Cybersecurity. Built by a Lawyer.

Where legal expertise meets technical defense. Your security partner who speaks both languages fluently.

Security Consulting That Actually Understands the Law

Most cybersecurity firms will sell you technical solutions. We give you legal protection. Steele Fortress exists because the industry needed someone who could navigate both NIST frameworks and breach notification statutes, who could deploy encryption while understanding privilege implications, who could respond to ransomware while coordinating regulatory reporting with your counsel.

We are not another faceless consulting firm with sales teams and junior analysts. We are a boutique practice built on deep expertise, direct access, and pragmatic solutions that work in the real world—not just in compliance checklists.

Meet the Founder

Jonathan D. Steele, Esq.

Cybersecurity Consultant | Privacy Advisor | Attorney

Jonathan founded Steele Fortress to solve a problem he saw repeatedly in legal practice: businesses receiving security advice that was technically sound but legally naive, or legal counsel that did not understand the technology.

With a J.D. from law school and CompTIA Security+ certification, Jonathan bridges the gap between legal compliance and technical security. He has deployed encryption systems for law firms handling sensitive litigation, guided healthcare practices through HIPAA breach response, and helped defense contractors achieve CMMC certification.

Before founding Steele Fortress, Jonathan practiced law with a focus on technology, privacy, and data protection issues. He saw clients repeatedly caught between security vendors selling FUD (fear, uncertainty, doubt) and attorneys who could not evaluate technical controls. Steele Fortress was built to be different—expert-level security consulting grounded in legal reality.

What makes Jonathan different: He will not sell you a $500K security stack when $50K of targeted controls will actually solve your problem. He understands that "maximum security" is not the goal—appropriate security that enables your business is. And when an incident happens, he knows both how to contain the breach and how to navigate the legal aftermath.

Certifications & Training

  • ISC2 Certified in Cybersecurity (CC)
  • CompTIA Security+
  • University of Pennsylvania Privacy Law and Data Protection
  • Google Cybersecurity Professional Certificate
  • Johns Hopkins AI for Cybersecurity Specialization

Jonathan is also a practicing family law attorney. Learn more about his legal practice at Steele Family Law.

⚖️ J.D., Juris Doctor

Law degree with focus on technology law, privacy rights, and regulatory compliance

🔐 CompTIA Security+

Industry-recognized certification in cybersecurity fundamentals and best practices

🎯 Dual Expertise

Rare combination of legal training and hands-on technical security experience

Why We Are Different

Plenty of firms can run a vulnerability scan. Very few can tell you whether your incident response plan supports privilege protections or if your data retention policy creates litigation risk.

⚖️ Legal + Technical DNA

We speak both languages fluently. Understanding breach notification laws while performing digital forensics. Interpreting HIPAA while deploying encryption. This dual expertise means you get security solutions that actually comply with the law—not just vendor promises.

🤝 Not Another Faceless Firm

When you call us, you talk to Jonathan—the person who will actually do the work. No sales team handoffs, no junior consultants learning on your dime. You get senior-level expertise on every engagement, every time.

🎯 Pragmatic, Not Paranoid

We will not sell you a $500K security stack you do not need. Our recommendations are proportional to your actual risk profile, budget, and operational realities. Security should enable your business, not cripple it.

🛡️ Privacy-First Philosophy

We build security architectures that protect privacy by design. End-to-end encryption, zero-knowledge systems, and data minimization are not optional add-ons—they are foundational principles in everything we deploy.

Industries We Serve

We focus on sectors where data protection is not optional—it is existential. Industries with strict regulatory requirements, high-value data, and severe consequences for breaches.

🏥 Healthcare

HIPAA compliance, EHR security, patient data protection, and breach prevention for medical practices and healthcare organizations.

⚖️ Legal

Attorney-client privilege protection, litigation hold procedures, secure document management, and ethics compliance for law firms.

🏦 Financial Services

GLBA compliance, fraud prevention, secure payment processing, and customer data protection for financial institutions.

🏭 Manufacturing

CMMC compliance for defense contractors, intellectual property protection, OT/IT security, and supply chain risk management.

💻 Technology

SOC 2 certification, secure SDLC, cloud security architecture, and data protection for SaaS companies and startups.

🏢 Professional Services

Client data protection, regulatory compliance, secure remote work, and cybersecurity awareness training for service firms.

Built on Trust and Results

  • 10+ Years Combined Experience: Legal practice and cybersecurity expertise
  • 100% Client Satisfaction: Zero breaches for clients under active management
  • 24/7 Emergency Response: Direct access to senior experts when you need them
  • <1hr Emergency Triage: Rapid response for active security incidents

How We Work With You

No high-pressure sales, no cookie-cutter solutions. Our engagement process is designed to understand your unique situation and deliver security improvements that actually fit your business.

1. Discovery

Understanding your security posture and goals

  • Initial consultation to understand your business, industry, and security concerns
  • Review existing security controls, policies, and past incidents
  • Identify regulatory compliance requirements (HIPAA, CMMC, SOC 2, etc.)
  • Define success metrics and engagement scope
  • No-obligation assessment of immediate security risks

2. Assessment

Comprehensive evaluation of your security environment

  • Technical security assessment (network, endpoints, cloud infrastructure)
  • Policy and procedure gap analysis against industry frameworks
  • Threat modeling specific to your industry and risk profile
  • Compliance readiness evaluation for applicable regulations
  • Prioritized remediation roadmap with cost/benefit analysis

3. Implementation

Deploying security controls and processes

  • Execute high-priority security improvements first
  • Deploy technical controls (MFA, encryption, monitoring, backups)
  • Develop and implement security policies and procedures
  • Configure security tools and integrate with existing systems
  • Conduct security awareness training for your team

4. Ongoing Support

Continuous monitoring and improvement

  • Regular security reviews and risk reassessments
  • Threat intelligence monitoring and advisory updates
  • Incident response support and emergency assistance
  • Compliance audit preparation and documentation
  • Strategic security roadmap updates as your business evolves

Our Core Values

🎯 Integrity

We tell you what you need to hear, not what you want to hear. If your current security posture is adequate, we will say so—even if it means less business for us. Our reputation is built on honesty, not sales quotas.

🔒 Confidentiality

Your security posture and incidents stay confidential. Period. We do not use client work as case studies without permission, we do not gossip about breaches, and we understand the legal and business sensitivity of everything we touch.

🚀 Adaptability

Threat landscapes shift faster than compliance frameworks can keep up. We stay ahead of emerging threats, new attack techniques, and evolving regulations—so you do not have to. Your security strategy adapts as risks change.

💡 Pragmatism

Perfect security does not exist, and pursuing it will bankrupt you. We focus on cost-effective controls that reduce real risk—not theoretical vulnerabilities that will never be exploited. Security must serve the business, not the other way around.

What We Offer

Comprehensive security and privacy services, from emergency incident response to long-term strategic guidance.

🚨 Incident Response

24/7 emergency support for ransomware, data breaches, and cyber attacks. Rapid containment, forensic investigation, and recovery—with legal expertise to navigate breach notification laws.

🛡️ Virtual CISO (vCISO)

Part-time strategic security leadership without full-time costs. Security program development, risk management, vendor oversight, and board-level reporting.

📋 Compliance Consulting

HIPAA, SOC 2, CMMC, GDPR, CCPA—we guide you through the compliance maze with practical implementations that satisfy auditors without crushing your operations.

🔐 Privacy Consulting

Privacy policy development, data protection strategies, anonymous LLC formation, and privacy-by-design architecture for individuals and businesses serious about data protection.

Frequently Asked Questions

Why should I choose a lawyer for cybersecurity consulting?

Because breaches are not just technical problems—they are legal nightmares. When ransomware hits, you need someone who understands both incident response AND breach notification laws. When deploying security controls, you need expertise in attorney-client privilege, data retention laws, and regulatory compliance—not just firewall rules.

Jonathan's legal background means security solutions that actually protect you from legal liability, not just technical vulnerabilities.

Do you only work with large enterprises?

Absolutely not. We work with organizations of all sizes—from solo practitioners to 100+ person companies. Our flexible engagement models (hourly, project-based, retainer) make expert security accessible whether you are a startup, small business, or established enterprise.

Small businesses are actually our sweet spot—you get enterprise-grade expertise without enterprise pricing.

What makes Steele Fortress different from other cybersecurity firms?

Three things: (1) Legal expertise that most security firms do not have. (2) Direct access to senior consultants, not a rotating cast of junior analysts. (3) Pragmatic recommendations based on your actual risk and budget, not vendor commissions or fear-mongering.

We are a boutique firm that competes on expertise and client service, not sales volume.

Do you work nationwide or only in specific states?

We work with clients nationwide and internationally. Cybersecurity consulting does not require state-by-state licensing (unlike practicing law), and most of our work is performed remotely. We travel on-site for incident response, compliance audits, and executive strategy sessions when needed.

How do you charge for services?

We offer three engagement models: (1) Hourly consulting for one-off projects and incident response. (2) Project-based pricing for defined scope work like SOC 2 certification or security assessments. (3) Monthly retainers for ongoing vCISO services and continuous security management.

All pricing is transparent and provided upfront. No surprise bills, no scope creep without approval.

Can you help with both cybersecurity and privacy consulting?

Yes—that is our specialty. We handle technical security (firewalls, encryption, incident response) and privacy consulting (GDPR/CCPA compliance, privacy policies, data protection strategies). Many firms do one or the other; we do both because modern data protection requires both technical controls and legal compliance.

Ready to Build a Real Security Strategy?

No sales pitch. No obligations. Just a straightforward conversation about your security challenges and whether we are the right fit to solve them.

Here is what happens next:

  • Schedule a 30-minute consultation (free, no strings attached)
  • We will discuss your biggest security concerns and compliance requirements
  • You will get honest feedback—even if that means we are not the right solution
  • If we are a good fit, we will propose a clear scope and transparent pricing