Head of Information Security & Privacy

Datasite, New York City, NY
2d

About The Position

We’re a fast-growing SaaS company working with clients around the world who trust us with sensitive and privileged data — including proprietary IP, PII, and MNPI. Security and trust sit at the heart of our product and our client relationships. We’re already SOC 2 Type II certified and now preparing for ISO 27001 while maintaining compliance with GDPR and other global privacy frameworks. As we scale, we’re looking for a Head of Information Security & Privacy to strengthen our security posture, modernize our controls, and help us stay secure without slowing innovation.

The Opportunity

This is a hands-on role for a doer who can design, implement, and run a fit-for-purpose security and privacy program. You’ll work closely with engineering, product and operations to embed best practices across our AWS-based infrastructure and software development lifecycle. You’ll maintain key certifications, manage risk assessments, handle client security reviews, and help shape a security-first culture as we grow.

Requirements

  • 5–8 years’ experience in information security, cloud security, or risk management, ideally within a SaaS environment.
  • Solid knowledge of AWS security architecture and best practices.
  • Experience embedding controls into a modern SDLC (e.g., CI/CD, GitHub Actions, IaC).
  • Working understanding of privacy and data protection frameworks (GDPR, CCPA, etc.).
  • Familiarity with generative AI / LLM architectures and associated security and data-governance risks.
  • Strong communicator who can explain complex security issues in plain business terms.
  • Commercial and pragmatic mindset — able to balance protection with agility.
  • Hands-on, proactive, and comfortable working independently in a fast-moving environment.

Nice To Haves

  • Relevant certifications (AWS Security Specialty, CISSP, CISM, ISO 27001 Implementer, CIPP/E) a plus.

Responsibilities

  • Own and evolve the information security management system, maintaining SOC 2 Type II and leading the path to ISO 27001 certification.
  • Implement and monitor security controls across AWS, including IAM, KMS, networking, and logging.
  • Partner with engineering to embed security in the SDLC: threat modelling, secure coding, vulnerability management, and DevSecOps practices.
  • Lead risk assessments, incident response, and vendor security reviews, ensuring timely and pragmatic remediation.
  • Maintain and continuously improve security and privacy policies, aligning them with global regulations and client requirements.
  • Support privacy compliance (GDPR, CCPA, and similar), including data mapping, retention, and cross-border transfer considerations.
  • Oversee security reviews and due-diligence requests from clients, auditors, and partners.
  • Stay ahead of emerging threats and regulatory changes, translating them into actionable guidance.
  • Champion security awareness and training across the company.

Benefits

  • Benefits include health insurance (medical, dental, vision), a retirement savings plan, paid time off, and other employee benefits.

What This Job Offers

Job Type

Full-time

Career Level

Mid Level

Education Level

No Education Listed

Number of Employees

1,001-5,000 employees
