Fractional CISO · Vancouver, BC

Senior security leadership for startups selling into regulated markets

I’m Hieg Khatcherian, a fractional CISO based in Vancouver. I help Canadian startups win enterprise deals and enter regulated markets in the US, EU, and UK — with the security leadership those markets expect, at a scale that makes sense for your stage.

Three ways I help

Fractional CISO

Ongoing, part-time security leadership embedded with your team. Strategy, risk, compliance ownership, and board-level reporting — a CISO on your org chart without the full-time cost.

Compliance readiness

SOC 2, ISO 27001, HIPAA, and the privacy frameworks your markets demand. Built as one coherent security program that maps to many certifications — not five parallel checkbox projects.

Enterprise deal support

Security questionnaires, customer trust reviews, and procurement requirements — handled by someone who’s sat on both sides of the table, so your deal keeps moving.

Why fractional

Most startups between seed and Series B need real security leadership for somewhere between two and eight days a month. A full-time CISO costs more than the problem does at your stage; a junior hire or a compliance tool leaves nobody actually accountable when a customer, auditor, or investor starts asking hard questions.

A fractional CISO closes that gap: senior experience, embedded in your team and your tools, scaled to what your stage actually requires. When you eventually outgrow the model — and the goal is that you do — I’ll help you hire your first full-time security leader and hand over a program that works.

25+ years in security & technology leadership

Former CISO at Thrive Health. Senior technology leadership at Vision Critical and BuildDirect. Fractional CISO to companies including Thrive Health, HeadCheck Health, Dooly, and Readymode.

Recent writing

July 2026 · 8 min

CPCSC vs CMMC: the Canadian supplier’s guide to doing both

Canada’s CPCSC and the US CMMC share the same NIST 800-171 roots but offer no mutual recognition. How to build once and certify for both.

If any of this sounds familiar, let’s talk.

The next step is a 30-minute conversation — no pitch, no obligation. You’ll walk away with an honest read on where you stand and what actually matters next, whether or not we work together.