GRC / NIST Security Consultant

Interim GRC & NIST CSF 2.0 Security Consultant

Phoenix, AZ local candidates are preferred; remote candidates in the US may be considered.

We are seeking a Senior GRC & NIST CSF 2.0 Security Consultant to rapidly mature our client's cybersecurity governance and risk management program. This engagement is outcome-driven and designed to stand up structure, documentation, and executive-ready processes where a loose and inconsistent framework currently exists. The consultant will assess current practices, close gaps, and deliver production-ready artifacts, working closely with security leadership and executive stakeholders.

Engagement Objectives

The consultant will be responsible for delivering the following defined outcomes within the engagement period:

- Incident Response Plan (IRP) built, tested, and executive tabletop completed
- Security policies, procedures, compliance, and governance stood up and documented
- An executive-level risk register operationalized and in use
- A formal, consistent vendor risk management program documented and implemented
- Alignment of all deliverables to NIST CSF 2.0

NIST CSF 2.0 Adoption & GRC Foundation

- Assess current-state security controls against NIST CSF 2.0
- Define target-state outcomes and a roadmap for adoption
- Create and document:
  - Core security policies and standards
  - Supporting procedures and governance mechanisms
- Establish clear control ownership, review cadence, and compliance expectations
- Ensure artifacts are audit-ready and reusable post-engagement

Incident Response Program & Executive Tabletop

- Design and build a comprehensive Incident Response Plan (IRP) aligned to NIST CSF 2.0
- Develop incident-specific playbooks (e.g., ransomware, data breach, vendor compromise)
- Conduct:
  - IRP walkthrough / practice run
  - Executive-level tabletop exercise
- Produce:
  - Executive briefing materials
  - After-action report
  - Documented remediation recommendations

Risk Register & Executive Risk Visibility

- Design and implement an enterprise risk register aligned to NIST CSF 2.0
- Define:
  - Risk statements
  - Likelihood and impact scoring
  - Residual risk and treatment options
- Ensure the risk register is:
  - Understandable to executives
  - Actionable for leadership decision-making
- Establish a sustainable process for ongoing risk updates post-engagement

Vendor Risk Management (VRM) Program

- Formalize and document a vendor risk management program
- Replace vendor-by-vendor inconsistency with a standardized, repeatable approach
- Deliver:
  - Vendor risk tiers
  - Standard assessment criteria and questionnaires
  - Review and approval workflows
  - Ongoing monitoring requirements
- Integrate vendor risk outcomes into the enterprise risk register and governance process

Expected Deliverables

The consultant will produce final, client-owned artifacts, including (but not limited to):

- Incident Response Plan (IRP)
- Incident response playbooks
- Executive tabletop presentation and after-action report
- Security policies, procedures, and governance documentation
- Enterprise risk register with executive-ready reporting format
- Vendor risk management policy, procedures, and assessment framework
- NIST CSF 2.0 mapping and traceability documentation

Required Experience

- Extensive hands-on experience in GRC and cybersecurity risk management
- Demonstrated expertise with NIST CSF 2.0 adoption and implementation
- Proven delivery of:
  - Incident Response Plans
  - Executive tabletop exercises
  - Risk registers for senior leadership
  - Vendor/third-party risk management programs
- Strong facilitation and communication skills with executive stakeholders
- Ability to operate independently and deliver with limited direction