Brian DeVore Consulting
Security & Governance

Security findings shouldn't be your first sign you have a problem.

Most SMBs discover cloud security gaps during an audit, a prospect's security review, or — worst case — after a breach. We build the controls, policies, and continuous monitoring that keep you ahead of all three.

Security gaps that don't show up until they hurt you

Cloud security debt accumulates quietly. Here's what we typically find in the first audit.

IAM sprawl and excessive permissions

Developers granted AdministratorAccess because it was easier. Service accounts with permissions they've never needed. Long-forgotten access keys that haven't been rotated in years.

Secrets hardcoded in repos and environment variables

Database passwords in .env files committed to Git three years ago. API keys shared in Slack. AWS credentials in CI pipelines with no rotation plan.

Compliance requirements blocking enterprise deals

A SOC2 Type II report or a signed HIPAA BAA is the one thing standing between you and your biggest prospect. The gap between where you are and where you need to be feels overwhelming.

What's included

Concrete deliverables — not vague "advisory" work.

IAM security audit and remediation

Review of every IAM user, role, and policy. Least-privilege enforcement, access key rotation, and MFA enforcement across your AWS organization.
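The stale-key and MFA checks described above (and the "IAM sprawl" problem earlier on the page) are the kind of thing the IAM credential report answers directly. The following is an added example, not Brian DeVore Consulting's own tooling: it parses a credential report in the CSV format that `aws iam get-credential-report` returns and flags root without MFA, console users without MFA, active access keys older than a threshold, and active keys that have not been used in a long time. The sample report, the account number 111122223333, the user names and the 90-day thresholds are all constructed assumptions; `fetch_credential_report` shows how to pull the real report with boto3 but is not exercised offline.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the IAM credential report format (the CSV that
# `aws iam get-credential-report` returns base64-encoded). Users, ARNs and
# timestamps are invented for illustration.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-03-01T09:00:00+00:00,not_supported,2024-05-01T08:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-06-10T12:00:00+00:00,true,2024-06-01T10:00:00+00:00,2024-03-01T10:00:00+00:00,2024-05-30T10:00:00+00:00,true,true,2024-04-15T00:00:00+00:00,2024-06-01T09:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2020-01-20T12:00:00+00:00,true,2024-05-30T10:00:00+00:00,2020-01-20T12:00:00+00:00,N/A,false,true,2020-01-20T12:05:00+00:00,2024-05-30T11:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2021-09-05T12:00:00+00:00,false,no_information,N/A,N/A,false,true,2021-09-05T12:05:00+00:00,2022-02-10T03:00:00+00:00,us-west-2,ecr,true,2024-05-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed "now" so the sample audit is reproducible; a live run would use datetime.now(timezone.utc).
NOW = datetime(2024, 6, 5, tzinfo=timezone.utc)


def _ts(value):
    """Parse a credential-report timestamp; N/A, no_information and not_supported become None."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now, max_key_age_days=90, max_unused_days=90):
    """Return a list of findings (user, severity, code, detail) from a credential report.

    Thresholds are assumptions for this example, not a figure from the page.
    """
    findings = []

    def add(user, severity, code, detail):
        findings.append({"user": user, "severity": severity, "code": code, "detail": detail})

    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root has no policy boundary, so MFA and "no access keys" are non-negotiable.
            if row["mfa_active"] != "true":
                add(user, "CRITICAL", "ROOT_NO_MFA", "root account has no MFA device")
            for slot in ("1", "2"):
                if row[f"access_key_{slot}_active"] == "true":
                    add(user, "CRITICAL", "ROOT_ACCESS_KEY", f"root account has an active access key {slot}")
            continue

        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            add(user, "HIGH", "NO_MFA", "console password enabled without MFA")

        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _ts(row[f"access_key_{slot}_last_rotated"])
            last_used = _ts(row[f"access_key_{slot}_last_used_date"])
            if rotated is not None:
                age = (now - rotated).days
                if age > max_key_age_days:
                    add(user, "MEDIUM", "KEY_STALE",
                        f"access key {slot} is {age} days old (limit {max_key_age_days})")
            # A key never used since it was created is idle since its creation date.
            idle_since = last_used or rotated
            if idle_since is not None:
                idle = (now - idle_since).days
                if idle > max_unused_days:
                    add(user, "HIGH", "KEY_UNUSED",
                        f"access key {slot} active but unused for {idle} days; disable it")
    return findings


def fetch_credential_report():
    """Pull the live report with boto3 (needs AWS credentials; not used by the offline sample)."""
    import time
    import boto3
    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)  # generation is asynchronous; poll until the report is ready
    return iam.get_credential_report()["Content"].decode("utf-8")  # boto3 hands back the CSV as bytes


if __name__ == "__main__":
    for f in audit_credential_report(SAMPLE_REPORT, NOW):
        print(f"{f['severity']:8} {f['user']:15} {f['detail']}")
```

Against the sample, `alice` is clean, `bob` has a console login without MFA and a key that was last rotated when the account was created, and `ci-deploy` has an active key that nobody has used in two years, which is exactly the kind of forgotten credential an attacker with a leaked `.env` file would still be able to use. Running the same function over `fetch_credential_report()` output gives the live picture for one account; run it per member account across the organization.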

Secrets management implementation

Migration to AWS Secrets Manager or HashiCorp Vault, rotation policies, and a process to eliminate hardcoded credentials from your codebase.

AWS Security Hub baseline

The CIS AWS Foundations Benchmark and AWS Foundational Security Best Practices standards enabled in Security Hub and tuned to your environment, so the findings that remain reflect real exposure rather than noise.

HIPAA controls mapping (for healthtech)

An audit of your infrastructure against the HIPAA Security Rule technical safeguards, with a remediation roadmap and the evidence you will need to support a BAA.

SOC2 readiness assessment

A gap analysis against SOC2 Trust Service Criteria (Security, Availability, Confidentiality) with a prioritized remediation plan.

VPC and network security review

Security group audit, public exposure review, network segmentation assessment, and flow log configuration.
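The public exposure part of that review is mechanical enough to script. The following is an added example, not Brian DeVore Consulting's own tooling: it walks security groups in the shape that the EC2 DescribeSecurityGroups API returns and flags inbound rules open to the whole internet (0.0.0.0/0 or ::/0), grading "all traffic" rules as critical, management and database ports as high, and anything else as medium, while leaving 80/443 alone. The sample groups, their ids and the sensitive-port list are constructed assumptions; `load_live_groups` shows the boto3 call for a real region but is not exercised offline.

```python
# Constructed sample shaped like EC2 DescribeSecurityGroups output, trimmed to the
# fields this check reads. Group ids are readable placeholders (real ones look like
# sg-0123456789abcdef0); 203.0.113.0/24 is the TEST-NET-3 documentation range.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-bastion", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-db", "GroupName": "postgres", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-legacy", "GroupName": "legacy-allow-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-app", "GroupName": "app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
]

# Ports that should never face the internet directly (assumed list; extend for your stack).
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 1433: "mssql", 3306: "mysql",
                   5432: "postgres", 6379: "redis", 9200: "elasticsearch", 27017: "mongodb"}
PUBLIC_OK_PORTS = frozenset({80, 443})


def _open_to_anywhere(perm):
    """Return the any-source CIDRs in one inbound rule (0.0.0.0/0 and/or ::/0)."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == "0.0.0.0/0"]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == "::/0"]
    return v4 + v6


def review_security_groups(groups, public_ok_ports=PUBLIC_OK_PORTS):
    """Return findings (group_id, severity, code, detail) for rules open to the internet."""
    findings = []

    def add(gid, severity, code, detail):
        findings.append({"group_id": gid, "severity": severity, "code": code, "detail": detail})

    for group in groups:
        gid = group["GroupId"]
        for perm in group.get("IpPermissions", []):
            sources = _open_to_anywhere(perm)
            if not sources:
                continue  # scoped to a CIDR, prefix list or another security group
            proto = perm.get("IpProtocol")
            if proto == "-1":
                add(gid, "CRITICAL", "ALL_TRAFFIC_PUBLIC",
                    f"all protocols and ports open to {', '.join(sources)}")
                continue
            if proto not in ("tcp", "udp"):
                continue  # for icmp, FromPort/ToPort are type/code, not ports
            lo, hi = perm["FromPort"], perm["ToPort"]
            hits = [f"{p}/{name}" for p, name in sorted(SENSITIVE_PORTS.items()) if lo <= p <= hi]
            if hits:
                add(gid, "HIGH", "SENSITIVE_PORT_PUBLIC",
                    f"{proto} {lo}-{hi} open to {', '.join(sources)} exposes {', '.join(hits)}")
            elif all(p in public_ok_ports for p in range(lo, hi + 1)):
                continue  # public web ports are expected to be reachable
            else:
                add(gid, "MEDIUM", "PORT_PUBLIC",
                    f"{proto} {lo}-{hi} open to {', '.join(sources)}; confirm this is intended")
    return findings


def load_live_groups(region_name):
    """Fetch every security group in one region with boto3 (needs AWS credentials)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region_name)
    groups = []
    for page in ec2.get_paginator("describe_security_groups").paginate():
        groups.extend(page["SecurityGroups"])
    return groups


if __name__ == "__main__":
    for f in review_security_groups(SAMPLE_GROUPS):
        print(f"{f['severity']:8} {f['group_id']:12} {f['detail']}")
```

Note that `sg-db` is flagged even though its IPv4 rule is correctly scoped to `sg-app`: the IPv6 `::/0` rule is a separate entry and is easy to miss when reviewing in the console. A rule open to the internet is only a real exposure when something with a public IP uses the group, so pair this with a check of which ENIs reference each flagged group before assigning a final severity.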

CloudTrail and GuardDuty configuration

CloudTrail enabled as a multi-region trail so API activity in every region is logged, and GuardDuty enabled in every region you use (it is a per-region service) with findings routed to your alerting system.

Monthly security posture review

Regular review of Security Hub findings, new CVEs relevant to your stack, and progress against compliance roadmap.

How it works

A structured approach, not trial-and-error.

1

Security audit

We assess your current posture across IAM, network, data protection, and logging — producing a findings report with severity ratings.

2

Compliance mapping

We map your current controls (and gaps) against your target framework: HIPAA, SOC2, PCI, or the CIS Benchmark.

3

Remediate by priority

Critical findings first. We implement controls in order of risk reduction, with documentation for every change.

4

Continuous monitoring

Security Hub, GuardDuty, and automated policy enforcement keep your posture from drifting as your team builds.

What you can expect

Specific, measurable results — not "improved efficiency."

Zero

Critical findings in your next security review

Prospects, enterprise customers, and auditors will find a defensible posture instead of a list of blockers.

SOC2 / HIPAA

Readiness in 60–90 days

Not certification (that takes longer) — but a documented, auditable posture that puts you on a credible path.

100%

Credentials managed, rotated, and tracked

No more secrets in code, no more forgotten access keys, no more shared passwords in Slack.

Who this is for

This service works best for companies in a specific situation. Here's how to know if it's right for you.

Healthtech SMBs handling PHI

HIPAA compliance is both a legal requirement and a trust signal for healthcare customers. Most cloud environments have significant HIPAA gaps by default.

Fintech companies pursuing SOC2 Type II

SOC2 is increasingly required by enterprise buyers. Getting your cloud controls right is the first and largest part of that work.

SaaS companies fielding security questionnaires from enterprise prospects

That 150-question vendor security questionnaire is answerable — but only if the controls exist. We build the controls and the evidence.

Any company that has never had a formal cloud security review

If you've never had a formal review, there are almost certainly findings. Getting ahead of them now is far less painful than after an incident.

Pricing

Security & Governance is included in the Professional retainer ($2,500/mo) and the Growth retainer ($4,000/mo). For companies with active compliance timelines, project-based engagements are also available. HIPAA or SOC2 readiness work is typically scoped as a project first, transitioning to ongoing monitoring.

Ready to get started?

Schedule a free 30-minute discovery call. No pitch deck. Just an honest conversation about your cloud environment.