Associate Director, Information Security

Iambic Therapeutics, Inc
San Diego, CA
Onsite

About The Position

We have an established information security program and are looking for a hands-on Associate Director to grow it and take it to the next level. This is a practitioner role as much as a leadership role — you will be directly involved in the work across governance, IT, cloud security, software, and DevOps. The immediate strategic priority is expanding our security posture into the software development lifecycle, embedding cloud security practices across our internally developed SaaS environment, while maintaining and maturing our governance, risk, and compliance foundation. You will work to obtain and maintain our ISO certification, partnering closely with IT leadership, R&D, and the broader organization to continuously raise the security bar across the company. This role reports to the VP of IT and carries significant visibility to the CTO and senior leadership.

Requirements

  • 12+ years of progressive information security experience with a strong track record of hands-on technical execution
  • Direct, practitioner-level experience in at least two of the three domains: GRC, IT security operations, and application/cloud security
  • Experience collaborating with or embedding security within software engineering or product organizations
  • Deep working knowledge of ISO 27001, including post-certification program management and audit readiness
  • Familiarity with SOC 2, NIST CSF, HIPAA, SOX IT General Controls, and related frameworks
  • Hands-on understanding of application security principles, secure SDLC practices, and cloud security (AWS, Azure, or GCP)
  • Able to write and maintain clear, practical policies and standards directly, without relying on external consultants or pre-built templates
  • Strong risk assessment skills with the ability to translate technical findings into business impact for non-technical audiences
  • Experience supporting or preparing for a SOX readiness assessment or IPO-related compliance effort
  • Direct experience with GRC platforms (Vanta, Drata, Tugboat Logic, or similar) and security tooling across endpoint, identity, SIEM, and AppSec domains
  • Pragmatic and mission-driven; energized by doing meaningful work in a fast-moving clinical-stage environment

Nice To Haves

  • Regulated industry experience strongly preferred; life sciences, biotech, or pharma background is a meaningful plus
  • CISM, CISSP, or CRISC certification preferred; AWS Security Specialty, CCSP, or equivalent a plus

Responsibilities

  • Drive and mature the company-wide information security program and strategy, including managing policies, standards, risk assessments, and the enterprise risk register
  • Act as the primary internal authority on information security operations, advising leadership and department heads on risk and priorities
  • Develop security metrics and reporting for technical and executive stakeholders
  • Serve as a working technical mentor to security analysts, providing hands-on guidance, knowledge sharing, and day-to-day direction across IT and cloud security domains
  • Own ISO 27001 certification and maintenance, including audits, evidence collection, and improvement
  • Directly manage controls rationalization across frameworks (ISO 27001, SOC 2, NIST CSF, SOX ITGC) to support evolving compliance requirements
  • Lead and execute the vendor and third-party risk management program
  • Establish and maintain information security controls in alignment with life sciences regulatory requirements, including 21 CFR Part 11 and GxP
  • Partner with the Software, cloud security, and DevOps teams on expanding industry-standard security practices into the software development lifecycle
  • Actively participate in security operations across the corporate IT environment, including hands-on involvement in endpoint security, identity and access management, vulnerability management, and security monitoring
  • Define cloud security governance standards and policies for SaaS-hosted environments and oversee compliance
  • Own and continuously improve the company-wide security awareness and training program
  • Champion a realistic, risk-based security culture across a diverse workforce spanning research, clinical, and corporate functions

Benefits

  • company paid healthcare
  • flexible spending accounts
  • voluntary life insurance
  • 401K matching
  • uncapped vacation
  • onsite gym
  • onsite dining