Director, Information Security (Remote, US)

Job Details

As the Director of Information Security at Openly, you will be responsible for maintaining and maturing the company's security program. This involves collaborating with cross-functional teams to identify and mitigate risks, establishing security policies and procedures, and ensuring compliance throughout the organization. You will apply a risk-informed approach to security and compliance, enabling the business to operate safely and securely.

Key Responsibilities 

• Develop and execute a comprehensive information security roadmap in collaboration with technology leadership and compliance leadership.
• Provide oversight for security governance and risk management, including risk assessments, vulnerability management, and incident response planning.
• Promote a culture of security awareness throughout the organization by conducting training sessions and awareness campaigns.
• Provide regular updates and reports to senior management and stakeholders on the state of information security within the organization.
• Lead SOC II Type II audit including audit coordination, controls, and evidence collection.
• Evaluate and manage security risks associated with third-party vendors and service providers.
• Establish and maintain information security policies, standards, and procedures in compliance with relevant industry regulations (e.g., GDPR, PCI DSS, state Insurance Data Security laws) and best practices.

Qualifications

• Education: BS degree in Computer Science, IT, related technical discipline or equivalent years of experience.
• Experience
  • 8+ years of experience in information security roles with a balance of management, compliance, and technical expertise.
  • Proven management abilities
    • Experience guiding and growing teams of teams, balancing security, compliance and engineering needs with the needs of the business.
    • Demonstrated ability to leverage resources and teams to deliver multiple projects from start to finish in reasonable overlapping time frames
    • Experience developing a strategy or roadmap for your teams
  • Proven experience leading SOC II audits and evidence collection
  • Familiarity and willingness to work with Agile methodologies
  • Excellent written and verbal communication
  • CISSP, CISM, or other cybersecurity certifications preferred, but not required
  • Working knowledge of one or more public cloud technologies (AWS, Azure, Google Cloud) and information security in a hybrid cloud environment
  • Risk management experience
  • Knowledge of PCI Data Security Standards including scoping and implementation
  • Working knowledge of PAM, SIEM, SSO, WAF, endpoint detection, and email threat management technologies
  • Startup or SaaS and remote work experience preferred

• Leadership
  • Defaults to a collaborative mindset to work with multiple stakeholders to maximize our resources
  • No Egos - focuses on the best outcomes for the security, engineering, and IT teams and the company over ownership of any particular project, process, or people, demonstrating high engagement and low attachment
  • Comfortable making decisions,owning and being accountable for results
  • A high level of comfort navigating and making decisions and recommendations in environments of ambiguity
  • Bias towards action over perfection
  • Ability to juggle both a long term investment approach and an iterative approach to address immediate needs while understanding long term implications
  • When presented with a complex problem, process, or existing system, you can consistently reduce the complexity to get more done with less work
  • Passion for fostering DE&I to build effective, capable teams

• Technical Acumen
  • A breadth of knowledge and experience across the information security domain, with familiarity in a combination of endpoint, email, network, identity management, cloud security; vulnerability management; incident response; and threat intelligence.
  • Extensive experience with common security tools - e.g., EDR, MDR, SIEM, CSPM, email security, web filtering, and threat intel platforms.
  • Experience with incident management and security operations including analyzing and responding to security events, such as conducting log analysis, developing queries and analytics, troubleshooting security issues, and correlating complex data sets.
  • Experience with Okta, Google Workspace, Jira, and other SaaS applications.
  • Experience with public cloud infrastructure (e.g. GCP, AWS) implementation and architecture.
  • Knowledge of scripting languages.
  • Knowledge of Terraform or other infrastructure-as-code frameworks.
  • Knowledge of version control systems (Github, Git, etc.).

Our stack (for reference)

We do not expect competency in this stack to be successful, but awareness in security concerns associated is a plus:  

• Backend/Core: Go & Postgresql
• Frontend: Browser-based, VueJS, Webpack, Nuxt &, Tailwind
• Research/Data Science: R, ArcGIS, H2O, & Python
• Infrastructure: Google Cloud, specifically Cloud Run, Cloud Build, and CloudSQL, managed with Terraform. We use GitHub for code hosting and CircleCI for running our CI/CD pipelines.
• Remote work tools: Slack, Zoom