Cybersecurity · GRC · AI Governance

A higher vantage point on cyber and AI risk.

STICC helps enterprises and regulated organizations turn security, compliance, and AI governance into board-ready, audit-defensible assurance — mapped to the frameworks your auditors, customers, and regulators already trust.

Aligned to
NIST CSFNIST AI RMFISO/IEC 27001ISO/IEC 42001SOC 2SOXFedRAMPCMMC
Why STICC

No two organizations carry the same risk.

So no two should be handed the same playbook. We start with your environment, your obligations, and your goals — then build a strategy that fits.

🎯

Tailored, not templated

Every engagement is scoped to your unique environment and regulatory obligations — never a copy-paste framework.

🛡️

Audit-grade assurance

Controls and evidence engineered to hold up under auditors, customers, and regulators.

🤝

Business-aligned security

We embed security into business decisions and initiatives instead of bolting it on afterward.

Ready for a clearer line of sight on your risk?

Book a free 20-minute scoping call. We'll confirm fit, recommend an approach, and outline next steps.

About STICC

Tailored assurance for a risk landscape that's anything but standard.

StrongTower InfoTech and Cybersecurity Consultancy (STICC) is a cybersecurity, GRC, and AI governance advisory firm built on a simple premise: no two organizations carry the same risk, so no two should be handed the same playbook. We start by understanding your environment, your obligations, and your goals — then build a strategy that fits, mapped to the frameworks your auditors, customers, and regulators already trust. Whatever the engagement, the outcome is the same: a comprehensive, defensible strategy that turns uncertainty into board-ready assurance — and gives you a clear line of sight over your risk.

Our approach

From blind spots to board-ready.

We serve as the strategic interface between cybersecurity and the business — translating organizational goals into security requirements, and security realities into decisions leaders can act on.

  • Assess — inventory your environment, AI use, data flows, and risk exposure.
  • Map — align current state to the frameworks that matter to your business.
  • Prioritize — rank gaps by severity with a sequenced 30/60/90-day plan.
  • Assure — deliver defensible evidence, and a partner to help sustain it.
Who we serve

Regulated industries, high stakes.

We partner with functional leaders across Finance, Legal, Supply Chain, R&D, and Technology in regulated sectors — financial services, healthcare, pharma, manufacturing, and the defense industrial base.

The through-line: organizations where compliance failures carry real consequences, and where security has to enable the business rather than block it.

Anthony Adeoti
Principal Consultant & Senior Cybersecurity Advisor
10+ years · GRC · IT Audit · IAM · AI Governance
Financial Services · Government / DoD · Consulting
Chicago, IL & remote, nationwide
Credentials

Certified across security, audit & compliance.

  • CISM
  • CISA
  • CCP (Candidate)
  • CC (ISC2)
  • CNSS
  • SC-900
  • ITIL v4
  • ESCP
  • DoD CUI v2024
  • AuditBoard (CMMC / TPRM)
What we do

A full range of services, tailored to your needs.

End-to-end cybersecurity, compliance, and AI governance advisory — scoped to your organization’s specific IT and security priorities.

Governance, Risk & Compliance (GRC)

Program design and maturity across regulatory compliance, risk management, and control frameworks.

Audit & Compliance Readiness

IT audit, control testing, and evidence that holds up to SOC 1/2, SOX, and internal review.

AI Governance

Operationalizing NIST AI RMF, ISO/IEC 42001, and the EU AI Act into controls you can actually run.

IAM Strategy & Access Governance

Closing access gaps without slowing the business down.

Third-Party / Vendor Risk (TPRM)

Programs that scale with your supply chain and your exposure.

CMMC Readiness

Preparing defense-sector and CUI-handling organizations for assessment.

Compliance & Security Consulting

Advisory that aligns security priorities with business strategy.

Hands-On Cybersecurity Training

Practical, role-tailored education that builds a security-aware culture.

Not sure where to start?

Tell us your goals and obligations — we'll recommend the right entry point. Get in touch →

Let's build a strategy that fits.

Every engagement starts with understanding your unique risk. Reach out and we'll take it from there.

AI Governance & Implementation

AI governance, answered.

How to adopt and govern AI safely, lawfully, and defensibly — mapped to NIST AI RMF, ISO/IEC 42001, and the EU AI Act.

What is an AI Governance & Readiness Assessment, and what's included?
It's an audit-grade evaluation of your organization's AI posture against NIST AI RMF, ISO/IEC 42001, and the EU AI Act. You receive a current-state assessment of your AI inventory and use cases, a control-gap analysis with severity and maturity ratings, a prioritized 30/60/90-day roadmap, an executive briefing, and a board-ready assurance artifact you can hand to auditors, customers, and regulators.
Isn't it too early to invest in AI governance?
No — the pressure is already here. Regulators (led by the EU AI Act), enterprise customers, and boards are asking organizations to prove their AI is used safely and lawfully, and “shadow AI” is spreading faster than most policies. If you can't currently answer “are our AI systems safe, compliant, and monitored?” with evidence, that gap is a present risk, not a future one.
Which frameworks do you use to govern AI?
We work primarily from NIST AI RMF (Govern, Map, Measure, Manage), ISO/IEC 42001 (the AI management-system standard), and the EU AI Act's risk-tier model. Wherever possible we map these onto controls you already run — NIST CSF, ISO/IEC 27001, and your existing risk register — so you extend your program rather than rebuild it.
We're deploying generative AI and LLMs. What risks should we be governing?
The priorities typically include data leakage and privacy exposure, prompt injection and misuse, hallucination and accuracy, intellectual-property and licensing issues, model and vendor (third-party) risk, bias and fairness, and the absence of monitoring or an audit trail. We help you identify which apply to each use case and put proportionate controls in place.
How does AI governance connect to our existing security and compliance program?
AI governance is an extension of your GRC program, not a separate silo. We reuse your control frameworks, risk register, third-party risk process, and identity controls, and map NIST AI RMF onto your existing NIST CSF or ISO 27001 baseline — so security stays a business enabler and you avoid duplicated effort.
What does the EU AI Act mean for a US company?
The Act can reach US organizations whose AI systems or outputs are used in the EU. It classifies systems by risk tier (from minimal to prohibited), with documentation, transparency, and conformity obligations phasing in on set timelines, and meaningful penalties for non-compliance. We help you classify your systems and prepare the required evidence. (This is general guidance, not legal advice — we recommend confirming specific obligations with qualified counsel.)
How long does an engagement take, and what does it cost?
Assessments are fixed-scope and fixed-fee. Typical tiers are a Rapid Readiness Snapshot ($3,500, ~1 week), a Standard Readiness Assessment ($6,500, 2–3 weeks), and a Comprehensive Governance Roadmap ($8,500+, 3–4 weeks). A 50% deposit begins the work, with the balance due on delivery — no open-ended billing.
Can you help us implement AI governance, not just assess it?
Yes. Beyond the assessment we help you stand up the program — AI use-case inventory, policies and standards, a target operating model, control implementation, monitoring, and role-based training — so governance is operational and sustainable, not a document that sits on a shelf.
How do you handle AI vendor and third-party model risk?
We apply proven third-party risk methods to your AI supply chain: due diligence and tiering of AI vendors, review of data handling and model provenance, contractual and security controls, and ongoing monitoring — so a model provider's weakness doesn't become your exposure.
How do we get started with AI governance?
Begin with a free 20-minute scoping call. We'll confirm fit, recommend the right assessment tier, and outline next steps — most engagements start within a week of a signed agreement. Reach out by phone or email to book.

Ready to get your AI house in order? Book a consultation →

Turn AI uncertainty into board-ready assurance.

Start with an AI Governance Readiness Assessment — fixed scope, fixed fee, 50% deposit to begin.

FAQ

Answers to common questions.

What STICC does, how we work, and how to get started — in brief.

What exactly does STICC do — and how is a cybersecurity business advisor different from a typical security consultant?
STICC advises enterprises and regulated organizations on cybersecurity, GRC, and AI governance. What sets us apart is the role we play: a strategic interface between the security function and your business units. Rather than handing over a technical report and leaving, we translate your business goals into security requirements and embed risk-informed decision-making into projects, digital transformations, and daily operations — so security enables the business instead of obstructing it.
How do you make cybersecurity a business enabler rather than a blocker?
We start from your strategic objectives, not a checklist. By partnering directly with leaders across Finance, Legal, Supply Chain, R&D, and Commercial, we surface the cyber and regulatory risks that actually matter to each initiative and recommend controls that balance protection with speed to market. The result is governance that supports decisions and momentum, not friction.
Which frameworks, standards, and regulations do you work across?
Our depth spans the control frameworks and regulations that regulated organizations answer to, including NIST CSF, NIST SP 800-53, CIS Controls, ISO/IEC 27001, ISO/IEC 42001, SOC 1 and SOC 2 (Type 2), SOX, COSO, COBIT, FFIEC, PCI-DSS, GLBA, GDPR, HIPAA, FedRAMP, OWASP Top 10, and CMMC. We map your current state to whichever of these apply to your business and obligations.
We're preparing for a SOC 2, SOX, or ISO 27001 audit — can you get us ready?
Yes. Audit and compliance readiness is core to what we do. We plan and execute the engagement end to end — risk assessment, control design and testing, evidence and documentation — and help you manage both internal and external audits, so you walk in prepared and walk out with findings that hold up.
Do you handle AI governance and emerging AI regulations?
Yes — AI governance is a core focus and a fast-moving risk area. We operationalize NIST AI RMF, ISO/IEC 42001, and the EU AI Act into practical controls, classify your AI systems by risk tier, and deliver a prioritized roadmap so you can adopt AI confidently and defensibly.
What is CMMC readiness, and can you help defense contractors handling CUI?
CMMC (Cybersecurity Maturity Model Certification) applies to Department of Defense contractors and their supply chains that handle Controlled Unclassified Information (CUI). Led by a Certified CMMC Professional (CCP) candidate with current DoD CUI training, we assess your posture against the required practices, close the gaps, and prepare you for formal assessment.
How do you approach third-party and vendor risk (TPRM)?
We build vendor and third-party risk programs that scale with your ecosystem — from onboarding due diligence and tiering to continuous monitoring and contractual controls — so a supplier's weakness doesn't become your breach. Our approach draws on modern TPRM tooling and audit-tested methods.
Can you build our security awareness program and train our teams?
Yes. We promote secure behaviors and a culture of security awareness across business units, and we partner with your enterprise training teams to deliver tailored, role-based education — practical sessions designed for how your people actually work, not generic slideware.
What does a typical engagement look like, and what are your credentials?
Most engagements follow a disciplined path — Assess, Map, Prioritize, Assure — beginning with a short scoping call and ending in documented, defensible evidence. Work is led by a Principal Consultant holding CISM, CISA, CNSS, ISC2 CC, ITIL v4, SC-900, and ESCP credentials, with 10+ years across GRC, IT audit, IAM, and business-aligned cybersecurity in regulated industries.
Where are you located, how do we engage, and how are engagements priced?
We're based in Chicago, IL and serve clients locally and remotely, nationwide. Engagements are scoped to your specific needs with a clear, fixed scope and fee — no open-ended billing. The best first step is a free 20-minute scoping call: we'll confirm fit, recommend an approach, and outline next steps.

Still have a question? Get in touch →

Contact

Start the conversation.

Book a free 20-minute scoping call, or reach out directly. We serve clients in Chicago and remotely, nationwide.

Send us a message

Tell us about your goals and we’ll respond within one business day.

Location & service areaChicago, IL — serving clients remotely, nationwide
HoursMon–Fri, 9:00 AM – 6:00 PM CST