As the Senior Director of Information Security, you will build our security structure from the ground up and establish our security footprint to fit the needs of a growing organization. You will do this by working closely with cross-functional teams to identify potential risks and develop strategies to mitigate them. You will establish security policies, procedures, and guidelines, and enable compliance throughout the organization. In this role, you will apply a risk-informed approach to security and compliance, enabling the business to operate in safe and secure ways.

Key Responsibilities

Security Strategy:

• Develop and execute a comprehensive information security strategy that aligns with the organization’s business goals and objectives.

• Collaborate closely with the VP of Engineering, VP of Legal and Compliance, IT Director, and CTO on security strategy

• Provide oversight for security governance and risk management, including risk assessments, vulnerability management, and incident response planning.

• Develop and implement an incident response plan, including detection, containment, mitigation, and recovery strategies.

• Promote a culture of security awareness throughout the organization by conducting training sessions and awareness campaigns.

• Provide regular updates and reports to senior management and stakeholders on the state of information security within the organization.

Policy and Compliance:

• Establish and maintain information security policies, standards, and procedures in compliance with relevant industry regulations (e.g., GDPR, PCI DSS, state Insurance Data Security laws) and best practices.

• Coordinate and oversee internal and external security audits, assessments, and penetration testing activities.

• Evaluate and implement security technologies and solutions to protect the organization’s assets.

• Evaluate and manage security risks associated with third-party vendors and service providers.

What You’ll Bring

Experience

• Experience establishing a security program from the ground up to fit growing business needs as an individual contributor and leader

• Proven management abilities

• Experience guiding and growing teams of teams, balancing security, compliance and engineering needs with the needs of the business.

• Demonstrated ability to leverage resources and teams to deliver multiple projects from start to finish in reasonable overlapping time frames

• Experience developing a strategy or roadmap for your teams

Teamwork

• Defaults to a collaborative mindset to work with multiple stakeholders to maximize our resources

• No Egos – focuses on the best outcomes for the security, engineering, and IT teams and the company over ownership of any particular project, process, or people, demonstrating high engagement and low attachment

• Passion for fostering DE&I to build effective, capable teams

Accountability

• Comfortable making decisions, owning and being accountable for results

• A high level of comfort navigating and making decisions and recommendations in environments of ambiguity

Problem-solving

• Bias towards action over perfection

• Ability to juggle both a long term investment approach and an iterative approach to address immediate needs while understanding long term implications.

• When presented with a complex problem, process, or existing system, you can consistently reduce the complexity to get more done with less work.

Requirements

• Typically requires 10+ years of experience across management and security domains

• Familiarity and willingness to work with Agile methodologies

• Excellent written and verbal communication

• CISSP, CISM, or other cybersecurity certifications preferred, but not required

• Working knowledge of one or more public cloud technologies (AWS, Azure, Google Cloud) and information security in a hybrid cloud environment

• Risk management experience

• Familiarity with PCI Data Security Standards and other financial industry-accepted security standards and frameworks

• Working knowledge of PAM, SIEM, SSO, WAF, endpoint detection, and email threat management technology

• Proficient with network and application security tools and best practices

LI-CB1

Our stack (for reference)

We do not expect competency in this stack to be successful, but awareness in security concerns associated is a plus:

• Backend/Core: Go & Postgresql

• Frontend: Browser-based, VueJS, Webpack, Nuxt &, Tailwind

• Research/Data Science: R, ArcGIS, H2O, & Python

• Infrastructure: Google Cloud, specifically Cloud Run, Cloud Build, and CloudSQL, managed with Terraform. We use GitHub for code hosting and CircleCI for running our CI/CD pipelines.

• Remote work tools: Slack, Zoom

$50,000 — $80,000/year