Director of Information and Data Security

About The Position

Requirements

• Independent, self-starter with strong ownership and execution bias.
• Ability to prioritize and execute in a resource-constrained, fast-paced SaaS environment.
• Strategic thinker with operational depth; able to balance long-term maturity goals with immediate risk mitigation.
• Excellent communication skills with the ability to influence and align cross-functional stakeholders.
• Proven experience setting up IT or cybersecurity programs in a SaaS or technology environment.
• Strong understanding of endpoint protection, cloud infrastructure security (AWS/Azure), IAM, and network security.
• Experience with SIEM and/or XDR deployment and tuning for threat detection and monitoring.
• Familiarity with CSPM, SAST/DAST, and vulnerability management tools.
• Knowledge of GRC frameworks (SOC 2, ISO 27001) and translating them into practical, auditable controls.

Responsibilities

• Oversee endpoint management, asset inventory, and identity and access management (IAM).
• Establish standards for device hardening, patch management, and secure configuration.
• Define and manage the budget for all security and IT tools, services, and human capital, ensuring cost-effectiveness and alignment with the overall security roadmap.
• Implement centralized visibility and control across systems and SaaS applications.
• Lead threat detection, vulnerability management, and incident response operations.
• Implement and maintain a Cloud Security Posture Management (CSPM) solution to monitor cloud infrastructure (AWS/Azure) for misconfigurations and compliance issues.
• Deploy and tune SIEM/XDR solutions to enhance visibility and threat detection across environments.
• Conduct regular penetration testing, track remediation, and drive security awareness programs.
• Define and enforce data protection policies covering classification, encryption, and retention.
• Partner with external GRC consultants to design and operationalize Eltropy’s information security and compliance framework.
• Translate consultant-driven recommendations into actionable internal controls, policies, and monitoring mechanisms.
• Manage the Third-Party Risk Management (TPRM) program, including vendor due diligence, security questionnaires, and ongoing risk monitoring.
• Maintain a centralized risk register and oversee remediation tracking.
• Own operational compliance for frameworks such as SOC 2, ISO 27001, and GDPR.
• Work closely with Engineering and Product teams to embed security-by-design principles in SaaS architecture and cloud deployments.
• Implement automated security testing (SAST/DAST) within the CI/CD pipeline to shift security left and reduce vulnerabilities early in the development lifecycle.
• Review architecture and third-party integrations to ensure alignment with data security and privacy standards.
• Establish and operationalize the company’s Incident Response Plan (IRP) and Business Continuity/Disaster Recovery (BCP/DR) framework.
• Conduct tabletop exercises and post-incident reviews to enhance preparedness and learning.
• Develop and implement a company-wide security awareness program.
• Partner with HR and Operations to ensure onboarding/offboarding includes security compliance and periodic training.
• Foster a security-first culture emphasizing accountability and vigilance across teams.
• Build and lead a high-performing IT and Security team, including IT administrators and cybersecurity engineers.
• Define structure, roles, and hiring priorities aligned with the company’s growth stage.
• Create a phased roadmap for security maturity, including technology adoption and process optimization.