// Who We Are

I've sat in the hot seat. Now I help you stay out of it.

Twenty years as a practicing CISO taught me what the textbooks don't cover. What it feels like when the board is waiting, the auditors are circling, and your program isn't ready. Corvus exists because organizations deserve better than checkbox consulting.

CISSP · GLEG · Former PCI ISA & PCIP · CISO Since 2006 · 20+ Years Security · State, Local and Tribal Government · Higher Education · Financial Services · Casino Operations · Healthcare · Southern California

David Shaw, Founder & Principal vCISO at Corvus Cybersecurity · CISSP

Built from two decades inside the role.

I started my career in security long before “CISO” was a common title — back when you were the person who said “we shouldn’t do that” in a room full of people who didn’t want to hear it. Over the next two decades, I held the seat at organizations across financial services, healthcare, media, and technology. I built programs from scratch, rebuilt programs that were quietly failing, and stood in front of boards to explain incidents I didn’t cause but was responsible for fixing.

“I’ve seen what happens when a security program is built by someone who’s never had to defend it at 2 AM.”

That experience taught me something the consulting industry consistently gets wrong: security advice without operational accountability is just theory. Firms that have never run a program, never managed a breach response, never faced a QSA on the other side of the table — they give you frameworks. They give you deliverables. They give you a report and a handshake.

I founded Corvus to do something different. Every engagement I take on, I’m the practitioner in the room — not a junior analyst following a checklist. When I recommend a control, I’ve implemented that control. When I prepare you for an audit, I’ve been on both sides of that conversation. When I tell you what the board needs to hear, I’ve delivered that briefing dozens of times.

The decision to build Corvus full-time wasn’t a sudden one. For years, I watched organizations — especially mid-market companies, production studios, PE-backed firms — struggle to get meaningful security leadership without the overhead of a full-time executive hire. The vCISO model existed, but too often it meant a part-time consultant showing up once a quarter with a slide deck.

That’s not what organizations actually need. They need someone who answers the phone when the auditor calls unexpectedly. Someone who knows their business risks, not just their security controls. Someone who can translate a threat briefing into a budget conversation without losing either audience.

“Your security program should make your business stronger — not just make auditors comfortable.”

Corvus is the practice I wished existed when I was on the other side of the table, trying to find a partner I could actually trust. We work with a focused set of clients, go deep on each engagement, and measure our success by one thing: whether your organization is genuinely more secure and more resilient than when we started.

If that’s what you’re looking for — not a vendor, not a checkbox, but a practitioner who’s been exactly where you are — I’d like to talk.

Why Corvus.

Our name comes from Corvus, the genus of ravens and crows, birds known across cultures for their intelligence, vigilance, and adaptability. Ravens are problem solvers. They recognize patterns, anticipate threats, and adapt in ways that consistently outpace their environment. That is the standard we hold ourselves to on every engagement.

A raven doesn't react to danger. It sees it coming.

The path that built the practice.

2006 — Present
Chief Information Security Officer

Held CISO roles across multiple industries — financial services, healthcare, media production, and technology. Board-level reporting, program ownership, and incident command.

GRC Leadership
Compliance & Audit Program Ownership

Designed and delivered SOC 2, PCI DSS, HIPAA, and NIST CSF programs. Led organizations from first assessment through Type II certification and continuous compliance.

M&A Diligence
Cyber Due Diligence for Transactions

Provided CISO-level security assessment across the deal lifecycle — pre-LOI risk snapshots, full diligence reports, post-close integration roadmaps.

Third-Party Risk
TPRM Program Design & Implementation

Built vendor risk management programs for complex supply chains — financial services, media production, and technology ecosystems.

Board Advisory
Executive & Board-Level Communication

Translated technical risk into business language for C-suite, audit committees, and board directors. Developed security KPIs and risk dashboards for executive audiences.

Today
Founder, Corvus Cybersecurity

Fractional vCISO and GRC consulting practice serving media production, financial services, healthcare, and technology clients across Southern California and beyond.

The principles behind every engagement.

> PRINCIPLE_01

Practitioners, Not Consultants

I’ve held every role I advise on. When I recommend a control framework, a vendor, or a remediation path — it’s because I’ve implemented it, tested it, and defended it in a real audit. No textbook theory, no generic best practices. Lived experience only.

> PRINCIPLE_02

No Upsell Culture

Corvus doesn’t have a products division to cross-sell or a staffing bench to fill. My only incentive is your outcome. If you need a $5,000 gap assessment and not a $50,000 retainer, I’ll tell you that. Your trust is worth more than a larger invoice.

> PRINCIPLE_03

Audit-Tested Methods

Every policy, control, and evidence artifact I build has been reviewed by real auditors in real audits. I know what QSAs look for. I know where Type II assessors push back. I build programs to survive scrutiny, not just to satisfy checkboxes.

> PRINCIPLE_04

Fixed-Scope Engagements

Every engagement has clear deliverables, a defined timeline, and transparent pricing before work begins. You will never receive a surprise invoice from Corvus. Ambiguity in scope is my problem to solve before we start, not yours to absorb at the end.

Every engagement starts with a no-cost discovery call.

Tell me what you’re facing — an upcoming audit, a board presentation, a program that needs rebuilding, a deal that needs a security lens. I’ll tell you honestly whether Corvus is the right fit, and what a first step looks like.

No sales pressure. No obligation. Just a straight conversation with a practitioner who’s been there.

Southern California · Serving clients nationwide

🔒  NDA available upon request · Responses within one business day