Star City Security Consulting (SC2) is the small, by-appointment vCISO and security consulting practice of Ben Craton, based in Lafayette, Indiana. This is an independent, after-hours consulting service, not affiliated with any other employer or organization.
We help small to mid-sized organizations design practical security and privacy programs without the enterprise-grade noise—focusing on right-sized controls, honest compliance, and tools you can actually use.
- Fractional vCISO and security leadership for Lafayette-area businesses
- Open source tools and templates first; by-appointment consulting when you need a guide
- Strictly limited client slots to ensure focused, direct work, with no handoffs to juniors; all work is performed outside of standard business hours
Who we work with
We work with organizations in and around Tippecanoe County that need security leadership but do not need - or cannot justify - a full-time CISO.
- Local professional services (law, accounting, healthcare practices)
- SaaS and software companies under security or compliance pressure from customers
- Community and regional organizations handling sensitive data (education, non-profits, local government)
We are based in Lafayette and primarily serve local clients, with selected remote engagements when there is a strong fit.
vCISO services
Rather than a long menu of offerings, we focus on three opinionated engagements built around outcomes.
Security & Privacy Baseline (4–6 weeks)
A focused engagement to understand where you stand and what matters most next.
- Interviews and light discovery of your systems, vendors, and data flows
- Prioritized list of findings and risks, explained in plain language
- One-page security roadmap you can share with leadership
- 3–5 specific controls you can implement immediately
This is often the best starting point, whether or not you continue with ongoing vCISO support.
vCISO Essentials (3–12 months, limited slots)
Part-time security leadership for organizations that need a CISO’s responsibilities without a full-time hire.
- Regular cadence (for example, one standing session per month)
- Guidance on incidents, vendor and security questionnaires, and customer expectations
- Practical policy and control work aligned to frameworks such as CIS, NIST, or the Secure Controls Framework
- Coaching internal owners so security work is distributed instead of centralized
We keep a small number of active vCISO clients at a time so there is enough attention for each engagement. New work is scheduled by appointment and may involve a short wait.
Compliance & Customer Assurance (project-based)
Support for organizations facing compliance, customer, or partner pressure around security.
- Preparing for audits or customer security reviews (for example, SOC 2-style expectations or vendor assessments)
- Clarifying security and privacy commitments in contracts and documentation
- Updating policies and procedures so they match how your organization actually operates
The goal is to make your security story clear, honest, and sustainable - not a binder of controls that no one follows.
Tools, templates, and open source
Much of our work is codifying repeatable security and privacy tasks into small tools, templates, and checklists. These are available under open source or permissive licenses; if they help you, we can work together to tailor and operationalize them.
Available now:
- zigmark – A Markdown parser and renderer written in Zig. Free for noncommercial use; commercial licensing available through SC2.
See the Projects page for details and updates as these are released.
About SC2 and Ben Craton
Ben Craton, SC2’s founder and principal consultant, has more than 20 years of experience across software development, operations, application protection, and compliance management. That work has included healthcare and Medicaid systems, application security engineering, and leading compliance and security programs for SaaS products.
Along the way we have earned certifications such as CISSP and PMP, and worked with frameworks including ISO-style medical technology standards, Scrum, and the Secure Controls Framework. We bring that mix of technical depth and program experience to organizations that need pragmatic, not theatrical, security.
SC2 is intentionally a small practice. If we work together, you work directly with Ben - no handoffs to juniors or rotating account teams.
Read more on the bio page or on LinkedIn.
Pricing
We do not publish a price sheet because each engagement depends on your size, urgency, and what you are trying to achieve. Most work falls into one of three shapes:
- A fixed-scope Security & Privacy Baseline
- A monthly vCISO Essentials retainer
- A time-bound Compliance & Customer Assurance project
For planning purposes: baseline engagements typically land in the low four figures for local organizations (e.g. the price of a decent laptop), and ongoing vCISO retainers are designed to feel reasonable for small to mid-sized teams - not enterprise budgets.
During our first conversation, we will suggest one of these shapes (or tell you if we are not the right fit) and give you a clear price and scope before we start.
Working together
Consulting is limited and by appointment. We reserve most of our time for developing tools and frameworks and for a small number of ongoing vCISO clients.
If you think we might be a fit:
- Send a short note about your organization, what you are trying to achieve, and any deadlines you are under
- We will respond with availability and, if appropriate, a suggestion for a short introductory call