North Hills Cyber Security Advisors helps small and mid-size businesses in Western Pennsylvania build real security programs, pass audits, and manage risk. No full-time hire required.
Most small and mid-size businesses reach a point where the old approach stops working. Clients are asking questions. Cyber insurance premiums are climbing. An incident or audit would hurt. But hiring a full-time CISO isn't the right move yet.
"The businesses I work with don't need a full-time CISO. They need someone who has built this before, can explain the risk clearly, and can help them take the next practical steps without overcomplicating it."
— Ashley, Founder, North Hills Cyber Security Advisors

Three ways to engage, sized to where your business actually is.
A monthly retainer that gives your business an experienced security advisor without the cost of a full-time hire. Policy, vendor risk, audit prep, incident support, and strategic guidance — on a part-time basis that fits your budget.
Fixed-scope, fixed-price engagements that tell you where you actually stand. Gap assessments, SOC 2 readiness reviews, Active Directory hardening reviews, and tabletop incident response exercises.
A flat monthly fee to have an experienced security professional on call when something goes wrong. Most months nothing happens. When it does, you're not starting from scratch.
A few years ago, I walked into a company as its first-ever dedicated security hire. Family-owned, operationally solid, no security program to speak of. No policy library, no formal risk process, no tooling that had kept pace with the business. By the time I was done, the company had SOC 2 Type II certification.
That experience shaped how I think about security for small and mid-size businesses. Frameworks don't build programs. People do. And the person doing the building needs to understand how the business actually works before they touch a control or write a policy.
Through North Hills Cyber Security Advisors, I bring that same approach to businesses across Western Pennsylvania. You get someone who has been in the room when the audit evidence request comes in, who has run a real incident response, and who has had the conversation with leadership about what security is actually going to cost and why it's worth it.
When you work with me, you work with me directly. There's no account manager, no junior consultant doing the actual work. Just a straight conversation about where you stand and what it's going to take.
We work best with businesses that have grown past informal security and need a clear path forward.
AEC firms facing client security questionnaires, CMMC-adjacent requirements, or supply chain pressure from larger contractors. You've built exceptional operational programs. Security is the gap.
Law firms, accounting practices, and financial services businesses operating under state and federal data protection obligations. Client data is your most sensitive asset and your biggest liability.
Businesses with HIPAA obligations that don't have a dedicated compliance officer. Billing companies, specialty clinics, and healthcare vendors navigating the intersection of IT and patient data.
Organizations that just experienced a phishing incident, failed a vendor risk assessment, or received a client questionnaire they couldn't answer. Sometimes urgency is the best motivator.
Not sure if you're the right fit? Reach out anyway. The first conversation is always free, and if I'm not the right person for your situation, I'll tell you that directly.
No pitch, no pressure. Just tell me what's going on and I'll tell you what I actually think.
Most of the businesses I work with have been sitting on the security conversation for a while. They know they need to do something, they're just not sure what, or whether it's worth the cost.
The first call is 30 minutes. I'll ask about what's driving the conversation, what your current setup looks like, and what you're actually worried about. You'll walk away with a straight answer on what you need and roughly what it's going to take.
I'm based in the Pittsburgh area and work primarily with Western Pennsylvania businesses, though I take on remote engagements for the right fit.