Practitioner. Executive. Speaker.
- Name: Jim Nitterauer
- Title: Fractional CISO
- Certifications: CISSP #547941 · CISM #1192800
- Experience: 30+ years in information security
- SOC 2 Track Record: 4 consecutive Type II audits · Zero exceptions · 2 organizations
- Conference Appearances: 15+ conferences including DEF CON main track, RSA, FBIIC-FSSCC
Jim Nitterauer is a strategic information security executive with over 30 years of experience building and leading enterprise security, IT, and compliance programs. He combines rare technical depth with executive-level communication: the same person who spoke on the DEF CON main track is the one who reported quarterly to the board.
At Graylog, Jim delivered four consecutive SOC 2 Type II audits with zero exceptions, reduced corporate tooling spend by 30%, and built an AI security governance framework before regulators required one. He has managed simultaneous SOC 2, ISO 27001, PCI DSS, HIPAA, and SOX audit programs not sequentially, but concurrently.
At Zix, Jim transformed audit evidence collection from hardcopy documentation into a fully automated process by deploying a GRC platform with built-in cross-framework mapping, with every criterion referenced back to NIST 800-171. He did this while multiple services acquired through an acquisition were being added to the scope of the annual Sarbanes-Oxley audit and of other customer-required security standards, including AICPA SysTrust, AICPA SOC 2 Type II, Payment Card Industry (PCI) DSS, and ISO 27001. The result was significant time savings: a streamlined audit process and more efficient audit completion at year end.
He founded and grew one of the first web hosting companies in the Southeast, which gives him a perspective on security from the business owner's side of the table that most security executives don't have.
30 years of building things that work.
- Led 2025 SOC 2 Type II audit — zero findings
- Built AI security governance framework for entire organization
- Deployed Cloudflare Zero Trust + EntraID SSO globally
- Sustained Microsoft Security Score above 98%
- Reduced tooling expenditure 30% through vendor consolidation
- Reported directly to Board of Directors on risk and compliance
- Three consecutive SOC 2 Type II audits with zero exceptions
- Reduced IT onboarding from hours to under 10 minutes via automation
- Deployed CrowdStrike Falcon EDR + 24/7 SOC monitoring
- Elevated to Acting CISO for 500+ employee organization during OpenText acquisition
- Managed simultaneous PCI DSS, SOC 2, SOC 2+HITRUST, SOX, ISO 27001 audits
- Led Enterprise Risk Management program formalization
- Built Pandemic Preparedness program with board-level briefings
- Managed SecureSurf DNS security platform across 7 global data centers
- Spoke at DEF CON main track, BSides Las Vegas, DerbyCon, and 10+ conferences
- Led GDPR compliance effort with 6-person team
- Core member of Systems Engineering team managing all AppRiver production services across nine global data centers
- Architected and built the log aggregation cluster using Graylog and Elasticsearch — foundational work that led to a later role at Graylog, Inc.
- Engineered DNS security infrastructure using F5 iRules, custom alerting, and anomaly detection for DDoS mitigation
- Managed 18 F5 BIG-IP load balancers, BGP routing, global DNS infrastructure, and Microsoft Active Directory across nine data centers
- Revitalized web hosting and managed services company post-Hurricane Ivan
- Virtualized a 40-server infrastructure using VMware and Nexenta SAN
- Expanded service offerings to Metro Ethernet, colocation, and managed hosting
- Minority owner of successor company First City Internet following OpenText acquisition of Zix | AppRiver
- Founded and grew one of the first web hosting and web development companies in the Southeast
- Scaled client base to over 400 customers; built all infrastructure from scratch
- Managed a team of five including programmers, designers, and content writers