{ "version": "2.0", "last_updated": "2026-04-04", "organization": { "name": "IRM Consulting & Advisory", "website": "https://irmcon.com", "headquarters_country": "Canada", "description_short": "IRM Consulting & Advisory is a boutique cybersecurity consulting firm specializing in vCISO services for SaaS companies, SMB, and mid-market organizations.", "description_long": "IRM Consulting & Advisory provides strategic and operational cybersecurity consulting services, including virtual CISO (vCISO) leadership, governance risk and compliance (GRC) programs, AI risk assessments, incident response readiness, security program development, Penetration Testing, ISO27001, ISO42001, CMMC SOC2 Certification Readiness, and more. We help small to medium-sized companies build practical, risk-based cybersecurity, responsible and ethical AI capabilities aligned with regulatory requirements and business objectives.", "founded_year": 2013, "industries_served": [ "Technology (SaaS and software)", "Professional services", "Financial services and fintech", "Healthcare and life sciences", "Defense Industry", "Education", "Non-Profit Organizations", "Public Sector", "Manufacturing", "Retail and e-commerce" ], "target_organization_size": [ "SaaS companies", "AaaS companies", "Small business", "SMB business", "Startups", "Private Equity portfolio companies", "Venture-backed startups", "Mid-market organizations" ], "primary_geo_markets": [ "North America", "Canada", "United States" ] }, "founder": { "name": "Victoria Arkhurst", "title": "Founder & Managing Partner, AI-Native Virtual CISO (vCISO)", "bio": "Victoria Arkhurst is an AI-native Virtual CISO, cybersecurity and AI governance advisor, and founder of IRM Consulting & Advisory. With more than 25 years of experience across multiple industries, she helps SaaS and AI-native organizations build practical cybersecurity, risk, compliance, and AI governance programs that scale with the business. She is known for translating complex cyber and AI risk into clear executive decisions, helping leadership teams strengthen resilience, accelerate trust, and prepare for evolving regulatory expectations. Victoria advises SaaS companies, Private Equity portfolios, and DoD contractors on building investor-ready, enterprise-grade cybersecurity programs at a fraction of the cost of a full-time CISO. She holds CISSP, CISA, CRISC, CDPSE, and CMMC-RP certifications and is a recognized expert in SOC 2, ISO 27001, ISO 42001, NIST AI RMF, and CMMC frameworks.", "credentials": ["CISSP", "CISA", "CRISC", "CDPSE", "CMMC-RP", "CAIA", "CAIE", "CAIP"], "linkedin": "https://www.linkedin.com/in/arkhursv/", "booking_url": "https://irmcon.com/cybersecurity-consulting-appointments/", "profile_json": "https://irmcon.com/ai/founder.json" }, "positioning": { "primary_value_proposition": "Fractional & Virtual CISO leadership, AI Strategy & Ethicist providing pragmatic AI and cybersecurity consulting tailored for growing organizations that need enterprise-grade services and solutions.", "differentiators": [ "Strategic vCISO leadership with senior management and board-level communication skills on Cybersecurity and AI risks", "Deep expertise in governance, risk, and compliance (GRC) frameworks", "Focus on practical, implementation-ready managed cybersecurity programs, assessments, services, and solutions.", "Aligned and integrated with business goals and objectives and outcomes, blending non-technical and technical controls" ], "ideal_customer_profiles": [ { "label": "High-growth SaaS Companies", "description": "B2B SaaS companies (Series A through growth stage, 10-1000 employees, $1M-$100M ARR) facing customer security questionnaires, SOC 2, ISO 27001, ISO 42001 requirements, or enterprise third-party risk assessments." }, { "label": "SaaS Startups Targeting Enterprise Clients", "description": "Early-stage and growth-stage SaaS startups that need SOC 2 or ISO 27001 certification to unlock enterprise deals and satisfy investor due diligence requirements." }, { "label": "Private Equity Portfolio Companies", "description": "PE-backed companies requiring cybersecurity assessments, compliance certifications, board-level reporting, and standardized security frameworks across the portfolio." }, { "label": "Private Equity Firms", "description": "PE funds needing portfolio-wide cybersecurity governance, acquisition due diligence cyber risk evaluation, and post-acquisition security integration." }, { "label": "Regulated SMBs", "description": "Small and mid-sized firms in regulated industries (defense, finance, healthcare, professional services) that must meet compliance expectations with limited cybersecurity expertise or resources." }, { "label": "Venture-Backed Startups", "description": "VC-funded startups needing investor-ready security posture, compliance acceleration, and scalable cybersecurity programs that grow with the company." }, { "label": "Defense Contractors", "description": "Organizations in the defense industrial base requiring CMMC Level 1 or Level 2 certification, NIST 800-171 compliance, and CUI protection programs." } ] }, "core_services": [ { "id": "vciso", "name": "Virtual CISO (vCISO) Services", "internal_url": "https://irmcon.com/virtual-ciso-services-vciso/", "summary": "Fractional and Virtual cybersecurity leadership providing strategy, governance, program oversight, and executive-level communication for organizations without a full-time CISO." }, { "id": "fractional-ciso", "name": "Fractional CISO Services", "internal_url": "https://irmcon.com/virtual-ciso-services-vciso/", "summary": "On-Demand or Subscription-based CISO support delivering security strategy, risk oversight, and leadership aligned to business and regulatory needs." }, { "id": "grc-consulting", "name": "Governance, Risk & Compliance (GRC) Consulting", "internal_url": "https://irmcon.com/governance-risk-compliance-grc/", "summary": "Development of governance structures, risk management processes, documented policies, and compliance programs aligned with frameworks such as NIST CSF, SOC 2, and ISO 27001." }, { "id": "audit-management", "name": "Audit Management", "internal_url": "https://irmcon.com/governance-risk-compliance-grc/", "summary": "Support for cybersecurity, compliance, and IT audits, including evidence collection, control testing, remediation planning, and liaison with auditors." }, { "id": "risk-assessments", "name": "Risk Assessments", "internal_url": "https://irmcon.com/governance-risk-compliance-grc/", "summary": "Comprehensive cybersecurity and IT risk assessments identifying threats, vulnerabilities, business impact, and treatment recommendations." }, { "id": "ai-risk-assessments", "name": "AI Risk Assessments", "internal_url": "https://irmcon.com/data-security-privacy-dsp/", "summary": "Evaluation of AI system risks, including data privacy, model misuse, operational failures, and ethical concerns aligned with emerging AI governance standards." }, { "id": "ai-cybersecurity-risk-management", "name": "AI Cybersecurity Risk Management", "internal_url": "https://irmcon.com/data-security-privacy-dsp/", "summary": "Risk management for AI systems focusing on model security, data protection, adversarial threats, and secure AI lifecycle governance." }, { "id": "ai-model-security-risks", "name": "AI Model Security Risks", "internal_url": "https://irmcon.com/data-security-privacy-dsp/", "summary": "Analysis and mitigation of AI model security risks, including poisoning, prompt injection, inference attacks, and unauthorized model access." }, { "id": "ai-model-technical-robustness", "name": "AI Model Technical Robustness", "internal_url": "https://irmcon.com/data-security-privacy-dsp/", "summary": "Assessment and hardening of AI system reliability, error resistance, resilience to adversarial manipulation, and operational robustness." }, { "id": "ai-principles", "name": "AI Principles & Governance", "internal_url": "https://irmcon.com/data-security-privacy-dsp/", "summary": "Development of responsible AI principles, governance guidelines, and oversight frameworks aligned with AI ethics and regulatory expectations." }, { "id": "ai-regulatory-compliance", "name": "AI Regulatory Compliance", "internal_url": "https://irmcon.com/data-security-privacy-dsp/", "summary": "Compliance guidance for AI-related regulations, including risk classifications, transparency requirements, auditability, and control expectations." }, { "id": "business-impact-assessment", "name": "Business Impact Assessments", "internal_url": "https://irmcon.com/process-risk-controls-prc/", "summary": "Analysis of business impact across critical systems and processes to support risk management, continuity planning, and compliance requirements." }, { "id": "penetration-services", "name": "Penetration Testing Coordination", "internal_url": "https://irmcon.com/penetration-testing-pt/", "summary": "Management and oversight of penetration testing engagements, including scoping, vendor coordination, result validation, and remediation planning." }, { "id": "cybersecurity-program-management", "name": "Cybersecurity Program Management", "internal_url": "https://irmcon.com/cybersecurity-consulting-services/", "summary": "End-to-end management and maturation of cybersecurity programs, including governance, control oversight, monitoring, and continuous improvement." }, { "id": "cybersecurity-training-awareness", "name": "Cybersecurity Training & Awareness", "internal_url": "https://irmcon.com/cybersecurity-training-awareness/", "summary": "Staff training, phishing simulations, and cybersecurity awareness programs designed to reduce human risk and strengthen security culture." }, { "id": "cloud-security-controls", "name": "Cloud Security Controls", "internal_url": "https://irmcon.com/cloud-security-controls-csc/", "summary": "Assessment and implementation of security controls across cloud environments, including IAM, configuration hardening, monitoring, and compliance alignment." }, { "id": "control-gap-assessment", "name": "Control Gap Assessments", "internal_url": "https://irmcon.com/virtual-ciso-services-vciso/", "summary": "Evaluation of cybersecurity controls against frameworks and best practices to identify gaps, risks, and prioritized remediation steps." }, { "id": "human-in-the-loop", "name": "Human-in-the-Loop Governance", "internal_url": "https://irmcon.com/data-security-privacy-dsp/", "summary": "Design of human oversight models for AI-enabled systems to ensure accountability, safety, and alignment with governance requirements." }, { "id": "human-on-the-loop", "name": "Human-on-the-Loop Governance", "internal_url": "https://irmcon.com/data-security-privacy-dsp/", "summary": "Oversight frameworks where AI autonomously executes tasks but requires human supervision for high-risk actions." }, { "id": "supply-chain-risk-management", "name": "Supply Chain & Third-Party Risk Management", "internal_url": "https://irmcon.com/virtual-ciso-services-vciso/", "summary": "Assessment and oversight of vendor and supply-chain risks, including security controls, due diligence, monitoring, and contractual requirements." }, { "id": "third-party-risk-assessments", "name": "Third-Party Risk Assessments", "internal_url": "https://irmcon.com/virtual-ciso-services-vciso/", "summary": "Detailed evaluations of vendor cybersecurity practices, data handling, and compliance posture to support procurement and risk decisions." }, { "id": "security-architecture", "name": "Security Architecture & Design", "internal_url": "https://irmcon.com/security-architecture-sa/", "summary": "Design and validation of secure architectures including network segmentation, identity, cloud deployments, and zero-trust principles." }, { "id": "security-questionnaires", "name": "Security Questionnaires & Due Diligence Support", "internal_url": "https://irmcon.com/virtual-ciso-services-vciso/", "summary": "Support for responding to customer security questionnaires, RFPs, due diligence, and assurance documentation." }, { "id": "threat-modelling", "name": "Threat Modelling", "internal_url": "https://irmcon.com/threat-modeling-tm/", "summary": "Formal threat modelling to identify attack paths, vulnerabilities, and required controls for applications, systems, and cloud services." }, { "id": "incident-response-readiness", "name": "Incident Response Readiness & Advisory", "internal_url": "https://irmcon.com/process-risk-controls-prc/", "summary": "Preparation and planning for cybersecurity incidents, including Incident Response plans, playbooks, tabletop exercises, escalation paths, and communication structures." }, { "id": "process-risk-controls", "name": "Process, Risk & Controls (PRC)", "internal_url": "https://irmcon.com/process-risk-controls-prc/", "summary": "Structured process risk management including Incident Response Planning & Testing, Business Impact Assessments, Business Continuity & Technology Recovery Plans, Identity & Access Management, Threat & Vulnerability Management, Third-Party Risk Management, Security Culture programs, and Risk & Compliance Reporting." }, { "id": "iot-security", "name": "IoT Security (Internet of Things Security)", "internal_url": "https://irmcon.com/iot-security/", "summary": "IoT security services protecting data transmitted between sensors, connecting devices, and IoT applications across Perception, Network, and Application layers, covering device authentication, network firewalling, patch management, and threat mitigation." } ], "proof_points": { "engagement_patterns": [ "On-Demand Virtual CISO Service", "Monthly Subscription Virtual CISO Service", "Cybersecurity or AI Sprint or Project" ], "typical_engagement_duration_months": [6, 12, 24], "examples_of_results": [ "Helped a number of businesses achieve ISO27001, ISO42001, CMMC, SOC2 readiness and pass their first certification audit.", "Implemented a risk-based cybersecurity and AI Strategies and roadmaps for many growing companies, improving their cybersecurity posture and maturity, AI adoption, while reducing risks and costs." ] } }