Cybersecurity GRC & Advisory Consultant

 Posted 12 days ago
  
 Worldwide
  
2-5 years experience
Apply Now

Please mention DailyRemote when applying

AI Summary

Deliver professional GRC and advisory services, including conducting framework-based assessments and building security programs from the ground up. Provide strategic leadership to clients by authoring policy stacks and presenting risk posture reports to boards and executives.

About the Role

We are seeking an experienced, client-focused Cybersecurity GRC & Advisory Consultant to deliver professional services across the following delivery areas: Governance, Risk, and Compliance, Assessments, and Advisory/Consulting services. This is a contractor role for someone who can sit across the table from an organization’s leadership, translate framework requirements into a practical plan, and help that organization build a security program from the ground up.

The right person operates like a trusted senior IT consultant: equally comfortable running a NIST CSF assessment, authoring a policy stack, briefing a board on risk posture, and validating that documented controls actually hold up. You will work as an independent contractor on a per-engagement or retained basis, serving as a seamless extension of each client’s team.

This role is strategic and advisory in nature. It is not a hands-on offensive or operational security position (see What This Role Is Not, below).

What You’ll Do

Governance, Risk & Compliance (GRC)

  • Evaluate client governance structures, policies, procedures, and controls against the frameworks most relevant to their industry - NIST CSF, NIST 800-171, CMMC, SOC 2, HIPAA, PCI DSS, and ISO 27001.
  • Conduct GRC assessments that identify gaps, quantify risk, and map findings across multiple standards simultaneously.
  • Produce risk-ranked findings, executive summaries written for leadership and board audiences, and prioritized remediation roadmaps.
  • Support clients in maintaining compliance over time, including post-certification continuity of controls.

Advisory & Consulting

  • Serve in an advisory capacity, providing strategic security leadership without the cost of a full-time executive hire.
  • Help clients answer the questions their boards and auditors are asking: What is our risk exposure? Are we compliant? Where should we invest next?
  • Develop multi-year cybersecurity roadmaps that benchmark current maturity, define a target future state, and sequence initiatives to balance near-term risk reduction with long-term resilience.
  • Facilitate stakeholder workshops to calibrate strategy to each client’s risk tolerance and business goals.
  • Present findings, roadmaps, and progress through clear executive-level reporting and regular reviews.

Building Security Programs Through Policy Development

  • Stand up information security programs from the ground up for clients with little or no existing structure.
  • Author and mature policies, procedures, charters, RACI matrices, and escalation paths that are internally consistent and built to survive audits and personnel changes.
  • Translate overlapping regulatory obligations into a single, coherent policy and control stack rather than a patchwork of one-off documents.
  • Define decision rights, control ownership, and the operating model that keeps a program running after the engagement ends.

NIST CSF Assessments

  • Lead NIST Cybersecurity Framework assessments across all six core functions: Govern, Identify, Protect, Detect, Respond, and Recover.
  • Establish a current-state profile, identify gaps, and build a target-state roadmap with clear milestones and assigned ownership.
  • Apply structured, repeatable assessment methodology so results are actionable rather than academic.

Technical Validation (Controls Assurance)

  • Conduct technical validation engagements that confirm documented controls work as described - moving beyond policy and documentation review to verify real-world control effectiveness.
  • Conduct a comprehensive assessment of the Client’s Cloud environment to identify vulnerabilities, enhance overall security posture, and ensure compliance.
  • Map validated control coverage back to the relevant framework subcategories for traceable, audit-ready results.

Note: “technical validation” here refers to assurance that a client’s existing IT and Cybersecurity stack is properly configured to reduce the risk of a cyberattack by an external party.

What This Role Is Not

To set clear expectations, this engagement does not include hands-on delivery of:

  • Penetration testing, red teaming, or offensive security
  • Digital forensics and incident response (DFIR)
  • 24/7 SOC monitoring, managed detection and response (MDR), or SIEM operations
  • Other purely technical / operational security services

This is a GRC, advisory, and program-build role. Where a client need falls into the categories above, the contractor is expected to recognize it and coordinate a referral or hand-off rather than deliver it personally.

How You Work (Consulting Mindset)

  • Client-focused first. You tailor every engagement to the client’s industry, risk profile, and regulatory obligations.
  • Actionable, not academic. Your deliverables are built for execution, with business context attached to every finding.
  • End-to-end ownership. You don’t hand over a finding list and walk away - you help operationalize the recommendations.
  • Trusted advisor presence. You can move a client from reactive firefighting to a proactive, framework-aligned program, and explain the journey in plain language.

Required Qualifications

  • 3+ years in cybersecurity, IT risk, audit, or compliance consulting, with demonstrated client-facing delivery.
  • Hands-on experience conducting framework-based assessments (NIST CSF and/or SOC 2 strongly preferred).
  • Demonstrated ability to author security policies, procedures, and program documentation from scratch.
  • Working fluency across multiple compliance frameworks (e.g., SOC 2, HIPAA, PCI DSS, ISO 27001, CMMC).
  • Strong written communication: the ability to produce executive summaries, findings reports, and remediation roadmaps that leadership can act on.
  • Comfort presenting to and advising senior stakeholders, including boards and auditors.
  • Ability to work independently as a 1099 contractor, managing your own time, tools, and engagement deliverables.

Preferred Qualifications

  • Relevant certifications such as CISSP, CISA, CISM, CRISC, ISO 27001 Lead Auditor/Implementer, or NIST-focused credentials.
  • Industry depth in one or more regulated sectors - Defense Industrial Base, Financial Services, Healthcare, Manufacturing, or Technology/SaaS.
  • Experience supporting cyber-insurance readiness or M&A diligence from a GRC standpoint.

Engagement Details

  • Classification: 1099 independent contractor. The contractor is responsible for their own taxes and insurance. 
  • Equipment: Cyberleaf will provide a corporate laptop and additional equipment as needed.
  • Structure: Per-project, retained, or fractional advisory arrangements depending on client need.
  • Scheduling: Flexible, scoped to engagement milestones and deliverable timelines.
  • Travel: Primarily remote; limited client-site work may be requested for certain assessments or workshops.

About Cyberleaf

Cyberleaf (Waterleaf International, LLC dba Cyberleaf), a provider of cybersecurity managed and professional services is seeking contract Cybersecurity GRC & Advisory Consultants. Through its Cyberleaf (TM) Managed Cybersecurity Service, Cyberleaf offers advisory, GRC, compliance, CMMC and enterprise grade cybersecurity-as-a-service  to customers of all sizes across a broad range of industry verticals. 

Cyberleaf offers a forward leaning culture – that means our focus and direction is on people, intellect, process and deliverables. As a fast growing company, we offer professional and individual growth and provide dynamic, fascinating, and supportive work environments. 

This description outlines the general nature of the work and is not an exhaustive list of responsibilities. Specific scope is defined per engagement statement of work. Waterleaf International maintains preferred agency relationships and does not accept agency candidate submittals. 

 

 

Similar Jobs

See all Remote Others jobs →

Personalize your Remote Job Search in 3 Easy Steps!

Discover remote opportunities in Others

Answer easy questions

Answer easy questions

200,000+ jobs across 15+ categories

Get your best job matches

Get your best job matches

Only hand-screened, legit jobs

Find a remote job faster

Find a remote job faster

No ads, scams, or junk

I was the first applicant for a remote marketing position that got listed on the company website the same day I applied. Had an interview within 48 hours!

Sarah J. — Sarah J. · Marketing Manager ★★★★★ Verified