Director of Information Security

MDMS Recruiting
Full-time
On-site
New York, New York, United States
Cybersecurity
This is a full-time, direct-hire role. No agencies please.

About the Position
The Director of Information Security is a key leadership role in enabling and maintaining a stable, scalable, and secure ecosystem while ensuring that our business and customer data is protected and available. This position is responsible for leading and managing all functions within the Information Security Program, which involves developing the strategic roadmap and overseeing the effective daily operations of the Security Program concerning Security Engineering, Operations, Governance, Risk, and Compliance. The Director of Information Security will drive the development and implementation of security controls, create security policies, manage vendor risks, raise cybersecurity awareness, monitor and respond to security incidents, and ensure data security, classification, and compliance are maintained. This position will also be responsible for the administration, implementation, and oversight of all IT Information Security and Data Protection strategies for the organization to ensure alignment with relevant laws, regulations, and industry standards.

Job Responsibilities:
• Develop and execute the strategic roadmap for the security program, including security engineering, operations, governance, risk, and compliance, with a focus on fostering a culture of accountability and customer service.
• Establish, implement, and oversee a comprehensive program to ensure the integrity, confidentiality, and availability of data. This includes staying current on security trends and the threat landscape, as well as maintaining and enhancing existing cybersecurity tools.
• Create high-quality documentation for the strategic security vision, including blueprints, standards, and frameworks that align with business goals.
• Manage cybersecurity risks and ensure all security strategies are aligned with relevant laws, regulations, and industry standards. This also involves overseeing cybersecurity compliance and leading security awareness and data privacy training programs.
• Act as the primary escalation point for all security incidents, including those involving third parties. Lead the response and containment efforts for any breaches and ensure that the organization can effectively detect, protect, respond, and recover from threats.
• Oversee information security projects, ensuring they are appropriately resourced and delivered on time, within scope, and on budget.
• Manage vendor risks as part of the Information Security Program. Actively engage with vendors to understand their security roadmaps, technology directions, and investments aimed at enhancing security capabilities.

Experience:
• 10+ years of progressive IT experience, with at least 7 years in cybersecurity and 3+ years of management experience, are required.
• Demonstrated expertise in defining and implementing IT control frameworks and security controls such as NIST CSF, CIS, and OWASP.
• Deep technical knowledge of modern hosting, computing, and data delivery platforms, with a strong emphasis on security, is a must.
• Proven ability to manage vendor relationships and govern third-party risks, ensuring their security practices align with organizational needs.
• Deep and hands-on expertise in Microsoft-based cloud security products and services is required, along with familiarity in other cloud environments like AWS.
• Proficiency with Data Loss Prevention (DLP) tools, including network, endpoint, and cloud-based solutions, is required. You must also have strong knowledge of cryptographic services and experience with the development of risk reduction strategies through technical and non-technical controls.
• Strong knowledge of EDR, MDR, vulnerability management, and penetration testing is essential. Experience with SIEM, IPS/IDS, and Threat Intelligence tools is required for monitoring and analysis. The ideal candidate must act as the primary escalation point for all security incidents, including those involving third parties, and lead the response and containment of any breaches.
• The ability to plan for and execute recovery procedures following a security incident is essential.
• A strong understanding of global data privacy regulations and guidelines, such as GDPR and CCPA, is critical.
• The ideal candidate must be skilled in drafting security standards, reference architectures, policies, procedures, and implementation guidelines.
• Demonstrated understanding of technological trends and developments in the areas of information security, risk management, compliance controls, and cybersecurity best practices.
• Experience in managing department budgets and recruiting staff is required.
• The ideal candidate must be able to dive deep with the team and provide hands-on guidance to ensure proper project delivery.

Education & Certifications:
• Bachelor’s degree in Engineering, Computer Science, or related field and/or related experience.
• Professional security management certification such as CISSP, CISM, CISA, CompTIA Security+, or other similar credentials, preferred.

Skills and Attributes:
• The ability to articulate complex cybersecurity issues and recommendations to non-technical stakeholders is crucial. This is particularly important for gaining support and funding from leadership and for creating effective security awareness training programs.
• The ability to develop a strategic vision and roadmap for the security program that aligns with overall business objectives. This goes beyond day-to-day technical tasks and requires forward-looking, high-level planning.
• Experience with project management methodologies like Agile or Waterfall, as well as the ability to manage scope, timelines, and budgets.
• The ability to collaborate effectively with different departments, including IT, legal, and operational teams, is critical for successful security implementation. The security leader must be seen as a partner, not a roadblock.
• Attention to detail is vital for drafting security policies, analyzing logs, and identifying potential vulnerabilities.
• The role requires excellent analytical skills to solve complex problems, especially during a security incident. The ability to perform root cause analysis (RCA) and develop effective remediation plans is a key skill.
• Experience with Identity Management and Active Directory supporting SSO and MFA, OAuth and SAML-based authentication, role-based access control, and identity federation, on platforms such as Okta, Entra ID, SailPoint, or similar.
• Working knowledge of EDR/MDR and Endpoint Management platforms such as CrowdStrike, Sophos, SentinelOne, Microsoft Defender, or similar services.
• Experience with Vulnerability Management tools and ASV services such as Rapid7, Qualys, Tenable, or similar.
• Strong understanding of network protocols, firewalls, VPNs, IDS/IPS, and other common security technologies including Cisco, Meraki, Fortinet, Palo Alto, etc.
• Working knowledge of Email Security platforms such as Check Point, Proofpoint, Microsoft 365, Mimecast, or similar.
• Experience with GRC platforms to manage governance processes such as Drata, Vanta, OneTrust, or similar.
• Knowledge and practical application of auditing various information security/risk management frameworks.