Fractional CISO

Remote
Contracted
Executive

Fractional CISO

This is a fully remote (work-from-home) position. Work from anywhere in the United States.

Contract / fractional · ~15–25 hrs in the first 60 days, then ~5–10 hrs per quarter

About Reflexion

Reflexion Interactive Technologies builds neuro-cognitive and physiological sensing technology — vision-performance training and respiration-waveform sensing — used by athletes, teams, and now a global consumer-eyewear partner. We are a ~10-person, AWS-hosted company based in Lancaster, PA, closing enterprise partnerships that bring enterprise-grade vendor-security requirements with them.

The role

We are hiring a fractional CISO to be the accountable security executive behind our compliance program as we finalize a major enterprise deal. This is not a build-a-SOC, hire-a-team role: our application-layer security is strong (bcrypt, encrypted sessions, CSRF, parameterized SQL, strict CSP, MFA/RBAC, AES-256 at rest, TLS 1.2+), our compliance calendar and evidence pipeline are run day-to-day by an internal compliance system, and engineering is handled by our CTO. What we need is the credentialed human who signs, validates, and represents.

You will work directly with the CEO (deal owner) and CTO (implementation owner). Our internal compliance agent drafts the documents, tracks the obligations register, and maintains the evidence locker — you review, correct, and put your name on what is true.

What you will do — first 60 days

  • Review and harden our Statement of Applicability + evidence package (ISO 27001/NIST-mapped) responding to an enterprise customer's Information Security Addendum — built largely from an existing, customer-reviewed evidence base.
  • Sign the risk assessment and SoA as the named security officer; be the security contact enterprise vendor-risk teams can call.
  • Sit on 2–3 customer security-diligence calls (enterprise vendor-risk / InfoSec reviewers) alongside the CEO.
  • Validate what we attest against reality with the CTO (controls verification and gap triage: centralized logging, admin RBAC/audit trail, secrets management).
  • Advise on a security-exception / compensating-controls request and, if required, scope a right-sized SOC 2 Type I path (RFQs prepared; you would manage auditor selection and the engagement).
  • Scope and manage our first external penetration test (vendor shortlist ready) and own findings triage with the CTO.

Ongoing — a few hours a quarter

  • Quarterly review of the compliance-calendar output (access reviews, risk-assessment refresh, training, phishing simulations, BC/DR and restore tests).
  • Annual re-attestation support; named contact for customer audits under contractual audit rights.
  • Incident readiness: review our breach-notification runbook (24–72h contractual clocks) and advise if an incident ever triggers it.
  • Tell us when a new deal's requirements genuinely change our posture — versus when to negotiate them down. We optimize for minimum-viable compliance and want a partner who respects that philosophy rather than gold-plating.

What we are looking for

  • Prior CISO / vCISO / security-lead experience at a company that sold to large enterprises — you have personally survived enterprise vendor-risk review (security questionnaires, information-security addenda, right-to-audit clauses) from the vendor side.
  • Hands-on fluency with ISO 27001 / NIST CSF control mapping, SOC 2 (readiness through audit), and pragmatic compensating-controls / security-exception practice.
  • Comfortable being the named, accountable individual — signing SoAs and risk assessments, taking customer calls, standing behind attestations.
  • Technical enough to verify controls in an AWS + Cloudflare stack with the CTO (IAM, KMS, CloudTrail/logging, network posture) — you do not implement, but you cannot be bluffed.
  • Working knowledge of HIPAA applicability analysis (we maintain a no-PHI / not-a-business-associate posture and need it defended, not expanded) and GDPR-adjacent vendor obligations (we have EU counsel; you coordinate, not own).
  • Plain-spoken, fast, allergic to compliance theater. You will be asked "is this actually required, or negotiable?" constantly — we want the honest answer.
  • Bonus: consumer wellness / health-adjacent data classification; EU AI Act awareness; prior work with AI-assisted compliance tooling.

What this is not

  • Not full-time, and no conversion pressure — genuinely fractional.
  • Not a program-build from zero: policies (v1.0), an evidence base, an obligations register, a DPA/SCC pack, and counsel relationships already exist.
  • Not an implementation role: engineering changes belong to the CTO; you verify and advise.

Engagement & compensation

Hourly contract (rate DOE) or an equivalent small monthly block. Front-loaded first 60 days (~15–25 hours), then ~5–10 hours per quarter. Direct line to the CEO and CTO. NDA required; the work references a Fortune-Global-500-scale counterparty under confidentiality.

How to apply

Send a short note covering: (1) an enterprise vendor-security review you got a small company through — what you accepted and what you pushed back on; (2) your hourly rate and availability over the next 60 days. Resume/LinkedIn welcome; the note matters more.

Share

Apply for this position

Required*
We've received your resume. Click here to update it.
Attach resume as .pdf, .doc, .docx, .odt, .txt, or .rtf (limit 5MB) or Paste resume

Paste your resume here or Attach resume file

Human Check*