About The Position

brightfin is seeking a Vice President of Information Security to own their security program end-to-end, including governance, compliance, customer trust, and product security. This is a builder role where the individual will design the program, hire a small team, and grow it as the company scales. The company offers an enterprise SaaS platform built natively on ServiceNow, focusing on IT financial management and managed software subscriptions to help optimize IT spend. The role is crucial for maintaining data security and trust for Fortune 500 and mid-market companies in sectors like healthcare, finance, and global enterprises.

Requirements

  • 6+ years in information security, with at least 3 in a leadership role.
  • Demonstrated experience building or scaling a security program at a B2B SaaS company.
  • Deep SOC 2 ownership experience — led Type II audits.
  • Strong working knowledge of NIST CSF, ISO 27001, and cloud security (AWS preferred).
  • Experience running the security side of enterprise sales cycles — responding to security questionnaires, hosting customer calls.
  • One or more certifications: CISSP, CISM, CISA, CRISC, or equivalent.

Nice To Haves

  • Experience at a ServiceNow ecosystem company or enterprise IT management platform.
  • Familiarity with HIPAA and financial services security requirements.
  • Prior experience reporting to a board or audit committee.
  • Startup or high-growth company background — you've built things, not just managed them.

Responsibilities

  • Design and run brightfin's Information Security Management System (ISMS), aligned to NIST CSF and ISO 27001 principles.
  • Own SOC 2 Type II compliance, including annual audits, evidence collection, and continuous monitoring.
  • Maintain and mature security policies, standards, and procedures across the organization.
  • Lead the company's incident response program: planning, tabletop exercises, and live incident management.
  • Own the security review process for enterprise deals, responding to RFPs, security questionnaires, and customer audits.
  • Serve as the security point of contact for enterprise prospects and customers, attending calls as needed to build trust.
  • Develop and maintain a security trust portal and standard documentation package.
  • Build and maintain a risk register; report on risk posture to the executive team and board quarterly.
  • Manage third-party and vendor security risk, including contract review and ongoing monitoring.
  • Ensure compliance with applicable data privacy regulations (GDPR, CCPA, HIPAA where applicable).
  • Partner with the engineering team on secure SDLC practices, including code scanning, dependency management, and penetration testing.
  • Drive cloud security posture management for AWS/Azure/GCP environments.
  • Own the vulnerability management program: triage, prioritization, and remediation tracking.
  • Hire and manage a small initial security team (target: 2–3 hires in year one).
  • Run security awareness training and phishing simulation programs company-wide.
  • Build a security-conscious culture without creating friction for a fast-moving engineering team.

Benefits

  • Comprehensive health, dental and vision benefits package.
  • Paid time off.
  • 401K with employer match.
© 2026 Teal Labs, Inc