Star City Security Consulting (SC2) is the small, by-appointment vCISO and security consulting practice of Ben Craton, based in Lafayette, Indiana. This is an independent, after-hours consulting service, not affiliated with any other employer or organization.
I help small to mid-sized organizations design practical security and privacy programs without the enterprise-grade noise—focusing on right-sized controls, honest compliance, and tools you can actually use.
- Fractional vCISO and security leadership for Lafayette-area businesses
- Open source tools and templates first; by-appointment consulting when you need a guide
- Strictly limited client slots to ensure focused, direct work—no handoffs to juniors, and all work is performed outside of standard business hours.
Disclaimer: This consulting practice is operated independently and outside of my primary employment. It is not affiliated with, endorsed by, or in competition with my employer. All services are provided after hours and by appointment only.
Who I work with
I work with organizations in and around Tippecanoe County that need security leadership but do not need - or cannot justify - a full-time CISO.
- Local professional services (law, accounting, healthcare practices)
- SaaS and software companies under security or compliance pressure from customers
- Community and regional organizations handling sensitive data (education, non-profits, local government)
I am based in Lafayette and primarily serve local clients, with selected remote engagements when there is a strong fit.
vCISO services
Rather than a long menu of offerings, I focus on three opinionated engagements built around outcomes.
Security & Privacy Baseline (4–6 weeks)
A focused engagement to understand where you stand and what matters most next.
- Interviews and light discovery of your systems, vendors, and data flows
- Prioritized list of findings and risks, explained in plain language
- One-page security roadmap you can share with leadership
- 3–5 specific controls you can implement immediately
This is often the best starting point, whether or not you continue with ongoing vCISO support.
vCISO Essentials (3–12 months, limited slots)
Part-time security leadership for organizations that need a CISO’s responsibilities without a full-time hire.
- Regular cadence (for example, one standing session per month)
- Guidance on incidents, vendor and security questionnaires, and customer expectations
- Practical policy and control work aligned to frameworks such as CIS, NIST, or the Secure Controls Framework
- Coaching internal owners so security work is distributed instead of centralized
I keep a small number of active vCISO clients at a time so there is enough attention for each engagement. New work is scheduled by appointment and may involve a short wait.
Compliance & Customer Assurance (project-based)
Support for organizations facing compliance, customer, or partner pressure around security.
- Preparing for audits or customer security reviews (for example, SOC 2-style expectations or vendor assessments)
- Clarifying security and privacy commitments in contracts and documentation
- Updating policies and procedures so they match how your organization actually operates
The goal is to make your security story clear, honest, and sustainable - not a binder of controls that no one follows.
Tools, templates, and open source
Much of my work is codifying repeatable security and privacy tasks into small tools, templates, and checklists. These are available under open source or permissive licenses; if they help you, we can work together to tailor and operationalize them.
Planned and existing resources:
- Security intake questionnaire – a simple way to evaluate new vendors, projects, or integrations
- Incident snapshot template – a lightweight structure for capturing and communicating incidents
- Controls mapping starter – a minimal mapping between common controls and your environment (for example, CIS, NIST, Secure Controls Framework)
As these tools are published, they will be linked here and on my code hosting (GitHub, Codeberg, etc.).
If you are using one of these tools and want help adapting it to your environment,
About SC2 and Ben Craton
I have more than 20 years of experience across software development, operations, application protection, and compliance management. My work has included healthcare and Medicaid systems, application security engineering, and leading compliance and security programs for SaaS products.
Along the way I have earned certifications such as CISSP and PMP, and worked with frameworks including ISO-style medical technology standards, Scrum, and the Secure Controls Framework. I bring that mix of technical depth and program experience to organizations that need pragmatic, not theatrical, security.
SC2 is intentionally a one-person practice. If we work together, you work directly with me - no handoffs to juniors or rotating account teams.
Read more about me on my bio page or on my LinkedIn.
Pricing
I do not publish a price sheet because each engagement depends on your size, urgency, and what you are trying to achieve.
Most work falls into one of three shapes:
- A fixed-scope Security & Privacy Baseline
- A monthly vCISO Essentials retainer
- A time-bound Compliance & Customer Assurance project
For planning purposes: baseline engagements typically land in the low four figures for local organizations (e.g. the price of a decent laptop), and ongoing vCISO retainers are designed to feel reasonable for small to mid-sized teams - not enterprise budgets.
During our first conversation, I’ll suggest one of these shapes (or tell you if I’m not the right fit) and give you a clear price and scope before we start.
Working together
Consulting is limited and by appointment. I reserve most of my time for developing tools and frameworks and for a small number of ongoing vCISO clients.
If you think we might be a fit:
- Send a short note about your organization, what you are trying to achieve, and any deadlines you are under
- I will respond with availability and, if appropriate, a suggestion for a short introductory call