Hire the Best Certified Information Systems Security Professionals (CISSP)
Colorado Springs, Colorado
"Top Rated Plus" cybersecurity consultant and published author with 25+ years of experience specializing in penetration testing. Clients hire me when they need senior-level testing that includes clear scoping, reporting that drives remediation, and efficient execution. I've led red team and penetration testing work for Fortune 100 enterprises, government agencies, and startups. My assessments are designed to simulate realistic attacker behavior, prioritize what matters most, and produce results that are easy for technical teams to reproduce and fix.

Areas of expertise:
- Web application testing (OWASP Top 10, authentication/session flaws, access control, input validation, SSRF, IDOR, RCE)
- API testing (token/session handling, authorization boundaries, input validation, business logic, fuzzing where appropriate)
- Internal and external network testing (Windows, Linux, hybrid) with segmentation and control validation
- Active Directory testing (enumeration, privilege escalation simulation, attack path validation)
- AWS and Azure security reviews (misconfigurations, IAM privilege analysis, exposure discovery, logging and monitoring validation)
- Compliance-aligned testing and guidance (PCI DSS, HIPAA, CIS, NIST and more)

What you can expect:
- Strong communication, documented scope, and no surprises
- Findings prioritized by real-world impact, not just scanner output
- Executive summary plus actionable remediation steps your team can use immediately
- Optional live debrief and remediation testing

Certifications: CISSP, CCSP, ISSMP, AWS Security Specialty, AWS Solutions Architect, CCNP Security, and more. Published author of multiple penetration testing books and a frequent security conference speaker.
- Information Security
- Certified Information Systems Security Professional
- Penetration Testing
- Network Security
- Network Penetration Testing
- Cloud Security
- Cybersecurity Management
- Red Team Assessment
- OWASP
- Security Assessment & Testing
- Kali Linux
- Ethical Hacking
- Web Testing
- Vulnerability Assessment
- Application Security
Tucson, Arizona
Need an effective, defensible, responsibly-priced cybersecurity program? My consultancy has helped a wide variety of organizations - from smaller SaaS startups to larger Fortune 1000 brands you know and trust - realize comprehensive, integrated, end-to-end cybersecurity aligned with:
- Institutional goals and internal risk appetite.
- Client supply chain questionnaires / contract requirements.
- Industry and regulatory requirements (e.g. GLBA, PCI-DSS, HIPAA, NYS DFS 23 NYCRR 500, DFARS / CMMC)
- NIST Cybersecurity Framework (CSF) and / or good industry practices (e.g. SOC Readiness, NIST Special Publications 800-30, 800-37, 800-53, 800-171)

My consulting practice is reputable, insured, and responsibly priced, and you can expect quality results, because I'm an award-winning, former IT / cybersecurity leader with:
- Two decades of experience.
- M.Sc. in Information Security & Assurance
- M.B.A. in Information Technology Management
- A wide variety of advanced industry certifications, including the CISSP and CISA.

Beyond cybersecurity program compliance, I can represent your organization as a Chief Information Security Officer on a cost-effective, fractional basis supporting any further cybersecurity needs, including:
- Risk assessments.
- Audit response / defense.
- Vulnerability scanning & penetration testing.
- Policy development (e.g. Incident Response, Vulnerability Management, Secure Development)
- Disaster recovery & business continuity planning.
- Third-party risk / supply chain reviews.
- Cybersecurity marketing (e.g. architecture diagrams and white paper development that illustrate, showcase good practices)
- Capability / tool implementation & support (e.g. Data Loss Prevention, Multi-Factor Authentication)

Wherever your organization stands in its cybersecurity journey, I'm almost always able to come up with a responsible, defensible solution within the budget available - often at a fixed cost - so please book a consultation with me to discuss your unique circumstances!
- Certified Information Systems Security Professional
- Application Security
- IT Compliance Audit
- HIPAA
- Vulnerability Assessment
- Security Infrastructure
- Information Technology Strategy
- Email Deliverability
- Network Security
- Security Analysis
- Security Assessment & Testing
- PCI DSS
- SOC 2
- NIST Cybersecurity Framework
- Cybersecurity Management
Oakley, California
Organizations don't fail because they lack technology. They fail because security weaknesses remain undiscovered until attackers exploit them. I help startups, enterprises, and government organizations build secure, compliant, and resilient environments. I do not provide generic recommendations or automated scan reports. I deliver actionable security insights, practical remediation strategies, and measurable improvements that directly support business objectives. When clients engage me, they gain a security partner capable of understanding both technical challenges and business requirements.

Expertise:
- Penetration Testing (Web, API, Network, Cloud)
- Vulnerability Assessment & Risk Management
- ISO 27001, SOC 2, NIST & Security Compliance
- Cloud Security (AWS & Azure)
- DevSecOps & CI/CD Security
- Identity & Access Management (IAM)
- Windows & Linux System Administration
- Security Architecture & Infrastructure Hardening
- SIEM, Security Monitoring & Incident Response

What I Deliver:
- Comprehensive Security Assessments
- Actionable Remediation Recommendations
- Compliance Gap Analysis & Readiness Support
- Cloud & Infrastructure Security Reviews
- Secure DevOps Implementation
- Security Policies, Standards & Procedures
- Risk Reduction & Security Improvement Strategies

Why Work With Me?
- 15+ Years of Proven Cybersecurity Experience
- Expertise Across Security, Compliance, Infrastructure, and Cloud
- Business-Focused Security Solutions
- Strong Technical and Strategic Leadership
- Deep Understanding of Modern Threat Landscapes
- Clear Communication and Executive-Level Reporting
- Trusted Advisor for Long-Term Security Initiatives
- Hands-On Experience with Complex Security Environments

Cybersecurity is no longer optional. A single vulnerability, misconfiguration, or compliance failure can lead to financial loss, operational disruption, regulatory penalties, and reputational damage. If you're looking for a cybersecurity professional who combines deep technical expertise with a business-focused approach, let's discuss how I can help secure your environment. Connect with me today!
- Information Security
- Penetration Testing
- Network Security
- Cloud Security
- Cloud Testing
- Threat Detection
- Microsoft Azure
- Compliance
- SOC 2
- Linux System Administration
- Vulnerability Assessment
- DevOps
- ISO 27001
- Risk Assessment
- Incident Response Plan
- Google Workspace Administration
- Data Analysis
- Encryption
- Investigative Reporting
- Information Security Audit
Tonbridge, United Kingdom
You need security that actually works - not a report that says it does. The organisations I work with want to find the vulnerabilities that matter, fix them with confidence, and get on with growing their business without security becoming the thing that stops them.

I have delivered over 1,000 commercial penetration tests across 27 years. Not side projects. Not internal assessments. Full mission-critical engagements for high street and investment banks, hedge funds, insurance firms, government departments, police, military, national infrastructure, retailers, law firms, airports and more. I led the security architecture for the Athens 2004 Olympics internet-facing systems. I was lead architect on the UK Cyber Essentials scheme at launch. I have published in commercial security press and guest lectured at universities.

There is a difference between someone who does penetration testing and someone who has seen every flavour of environment, every attack pattern, and every way organisations deceive themselves about their security posture. That difference is what you are hiring.

Where can I help:
- Network & Infrastructure Penetration Testing - adversarial testing of internal and external infrastructure, finding exploitable exposures before an attacker does.
- Application Penetration Testing - web application and API security testing against real attack patterns: authentication, authorisation, input handling and business logic flaws.
- Microsoft 365 Security Assessment - Entra ID, Conditional Access, PIM, Intune, DLP, sensitivity labelling, Exchange Online and Defender for Office 365.
- Azure Security Assessment - identity and access management, network controls, storage and key management, Defender for Cloud posture, and monitoring coverage.
- Google Workspace, GCP & AWS Security Assessments - configuration and access control assessments across Google and Amazon cloud environments.
- Security Architecture and Risk Advisory - senior technical input on architecture decisions, control design and risk without a full engagement commitment.

Every engagement is delivered directly by me - David Morgan, founder of Metis Security. No account management layer, no junior handoffs, no templated output. You work with the person conducting the analysis and writing the report.

How I work is as important as what I find. Every finding in my reports is one I will defend as genuinely material to your environment. No padding, no low-hanging fruit included to justify the fee, no default risk ratings copied from a scanner. If your context changes the risk, the rating reflects that.

What you receive:
- A visually structured report with clear separation between executive summary, findings and remediation roadmap - written to be read by people who are not security specialists
- Risk ratings adjusted to your specific environment and context, not defaulted from a tool
- A prioritised remediation roadmap so your team knows exactly what to fix first and why it matters commercially
- Immediate escalation of any high-risk finding or schedule-affecting issue during the engagement - you are never waiting until the end to hear something important
- Daily status updates so you always know where the engagement stands
- A debrief call at close to walk through findings, answer questions and finalise the report before it is delivered

CISSP | ISSAP | Microsoft Security certifications | 27 years

If you need to know whether your environment is genuinely secure - not whether it looks configured - I am worth a conversation.
- Penetration Testing
- Web Application Security
- Network Penetration Testing
- Office 365
- Microsoft Azure
- Cloud Security
- Network Security
- Vulnerability Assessment
- Security Assessment & Testing
- Cybersecurity Management
- Zero Trust Architecture
- Security Analysis
- Google Cloud Platform
- Google Workspace
- Amazon Web Services
- NIST Cybersecurity Framework
- Microsoft 365 Copilot
- Internet Security
- Information Security Audit
- Information Security Consultation
Boerne, Texas
I am the founder of BetterCyber Consulting, a cybersecurity consulting and managed services firm specializing in startups, small businesses, and mid-sized companies. As an Upwork Expert-Vetted Cybersecurity Consultant, I help businesses identify risks, implement security controls, and meet compliance requirements without unnecessary costs or complexity. My experience in cybersecurity includes positions at Fortune 100 companies like PayPal and Marathon Petroleum. I hold several security certifications and earned a master's degree in Information Security Engineering from The SANS Technology Institute.

I offer the following cybersecurity services:
- Technical Security Assessments - Security reviews for AWS, Azure, Google Cloud, Microsoft 365, Google Workspace, Slack, and more.
- Penetration Testing - Web, cloud, mobile, and on-premises security testing.
- Compliance Assessments - NIST 800-171 & 800-53, FedRAMP, ISO 27001, CIS Controls, CMMC, HIPAA, and SOC 2.
- Security Strategy & Architecture - Build scalable security programs.
- Incident Response & Threat Mitigation - Detect and respond to threats.
- Managed Security Services - Ongoing security monitoring and advisory.
- Virtual CISO (vCISO) Services - Security leadership for businesses without a full-time CISO.
- Information Security
- Cybersecurity Management
- Security Policies & Procedures Documentation
- Penetration Testing
- Email Security
- Security Analysis
- Security Engineering
- Information Security Awareness
- Information Security Audit
- Internet Security
- Cloud Security
- Risk Assessment
- CMMC
- NIST SP 800-53
- PCI DSS
Manama, Bahrain
Trusted Advisor. Get Audit-Ready in 6 Weeks - Guaranteed. Confused by compliance? I translate complex regulations into simple, actionable steps. Whether you need to win enterprise trust with ISO 27001 or unblock sales with a SOC 2 report, I provide the fastest, most cost-effective path to certification.

Why hire a consultant when you can hire a Strategic Partner? As the Founder of Axipro, I've led over 100 successful certifications in the last year alone. We don't just "give advice" - we handle the heavy lifting.

THE GRC TOOL EXPERT
Are you struggling with your automated GRC platform? I am an official partner and power user of:
- Drata (Gold Partner)
- Vanta (Expert Implementation)
- Secureframe, Thoropass, Sprinto, Scrut, & more.

I can help you get your progress running in record time and even provide discounted subscription rates through our MSSP partnership.

ONE-STOP COMPLIANCE SHOP
- Policies & Procedures: Custom-tailored, audit-ready documentation.
- Risk Management: Deep-dive assessments that protect your business.
- Security Questionnaires: Get them off your desk and submitted in hours, not weeks.
- Vulnerability Assessment and Penetration Testing: Remediation recommendations and detailed reports to improve security posture
- CPA Attestation: We have in-house CPAs to sign off on your SOC 2 Type 1 & 2 reports.

GLOBAL STANDARDS COVERED
ISO 27001, 9001, 14001, 45001, 27701, 27017, 27018, 42001 (AI) | SOC 2 Type 1 & 2 | HIPAA | PCI DSS | GDPR | FedRAMP | NIST CSF | CMMC | TISAX | HITRUST | SAMA NCA

WHAT CLIENTS ARE SAYING
"Ali is a lifesaver. He got us SOC 2 certified through Vanta and saved us months of work." - Founder, Druxia (USA)
"Knowledgeable, professional, and incredibly responsive. Ali got us across the line with Drata for ISO 27001." - Founder, Tilt Legal (AUS)

THE AXIPRO ADVANTAGE
10+ Years Experience: Lead Engineer & Auditor minds
- SOC 2
- ISO 27001
- IT Compliance Audit
- HIPAA
- SOC 2 Report
- PCI DSS
- AI Compliance
- Data Privacy
- GDPR
- Governance, Risk Management & Compliance
- Penetration Testing
- Information Security Consultation
- AI Governance
- AI Security
- CMMC
- ISO 14001
How to Hire Top Certified Information Systems Security Professional (CISSP)
What is a CISSP?
A CISSP is an independent information security specialist who is certified by the International Information System Security Certification Consortium (ISC)². A CISSP offers a minimum of five years of direct, full-time security work experience in at least two of the (ISC)² information security domains and can be found via Upwork.
How do you hire a CISSP?
You can source CISSP talent on Upwork by following these three steps:
- Write a project description. You'll want to determine your scope of work and the skills and requirements you are looking for in a CISSP.
- Post it on Upwork. Once you've written a project description, post it to Upwork. Simply follow the prompts to help you input the information you collected to scope out your project.
- Shortlist and interview a CISSP. Once the proposals start coming in, create a shortlist of the professionals you want to interview.
Of these three steps, your project description is where you will determine your scope of work and the specific type of CISSP you need to complete your project.
How much does it cost to hire a CISSP?
Rates can vary due to many factors, including expertise and experience, location, and market conditions.
- An experienced CISSP may command higher fees but also work faster, have more-specialized areas of expertise, and deliver higher-quality work.
- A contractor who is still in the process of building a client base may price their CISSP services more competitively.
Which one is right for you will depend on the specifics of your project.
How do you write a CISSP job post?
Your job post is your chance to describe your project scope, budget, and talent needs. Although you don't need a full job description as you would when hiring an employee, aim to provide enough detail for a contractor to know if they're the right fit for the project.
Job post title
Create a simple title that describes exactly what you're looking for. The idea is to target the keywords that your ideal candidate is likely to type into a job search bar to find your project. Here are some sample CISSP job post titles:
- Senior security administrator needed for FinTech company
- Certified security specialist wanted to oversee company's risk management efforts
- Network security specialist needed to lead our security architecture program
Project description
An effective CISSP job post should include:
- Scope of work: From software development to overseeing risk management, list all the deliverables you'll need.
- Project length: Your job post should indicate whether this is a smaller or larger project.
- Background: If you prefer experience with certain industries, certifications, or environments, mention this here.
- Budget: Set a budget and note your preference for hourly rates vs. fixed-price contracts.
CISSP job responsibilities
Here are some examples of CISSP job responsibilities:
- Develop and manage company's security operations
- Establish security governance and risk management for Fortune 1000 company
- Oversee company's business continuity and disaster recovery planning
CISSP job requirements and qualifications
Be sure to include any requirements and qualifications you're looking for in a CISSP. Here are some examples:
- Bachelor's degree in IT or IS
- Minimum three years overseeing corporate risk management program
- Understanding of all required certifications for department security staff