For the last 10 years I have worked as a security architect or security risk manager. Those roles often required me to design security in technical solutions, correct security language in contracts, assessed organizations for acquisition or merger, conduct and respond to auditors in regards to regulatory compliance in an effort to achieve certification or alignment to a security framework. My reviews have covered both pubic and private sector, as well as NIST, various ISOs, and Fedramp.
NOTE: I am not a penetration or vulnerability tester. One will have to be acquired.