Consulting and professional services firms occupy a uniquely exposed position in the cybersecurity landscape. They hold sensitive client data across every industry they serve, from government contracts and financial institutions to healthcare and manufacturing. Their employees work inside client environments, carry client information across organizational boundaries, and operate in hybrid work models that create security challenges at every layer. The CISOs in this feature are protecting the firms that other organizations turn to for expertise, and the irony of that position, being trusted advisors who also have to earn trust through their own security posture, shapes how they build their programs.
Brian Kirk — CISO, Jacobs
Brian Kirk joined Jacobs as CISO in April 2026, bringing a career built across engineering, consulting, and global enterprise security. Before Jacobs, he spent nearly four years as EVP of cybersecurity services at Triaxiom Security, leading a cybersecurity consulting practice serving higher education and corporate clients across CISO advisory, cloud and framework assessments, vulnerability scanning, policy development, tabletop exercises, and network architecture reviews. Before Triaxiom, he spent four and a half years as director of cybersecurity at Elliott Davis, building an enterprise cybersecurity consulting practice from scratch for a regional accounting and advisory firm that expanded to multiple states under his leadership. The deepest stretch of his career, however, was nearly seven years as CISO at CH2M, where he built and managed a global information security program covering 20,000 employees, establishing standardized perimeter security at seven internet points of presence worldwide, creating a global security operations management team spanning the US and Poland, implementing a company-wide SIEM, developing a centralized identity and access management program, and building an insider threat program in coordination with HR and legal. Before his CISO role at CH2M, he spent nearly eight years as network and security manager at the same organization. His career at Jacobs brings that combination of global engineering firm security leadership and consulting practice expertise to one of the world’s largest professional services and solutions companies.
Amy Howland — Partner and CISO, Guidehouse
Amy Howland has served as partner and CISO at Guidehouse since September 2024, overseeing enterprise-wide cybersecurity initiatives for a consulting firm serving government, healthcare, financial services, and commercial clients globally. Her background spans more than twenty-five years across federal and commercial security environments. She served as CISO at Maxar Technologies, a space technology and geospatial intelligence company, growing the cyber team while implementing NIST 800-171 and CMMC controls against elevated external threats. Before Maxar, she was VP and CISO at Perspecta, securing legacy networks during integration into a hybrid cloud environment, and CISO at CSRA, where she successfully merged two legacy company cybersecurity teams and oversaw the buildout of a new secure hybrid cloud network. Earlier in her career she spent ten years at Camber Corporation managing a $30 million-plus cybersecurity division of more than 200 personnel and eight years at Ernst and Young in security and technology solutions, including penetration testing, ethical hacking instruction, and enterprise-wide security strategy consulting for global corporations. That combination of Big Four consulting roots, federal contractor CISO experience, and space technology security leadership gives her a cross-sector depth that is directly applicable to a firm whose clients span every sector of the economy.
Nathaniel Parker — CISO, BCG Federal
Nathaniel Parker has served as CISO of BCG Federal, the public sector arm of Boston Consulting Group, since October 2019, having joined BCG in 2016 as data loss prevention service owner and progressing through information protection manager before stepping into the CISO role. Before BCG, he spent more than eight years at MIT Lincoln Laboratory as information system security officer and senior security engineer, working across classified and sensitive programs at one of the nation’s premier defense research and development laboratories. Before MIT Lincoln Laboratory, he served as information systems security officer at BAE Systems and spent five years as a staff sergeant and Marine Embassy Guard in the United States Marine Corps, serving at posts in Hanoi and Ankara. He also served as a chief warrant officer in the Army National Guard. That progression from Marine Embassy Guard through defense research laboratory security to global strategy firm CISO reflects a career shaped by the discipline and rigor of high-security environments applied to one of the world’s most prominent consulting organizations.
Emmanuel Galanakis — CISO, J.S. Held
Emmanuel Galanakis has served as CISO at J.S. Held since January 2022, having joined the global consulting firm in September 2019 as head of cybersecurity. J.S. Held operates across construction, environmental health and safety, forensic accounting, water and fire restoration, and forensic architecture and engineering, creating a security environment that spans sensitive expert witness data, client case files, and the technical systems supporting some of the world’s most complex legal and regulatory matters. Before J.S. Held, he spent nearly twenty years at Deutsche Bank across global head of end user technology and desktop services, technology portfolio manager, and director of CISO cyber security, where his responsibilities included data security program and engineering, endpoint security, unstructured data access, and Americas identity and access management across a bank operating in more than 80 countries. That two-decade financial services technology and security foundation, applied to a global forensic and consulting firm, gives him an enterprise-grade security perspective at an organization where the sensitivity of client data is measured in legal and regulatory consequence.
Kevin Lewis — CISO, E78 Partners
Kevin Lewis has served as CISO and senior managing director at E78 Partners since January 2024, managing a $30 million P&L and a global team of 70 while executing a cybersecurity transformation that included achieving SOC 2 compliance, eliminating more than $2 million in annual costs through insourcing the help desk, and establishing a company-wide cybersecurity strategy aligned with business objectives. Before E78, he spent nearly ten years as VP of technology and security at The Moret Group, enabling company revenue growth from $280 million to $1 billion while maintaining 99.99 percent system uptime and leading IT integration across fifteen mergers and acquisitions. Earlier in his career he held roles at Leidos Gibbs and Cox as corporate IT security manager for a DoD contractor, and in CIO and IT director roles across the State of New Jersey Judiciary, the New York State Society of CPAs, and Andrew Marc. His career reflects a technology and security leader equally comfortable in the CIO and CISO seats, with a track record of operational and financial turnarounds that shapes how he approaches security as a business enabler rather than a cost center.
Aaron Momin — Global CISO, Synechron
Aaron Momin has served as global CISO at Synechron, a leading digital transformation consulting firm, since May 2024, accountable for cyber risk management, enterprise risk management, information security, crisis management, and business continuity planning. Before Synechron, he spent six years as CISO at Certinia, a cloud ERP and services software company. Before that, he spent nearly seven years as managing director at PricewaterhouseCoopers specializing in data security and confidentiality of corporate assets, and before PwC he founded FirstClassify, a data classification consultancy, and ForfendSecurity, a security advisory firm. His earlier career includes manager roles at Ernst and Young and Accenture, senior security consultant at VeriSign, and security consultant at PricewaterhouseCoopers spanning nearly four years at the start of his career. Thirty years of security consulting, advisory, and executive leadership built across Big Four firms, enterprise software, and now a global digital transformation consultancy reflects a security leader whose career has been oriented around helping organizations understand and manage security risk across genuinely different industry contexts.
The Consulting Sector Has to Practice What It Preaches
Organizations that advise others on security, risk, and governance are held to an implicit higher standard. A security failure at a consulting firm is not just operationally damaging. It is reputationally catastrophic in a way that calls into question the firm’s fundamental credibility with clients who trusted it with their most sensitive matters. The leaders in this feature carry that weight, building programs that have to be as strong as anything they would recommend to their clients, in environments that are just as complex and just as targeted.
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.

