3 to 12 months depending on what your enterprise customers expect.

What does an AWS security assessment cover?

Account structure, IAM, network architecture, logging and monitoring, encryption, secrets management, and OAuth or third-party integrations. Findings map to the CIS AWS Foundations Benchmark plus whichever compliance framework you operate under. The deliverable is a prioritized remediation list, not a 200-page PDF nobody reads.

How does retainer pricing compare to project-based assessments?

A vCISO retainer is monthly and covers ongoing strategy, governance, and program management. Standalone assessments are fixed-scope and fixed-fee. Most clients use both: a retainer for the program plus targeted assessments when they need depth on a specific area.

How is this different from compliance-automation platforms like Vanta or Drata?

Compliance-automation platforms collect evidence and generate templated policies. They do not interpret your environment, design controls, run a real risk assessment, or talk to your auditor when something is wrong. I do that work, and integrate with whatever platform you already use.

Not sure if I'm the right fit?

Book a free 30-minute call. If I'm not the right fit, I'll tell you and point you to someone who is.