Crystal Harris
GRC & Cybersecurity
Washington, DC

GRC · Cybersecurity · AI Governance

Your business stays secure. You stay moving.

Most businesses don't get breached because hackers are clever. They get breached because nobody was paying attention to the basics. I fix that — with frameworks, policies, and programs built for how your business actually works.

No security policy in place
Failed or upcoming compliance audit
Deploying AI with no governance
Vendor risk nobody has reviewed
Team doesn't know what a phishing email looks like
Leadership wants a security roadmap

How I can help you

Flat-fee engagements with clear deliverables. No retainers unless you want one. No jargon — just work that actually protects your business.

Security Gap Assessment

Find out exactly where your risks are before something forces you to find out the hard way. Ideal starting point for businesses with no existing security program.

Written gap analysis report · Risk priority matrix · 90-day remediation roadmap
GRC Program Build

Policies, procedures, and risk frameworks mapped to NIST CSF, ISO 27001, or SOC 2 — built for your team size and industry, not copy-pasted from a template.

Policy library (10–20 docs) · Risk register · Compliance mapping
AI Governance

Using AI tools across your business without a governance policy is a liability. I build the framework before regulators, insurers, or a breach make you build it.

AI use policy · ISO 42001 alignment · Risk controls & documentation
Vendor Risk Review

Your security is only as strong as the weakest vendor with access to your data. I assess your third-party relationships and flag what needs attention.

Vendor risk scoring · Due diligence questionnaires · Remediation recommendations
Security Awareness Training

Your team is your biggest attack surface. I build training your employees will actually pay attention to — including phishing scenarios built around how your business really runs.

Custom training program · Phishing simulation · Incident response playbook
Fractional CISO

Not ready to hire a full-time security lead? I act as your ongoing security advisor — attending meetings, reviewing decisions, and keeping your program moving month to month.

Monthly strategy sessions · On-call advisory · Quarterly risk reviews

Security that fits how you actually operate

7+
Years of operational experience
From help desk to operations management to field supervision — I've seen how organizations actually function, not just how policy docs say they should.

SMB
Built for small and mid-size businesses
Enterprise-grade frameworks adapted for teams that don't have a dedicated security department — practical, not theoretical.

DC
Washington, DC metro area
Available for on-site engagements across the DMV, and remote consulting nationwide.

Let's talk about what needs fixing.

Free 30-minute consultation. No sales pitch — just a conversation about where you are and whether I can help.

Or email directly