Director of Security

About The Position

Requirements

• 10+ years of progressive experience in information security or cybersecurity.
• 3+ years leading and developing security teams.
• Demonstrated M&A, private equity, or roll-up experience.
• Strong understanding of cloud security principles with hands-on Azure and Microsoft security experience.
• Experience managing and governing compliance standards (NIST, CSF, CIS, and SOC2 Type II preferred)
• Experience managing business continuity programs and lifecycle
• Microsoft Azure/Intune experience
• Experience managing third-party security services (MDR/SOC, IR retainers, testing vendors).
• Proven ability to design and run a complete enterprise security control program.
• Excellent stakeholder management and executive communication skills.
• Bachelor’s degree or equivalent experience; security certifications preferred (CISSP).
• Professional services experience and /or accounting and CPA firm experience strongly preferred.

Responsibilities

• Define the multi-year security strategy and roadmap across Crete and member firms in a federated model, aligning priorities to business risk and acquisition cadence.
• Establish and maintain the security policy framework, standards, and minimum control baseline across all firms; design pragmatic exception handling and remediation plans for varying maturity levels.
• Build security operating rhythms and executive reporting: KPIs, risk posture, incident trends, audit/compliance status, and program progress for Crete leadership and firm leaders.
• Partner with IT, data, and engineering leadership to embed security into operations, architecture decisions, and change management across the portfolio.
• Lead security diligence for M&A: current-state control assessments, key risk identification, remediation estimates, and repeatable post-close stabilization playbooks (30/60/90-day plans).
• Drive security integration of new firms (people/process/technology) across separate environments — identity, endpoint/email, logging/monitoring, data protection — with scalable onboarding playbooks and control alignment patterns.
• Provide security architecture oversight for cloud and hybrid environments with emphasis on Azure, Intune, and Microsoft Defender; define secure patterns for privileged access, conditional access, PAM, RBAC, and separation of duties.
• Oversee day-to-day security operations: vulnerability management, patch/risk prioritization, endpoint and email security, tooling lifecycle, and event triage across Crete and member firms.
• Manage third-party MDR/SOC providers — scope, SLAs, escalation paths, detection coverage, playbooks, reporting — and drive continuous improvement of monitoring outcomes.
• Own the incident response program end-to-end: runbooks, tabletop exercises, ransomware preparedness, forensics coordination, and post-incident reviews with corrective actions.
• Implement consistent risk management across firms — periodic assessments, control testing, remediation tracking — and own third-party/vendor security risk management for corporate and shared vendors.
• Support member firms with client-driven security and compliance requirements (NIST CSF, CIS, SOC 2 Type II); ensure evidence collection is repeatable and accurate.
• Lead security awareness and training programs tailored to professional services workflows, with measurable adoption and behavioral outcomes.
• Lead, coach, and develop the cybersecurity team; serve as escalation point for security decisions, incidents, and complex risk tradeoffs.
• Build documentation, playbooks, and implementation guides that enable consistent security outcomes across firms; influence firm leaders and local teams to drive baseline control adoption.