Information Security & Compliance Manager

Chisholm Chisholm & Kilpatrick LTD, Providence, RI
Hybrid

About The Position

Location: Providence, RI (Hybrid work environment available)

Chisholm Chisholm & Kilpatrick (CCK) is a nationally recognized law firm committed to providing exceptional client service in the areas of Veterans Law, Litigation, and Bequest Management.

CCK is seeking an Information Security & Compliance Manager (ISCM) to lead its information governance, security and compliance program. This individual will serve as the firm’s primary authority on cybersecurity strategy, data governance, and regulatory compliance, ensuring that client data, attorney-client privileged communications, and firm intellectual assets are protected at the highest standard.

This position requires both strategic thinking and hands-on execution, with strong cross-functional collaboration across IT, legal, operations, and client-facing teams. Given the sensitive nature of legal practice and the firm’s obligations under applicable bar rules, data protection regulations, and client contractual requirements, this role demands a leader who can create and adapt policy, implement controls, cultivate a security-aware culture, and maintain compliance with evolving legal and regulatory frameworks.

Requirements

  • Minimum 5 years of experience in information security, cybersecurity, and/or compliance roles, with demonstrated career growth.
  • Demonstrated experience building an information security program from the ground up, including policy development, control implementation, and program governance.
  • Hands-on experience conducting or overseeing security risk assessments, audits, and compliance evaluations.
  • Experience managing vendor/third-party risk and reviewing technology contracts with security implications.
  • Demonstrated understanding of state data security laws and regulations, HIPAA data security requirements, and SOC 2 Type II audit criteria.
  • Experience using and administering security tools (SIEM, endpoint protection, DLP, MFA, etc.).
  • Experience with the incident response life cycle.
  • Familiarity with NIST, ISO 27001, or COBIT frameworks.
  • Excellent written and verbal communication skills and the ability to work with legal, technical, and non-technical staff.
  • Ability to translate complex technical risk and mitigation into clear business terms for non-technical audiences, including firm partners and executive leadership.
  • Strong project management skills and the ability to manage multiple concurrent initiatives with competing priorities.
  • Bachelor’s degree in Cybersecurity, Information Technology, Computer Science, or a closely related field; an equivalent combination of education and experience will be considered.

Nice To Haves

  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Security Manager (CISM)
  • Certified HIPAA Security Professional (CHSP) or equivalent
  • Certified Information Privacy Professional (CIPP/US or CIPM)
  • Certified in Risk and Information Systems Control (CRISC)
  • CompTIA Security+ or equivalent foundational certification

Responsibilities

  • Develop, implement, and maintain the firm's data governance framework, information security strategy, multi-year roadmap, and security architecture.
  • Establish and operationalize cybersecurity and data governance policies, standards, and procedures firmwide, including applicable state statutory requirements, HIPAA data security requirements, and SOC 2 Trust Services Criteria.
  • Oversee vulnerability management, penetration testing programs, and security monitoring operations.
  • Manage security technologies including SIEM, endpoint detection and response (EDR), identity and access management (IAM), email security, and data loss prevention (DLP) tools.
  • Evaluate third-party vendors for compliance with internal policies and procedures, state statutory requirements, HIPAA data security requirements, SOC 2 standards and best practices.
  • Lead incident response planning, tabletop exercises, and post-incident review processes.
  • Foster a culture of security and compliance across the firm, including collaborating with the firm’s internal stakeholders from across departments regarding information security initiatives.
  • Partner with practice group leaders and attorneys to embed data handling standards into legal workflows.
  • Maintain current knowledge of emerging security alerts, issues, threats and trends to enhance the firm’s Information Security posture.

Benefits

  • Competitive salary based on experience
  • CCK offers options for medical, dental, and vision insurance (including employer-paid medical insurance for the employee!) and other wellness benefits
  • Gym membership reimbursement
  • 15 days of PTO which increase to 20 days of PTO after 1 year plus 14 paid company holidays in 2026
  • 35 Work from Home Days per year that can be used for any reason
  • 401k matching
  • Paid Parental Leave