Senior Director, Information Security & Compliance

Beeline Medicines
$264,000 - $285,000 | Remote

About The Position

The Senior Director, Information Security & Compliance is responsible for building, operating, and continuously improving the company's information security program. This role owns security governance, risk management, regulatory compliance, and security operations across all IT systems and data. The Senior Director establishes the security policy framework, manages relationships with managed security service providers, coordinates external security assessments, and ensures the company maintains a security and compliance posture appropriate for a clinical-stage biopharma preparing for public company obligations.

This is a hands-on leadership role. At a company of this size, the Senior Director operates as a solo security practitioner with significant leverage through managed security partners (SentinelOne Vigilance MDR, Huntress ITDR/SIEM, Zscaler ZIA) and external assessment firms. The role reports to the VP of IT and works closely with Quality, Legal, Finance, and external auditors to ensure security controls satisfy SOX, GDPR, GxP, and FDA regulatory requirements.

Requirements

  • Bachelor's degree in Information Security, Computer Science, Information Technology, or a related discipline; equivalent professional experience accepted.
  • 12+ years of progressive information security experience with at least 5 years in a security leadership role (Manager, Director, or equivalent) preferred.
  • Demonstrated experience building or significantly maturing an information security program, including policy development, risk management, and compliance framework implementation.
  • Experience with security frameworks: NIST CSF, NIST SP 800-53, ISO 27001, or equivalent.
  • Direct experience with SOX IT General Controls — either implementing ITGCs for IPO readiness or supporting ongoing SOX compliance at a public company.
  • Strong working knowledge of Microsoft 365 security controls, including Entra ID, Conditional Access, Defender, and Purview.
  • Experience managing managed security service providers (MDR, MSSP, or similar) and coordinating external security assessments (penetration testing, controls testing, risk assessments).
  • Independent judgment and self-direction — this role operates as a solo security practitioner at a small company and must prioritize effectively without day-to-day supervision.
  • Strong written and verbal communication with the ability to translate security risks into business terms for executive and non-technical audiences.

Responsibilities

  • Own the information security policy framework, including development, maintenance, and periodic review of all security policies, standards, and procedures.
  • Ensure policies align with NIST CSF 2.0, NIST SP 800-53, and applicable regulatory requirements (SOX, GDPR, GxP).
  • Present the security posture and risk landscape to IT leadership and executive stakeholders.
  • Lead IT risk management activities, including risk identification, assessment, treatment planning, and risk register maintenance.
  • Conduct and coordinate vendor security risk assessments for third-party service providers.
  • Support the company's broader enterprise risk management process with IT-specific risk inputs.
  • Own IT General Controls (ITGCs) for SOX compliance readiness, including access controls, change management controls, computer operations, and audit evidence preparation.
  • Coordinate with external SOX auditors, providing documentation, walkthroughs, and remediation of findings.
  • Manage relationships with external firms performing penetration testing, NIST controls mapping, and security control assessments.
  • Manage the company's managed security service provider ecosystem, including SentinelOne Vigilance MDR (endpoint detection and response), Huntress (identity threat detection, SIEM), and Zscaler ZIA (network security).
  • Define alert escalation procedures, review detection efficacy, and ensure coordinated incident response across all providers.
  • Own the security incident response program, including the incident response plan, tabletop exercises, breach notification procedures, and post-incident reviews.
  • Serve as the primary technical incident coordinator, working with managed security providers for detection and containment and with Legal and the external DPO for regulatory notification obligations.
  • Design and enforce identity and access management controls in Microsoft Entra ID, including Conditional Access policies, privileged access governance, access reviews, and role-based access control.
  • Ensure access controls satisfy SOX ITGC requirements, FDA 21 CFR Part 11 electronic access provisions, and GDPR data access minimization principles.
  • Own security awareness and training program execution in coordination with KnowBe4, including phishing simulation campaigns, security awareness training content, completion tracking, and remedial training for failed simulations.
  • Maintain training records as audit evidence for SOX and GxP compliance.
  • Perform other duties and responsibilities as assigned.

Benefits

  • Medical, Dental & Vision insurance (employee premiums 100% covered by company)
  • 20 accrued days combined time off (PTO/Sick)
  • 12 company holidays
  • Winter recharge
  • Health Savings Account (HSA)
  • Discretionary annual bonus
  • Long-term incentive award (e.g., equity)