Director of Enterprise Security

Position Summary  

Reporting directly to the Vice President, Information Technology, the Director of Enterprise Security (DES) responsibilities include offering guidance, best practices, and support across businesses, leading risk reviews and vulnerability assessments, identifying threats, communicating with senior leaders and other stakeholders.  

The prime responsibilities of the DES role are to identify, quantify and proactively address security issues and changes in the businesses risk profile. The DES will focus on improving the end-to-end risk posture, and ensure appropriate controls are implemented across the technology landscape to operate within risk appetite. The DES will be expected to drive effective risk & controls management and support the IT team through identification of control weaknesses and recommendations for improved security; articulation of the business impact and associated risk; and educate on proactive measures to remediate.  

The DES will manage the overall security program, ensuring the security compliance facing off to auditors, Cybersecurity DDQ’s (Due Diligence Questionnaires) from clients, and providing all Cybersecurity training. You will partner closely with the IT/Engineering/DevOps departments to ensure the work is appropriately prioritized to ensure the technology landscape is operating within the risk appetite and provide transparent reporting to senior management on the overall risk position.  

Primary Job Functions  

• Define and articulate a clear vision for the organization's information security strategy, aligning it with the overall business objectives and technological advancements. Lead the development and implementation of comprehensive security programs that not only protect the organization's assets but also enable business innovation and growth. 
• Cultivate strong relationships with leaders across key business units, such as HR, Legal, and Finance, to ensure that security measures are seamlessly integrated with business processes and aligned with organizational goals. Act as a trusted advisor to these departments, offering insights on security implications related to their specific functions and initiatives. 
• Lead cross-departmental security committees or working groups to facilitate open dialogue on security challenges, priorities, and strategies. Encourage collaborative planning and execution of security initiatives, ensuring that each department's unique needs and risks are addressed in the overall security framework. 
• Champion the importance of security within all business units by providing regular updates on the security landscape, emerging threats, and the organization's security posture. Utilize these sessions as opportunities to advocate for security best practices and the adoption of secure behaviors at all levels of the organization. 
• Serve as a visionary leader who can anticipate emerging security trends and adapt strategies to mitigate future risks. Influence organizational culture and policies to prioritize security at every level, ensuring it is integrated into the DNA of the organization's operations and decision-making processes. 
• Actively participate in strategic projects and initiatives across the organization to provide security guidance from the inception phase. Ensure that security considerations are embedded in project lifecycles, from planning and design to implementation and review. 
• Champion a culture of security awareness and best practices throughout the organization, engaging with all levels of staff to foster an environment where every employee understands their role in maintaining security. Initiate and lead enterprise-wide security awareness and training programs that empower employees to be proactive in recognizing and mitigating security threats. 
• Act as the principal security advisor to C-suite executives and the board, providing strategic insights and updates on the security landscape, risk management, and compliance matters. Build strong relationships with stakeholders across the organization to ensure seamless collaboration and support for security initiatives. 
• Encourage innovation within the security team by fostering an environment that supports creativity, experimentation, and the exploration of cutting-edge security technologies and practices. Regularly review and refine security strategies and processes to ensure they remain effective against evolving threats and align with industry best practices. 
• Lead, mentor, and develop a high-performing security team, setting clear goals and expectations, providing regular feedback, and supporting career development. Create an environment that promotes teamwork, diversity, inclusion, and mutual respect, where team members are motivated to achieve excellence. 
• Develop strategic goals and objectives for the department and provide written and verbal updates to the CPTO and business leadership.  
• Ensure that all information security policies remain up-to-date and are regularly reviewed.  
• Ensure all firm information security systems are configured and operating according to policies and standards. 
• Ensure technology risk impacting the business is effectively identified, quantified, communicated, and managed, including recommendations for resolution, and identifying the root cause/key themes. 

• Develop and articulate strategic goals and objectives for the information security department, aligning with business objectives and technological advancements. Provide regular updates to CPTO and senior leadership to ensure strategic alignment and transparency. 
• Oversee the development, implementation, and regular review of information security policies and systems to ensure they are up-to-date, effective, and aligned with industry best practices and compliance standards. 
• Lead comprehensive risk management efforts, including the identification, quantification, and communication of technology risks to the business. Collaborate with relevant departments to implement effective risk mitigation strategies and ensure the organization operates within its risk appetite. 
• Establish and maintain partnerships with third-party providers, such as Managed Detection and Response services, to enhance the organization's security posture through advanced logging, monitoring, and incident response capabilities. 
• Direct the organization's incident response efforts, including leading high-level strategy for triage, containment, investigation, and remediation of security incidents. Ensure the development and maintenance of incident response plans and playbooks. 
• Champion security awareness and best practices across the organization, leading enterprise-wide training and awareness programs to foster a security-conscious culture. 
• Drive the continuous assessment and improvement of security controls and processes to address emerging threats and vulnerabilities. This includes overseeing the management of security technologies such as privileged access management software and ensuring the effectiveness of security controls. 
• Facilitate cross-functional collaboration to integrate security considerations into business and IT projects from inception through execution, ensuring that security is a foundational element of all organizational initiatives. 
• Provide leadership in conducting and responding to security audits, third-party reviews, and client due diligence inquiries, ensuring that the organization's security measures meet or exceed industry standards and client expectations. 

Certifications (Any of the Following) 

• (CISSP) Certified Information Systems Security Professional 
• (CISM) Certified Information Security Manager 
• (Security+) CompTIA Security+ 
• (CEH) EC-Council Certified Ethical Hacker 
• (GISF) GIAC Information Security Fundamentals 
• (GSEC) GIAC Security Essentials 

Basic Qualifications:  

• Bachelor’s degree in computer science or a related field, or equivalent work experience  
• Minimum 8 years of experience at the senior level working in information security. 
• Extensive experience with technologies used for vulnerability management, identity and privileged access management, data protection, security information and event management (SIEM), endpoint detection and response (EDR), and data loss prevention (DLP)  
• Experience with Active Directory and Group Policy  
• Experience with information security frameworks including SOC2, ISO 27001, NIST Cybersecurity Framework, and other compliance frameworks.  
• Experience undergoing audits and developing security policies and procedures.  
• CISA (Certified Information Security Auditor) or Certified Ethical Hacker (CEH) is a plus. 
• Familiarity with Artificial Intelligence (AI) and Machine Learning (ML) usage and security controls is a plus. 
• Experience conducting security vulnerability assessments, penetration testing, and ethical hacking is required; familiarity with the ISO/IEC 27001 standards and compliance is required. 
• Clear understanding of the latest Microsoft Windows, Apple OSx, and Linux operating systems; intimate knowledge of mobile devices. 
• Must understand information systems security; network architecture; network security; general database concepts; document management; hardware and software troubleshooting; electronic mail systems, such as Exchange, Document Management Systems; intrusion test tools; and computer forensic tools.  
• Excellent written and verbal communication skills, including the ability to articulate complex issues to technical and non-technical stakeholders.  
• Demonstrated critical thinking, problem-solving, and project management skills.