Sr Director, IT Security

AmeriLife, Clearwater, FL

About The Position

Explore how you can contribute at AmeriLife. For over 50 years, AmeriLife has been a leader in the development, marketing and distribution of annuity, life and health insurance solutions for those planning for and living in retirement. Associates get satisfaction from knowing they provide agents, marketers and carrier partners the support needed to succeed in a rapidly evolving industry.

The Sr. Director of IT Security serves as AmeriLife’s leader for enterprise cybersecurity, responsible for defining, implementing, and operating a comprehensive cybersecurity program spanning security architecture, cloud security, identity & access management, DevSecOps, incident response, security operations, governance, risk, and compliance. This role provides regular cybersecurity insights and updates to the Board or Audit/Risk Committee and leads a high‑performing organization that includes Security Operations, Security Engineering, Governance, Risk & Compliance (GRC), and additional specialized functions. The Sr. Director ensures that cybersecurity initiatives are fully aligned with business priorities, regulatory requirements, and AmeriLife’s overall risk appetite, while driving a multi‑year roadmap that strengthens AmeriLife’s enterprise security posture. This leader is accountable for consistent regulatory compliance, improved audit and examination outcomes, and the reduction of cyber risk across all AmeriLife entities. Through strategic leadership and operational excellence, the Sr. Director will advance mature, scalable security operations and engineering capabilities and foster a security‑aware culture embedded across the enterprise, enabling increased resilience and ongoing protection of AmeriLife’s technology ecosystem.

Requirements

  • Bachelor’s degree required; Master's degree or MBA preferred.
  • CISSP or CISM required; CRISC, CISA, CCSP preferred.
  • 6-8 years of progressive cybersecurity leadership; 3-5 years leading teams or major security functions.
  • Strong experience in financial services or insurance.
  • Deep knowledge of NYDFS Part 500, SOX ITGC, GLBA, HIPAA.
  • Expertise in cloud security (Azure/M365), IAM, network security, SOC operations, incident response, and DevSecOps.
  • Exceptional communication skills and the ability to present complex issues to executives and the Board.

Responsibilities

  • Strategic Leadership & Cybersecurity Program Execution: Develop and drive a unified, enterprise‑wide cybersecurity strategy. Monitor emerging threats, technologies, and regulatory requirements, and update the strategy accordingly. Establish a multi‑year roadmap aligned with AmeriLife’s technology and business goals.
  • Regulatory Compliance & Risk Management: Lead compliance with NYDFS Part 500, SOX ITGC, GLBA, HIPAA, and other regulations. Oversee SOX IT controls, evidence collection, testing, remediation, and audit liaison. Conduct regular cybersecurity risk assessments and report findings to executives and the Board.
  • Security Architecture & Cloud Security: Oversee enterprise security architecture across on‑prem, cloud, and hybrid environments. Lead Azure and Microsoft 365 cloud security programs, including CSPM, secure configuration, and tenant governance. Implement Zero Trust principles across identity, devices, networks, and applications. Ensure secure cloud migrations and consistent standards across AmeriLife affiliates.
  • DevSecOps & Application Security: Integrate security into SDLC and CI/CD pipelines. Establish secure coding standards and oversee SAST/DAST, dependency scanning, and penetration testing. Promote security‑by‑design principles across development and engineering.
  • Security Operations & Incident Response: Direct all SOC activities, including internal analysts and external MDR providers. Oversee MDR and EDR operations, ensuring integration, tuning, detection fidelity, and coordinated response. Maintain the enterprise Incident Response Plan, including triage, containment, forensics, recovery, and root‑cause analysis. Partner with external incident‑response firms for escalated investigations. Oversee managed vulnerability services, ensuring timely scanning, risk scoring, prioritization, and remediation tracking. Manage enterprise vulnerability management lifecycle and patch governance.
  • Governance, Compliance & Audit Oversight: Maintain cybersecurity policies and standards aligned to NIST CSF, NIST 800‑53, ISO 27001. Chair cybersecurity governance forums to coordinate enterprise adoption and alignment. Lead regulatory exams, audit responses, evidence readiness, and remediation tracking.
  • Team Leadership & Organizational Development: Build and lead a high‑performing cybersecurity organization. Define roles, competencies, and KPIs; mentor and develop staff. Promote collaboration between security, IT, and business functions.
  • Enterprise Collaboration & Stakeholder Engagement: Partner with IT, Legal, Compliance, ERM, and business leaders to embed security into projects and operational processes. Serve as primary cybersecurity liaison to affiliates. Promote cybersecurity awareness and education enterprise‑wide.
  • Vendor Oversight & Third‑Party Risk Management: Manage and monitor third‑party security vendors, including MDR, EDR, incident response, threat intelligence, pen‑testing, and other specialized services. Oversee all third‑party security evaluations, including red team exercises, purple team engagements, external and internal penetration testing, social engineering assessments, and remediation follow‑through. Lead third‑party cyber risk management, including due diligence, SOC report review, contractual controls, and ongoing monitoring. Manage vendors delivering managed vulnerability services, ensuring coverage, SLA adherence, and reporting accuracy. Conduct structured vendor performance reviews and optimize the cybersecurity vendor ecosystem.
  • Executive Reporting & Budget Management: Serve as cybersecurity advisor to the CIO, executive leadership, and the Board. Provide business‑aligned reporting on threats, risks, incidents, compliance, and program maturity. Own and manage the cybersecurity budget; prioritize investments based on risk and regulatory drivers.

Benefits

  • A comprehensive benefits package that includes PTO, medical, dental, vision, retirement savings, disability insurance, and life insurance.
© 2024 Teal Labs, Inc