Fractional CISO - M&A Due Diligence

Job in Boston, Suffolk County, Massachusetts, 02298, USA
Listing for: Saviance
Part Time position
Listed on 2026-03-04
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security, IT Consultant, Data Security
Salary/Wage Range or Industry Benchmark: 150000 - 200000 USD Yearly
Job Description & How to Apply Below

Job Title: Fractional CISO - M&A Due Diligence

Location: Remote

Type: Contract / Hourly (Part-Time or As-Needed Basis)

Reports To: Head of M&A / Corporate Development / CISO

Role Overview

We are seeking a seasoned Security Consultant to support cybersecurity due diligence for mergers, acquisitions, and strategic investments. This remote, hourly-paid role involves assessing the security posture of target companies, identifying critical risks, and advising on remediation and post-close integration planning. The ideal candidate is detail-oriented, technically strong, and comfortable working independently with minimal oversight.

Key Responsibilities

  • Perform security due diligence assessments for M&A targets across various industries and maturity levels.
  • Review and evaluate:
    • Security policies, procedures, and governance frameworks
    • Infrastructure and network architecture (cloud/on-prem/hybrid)
    • Application and cloud security posture (AWS, Azure, GCP)
    • Identity and access management (IAM) practices
    • Data protection and encryption strategies
    • Vulnerability management and incident response capabilities
    • Compliance with standards such as ISO 27001, SOC 2, GDPR, HIPAA, PCI-DSS, etc.
  • Analyze provided documentation: network diagrams, risk assessments, audit reports, penetration test results, and security controls inventories.
  • Conduct interviews with key personnel (security, IT, DevOps, GRC, etc.) to validate practices and identify risks.
  • Provide concise written deliverables, including:
    • Detailed security diligence reports
    • Risk register with severity ratings and business impact
    • 30/60/90/180-day remediation plans
  • Collaborate with legal, technical, and integration teams to support informed decision-making.
  • Work flexibly based on diligence timelines and deal schedules.
Required Qualifications
  • 15+ years of experience in cybersecurity or information security, with 2+ years in security due diligence or third‑party risk assessments.
  • Strong working knowledge of security frameworks: NIST CSF, ISO 27001, CIS Controls, SOC 2.
  • Familiarity with securing cloud‑native and SaaS environments.
  • Ability to assess security risk holistically across technical, organizational, and compliance domains.
  • Excellent written communication skills; able to summarize complex findings in an executive‑friendly format.
  • Self‑starter comfortable with ambiguity and fast‑paced deal environments.
Preferred Qualifications
  • Experience in a consulting, private equity, venture capital, or corporate M&A environment.
  • Certifications such as CISSP, CISA, CISM, CCSP, or OSCP.
  • Prior work with high‑growth startups or tech/SaaS companies.
  • Experience using security assessment tools (e.g., Nessus, Qualys, Burp, Wiz, etc.) is a plus.