Data Security Compliance Director

Syllo•New York, NY

3d•$140,000 - $175,000•Remote

About The Position

Syllo is a legal technology company building infrastructure that law firms and legal teams trust with sensitive data. Compliance isn't a checkbox here — it's a product feature. We're looking for a Data Security Compliance Director to own our certification programs, manage vendor security relationships and processes, own the accurate and timely completion of our security disclosures in the sales context, and keep our posture audit-ready year-round. This role sits at the intersection of compliance and engineering. While this role does not own the security of our technical stack from an engineering perspective, you will work directly with technical teams to implement controls, close evidence gaps, and translate technical postures and requirements into concrete and well communicated action.

Requirements

5+ years in information security compliance, GRC, or a closely related function
Hands-on experience managing ISO 27001 and SOC 2 audits — not just supporting them
Direct experience working with engineering teams on control implementation, log configuration, access reviews, or infrastructure hardening
Direct experience responding to and issuing VSQs and security questionnaires
Demonstrated technical experience and fluency
Familiarity with vendor risk management programs and tiering methodologies
Working knowledge of common control frameworks: ISO 27001, SOC 2, NIST CSF, CIS Controls
Hands-on experience with Vanta or a comparable GRC platform (Drata, Secureframe, Tugboat Logic)
Cloud IAM and access control models, logging and monitoring pipelines (CloudTrail, SIEM fundamentals), endpoint management, and encryption at rest and in transit
Working knowledge of cloud-native environments (AWS, GCP, or Azure) and how controls apply in practice
Clear written communication — you'll be writing policies, audit responses, and customer-facing materials
Technically fluent enough to engage in and evaluate critically architecture reviews and engineering threads, evaluate proposed control fixes, and identify gaps that a purely compliance-focused lens would miss
Organized under pressure — audit cycles don't move, and you'll manage multiple workstreams simultaneously
Collaborative — compliance happens through engineering, legal, and operations, not around them

Nice To Haves

Familiarity with legal or regulated-industry data requirements is a plus
CISSP, CISM, CRISC, ISO 27001 Lead Implementer/Auditor, or equivalent
Candidates with a technical background (engineering, infrastructure, DevSecOps) who have moved into GRC are strongly encouraged to apply.

Responsibilities

Maintain and continuously improve our Information Security Management System (ISO 27001). Manage internal audits, corrective actions, and annual surveillance cycles through Vanta.
Coordinate evidence collection, liaise with external auditors, and drive remediation across engineering and operations (SOC 2 Type II).
Lead vendor security assessments, manage VSQ responses (inbound and outbound), and maintain a tiered vendor risk register.
Author, review, and update security policies, standards, and control mappings across frameworks. Maintain alignment as the business scales.
Engage directly with engineering on control implementation — access reviews, logging pipelines, encryption configuration, and infrastructure hardening.
Respond to customer security questionnaires and due diligence requests. Represent Syllo's security posture in enterprise sales conversations.
Run the formal risk assessment process. Identify gaps, assign ownership, and track remediation to closure.
Coordinate security awareness training and phishing simulation programs.
Work with our Operations Engineering team and broader leadership to design and implement effective automations for as much of the security stack and responsibilities as can be automated.