RMKeefer Advisory LLC — Washington, DC

Security leadership, translated.

Fractional CISO services for nonprofits, healthcare organizations, and privacy-regulated firms. Executive-grade security programs — without the executive-grade overhead.

Not every organization needs a full-time CISO.

Many need senior security leadership — applied with discipline, translated for non-technical executives, and sized to their actual risk profile.

Nonprofits & Foundations

Mid-sized organizations ($25M–$500M budget) navigating donor data protection, state privacy laws, and boards asking harder questions about security posture. We understand how mission-driven organizations make decisions.


Global & GDPR-Exposed Organizations

Organizations with European operations, EU donors, cross-border data flows, or international funding relationships where US-only security thinking falls short. GDPR compliance is not an afterthought here — it's a core competency.

Healthcare & Health-Tech

Organizations needing HIPAA maturity, HITRUST readiness, or a security voice their patients, customers, and regulators will respect. We've built security programs at health plans — on both sides of the audit table.


Organizations in Transition

Post-breach, pre-audit, between CISOs, or building a security program for the first time. The structured first-30-days engagement means you have a board-ready deliverable in hand before month one ends.

Results

$7M+

In potential GDPR penalties avoided through proactive program build and regulator engagement before enforcement action.

90%

Reduction in security event detection timeline across a mid-market security operations program.

$50M

Customer contract renewed — anchored by demonstrated security program maturity during enterprise vendor review.

Services & Pricing

Three engagement tiers. Transparent, fixed pricing.

Scope grows with maturity and regulatory complexity. All tiers include E&O and cyber liability insurance coverage, Blanket Additional Insured, and a structured first-30-days onboarding.

Foundational
$6,500/month

~20 hours per month
For organizations building a security program from a standing start, or moving beyond ad-hoc IT security.

  • Baseline gap assessment — NIST CSF 2.0

  • Core policy suite review, gap remediation, or full authoring

  • Quarterly board & executive reporting package

  • Monthly 60-minute executive session

  • Email responsiveness within one business day

Standard
$9,500/month

~30 hours per month
For organizations under active compliance pressure — SOC 2, HIPAA, ISO 27001, GDPR, or state privacy law.

  • Everything in Foundational, plus:

  • Risk register establishment & ongoing maintenance

  • Vendor & third-party risk program

  • Compliance framework alignment (one named framework)

  • Incident response plan + annual tabletop exercise

  • Monthly board & executive reporting package

  • Biweekly 60-minute executive session

Executive
$12,500/month

~45 hours per month
For organizations with complex regulatory environments, international operations, active M&A, or regulator-facing exposure.

  • Everything in Standard, plus:

  • Multi-framework compliance oversight

  • Direct board presentation cadence (quarterly minimum)

  • Regulator-facing support — auditors, regulatory inquiries, customer security reviews

  • M&A & diligence security support (up to 2 per year)

  • Active incident leadership (advisory)

  • Weekly 60-minute executive session

Robert Keefer

RMKeefer Advisory was founded by Robert Keefer — a security practitioner who has spent 25+ years building programs inside organizations, not above them.

Robert has led security across nonprofits, healthcare plans, and global enterprise organizations, and has held the CISO title directly. He brings the practitioner depth that distinguishes a former CISO from a career consultant.

He carries the credentials boards expect — CISSP, CEH, and an MBA — and brings the business fluency that produces board-ready reporting, not technical jargon.

He doesn't sell fear. He doesn't sell frameworks. He builds disciplined, business-aware security programs that your CFO and your auditor can both sign off on.

  • CISSP — Active

  • CEH — Active

  • MBA — Washington State University

  • ISSA Chapter President — Two Terms

Speaking and Publications:

  • Gartner / Evanta CISO Summit

  • SecureWorld

  • Converge Conference

  • Co-Author, Published

  • Beyond the Alert Podcast

Common Questions

If you don't see your situation here, we should still talk. Fit beats framework.

Q: How is this different from a consulting firm vCISO?

You work directly with Robert — not a rotating cast of associates. The person on the intro call is the person presenting to your board a quarter later. Most boutique vCISO firms use a senior name to close the engagement and juniors to deliver it. That's not the model here.

Q: What does the first 30 days look like?

Week 1: document review and stakeholder interviews.
Week 2: baseline gap assessment against NIST CSF 2.0.
Week 3: draft 12-month roadmap with named owners and timeline.
Week 4: roadmap review and first board or executive briefing.
By day 30 you have a board-ready deliverable regardless of what you do next.

Q: We already have an IT team and an MSP — do we still need this?

Yes; those relationships become more effective with a strategic layer on top. The MSP runs your tools. RMKeefer Advisory sets direction, writes policy, reports to the board, and keeps the MSP accountable to a coherent plan. We sit at different levels and work better together.

Q: What happens during an active security incident?

Robert's role is advisory — running executive and board communications, coordinating outside counsel and forensic responders, and managing regulator notification timelines. Executive-tier clients receive direct incident leadership within committed monthly hours; larger incidents are scoped via change order.

Q: What does this cost compared to a full-time hire?

Standard tier at $9,500/month ($114,000/year) is roughly 20–25% of a full-time CISO's fully loaded cost. For most mid-sized nonprofits and healthcare organizations, that's the difference between having senior security leadership and not having it.

Q: What about insurance — are you covered?

RMKeefer Advisory carries E&O (professional liability) and cyber liability coverage, with Blanket Additional Insured on all policies. Certificates of insurance are available on request and provided at contract signing.

Q: Do you do hands-on technical work?

No. RMKeefer Advisory advises, sets strategy, and governs. Your team — or your vendors — execute. That division of labor is what keeps the engagement priced correctly and the outcomes high. Every hour spent on implementation is an hour not spent on the strategic work you're actually paying for.

Ready to talk?

Start with a 30-minute intro call. No obligation — just a direct conversation about whether RMKeefer Advisory is the right fit for your organization.

Contact Details

Email: [email protected]
LinkedIn: https://www.linkedin.com/in/rmkeefer
Phone: (202)491-9117