
Regulatory vCISO Keynote Speaker for High-Risk Organizations

For boards, executive teams, and high-risk organizations weighing the gap between compliance tooling and the experienced regulatory leadership audits actually require.

30 years · 200+ assessments · 85 keynotes · 16 books published

Why Carl for Your Boardroom or Executive Audience

The most expensive lesson in regulatory compliance is the one organizations learn at audit. Tooling stacks have grown. Automation has matured. GRC platforms produce dashboards that look reassuring on a Tuesday and collapse the first time an HHS Office for Civil Rights investigator, a CMMC assessor, or a state attorney general asks what is actually behind the green checkmarks. The problem is rarely the tools. The problem is the absence of experienced regulatory judgment sitting above them.

Carl B. Johnson has spent 30 years inside the rules that govern high-risk organizations. As CISO at Cleared Systems, he runs active vCISO engagements every week for healthcare systems, defense suppliers, federal contractors, and technology companies operating under serious regulatory pressure: HIPAA, CMMC, NIST SP 800-171, ITAR, CUI handling requirements, and the rapidly evolving rules around AI and privacy. His keynote work draws directly from those engagements: what is failing in real programs, what auditors and regulators are flagging this quarter, and what experienced leadership actually changes about how a program performs.

For board meetings, executive offsites, audit committee briefings, and CISO roundtables, Carl delivers the kind of content that helps senior leadership ask sharper questions and make better decisions about regulatory oversight — not just at the technical level, but at the governance level where the consequential calls actually get made.

Available Sessions on Regulatory vCISO Leadership

Signature Keynote

Regulatory vCISO Services for High-Risk Organizations

The keynote built from active vCISO engagements across healthcare, defense, federal contracting, and technology. Covers why tools and automation alone keep failing under audit, what experienced regulatory leadership materially changes about program maturity, the failure patterns Carl sees most often inside organizations that thought they were covered, and the governance shape that distinguishes programs that hold up from programs that crack. Audience walks away with a clear-eyed picture of where regulatory judgment belongs in their operating model.

Best for: Executive summits, CISO roundtables, GRC association events, board-and-executive conferences
Duration: 45–60 minutes

Executive Briefing

When Compliance Tools Aren't Enough: What Boards Should Be Asking

Focused briefing for boards, audit committees, and senior executive teams. Skips the technical detail and goes straight to governance: the questions directors should be asking the CIO, CISO, and Chief Compliance Officer about regulatory program maturity, the warning signs that show up before an audit failure, the M&A diligence questions that surface real compliance risk, and the oversight patterns that distinguish well-governed programs from ones running on tool dashboards and hope.

Best for: Boards, audit committees, executive leadership teams, M&A diligence sessions
Duration: 20–30 minutes plus Q&A

Workshop

Building a Regulatory vCISO Function: In-House, Fractional, or Outsourced

Hands-on session for executive teams, compliance leaders, and audit committee chairs evaluating how to bring regulatory leadership into their organization. Covers when a full-time CISO is the right answer versus a fractional or vCISO model, what the function should actually be responsible for, the reporting structure that gives it real authority, the budget shape that's realistic at different organization sizes, and the failure patterns to avoid when standing up the function.

Best for: Executive teams and audit committees evaluating compliance leadership structure
Duration: 3–4 hours

Download the One-Sheet

Get a printable, shareable PDF of this topic — perfect for circulating to your event committee or program chair. Includes the same sessions, audience profile, and FAQs as this page in a 2-page format.

Who This Is For

Audiences where regulatory governance is a boardroom-level concern — the people responsible for oversight, not the people running the controls.

  • Boards and audit committees
  • Executive leadership offsites
  • CISO roundtables and peer groups
  • GRC and compliance association events
  • M&A diligence and integration sessions
  • Private equity portfolio operations forums
  • CFO and CRO leadership events
  • Industry events for highly regulated sectors

What Audiences Walk Away With

  • A clear-eyed view of where compliance tooling stops working and where experienced regulatory judgment has to take over
  • The specific failure patterns Carl sees most often in organizations that thought they were covered
  • A working framework for evaluating whether a full-time CISO, fractional CISO, or vCISO model is right for the organization
  • The governance and reporting structure that gives a compliance function real authority — not just budget
  • The board-level questions that surface real regulatory risk in M&A diligence before it becomes a post-close problem
  • A practical view of what the compliance function should own, what it should challenge, and what it should escalate

Questions Boards and Executive Organizers Ask

Is this content too technical for a board or executive audience?
No. The signature keynote and executive briefing are deliberately calibrated for non-technical leadership. Carl's specialty is translating regulatory complexity into clear decisions board members and executives can actually make — what to ask, what to fund, what to escalate.
Our organization spans multiple regulatory regimes (HIPAA plus CMMC plus privacy, for example). Can the talk address that?
Yes — in fact, multi-regime organizations are where the vCISO conversation matters most. The content is built around the cross-cutting governance and judgment questions that show up regardless of which regulations apply, with sector-specific examples drawn from active engagements.
Can Carl tailor the talk to private equity or M&A diligence audiences?
Yes. Regulatory diligence is one of the most consequential and most poorly performed parts of M&A in regulated industries, and it's a natural focus for PE operating partners, corporate development teams, and audit committees. The pre-event call covers the specific diligence scenarios that matter most for the audience.
Is this a sales pitch for vCISO services?
No. The keynote and briefings are speaking engagements built around the regulatory governance questions executives face — not a product demo. Carl runs an active vCISO practice and will answer questions about how the model works in practice, but the talks are not promotional.
Can Carl handle a CISO-and-engineer audience as well as an executive one?
Yes. Carl works in the technical detail every day — control implementation, audit evidence patterns, regulator interpretation — and is comfortable in a CISO-and-engineer audience as well as a board one. The workshop format is built specifically for that audience.
Does Carl speak at GRC, ISACA, ISC2, IIA, or similar association events?
Yes. These are core audiences for this topic. Submit the event details and audience profile through the contact form and his team will respond with availability and a tailored proposal.

Bring This Talk to Your Event

Submit your event details and Carl's team will respond within one business day with availability and a tailored proposal.