Regulators are raising the bar on what it means to be truly compliant before an audit, a breach, or a vendor incident forces the issue. Cybersecurity Advisory Group gives you a battle-tested CISO in your corner, personally led by Melissa Thornton.
Schedule a Conversation →
Who It Is For: Organizations that need ongoing security leadership but cannot justify a full-time CISO hire.
Starting at
$5,000/mo
A structured onboarding process that delivers real security program foundations — not just a plan to plan.
Days 1–30
Understand your environment, risks, and gaps
Security posture assessment · Policy inventory · Vendor and BAA review · Stakeholder interviews
Deliverable: Written risk assessment and gap analysis report
Days 31–60
Build the core security program
Policy development · Incident response plan · Security awareness program launch · Vendor risk framework
Deliverable: Core policy suite and IR plan delivered
Days 61–90
Operationalize and report to leadership
First executive security briefing · Security scorecard · Roadmap presentation · Insurance questionnaire support
Deliverable: Board-ready security scorecard and 12-month roadmap
Every vendor with access to patient data is a liability until proven otherwise. The vCISO retainer includes active BAA oversight — not just a signature on file.
Audit every vendor relationship and surface missing, expired, or insufficient Business Associate Agreements before a regulator does.
Build a repeatable process for reviewing new vendors, tracking renewals, and escalating risk before contracts are signed.
Identify outdated agreements that no longer reflect your actual data flows and lead the negotiation and update process.
Melissa held a dual CEO and CISO role before moving into pure security leadership. She understands the business decisions behind security investments, not just the technical controls.
As Senior Director of Information Security at a cloud-first, HIPAA-regulated healthcare company, Melissa built the entire security function from the ground up.
No bait-and-switch. No junior associates. Every deliverable, every briefing, every vendor review is handled by Melissa Thornton directly.
A growing specialization in AI governance and agentic AI security means your program is ready for the risks your competitors have not yet considered.
What is a Fractional CISO and what do they do?
A Fractional CISO is an experienced security executive who provides part-time or project-based security leadership to organizations that need CISO-level expertise without the cost of a full-time hire. They own your security program, report to leadership, manage compliance obligations, and make the strategic decisions a full-time CISO would make — at a fraction of the cost.
How is this different from hiring a cybersecurity consultant?
A consultant delivers a project and leaves. A Fractional CISO becomes part of your team — owning outcomes, not just deliverables. Melissa attends your leadership meetings, responds to incidents, advises on vendor decisions, and is accountable for the health of your security program month over month.
What size organization is this right for?
Healthcare organizations from 20 to 500 employees are the best fit. You're large enough to have real regulatory exposure but not yet at the scale where a full-time CISO hire makes financial sense.
How quickly can we get started?
Most engagements begin within two to three weeks of a signed agreement. The first 30 days are dedicated to discovery — no homework required from your team beyond availability for stakeholder interviews.
Schedule a 30-minute call to discuss your organization's security posture and whether the retainer is the right fit.