Mike Cullen

Mike Cullen



+1 (703) 923 8339

Leave a messagearrowCreated with Sketch.

Mike is a principal and the higher education cybersecurity and IT risk leader with the firm. He helps clients tackle cybersecurity, data and information technology risks. He works with clients in multiple industries with a dedicated focus and extensive experience with higher education, research institutions, not-for-profit organizations and government contractors.

Since 2001, he has been executing various cybersecurity, privacy and IT assessments, myriad of IT internal audits, risk reviews for large transformation projects and numerous IT compliance projects.

Currently, Mike leads multifaceted practice teams with industry specialization all with the goal of helping clients protect data and systems and enhance cybersecurity and IT risk management practices.

  • Interfaces with various client personnel from analysts to chief officers (e.g., information, business, financial, executive) as well as boards and trustees to advise and report on cybersecurity and IT areas in the appropriate context and without technical jargon
  • Delivers reports tailoring those cybersecurity and IT concepts into actionable observations and practical recommendations
  • Develops IT strategies including related guidance, practices and roadmaps for organizations focused on aligning IT operations with IT strategies that support an organization’s overall mission, strategic plans and goals
  • Empowers clients to address the opportunities and challenges posed by various cybersecurity and IT frameworks, laws, regulations and standards such as: FERPA, HIPAA, HITECH Act, PCI DSS, GLBA, NIST CSF, NIST SP 800, CMMC, ISO 27000, CIS Critical Controls, FAR/DFARS and GDPR
  • Advises on various, large-transformation projects including myriad of system implementations by providing project management, risk management, resource management, issue management and strategy guidance before, during and after implementation/go-to-live
  • Provides IT contract and vendor process consulting in the areas of enhancements to risk assessment, project deliverable, compliance and best practices in order to reduce client risk when working with vendors
  • Information Systems Audit and Control Association (ISACA)
  • International Association of Privacy Professionals (IAPP)
  • International Information Systems Security Certification Consortium (ISC2)
  • Institute of Internal Auditors (IIA)
  • “Compliance Potpourri, IT, Privacy and Data Security,” “Getting Practical about Privacy,” “Cybersecurity threats in higher education,” “Protecting your institution with effective cybersecurity governance,” “Auditing your institution’s cybersecurity incident/breach response plan,” “Conducting a system implementation risk review at higher education institutions,” “Cyber risk emerging trends and regulatory update,” and, “Using IT Audit to Your Advantage,” Association of College and University Auditors (ACUA), presenter
  • “Cyber Risk for Foundations,” “The Board’s Role in Cybersecurity,” and, “Cybersecurity Issues That Keep You Up at Night,” Association of Governing Boards (AGB), presenter
  • “The Cybersecurity Headache,” Association of Healthcare Internal Auditors (AHIA), author
  • “IT Risk Assessment: Learn from Our Work, Leverage at Your Campus,” “Digital Transformation in a Time of Uncertainty,” and, “CMMC Latest Developments and How to Prepare,” EDUCAUSE, presenter
  • “A Framework for Auditing Mobile Devices,” Institute of Internal Auditors (IIA) GRC and All-Star conferences, presenter
  • “More Malware, Less Ransomware in Higher Ed,” Inside Higher Ed, contributor
  • “Cybersecurity Issues in Research,” “CMMC Should Scare You – Latest Developments and How to Prepare,” and, “Research Data Discussion Group,” National Council of University Research Administrators (NCURA), presenter
  • “CMMC and Cybersecurity – Addressing Now and Planning for the Future” and, “CMMC and Cybersecurity for Research Data,” Society of Research Administrators International (SRAI), presenter
  • “CMMC Should Scare You,” Society of Corporate Compliance and Ethics (SCCE), presenter
  • “PCI Compliance Crackdown,” UniversityBusiness.com, contributor


Washington, DC


Bachelor of Science in business information technology

Virginia Polytechnic Institute and State University

Mike's latest insights

Mike's upcoming events