Director of Information Security

RevOptimal, New Orleans, LA
6d

About The Position

We are hiring a hands-on Director of Information Security to design, operate, and mature a security, privacy and compliance program that protects our data, enables secure vendor & partner integrations, and keeps RevOptimal audit-ready for SOC 2 and other certifications. You will help design and build a secure cloud architecture, lead SOC 2 and ISO 27001:2022 readiness, drive Zero Trust adoption, own security operations and incident response, and be accountable for privacy compliance across US state laws and GDPR. The role also includes hands-on IT operations for a small company (<20 employees).

What you'll do:

Security strategy & architecture

  • Define and execute the company security strategy and roadmap across cloud, data, application, and infrastructure security.
  • Lead the design and pragmatic implementation of Zero Trust architecture principles (identity-centric controls, least-privilege access, micro-segmentation, device posture and conditional access).
  • Design and enforce secure cloud architecture patterns (AWS best practices for S3, IAM, KMS, VPCs, cross-account roles and clean-room integrations).
  • Implement secure key management, encryption at rest / in transit, and data classification & retention standards appropriate for sensitive data.

Compliance, GRC & Privacy (SOC 2, ISO 27001 & Data Privacy)

  • Own SOC 2 readiness, audit lifecycles and evidence automation.
  • Lead ISO 27001:2022 readiness and the ISMS lifecycle when appropriate (scoping, risk assessment & treatment, SoA, internal/external audits).
  • Own data privacy compliance frameworks across relevant regimes: US state privacy laws (e.g., CPRA/CCPA and other state statutes) and EU GDPR. Responsibilities include:
  • Maintain a comprehensive data map / Record of Processing Activities (RoPA) covering personal data flows, storage locations, retention and processors.
  • Run Data Protection Impact Assessments (DPIAs) for high-risk processing and partner integrations.
  • Operate a DSAR / DSR process (data subject access/deletion/portability requests) and ensure timely responses that meet legal deadlines.
  • Manage Data Processing Agreements (DPAs) and contractual privacy controls with vendors and partners.
  • Implement and enforce privacy-by-design/default controls and data minimization across technical and product solutions.
  • Ensure lawful cross-border data transfer mechanisms (e.g., SCCs, adequacy assessments, and technical safeguards) and document them appropriately.
  • Operate and maintain compliance automation tooling (e.g., Vanta) and privacy management tooling; track remediation and evidence collection.

Security operations & engineering

  • Build and operate detection & monitoring (centralized logging, alerting and lightweight SIEM).
  • Manage vulnerability scanning, third-party pen testing, remediation workflows and risk treatment.

Partner & cloud integrations

  • Secure onboarding and hardening of partner integrations (S3 buckets, IAM roles, cross-account access, clean-room patterns).
  • Assess and govern third-party security and privacy posture with technical and contractual controls.

IT operations & employee support

  • Manage day-to-day IT for a company <20 people: device lifecycle (MDM), endpoint protection, SSO/MFA, Google Workspace/Slack/Atlassian administration, onboarding/offboarding and enforcement of 2FA.
  • Own vendor relationships for IT/security/privacy services and provide escalated IT support.

Team, communication & culture

  • Evangelize security and privacy across the company: training, phishing simulations, privacy awareness.
  • Report security and privacy KPIs to executives (SOC 2/ISO coverage, Zero Trust adoption, DSAR SLAs, MTTR).

Requirements

  • 7+ years of professional experience in information security, with at least 3 years in a leadership/managerial role.
  • Hands-on cloud security experience in AWS (S3, IAM, KMS, CloudTrail, CloudWatch, VPCs, cross-account roles).
  • Proven experience leading SOC 2 readiness and audit programs and operating compliance automation tools.
  • Practical experience implementing Zero Trust principles in cloud environments.
  • Practical experience with GDPR and with US state privacy laws (CCPA/CPRA and/or other modern state privacy statutes), including DSAR/DSR handling, DPIAs, RoPA, DPAs and breach notification processes.
  • Strong operational security capabilities (vulnerability management, IR, logging/monitoring, IAM, encryption).
  • Practical IT operations experience for small companies (MDM, SSO/MFA, onboarding/offboarding).
  • Excellent written and verbal communication skills.
  • Formal security certification preferred (CISSP, CISM).

Nice To Haves

  • Experience directly driving or supporting ISO 27001:2022 certification and managing an ISMS.
  • Privacy certifications: CIPP/US, CIPP/E or equivalent.
  • Experience designing and implementing Zero Trust at scale and familiarity with NIST SP 800-207.
  • Familiarity with privacy and governance tooling (OneTrust, TrustArc, BigID) and with SOC 2 automation (Vanta).
  • Infrastructure as code experience (Terraform/CloudFormation) and secure CI/CD pipelines.
  • Experience with global privacy topics (Schrems II implications, SCCs, adequacy) and with managing cross-border transfer risk.
  • Familiarity with CPRA, Virginia, Colorado, Connecticut, Utah privacy rules and breach notification regimes.

What This Job Offers

Job Type

Full-time

Career Level

Director

Education Level

No Education Listed

Number of Employees

11-50 employees

© 2024 Teal Labs, Inc