Frequently Asked Questions

Why should I choose a lawyer for cybersecurity consulting?

Breaches are legal nightmares requiring expertise in incident response AND breach notification laws. You need someone who understands privilege protections, data retention laws, and regulatory compliance—not just firewall rules. Our dual legal and technical background means we handle the technical response while your counsel handles the legal strategy, seamlessly.

Do you only work with large enterprises?

We work with organizations of all sizes, from solo practitioners to companies with 100+ employees. Our flexible engagement models (hourly, project-based, and retainer) allow us to serve small businesses effectively. In fact, small businesses are our sweet spot—we provide enterprise-grade expertise without enterprise pricing.

What makes Steele Fortress different from other cybersecurity firms?

Three things: (1) Legal expertise most firms don't have, (2) Direct access to senior consultants—not junior analysts, and (3) Pragmatic recommendations based on actual risk and budget, not vendor commissions. We're a boutique firm competing on expertise and client service, not volume.

Do you work nationwide or only in specific states?

We work nationwide and internationally. Cybersecurity consulting doesn't require state-by-state licensing, and most of our work is conducted remotely. We travel on-site for incident response, audits, and strategy sessions as needed.

How do you charge for services?

We offer three models: (1) Hourly consulting for one-off projects and incident response, (2) Project-based pricing for defined scopes like SOC 2 readiness or security assessments, and (3) Monthly retainers for ongoing vCISO or continuous security management. We provide transparent upfront pricing—no surprise bills.

Can you help with both cybersecurity and privacy consulting?

Yes—that's our specialty. We combine technical security (firewalls, encryption, incident response) with privacy consulting (GDPR/CCPA compliance, privacy policies, data protection). This combination is rare—most firms do one or the other, but we handle both technical controls and legal compliance.

What is your average response time for emergency incidents?

For active breaches and ransomware attacks, we typically begin remote triage within 1-2 hours. Retainer clients receive a guaranteed 4-hour response SLA. Our 24/7 emergency hotline connects you directly with Jonathan—not a call center.

Do you work with cyber insurance providers?

Yes. We regularly coordinate with insurance carriers, help navigate the claims process, and provide the detailed incident reports and forensic documentation that insurers require.

What industries do you specialize in for incident response?

We specialize in healthcare, legal, financial services, manufacturing, and technology. Our team has deep experience with HIPAA, GLBA, and PCI DSS compliance requirements specific to these industries.

Can you help prevent future incidents after a breach?

Absolutely. Every incident response engagement includes a post-incident security assessment and recommendations. We can also provide ongoing vCISO services for continuous security improvement and monitoring.

How do you charge for incident response services?

We bill hourly with a 4-hour minimum for emergency response. Pricing is transparent and provided upfront. We work within your cyber insurance policy limits when applicable. Post-incident remediation can be quoted on a project basis.

How is a vCISO different from a security consultant?

A vCISO provides ongoing strategic leadership and accountability—not one-time assessments. We attend board meetings, manage vendor relationships, oversee security teams, and drive your long-term security roadmap. Think of us as your part-time CISO, not a consultant who delivers a report and disappears.

What size organizations benefit most from vCISO services?

Organizations with 20-500 employees typically see the most value. You're large enough to need strategic security leadership, but not large enough to justify a full-time CISO salary ($250K+). We also work with pre-IPO startups preparing for compliance audits or investor due diligence.

How much time will you spend with our organization?

It varies based on your needs. Strategic engagements run 8-16 hours/month for quarterly planning. Balanced engagements run 20-40 hours/month for active program development. Intensive engagements run 40-80 hours/month for major initiatives like SOC 2 certification or incident response.

Will you work with our existing IT team or MSP?

Absolutely. We collaborate closely with internal IT teams, MSPs, and existing vendors. Our role is strategic oversight and guidance—we're not replacing your technical staff. We help prioritize initiatives and ensure they align with business objectives.

What compliance frameworks do you support?

We support SOC 2, ISO 27001, NIST CSF, NIST 800-171, CMMC, HIPAA, PCI DSS, GDPR, CCPA, and various state-specific privacy laws. We help you choose the right framework for your business and guide you through implementation and audit preparation.

How long does it take to achieve compliance?

It depends on your starting point and target framework. SOC 2 typically takes 3-6 months. HIPAA compliance takes 2-4 months. ISO 27001 certification takes 6-12 months. We provide realistic timelines after assessing your current state.

Do I need to comply with multiple regulations?

Many organizations do. For example, a healthcare SaaS company might need HIPAA (for health data), SOC 2 (for enterprise customers), and CCPA (for California residents). The good news: controls overlap significantly. We help you build an integrated compliance program that addresses multiple frameworks efficiently.

What's the difference between compliance and security?

Compliance is about meeting minimum regulatory requirements—it's a checkbox. Security is about actual protection—it's a mindset. You can be compliant but insecure, or secure but non-compliant. We help you achieve both: real security that also satisfies auditors.

How much does compliance cost?

Costs vary by organization size and complexity. SOC 2 audits typically run $15k-$50k annually. ISO 27001 certification costs $20k-$75k. Our consulting fees are typically 20-30% of your total compliance program costs. We provide detailed estimates after an initial assessment.

What happens if we fail an audit?

An unsuccessful audit results in a findings report detailing what needs remediation before certification. We help you address findings systematically and prepare for re-audit. With our pre-audit readiness assessments, 90% of our clients pass on their first attempt.