Korn Ferry
GRC / NIST Security Consultant
Private salary
Phoenix, Arizona
Remote or hybrid
Description

Interim GRC & NIST CSF 2.0 Security Consultant

Phoenix, AZ local candidates are preferred; remote candidates in the US may be considered.

We are seeking a Senior GRC & NIST CSF 2.0 Security Consultant to rapidly mature our client's cybersecurity governance and risk management program. This engagement is outcome-driven and designed to stand up structure, documentation, and executive-ready processes where a loose and inconsistent framework currently exists. The consultant will assess current practices, close gaps, and deliver production-ready artifacts, working closely with security leadership and executive stakeholders.

Engagement Objectives

The consultant will be responsible for delivering the following defined outcomes within the engagement period:
- Incident Response Plan (IRP) built, tested, and executive tabletop completed
- Security policies, procedures, compliance, and governance stood up and documented
- An executive-level risk register operationalized and in use
- A formal, consistent vendor risk management program documented and implemented
- Alignment of all deliverables to NIST CSF 2.0

Scope of Work & Responsibilities

NIST CSF 2.0 Adoption & GRC Foundation
- Assess current-state security controls against NIST CSF 2.0
- Define target-state outcomes and a roadmap for adoption
- Create and document:
  - Core security policies and standards
  - Supporting procedures and governance mechanisms
- Establish clear control ownership, review cadence, and compliance expectations
- Ensure artifacts are audit-ready and reusable post-engagement

Incident Response Program & Executive Tabletop
- Design and build a comprehensive Incident Response Plan (IRP) aligned to NIST CSF 2.0
- Develop incident-specific playbooks (e.g., ransomware, data breach, vendor compromise)
- Conduct:
  - IRP walkthrough / practice run
  - Executive-level tabletop exercise
- Produce:
  - Executive briefing materials
  - After-action report
  - Documented remediation recommendations

Risk Register & Executive Risk Visibility
- Design and implement an enterprise risk register aligned to NIST CSF 2.0
- Define:
  - Risk statements
  - Likelihood and impact scoring
  - Residual risk and treatment options
- Ensure the risk register is:
  - Understandable to executives
  - Actionable for leadership decision-making
- Establish a sustainable process for ongoing risk updates post-engagement

Vendor Risk Management (VRM) Program
- Formalize and document a vendor risk management program
- Replace vendor-by-vendor inconsistency with a standardized, repeatable approach
- Deliver:
  - Vendor risk tiers
  - Standard assessment criteria and questionnaires
  - Review and approval workflows
  - Ongoing monitoring requirements
- Integrate vendor risk outcomes into the enterprise risk register and governance process

Expected Deliverables

The consultant will produce final, client-owned artifacts, including (but not limited to):
- Incident Response Plan (IRP)
- Incident response playbooks
- Executive tabletop presentation and after-action report
- Security policies, procedures, and governance documentation
- Enterprise risk register with executive-ready reporting format
- Vendor risk management policy, procedures, and assessment framework
- NIST CSF 2.0 mapping and traceability documentation

Required Experience
- Extensive hands-on experience in GRC and cybersecurity risk management
- Demonstrated expertise with NIST CSF 2.0 adoption and implementation
- Proven delivery of:
  - Incident Response Plans
  - Executive tabletop exercises
  - Risk registers for senior leadership
  - Vendor/third-party risk management programs
- Strong facilitation and communication skills with executive stakeholders
- Ability to operate independently and deliver with limited direction

About Korn Ferry

Korn Ferry unleashes potential in people, teams, and organizations. We work with our clients to design optimal organization structures, roles, and responsibilities. We help them hire the right people and advise them on how to reward and motivate their workforce while developing professionals as they navigate and advance their careers. To learn more, please visit Korn Ferry at
