Director, Information Security & IT

Kaseware, Inc.
Denver, CO
Hybrid

About The Position

Kaseware is seeking a Director of Information Security & IT to lead the company's combined security, compliance, and enterprise IT functions. This role serves as the designated Information Security Officer (ISO) and is accountable for controls, audits, and continuous monitoring. The position involves leading a team and managing the day-to-day health of the enterprise IT environment, including endpoints, identity, Microsoft 365, and the corporate network, alongside the security and compliance program. The ideal candidate will be passionate about building security and IT foundations for mission-critical software that helps keep communities safer.

Requirements

  • Bachelor’s degree in Computer Science, Information Systems, Cybersecurity, Engineering, or a related field, or equivalent professional experience.
  • 10+ years of progressive experience in information security, IT, or compliance roles, with 4+ years in a leadership role managing people.
  • Demonstrated experience as a named ISO, security lead, or equivalent on a FedRAMP package.
  • CISSP required (CISM or CISA accepted as equivalent).
  • Hands-on experience implementing and operating control frameworks: NIST SP 800-53 R5, FedRAMP, DoD IL5, SOC 2, ISO 27001:2022, ISO 27701, and CJIS.
  • Working knowledge of StateRAMP, TxRAMP, CMMC, GDPR, and U.S. state privacy laws (CCPA/CPRA), with the ability to build a program that addresses applicable obligations across multiple frameworks.
  • Enterprise IT leadership experience – endpoint management (Windows and Mac, MDM tooling such as Intune or Jamf), identity (Microsoft Entra ID, SSO/SCIM/MFA), Microsoft 365 administration, and corporate networking.
  • Vulnerability management experience – running scan programs, triaging findings, maintaining a POA&M, and partnering with engineering teams on remediation.
  • Strong vendor and customer-facing skills, supporting RFPs, security questionnaires, customer audits, and external auditor engagements.
  • Excellent written and verbal communication; strong technical writing skills with a track record of authoring policies, procedures, and audit documentation.
  • Working knowledge of software development practices and the security implications of cloud-native architectures (Azure preferred).
  • Self-starter who can operate without close supervision; strong attention to detail and judgment under pressure.
  • English language proficiency.
  • U.S. citizenship is required for this role due to FedRAMP and DoD environment access.
  • Eligibility to obtain a DoD Secret clearance is required.

Nice To Haves

  • CCEP, CRISC, or comparable compliance/risk certifications are a plus.
  • An active Secret clearance is preferred.

Responsibilities

  • Serve as the named Information Security Officer (ISO), with delegated authority for control implementation, evidence collection, and ongoing attestation.
  • Partner with the executive team on overall security strategy, risk posture, and executive reporting to the leadership team.
  • Own the compliance program for Kaseware’s active certifications and pursuits, including FedRAMP, SOC 2 Type II, ISO/IEC 27001, State and federal CJIS, StateRAMP and TxRAMP.
  • Manage 3PAO and external auditor engagements end to end: planning, evidence collection, walkthroughs, findings, and remediation tracking.
  • Maintain the System Security Plan (SSP), Plan of Action & Milestones (POA&M), and continuous monitoring artifacts.
  • Author and maintain company security policies, standards, and procedures; perform technical writing as needed.
  • Review customer contracts, RFP responses, and partner agreements for compliance and security obligations.
  • Lead enterprise IT operations across endpoint management (Mac and Windows, MDM, patching, lifecycle), identity and access management (Entra ID, SSO, SCIM, joiner/mover/leaver), Microsoft 365, and the corporate network.
  • Own employee onboarding and offboarding, IT support, and SaaS administration for the corporate environment.
  • Drive secure-by-default IT engineering – configuration baselines, vulnerability management, asset and license management, and access governance – in alignment with FedRAMP, CJIS, and ISO 27001 control requirements.
  • Own the security incident response program – playbooks, tabletop exercises, communications, and post-incident review – for both security events and compliance violations.
  • Coordinate cross-functional response during security incidents, breaches, and compliance escalations; document outcomes and report to leadership and regulatory bodies as required.
  • Use lessons learned from incidents to evolve policies, controls, and tooling; integrate findings into continuous monitoring and the POA&M.
  • Partner with Engineering on application security findings (penetration tests, SAST/DAST, container scans) where corporate or compliance reporting is required; AppSec ownership remains with Engineering.
  • Lead, mentor, and develop a four-person team.
  • Recruit and onboard new team members as the program grows; conduct performance reviews and career development planning.
  • Lead company-wide security awareness, new-hire training, and role-specific training programs.
  • Present compliance posture, audit results, and risk findings to executive leadership and, where appropriate, customers and regulators.
  • Support the Sales team on customer-facing security and compliance requirements in RFPs, security questionnaires, and customer audits.

Benefits

  • Excellent health, dental, and vision insurance with generous company contribution
  • Flex Spending Accounts
  • Unlimited paid vacation
  • 12 paid company holidays
  • Paid Sick Time
  • Paid Parental Leave
  • 401k with company matching
  • EcoPass provided for Colorado-based employees