GRC & Compliance Consulting

You need someone who's built these programs, not just audited them.

I'm David Frier — an independent information security consultant with two decades of hands-on experience implementing the frameworks your organization actually needs to pass. No junior staff, no overhead. Just senior expertise, every engagement.

Credentials
CISSP — Certified Information Systems Security Professional
CISM — Certified Information Security Manager
CRISC — Certified in Risk and Information Systems Control
RIMS-CRMP — Certified Risk Management Professional

"Security and compliance should enable your business — not hold it hostage to paperwork."

Why hire an independent consultant?

I've spent my career on both sides of the audit table — managing compliance programs from the inside at regulated organizations, and guiding clients through certification as a consultant. That combination is rare, and it makes a real difference.

Working with an independent practitioner means you get direct access to senior expertise from day one. There are no project managers to route through, no junior analysts doing the work while a senior person signs off. When you hire me, I'm the one doing the work.

My background spans SOX ITGC compliance, NIST CSF implementations, SOC 2 audits, and security operations leadership across thousands of endpoints in complex, regulated environments. I've managed the programs you're trying to build. I know what auditors actually look for, and I know how to get your team there efficiently.

01
Built, Not Advised
Real implementation experience — not theoretical guidance. I've run the programs you're trying to stand up.
02
No Bait-and-Switch
You talk to me, you work with me. No handoff to junior staff after the sale.
03
Business-Aware
Security controls that your organization will actually use and maintain — not perfect-on-paper solutions that don't survive contact with your operations team.
04
Transfer, Not Dependency
Every engagement leaves your team more capable than it started. The goal is to make you less reliant on consultants, not more.

Services

How I can help

Engagements are scoped to your situation — whether you're starting from scratch or need help crossing the finish line for an upcoming audit.

01
Compliance Readiness Assessment
A clear-eyed gap analysis against your target framework. You'll know exactly where you stand, what needs to change, and in what order — with effort estimates you can actually plan around.
02
Implementation & Control Build-Out
Hands-on help designing and implementing required controls, developing policies and procedures, and building the evidence trail auditors need to see. Sustainable from the first day.
03
Audit Preparation
Pre-audit readiness reviews, evidence organization, staff preparation, and auditor liaison support. I've been in that room. I know how to get you ready for it.
04
Security Program Development
Building a mature program from the ground up — governance structure, risk management processes, policies, metrics, and security awareness. Right-sized for your organization.
05
Ongoing Advisory Retainer
Regular expert guidance as questions arise between audits — compliance maintenance, new regulation interpretation, and strategic security planning on a schedule that fits your needs.

Not sure what you need?

An initial consultation is always free. We'll talk through your situation and I'll give you an honest view of what's required — even if that means you don't need me.

Framework Expertise
NIST SP 800-53
NIST Cybersecurity Framework (CSF)
NIST SP 800-171
CMMC
ISO/IEC 27001
SOC 2
SOX ITGC

Organizations at every stage of the compliance journey

From first-time certifications to mature program improvements — across defense, healthcare, financial services, technology, and manufacturing.

Most engagements can be delivered fully remote.
International clients welcome.

Growing companies facing their first compliance requirement

A new enterprise contract requires SOC 2. A DoD opportunity means CMMC is on the table. I help you understand what's actually required and build a program you can maintain after we're done.

SMBs without dedicated security staff

You need enterprise-grade compliance guidance, but you're not big enough to have a CISO. I become your security program lead for the engagement — then transfer the knowledge to your team.

Established organizations that need specialized expertise

Your security team is solid, but a new framework or upcoming audit needs a specialist. I augment your existing team without duplicating work or creating internal friction.

Let's talk about what you're trying to accomplish.

Initial consultations are free and carry no obligation. If I'm not the right fit for your situation, I'll tell you that too.

Location Rochester, NY — serving clients nationwide & internationally
Availability New engagements typically begin within 1–3 weeks of agreement
CV / Résumé Download PDF →