Director, Information Security

About The Position

Requirements

• Minimum of 10 years of experience in Information Security or a related field is required.
• At least 5 years of people management experience leading technical security teams is also required.
• Demonstrated track record of building security programs from a reactive state to a proactive, process-driven posture.
• Multi-framework compliance experience: hands-on ownership of ISO 27001, SOC 2, and at least one additional framework (NIST, HIPAA, or equivalent).
• Technical credibility across vulnerability management, IAM platforms (Okta, Entra ID), and cloud security (Azure preferred).
• Experience leading or contributing to security due diligence in M&A or major customer onboarding contexts.
• BLUF communicator: structures every briefing around the bottom line, with supporting context available but not leading.

Nice To Haves

• Experience managing a security program under a rapidly changing environment and adoption of new technology.
• Experience or a strong perspective on establishing guardrails for AI/LLM adoption, referencing frameworks such as ISO/IEC 42001.
• Familiarity with vulnerability management, IAM platforms, and Azure cloud security standards.
• Relevant certifications: CISSP, CISM, ISO 27001 Lead Implementer or Lead Auditor, CCSP, or Azure Security Engineer Associate.

Responsibilities

• Owns the organizational risk register as a living management tool that reflects current exposure and drives resource decisions.
• Defines what security success looks like for the organization; develops and tracks KPIs that provide senior leadership a transparent, actionable view of risk posture and program ROI.
• Leads, develops, and grows the security team across five operational pillars; establishes clear ownership, career paths, and accountability structures.
• Shifts the security function from reactive, task-driven operations to a proactive, process-driven culture.
• Serves as the organization’s primary security authority; makes risk-based decisions independently within agreed organizational risk appetite.
• Serves as operational lead during and after security incidents — triage, resource coordination, retrospective and escalation to legal counsel and senior leadership per established protocols.
• Oversees execution of ISO 27001 and SOC 2 Type II compliance programs as a unified control framework. Leads audit readiness, evidence collection, and control testing.
• Governs vendor risk management, including third-party security assessments and ongoing vendor performance against security requirements.
• Establishes guardrails for AI/LLM adoption, referencing emerging standards such as ISO/IEC 42001.
• Serves as a cross-functional risk consultant to managers and directors, helping them recognize and articulate risk within their own domains.
• Standardizes and streamlines the response process for customer security inquiries; develops a library of repeatable, high-quality responses.
• Directs vulnerability management operations — scanning, prioritization, remediation tracking, and closure verification.
• Owns the external threat intelligence program, ensuring the team monitors the threat landscape relevant to the organization’s industry.
• Oversees penetration testing engagements including scope definition, vendor selection, and findings remediation.
• Sets IAM strategy and governance including role-based access design, MFA enforcement, privileged access management, and periodic access review cadence.
• Ensures the IAM function operates within a defined governance structure with clear strategic direction.
• Defines and maintains security baselines for cloud infrastructure (Azure), DevOps pipelines, and application development.
• Embeds security guardrails into the development lifecycle as a natural part of engineering — not a gate or afterthought.
• Owns API security standards and cloud security posture management.
• Partners with engineering and architecture to ensure new systems are designed with security first approach to development.
• Owns DR and BCP strategy, annual testing, and tabletop exercises. Ensures recovery objectives are clearly defined, achievable, and aligned with business needs.
• Ensures incident response plans are tested and current before they are needed.
• Operates with full programmatic authority within the organizational risk appetite — makes security decisions independently rather than seeking approval on every call.
• Escalates and provides recommendation to senior leadership on issues requiring executive or legal engagement.
• Briefs the VP of IT and executive leadership using BLUF (Bottom Line Up Front) communication — clear context, current posture, and recommended action.
• Represents the security program during M&A due diligence and new customer onboarding, providing accurate and credible security posture assessments.
• Translates technical risk into business language that non-technical stakeholders can act on without requiring translation.
• Provide clear direction to ensure collective achievement of goals and objectives. Create an environment of respect, collaboration, and open communication.
• Identify and support development needs of direct reports and team members including connecting them to resources both internally and externally to ensure a culture of continuous improvement.
• Create high levels of employee engagement by understanding organizational and personal drivers that impact drivers and developing action plans that deliver increased engagement.
• Set clear goals and expectations for teams, monitor, and enable performance and intervene with appropriate action when performance gaps occur and provide timely, honest feedback. Ensure that associates complete assigned actions by required deadlines.
• All other duties as assigned.

Benefits

• shared success is built through meaningful work, recognition, and opportunities for growth