Information Security Lead (Remote)

About The Position

Requirements

• 5+ years of experience in information security, with at least 2 years in a leadership or senior individual contributor role
• Experience in fintech, banking, healthcare, payments, or other highly regulated industries
• Proven track record managing SOC 2 compliance, including audit preparation and evidence gathering
• Deep understanding of GRC frameworks and compliance requirements for fintech companies
• Experience developing and enforcing security policies in a rapidly growing organization
• Strong knowledge of endpoint security, including EDR solutions and mobile device management
• Experience conducting vendor security assessments and managing third-party risk
• Hands-on experience with security tools and technologies (SIEM, EDR, vulnerability management, etc.)
• Demonstrated ability to work cross-functionally with Legal, HR, Engineering, and Product teams
• Excellent written and verbal communication skills, with the ability to explain complex security concepts to non-technical stakeholders
• Strong project management skills and ability to manage multiple initiatives simultaneously
• Experience working with managed IT service providers or in-house IT teams
• Ability to travel to our Palo Alto and/or NYC on a quarterly basis

Nice To Haves

• CISSP, CISM, or similar security certifications
• Experience with ISO 27001 certification and maintenance
• Familiarity with Zero Trust security architecture principles and implementation
• Knowledge of SEC compliance requirements for investment advisers
• Experience implementing VPN solutions and network security controls
• Familiarity with AWS security services and best practices
• Experience with Secureframe or similar GRC platforms
• Background in security awareness training program development
• Previous experience building out a security team from scratch

Responsibilities

• Own and evolve the GRC program in partnership with Legal and our CCO
• Lead all efforts to achieve and maintain critical compliance certifications (SOC 2, potentially ISO 27001)
• Manage external SOC2 audits and coordinate with third-party auditors (currently 4-6 week intensive periods annually)
• Conduct quarterly user access reviews and maintain comprehensive access control documentation
• Lead responses to due diligence questionnaires (DDQs) for information security matters
• Develop, maintain, and enforce clear, practical security policies across all departments
• Work cross-functionally with IT and HR to ensure consistent policy adherence
• Monitor compliance with laptop MDM requirements, 2FA, policy attestations, and security training
• Manage policy updates and communicate changes effectively to the organization
• Review logs, access permissions, and information sharing practices to identify compliance gaps
• Develop and execute a comprehensive information security roadmap aligned with business objectives
• Lead the organization's migration to a Zero Trust security approach
• Drive cultural change around data protection practices across all business units
• Plan for and implement security improvements to support company growth
• Select, implement, and manage endpoint detection and response (EDR) solutions
• Lead rollout of security technologies across all employee devices
• Establish continuous monitoring protocols for endpoint security
• Manage BYOD policies and company device distribution
• Implement virtual office network capabilities for Allocate devices
• Oversee relationship with our managed IT service provider
• Act as a security-focused intermediary for IT requests, ensuring appropriate access controls
• Manage general IT operations, including email, machine compliance, and onboarding/offboarding
• Manage support ticket flow and ensure sensitive information is properly protected
• Evaluate and implement ticket management systems for security-sensitive support requests
• Conduct vendor security reviews, risk assessments, and ongoing monitoring
• Evaluate SaaS tools and API connectors for security implications
• Lead the due diligence evaluation of our vendors
• Manage vendor access and integration security
• Research, evaluate, and select security tools to build a mature, cost-effective security stack
• Develop and execute security awareness training programs for all employees
• Coordinate phishing tests and manage remediation for failing results
• Ensure cyber security and AML training requirements are met for all employees
• Implement training programs for new hires and ongoing education initiatives
• Build a security-conscious culture, especially around PII handling and phishing awareness

Benefits

• Medical
• dental
• vision
• 401(k)
• responsible time off