About The Position

The Director of Security and Compliance is a critical role reporting directly to the Chief Legal Counsel. This individual will be the organization's expert in government security frameworks, responsible for achieving and maintaining high-level government certifications. This role uniquely blends legal compliance, rigorous security operations, and direct partnership with the Product and Engineering teams to ensure our solutions meet the stringent FedRAMP/GovRamp requirements from inception through deployment.

Requirements

  • 5+ years of progressive experience in Information Security and IT Audit/Compliance.
  • Extensive, hands-on experience successfully managing, documenting, and maintaining FedRAMP/GovRamp authorizations (preferably Moderate or High baselines).
  • Proven expertise in managing other core compliance frameworks, including SOC 2 Type II.
  • Demonstrated experience in a product-focused environment, directly influencing security requirements and architecture during the software development lifecycle (SDLC).
  • Experience working in a regulated industry or supporting highly sensitive data environments.

Nice To Haves

  • CISSP (Certified Information Systems Security Professional)
  • CISM (Certified Information Security Manager)
  • CRISC (Certified in Risk and Information Systems Control)
  • CISA (Certified Information Systems Auditor)

Responsibilities

  • FedRAMP Ownership: Own the entire process for maintaining and managing FedRAMP/GovRamp authorizations, including control implementation, documentation (e.g., System Security Plan - SSP), continuous monitoring, and annual audits (A&A).
  • Audit Management: Serve as the primary point of contact for all external security and compliance audits (including SOC 2 Type II), coordinating efforts between auditors, legal counsel, and technical teams to ensure successful outcomes and high-quality evidence collection.
  • Compliance Program Management: Design, implement, and lead the corporate security compliance program, ensuring adherence to the specific controls required by all key frameworks.
  • Security-by-Design Review: Collaborate closely with the Product Management and Engineering teams, reviewing product roadmaps, features, and architectures to ensure security and government compliance (especially FedRAMP/GovRamp controls) are integrated from the initial design phase (Security-by-Design).
  • Product Requirements Translation: Translate complex regulatory and certification controls into clear, actionable technical requirements and user stories for product development teams.
  • Risk Mitigation: Conduct risk assessments on product features, third-party integrations, and new technologies to proactively identify and mitigate compliance and security risks before product launch.
  • Contractual Review: Support the Legal Team by critically reviewing and negotiating security and privacy clauses in customer contracts, RFPs, vendor agreements, and data processing addendums (DPAs), specifically pertaining to government and regulated clients.
  • Policy & Training: Develop, document, and enforce comprehensive security, privacy, and data governance policies. Conduct targeted training for teams involved in government-facing products.
  • Executive Reporting: Provide regular, executive-level reports to the Chief Legal Counsel on the status of compliance efforts, identified risks, and strategic security posture.

Benefits

  • We offer an excellent salary and benefits commensurate with experience.