Director, Information Security

Soleno Therapeutics, Inc., Redwood City, CA
$220,000 - $250,000

About The Position

The Director, Information Security will report to the VP & Head of IT and will be accountable for designing, implementing, and operating Soleno’s cybersecurity program in a regulated biopharmaceutical environment. This role is intentionally hands-on and execution-oriented, while also operating at a strategic level—partnering with Legal, Compliance, QA, Finance, People, and business leaders to reduce risk, ensure audit readiness, and protect Soleno’s digital crown jewels. The Director will lead security operations, governance, and continuous improvement aligned with CIS controls, GxP expectations, SOX, HIPAA, and global privacy regulations, while enabling the business to move fast and securely.

Requirements

  • Bachelor’s degree in information security, Computer Science, Information Systems, or related field.
  • 8+ years of progressive experience in IT security or cybersecurity.
  • 3–5+ years in a leadership or senior individual contributor role with hands-on accountability.
  • Experience in biotech, pharmaceutical, healthcare, or other regulated industries strongly preferred.
  • Demonstrated experience supporting audits, inspections, and compliance reviews.
  • Proven, hands-on experience with incident response, security investigations, and post-incident remediation.
  • Strong expertise in vulnerability management, including scanning, prioritization, remediation tracking, and validation.
  • Deep understanding of identity providers and identity security, including IAM, MFA, RBAC, and Privileged Access Management (PAM).
  • Experience implementing and operating data security and Data Loss Prevention (DLP) controls.
  • Hands-on experience with SIEM platforms, security logging, alerting, and threat detection.
  • Strong understanding of network and cloud security concepts, including VPNs, SASE, firewalls, secure network segmentation, and zero-trust principles.
  • Proven experience securing cloud platforms (AWS and Azure), including secure architectures and cloud governance models.
  • Familiarity with cloud-native security services, such as AWS GuardDuty, AWS Security Hub, Azure Security Center / Defender for Cloud.
  • Experience developing and maintaining IT and security policies, standards, and configuration baselines, including BYOD and endpoint security policies.
  • Working knowledge of security and risk frameworks such as NIST, CIS Critical Security Controls, and ISO 27001.
  • Ability to support incident investigations, perform root cause analysis, and drive preventative remediation actions.
  • Hands-on experience with modern security tools and platforms such as CrowdStrike (endpoint detection and response for protecting corporate and regulated workloads), Vanta (continuous compliance evidence collection and audit readiness), Cisco Umbrella (secure DNS, web gateway, and cloud-delivered security), Meraki (secure network and device management), BeyondTrust (privileged access management and credential protection), KnowBe4 (security awareness and phishing resilience), and similar technologies—applied in a business-aware manner to reduce risk while enabling productivity.
  • Ability to create custom scripts and tools for ad-hoc investigations, endpoint analysis, and security automation.
  • Strong capability to produce clear, compelling security reports and executive-level updates that translate technical risk into business impact, regulatory exposure, and prioritized actions for executive leadership, Legal, Finance, and audit stakeholders.
  • Strong execution mindset with the ability to operate hands-on while thinking strategically.
  • Excellent communicator with the ability to engage executives, auditors, and technical teams.
  • Pragmatic risk manager with sound judgment in regulated environments.
  • High integrity, accountability, and passion for protecting patients, data, and the company.

Nice To Haves

  • Advanced degrees or certifications preferred.
  • CISSP (Certified Information Systems Security Professional) or CISM (Certified Information Security Manager) to demonstrate strong security leadership and governance foundations.
  • CISA (Certified Information Systems Auditor) for audit, risk, and compliance alignment.
  • Certifications aligned to recognized frameworks and standards such as:
      • NIST Cybersecurity Framework (CSF) and NIST 800-53 / 800-61 familiarity
      • CIS Critical Security Controls (implementation and operationalization)
      • ISO/IEC 27001 / 27002 (information security management systems)
  • Cloud security certifications such as Azure Security Engineer Associate or AWS Certified Security – Specialty are strongly preferred.

Responsibilities

  • Cybersecurity Strategy & Execution
      • Define and execute Soleno’s enterprise IT Security and Cybersecurity strategy, aligned with business growth, commercialization, and pipeline expansion.
      • Translate risk assessments and CIS-based gap analyses into practical, prioritized remediation roadmaps.
      • Balance security rigor with business agility, ensuring security enables—not blocks—innovation.
  • Hands-On Security Operations
      • Own day-to-day security operations, including:
          • Identity and Access Management (IAM)
          • Endpoint security and MDM
          • Network and cloud security
          • Vulnerability management and remediation
      • Partner with IT Operations and Infrastructure teams to embed security into systems, processes, and platforms.
      • Lead penetration testing, security assessments, and ongoing control validation.
  • Governance, Risk & Compliance (GRC)
      • Establish and maintain security policies, standards, and procedures aligned to:
          • CIS Critical Security Controls
          • GxP / FDA expectations
          • SOX ITGCs
          • HIPAA and global privacy requirements (GDPR, CCPA)
      • Partner closely with Legal, Compliance, QA, and Finance to support audits, inspections, and regulatory inquiries.
      • Ensure security controls are documented, auditable, and operationally effective.
  • Cloud & Infrastructure Security
      • Lead security architecture and controls across Azure and AWS environments.
      • Ensure secure configuration, monitoring, and logging across cloud workloads.
      • Partner with Infrastructure teams on:
          • Network segmentation
          • Secure remote access
          • Backup, disaster recovery, and business continuity
  • Incident Response & Resilience
      • Own and continuously improve Soleno’s Security Incident Response program.
      • Lead tabletop exercises, incident simulations, and post-incident reviews.
      • Ensure readiness for cybersecurity incidents with clear escalation, communication, and recovery procedures.
  • Third-Party & Vendor Security
      • Lead third-party risk management, including security due diligence, questionnaires, and risk assessments.
      • Partner with Procurement and Legal on security requirements in vendor contracts.
      • Ensure vendors handling regulated or sensitive data meet Soleno’s security standards.
  • Collaboration with Data & AI Initiatives
      • Partner with the Director of Data Analytics & AI to ensure:
          • Secure data platforms and pipelines
          • Responsible and compliant AI usage
          • Strong access controls, monitoring, and data protection
      • Embed security and privacy-by-design into analytics and AI initiatives.
  • Leadership & Culture
      • Build and mentor a small, high-impact IT security team and/or managed service partners.
      • Promote a shared responsibility model for security across the organization.
      • Drive security awareness, training, and adoption across employees and contractors.