Director, Information Security & IT

Kaseware
Denver, CO
Hybrid

About The Position

This is a hybrid role in which employees are expected to work 3 days in-office and 2 days at home.

Do you love building the security and IT foundations that mission-critical software runs on, and do you want to know that your work helps keep communities safer? Kaseware builds case management and investigations software trusted by law enforcement, government, and corporate security teams. The trust those customers place in us – and our continued ability to operate in the most demanding compliance environments – depends on a strong information security and IT foundation. That is where you come in.

We are looking for a Director of Information Security & IT to lead Kaseware’s combined security, compliance, and enterprise IT functions. Reporting to the VP of Product & Technology, you will be the designated Information Security Officer (ISO) for the company and accountable for the controls, audits, and continuous monitoring that keep us authorized to serve our customers. You will lead a small but dynamic team and own the day-to-day health of our enterprise IT environment (endpoints, identity, Microsoft 365, and the corporate network) alongside the security and compliance program.

Requirements

  • Bachelor’s degree in Computer Science, Information Systems, Cybersecurity, Engineering, or a related field, or equivalent professional experience.
  • 10+ years of progressive experience in information security, IT, or compliance roles, with at least 4+ years in a leadership role managing people
  • Demonstrated experience as a named ISO, security lead, or equivalent on a FedRAMP package
  • CISSP required (CISM or CISA accepted as equivalent)
  • Hands-on experience implementing and operating control frameworks: NIST SP 800-53 R5, FedRAMP, DoD IL5, SOC 2, ISO 27001:2022, ISO 27701, and CJIS
  • Working knowledge of StateRAMP, TxRAMP, CMMC, GDPR, and U.S. state privacy laws (CCPA/CPRA), with the ability to build a program that addresses applicable obligations across multiple frameworks
  • Enterprise IT leadership experience – endpoint management (Windows and Mac, MDM tooling such as Intune or Jamf), identity (Microsoft Entra ID, SSO/SCIM/MFA), Microsoft 365 administration, and corporate networking
  • Vulnerability management experience – running scan programs, triaging findings, maintaining a POA&M, and partnering with engineering teams on remediation
  • Strong vendor and customer-facing skills, supporting RFPs, security questionnaires, customer audits, and external auditor engagements
  • Excellent written and verbal communication; strong technical writing skills with a track record of authoring policies, procedures, and audit documentation
  • Working knowledge of software development practices and the security implications of cloud-native architectures (Azure preferred)
  • Self-starter who can operate without close supervision; strong attention to detail and judgment under pressure
  • English language proficiency
  • U.S. citizenship is required for this role due to FedRAMP and DoD environment access
  • Eligibility to obtain a DoD Secret clearance is required; an active Secret clearance is preferred
  • Must be able to pass a full CJIS-compliant, fingerprint-based background check

Nice To Haves

  • CCEP, CRISC, or comparable compliance/risk certifications are a plus

Responsibilities

  • Serve as the named Information Security Officer (ISO), with delegated authority for control implementation, evidence collection, and ongoing attestation
  • Partner with the executive team on overall security strategy, risk posture, and executive reporting to the leadership team
  • Own the compliance program for Kaseware’s active certifications and pursuits, including but not limited to: FedRAMP, SOC 2 Type II, ISO/IEC 27001, State and federal CJIS, StateRAMP and TxRAMP
  • Manage 3PAO and external auditor engagements end to end: planning, evidence collection, walkthroughs, findings, and remediation tracking
  • Maintain the System Security Plan (SSP), Plan of Action & Milestones (POA&M), and continuous monitoring artifacts
  • Author and maintain company security policies, standards, and procedures; perform technical writing as needed
  • Review customer contracts, RFP responses, and partner agreements for compliance and security obligations
  • Lead enterprise IT operations across endpoint management (Mac and Windows, MDM, patching, lifecycle), identity and access management (Entra ID, SSO, SCIM, joiner/mover/leaver), Microsoft 365, and the corporate network
  • Own employee onboarding and offboarding, IT support, and SaaS administration for the corporate environment
  • Drive secure-by-default IT engineering – configuration baselines, vulnerability management, asset and license management, and access governance – in alignment with FedRAMP, CJIS, and ISO 27001 control requirements
  • Own the security incident response program – playbooks, tabletop exercises, communications, and post-incident review – for both security events and compliance violations
  • Coordinate cross-functional response during security incidents, breaches, and compliance escalations; document outcomes and report to leadership and regulatory bodies as required
  • Use lessons learned from incidents to evolve policies, controls, and tooling; integrate findings into continuous monitoring and the POA&M
  • Partner with Engineering on application security findings (penetration tests, SAST/DAST, container scans) where corporate or compliance reporting is required; AppSec ownership remains with Engineering
  • Lead, mentor, and develop a four-person team
  • Recruit and onboard new team members as the program grows; conduct performance reviews and career development planning
  • Lead company-wide security awareness, new-hire training, and role-specific training programs
  • Present compliance posture, audit results, and risk findings to executive leadership and, where appropriate, customers and regulators
  • Support the Sales team on customer-facing security and compliance requirements in RFPs, security questionnaires, and customer audits

Benefits

  • Excellent health, dental, and vision insurance with generous company contribution
  • Flex Spending Accounts
  • Unlimited paid vacation
  • 12 paid company holidays
  • Paid Sick Time
  • Paid Parental Leave
  • 401k with company matching
  • EcoPass provided for Colorado-based employees