Kayla Williams

Co-Founder

Greater Boston · 12 yrs 10 mos experience

Key Highlights

  • SANS CISO of The Year 2024.
  • Expert in cybersecurity and risk management.
  • Proven track record in building enterprise security strategies.

Skills

Core Skills

Consulting · Strategy · CISO Advisory · Security Strategy · Risk Management

Other Skills

Artificial Intelligence (AI) · Professional Services · Information Technology · vCISO · Enterprise Risk Management · Security Maturity Assessment · Executive & Board Reporting · Budgeting & Security Investment Prioritization · AI Governance · AI Risk Management · Third-Party Vendor Management · Privacy Program Strategy · International Security & Privacy Management · GRC as a Service (GRCaaS) · Cybersecurity

About

SANS CISO of The Year 2024 with 10+ years of experience leading cybersecurity, risk management, and data privacy programs across SaaS, cloud, and global financial services sectors. I build and scale enterprise security strategies that align with regulatory frameworks and enable business innovation through secure design. My expertise spans data governance, vulnerability management, application security, and integrating security throughout the software development lifecycle (SDLC). I focus on protecting customer data, reducing risk, and driving operational resilience to enable business growth, ensure compliance, and build trust in complex, cloud-first environments.

Experience

Williams Rose AI Cyber Advisory

Co-Founder and Principal

Mar 2026 - Present · 1 mo

Artificial Intelligence (AI) · Consulting · Professional Services · Information Technology · Strategy

Kayla Williams Consulting

CISO & Principal Security & Privacy Risk Manager

Sep 2025 - Present · 7 mos · Greater Boston · Remote

  • Kayla Williams Consulting provides fractional CISO and senior advisory support to help organizations strengthen cybersecurity, privacy, and AI risk management with a pragmatic, business-aligned approach. As vCISO & Principal Security & Privacy Risk Manager, I partner with founders, executives, and boards to assess risk, set security strategy, and build right-sized governance and controls that scale.
  • Engagements commonly include security program and maturity assessments, roadmap and KPI development, risk register creation and remediation planning, third-party/vendor risk management, cloud/SaaS security reviews, incident response readiness, privacy program support, and audit/compliance alignment. My focus is translating complex risk into clear decisions and prioritized action, reducing exposure while enabling growth and trust.
vCISO · CISO Advisory · Security Strategy · Enterprise Risk Management · Security Maturity Assessment · Executive & Board Reporting

Cybermindz

Advisor

Sep 2025 - Present · 7 mos · Remote

Cyera

Office of The CISO

Feb 2025 - Oct 2025 · 8 mos · Boston, Massachusetts, United States · Remote

Dope.security

Advisor

Sep 2024 - Present · 1 yr 7 mos · Remote

The CISO Society

Member

Aug 2023 - Present · 2 yrs 8 mos · Remote

  • The CISO Society is a private community of CISOs collaborating on everything from security strategy, industry challenges, project roadmaps, technology partners, talent acquisition, leadership and investments.

Team8

Villager - Advisor

Mar 2023 - Present · 3 yrs 1 mo · Remote

  • The Team8 CISO Village is a global community of cyber security senior executives, CISOs and thought leaders from leading enterprises. The Village is an avenue for exchanging ideas, collaborating as an industry, and promoting innovation in cyber security.

Devo

2 roles

CISO

Jan 2022 - Apr 2025 · 3 yrs 3 mos · Remote

  • Promoted to transform, build, and direct an impressive talent pool of security and risk management professionals by designing & implementing a robust security strategy, including automating processes, increasing compliance requirements, and through the M&A transformation process.

VP, IT GRC

Feb 2021 - Jan 2022 · 11 mos · Remote

  • Developed and implemented a cybersecurity framework, consisting of a security policy, control standard, and guidelines;
  • Created and implemented a risk management framework to form the foundation of the security governance process and a Privacy by Design policy to meet global privacy regulation requirements;
  • Established a governance committee for security and operations decisions and projects to deduce executive consensus of risks and remediation activities;
  • Implemented key security policies and processes to achieve and maintain FedRAMP Moderate status;
  • Executed the identity and access management (IAM) program, establishing the guidance for key processes for a successful implementation and maintenance of the IAM program;
  • Managed the CISO Team portfolio of projects and budget;
  • Drove continuous improvement in compliance, risk management, governance, and technical privacy programs aligned to industry and global expectations (GDPR, SOC2TII, and PCI, as required) through gap assessments and coordination of external audit engagements;
  • Established the framework for vendor security reviews through creation of policies and procedures and the procurement of technologies to help continuously monitor critical vendors;
  • Established the policy and led the team that created the vulnerability management program;
  • Managed the implementation of the GRC, Vulnerability Management, and CMDB modules of ServiceNow;
  • Oversaw the global implementation of XDR, MDM, AV, and VPN technologies.

LogMeIn

Global Director, GRC

Feb 2018 - Feb 2021 · 3 yrs · Boston, Massachusetts, United States

  • served as a trusted adviser to the business and technology stakeholders across the enterprise to partner on security, compliance and technical privacy improvements, and manage the life cycle of risk exceptions and acceptances;
  • produced, implemented, and maintained an enterprise-wide security and technology risk framework, and developed a set of enterprise KRIs and minimum standards in line with business objectives, laws, and regulations;
  • established the security, technical privacy and compliance risk strategy, approach and thresholds, risk prioritization, and tolerances across the enterprise;
  • implemented an enterprise-wide security governance structure to discuss security & technical privacy risk and issues impacting LogMeIn;
  • drove continuous improvement in compliance, risk management, governance, and technical privacy programs across a wide portfolio of SaaS products, aligned to industry and global expectations (GDPR, IRAP, SOC2TII/C5, PCI, ISO27001 as required);
  • worked with resource owners to identify company technology assets that require security controls and determine appropriate security policies for identified resources through risk and control assessments;
  • assisted in reviewing existing tools, applications, and processes to help strengthen and optimize current capabilities, as well as identifying any gaps or technical solutions to further enhance the organization's effectiveness;
  • managed the enterprise-wide, multi-phased global roll out of the strategy for the Identity Governance & Administration (IGA) program and implementation of the IGA tool;
  • led the strategy for onboarding the GRC module within ServiceNow;
  • established the first comprehensive physical security framework;
  • developed a Supplier Security Risk program for all new & existing supplier due diligence activities; and
  • assisted four company products in achieving an ISO27001 certification, led the team that manages & facilitated the SOC2TII/C5 engagement for 20+ SaaS products.

Computershare

Senior Risk Manager

Jan 2016 - Nov 2017 · 1 yr 10 mos · Boston, MA, USA, and Bristol, England, UK

  • A senior position, reporting to the US Chief Risk Officer. The role is responsible for supporting the development, implementation, and monitoring of all facets of risk to identify, assess, and mitigate any risk that arises from inadequate or failed processes, people, systems, or external events, while maintaining a balance between risk mitigation and operational efficiency. Key accountabilities include:
  • contributing to the development, implementation, and management of the Global Risk Framework, risk appetite, policies, procedures, and management information requirements;
  • supporting a proactive risk culture across the US Region that is infused across the entire organization;
  • driving provision and maintenance of an accurate and reliable risk profile, partnering with the business areas, and ensuring that all key risks are identified, assessed, monitored, controlled, and reported in a timely fashion;
  • undertaking the review of independent assurance of the adequacy and effectiveness of management of its risks, controls and processes;
  • contributing to the effective governance of the US region by taking an active role in regional risk committees, offering constructive challenge, and helping to support the Committee fulfill its role and responsibilities;
  • facilitating and encouraging informed and constructive debate, and challenging key risk issues, ensuring that management information is provided in an accurate, timely and clear manner, ensuring all activity is undertaken against a background of the agreed risk appetite;
  • leading, driving, and embedding best practice and pragmatic risk/control management across the organization, demonstrating an understanding of the control weaknesses, driving remedial action plans to improve business, and moving towards the agreed risk appetite position;
  • alerting senior management, including the US CRO, immediately of any significant changes to the risk environment, deteriorating exposures, and evidence of emerging risks.

Computershare US

2 roles

Global Program Manager for the Global Information Security & Risk Group

Promoted

Jul 2014 - Jan 2016 · 1 yr 6 mos · City of Bristol, England, United Kingdom

  • A senior position within the Computershare Global Information Security and Risk Group (GISRG). This critical role is responsible for acting as the focal point for global information security and risk related initiatives and monitoring, tracking, and reporting on progress.
  • Key accountabilities include:
  • Developing and maintaining a suite of reporting templates for Global Information Security & Risk Management Services;
  • Providing accurate GISRG Program reporting information in a timely manner;
  • Developing and maintaining GISRG portfolio of services and supporting materials, including presentations;
  • Developing and maintaining a global schedule of GISRG activities to disseminate to all GISRG staff on a regular basis;
  • Holding regular meetings with key members of GISRG in order to understand and report on major group activities;
  • Acting as the focal point and internally coordinating GISRG contribution to global projects, including the Global Information Security & Risk Transformation program.
  • Organizing and managing a GISRG Program Control Board to manage all Global Information Security and Risk projects.
  • Management of the GISRG fiscal budget.
  • Management and coordination of the 3-year GISRG strategy document.

Information Security Technical Advisor

Mar 2013 - Nov 2013 · 8 mos · Boston, Massachusetts

  • The Information Security Technical Advisor (ISTA) is responsible for providing IT Security Advisory and Accreditation services to IT and the business to ensure that the company's IT infrastructure, applications and services are compliant with the company's information security policy.
  • ISTA principal responsibilities are to conduct Information Security Risk Analyses of existing applications and IT projects and to provide information security advice to the business lines of service and IT in response to day-to-day enquiries; such advice covers a wide range of topics including policies and standards, and security awareness. The ISTA may also be required to initiate and manage Information Security Self Certification Reviews for specific third parties. Additional responsibilities include conducting pre-audit assessments, at the request of the individual business lines, and liaising with Computershare Technology Services teams to deliver and interpret the findings of monthly, global perimeter scans to regional stakeholders.
  • The role requires the ability to establish and develop effective, trusting relationships with internal customers, together with a proven knowledge of the methods necessary to assess information security within a large organization. During the course of normal business the ISTA will be required to meet and communicate to staff and Senior Management at the highest level within the company, therefore, the utmost degree of personal presentation, integrity and professionalism are essential.

Computershare UK

Information Security Technical Consultant

Nov 2013 - Jul 2014 · 8 mos · Bristol, United Kingdom

  • Essential responsibilities include, but are not limited to:
  • Provide IT Security Advisory and Accreditation services to IT and the business to ensure that the company's IT infrastructure, applications and services are compliant with the company's information security policy.
  • Perform Information Security Risk Analyses on existing applications and IT projects and provide information security advice to the business lines of service and IT in response to day-to-day enquiries; such advice covers a wide range of topics including policies and standards, and security awareness.
  • Conduct client security engagements:
  • 1) Respond to unique client questionnaires ranging from application security, infrastructure security, human resources and personnel security.
  • 2) Review and amend client security contracts/addendums.
  • 3) Present Computershare's information security controls at client on-site audits and on-site reviews.
  • 4) Ensure Computershare’s externally facing client documentation is relevant, accurate and consistent on a global scale to meet the needs of our clients, including how Computershare meets ISO 27001:2005 and the underlying controls.
  • Participate in third party supplier reviews in conjunction with the Procurement/Vendor Management teams, to include:
  • 1) Initiate and manage information security risk analyses of third party suppliers during the initial bidding phase, or during annual due diligence exercises.
  • 2) Review third party supplier SIGs and other information security documents (policies, standards, and guidelines) provided.
  • 3) Make risk based recommendations to enhance their security structure to meet, if not exceed, our and our clients’ expectations.
  • 4) Review and amend third party supplier contracts to ensure due care is taken when third party suppliers are exposed to company confidential or company restricted information including client data, PII, PFI, and/or employee data.

Education

Lasell University

Master of Science - MS — Project Management

Jan 2004 - Jan 2009

New York University - Polytechnic School of Engineering

Chief Information Security Officer Program — Computer and Information Systems Security/Information Assurance

Feb 2022 - Feb 2023
