Security Consulting

I’m a CISSP, and most of what I do is GRC: governance, risk, and compliance. It’s the unglamorous part of security, but it’s the part that keeps you out of trouble when an auditor, a customer, or an investor starts asking hard questions.

Here’s what most people get wrong. They treat compliance like a box-checking exercise, write a stack of policies nobody reads, and hope the auditor doesn’t look too closely. That’s compliance theater, and it falls apart the moment it actually matters. I build programs that are true. The policy says what you do, you do what the policy says, and you have the evidence to prove it.

What I’ve actually done

Over the last two years I wrote, or rewrote, most of AvatarFleet’s security policies and procedures. I took a startup’s loose, ad-hoc practices and turned them into an enterprise-ready information security program that holds up to real scrutiny. On the back of that work, I led the company through SOC 2 Type 1 and then Type 2, two years running, with zero adverse findings.

I didn’t inherit a program. I built it from nothing: the policies, the procedures, the risk register, and the security-aware culture that makes all of it stick. And I’ve done this kind of work across medical, municipal, SaaS, critical infrastructure, government, education, and banking. Different rules every time, same core problem: prove you’re handling risk like a grown-up.

I’ve also done a lot of this work for other practices. For a medical practice, that meant walking them through HIPAA’s data storage and protection requirements and getting their environment actually compliant, not just paperwork-compliant. For critical infrastructure and OT shops, it meant building vulnerability management programs that fit the realities of operational technology, where you can’t just patch a PLC on a Tuesday like it’s a web server. The constraints are different, the stakes are higher, and the off-the-shelf playbooks usually don’t fit.

Where I can help

  • Policies and procedures. This is my bread and butter. I’ll write your security policy set from scratch, or take the generic templates you pulled off the internet and make them real, enforceable, and matched to how your business actually runs. Acceptable use, access control, change management, incident response, data classification, BCP, DR, the whole library.
  • SOC 2, HIPAA, and audit readiness. Getting you genuinely ready for the auditor instead of scrambling the week before. Control implementation, evidence collection, and the unglamorous prep that decides whether the audit goes smoothly or painfully. I’ve walked medical practices through HIPAA’s storage and data-protection requirements and gotten them actually compliant.
  • Risk management. A real risk register, honest risk assessments, vendor risk reviews, and business impact analysis. This is the work that tells you where to actually spend your security budget instead of guessing.
  • Cloud security. AWS hardening done as code. IAM administration and audit, least-privilege rebuilds, and controls enforced in Terraform and Ansible so they stay enforced instead of quietly drifting.
  • Vulnerability management. Standing up real vuln-management workflows for Linux fleets, including regulated shops with tens of thousands of endpoints under management. I’ve also built vuln-management programs for critical infrastructure and OT environments, where uptime and safety constraints change the whole game.

AI is a tool, not a practitioner

Right now everyone is racing to hand their security and compliance work to AI and quietly let people go. I get the appeal, and honestly, I use AI constantly. It’s a huge part of how I work every day. But here’s the part the hype skips: AI is only as good as the person steering it.

If you’re not a seasoned practitioner, you don’t know what you don’t know. You feed it bad assumptions and you get back answers that are confident, professional-looking, and wrong. Garbage in, garbage out, except now the garbage has perfect grammar. Worse, AI can’t see around corners. It won’t catch the risk that’s baked into the practice you’re building, because it doesn’t have the scars to know where those risks hide. That part only comes from years of doing the work.

That’s where I come in. I’m the human in the loop. I use AI to move fast, and I use my experience to make sure what comes out is actually right and actually safe for your business. You get the speed without the blind spots, instead of throwing something into the ether and hoping.

It doesn’t have to cost a lot, either. If you want to know what having that kind of guidance looks like, reach out and I’ll put together a quote.

How I work

I’ll tell you the truth about what lowers your risk versus what’s just theater. I automate the controls that can be automated, because a control a human has to remember to run is a control that eventually doesn’t get run. And I write everything down, because a security program that only lives in one person’s head isn’t a program, it’s a liability.

Independent consulting work runs through my company, Brooks Security LLC.

Want to talk? Get in touch.