Our Story

MedMen is North America’s leading cannabis retailer with flagship locations in Los Angeles, Las Vegas, Chicago, and New York. MedMen offers a robust selection of high-quality products, including MedMen-owned brands [statemade], LuxLyte, and MedMen Red through its premium retail stores, proprietary delivery service, as well as curbside and in-store pick up. MedMen Buds, an industry-first loyalty program, provides exclusive access to promotions, product drops and content. MedMen believes that a world where cannabis is legal and regulated is safer, healthier and happier. Learn more about MedMen and The MedMen Foundation at www.medmen.com.

Job Summary

MedMen, the nation’s leading cannabis retail brand, is seeking an experienced Director of Information Security to lead the company’s exciting InfoSec and data privacy initiatives.

The Director is a visible and proactive leader across all security domains, provides expert security guidance and awareness at all levels of the company, and leads efforts to protect MedMen networks, clouds, systems, and data nationwide at corporate, retail, manufacturing, and distribution facilities.

The ideal candidate has strong business acumen, a proven understanding of complex Information Security threats and defenses, a deep understanding of data privacy laws and best practices, stellar project management and communication skills, and a long history of hands-on experience in application and database security, network security architecture, and penetration testing.

The Director is responsible for protecting web and mobile sites and applications before and after deployment, penetration testing, managing vulnerability remediation, investigating security incidents, providing security architecture guidance, optimizing security hardware and software, vetting vendor and partner security, researching new threats and defenses, gathering and analyzing security metrics, writing security policies in accordance with industry best practices and compliance requirements, maintaining security awareness and training for staff, ensuring compliance with laws like CCPA, HIPAA, and SOX, and leading internal and external IT audits.

If you're a senior-level security manager or director ready to take the next step in your career at an exciting, fast-growing company, this is the opportunity for you!

Job Functions

Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.

  • Proactively, independently, and continually analyzes, improves, and leads MedMen’s Information Security and data privacy program across the company’s corporate, retail, manufacturing, and distribution landscape to protect all company data, networks, clouds, systems, and applications against cyberattacks, malware infections, phishing, data abuses and leaks, compliance violations, and material audit findings.
  • Ensures MedMen’s business practices and technologies comply with CCPA, HIPAA, SOX, and other applicable laws, and follow InfoSec best-practice standards and frameworks such as PCI DSS, the NIST Cybersecurity Framework, and OWASP guidance.
  • Proactively builds partnerships with Retail, Development, Infrastructure, Desktop Support, Marketing, Finance, Legal, Operations, and executive teams to ensure InfoSec and data privacy remain part of every project’s DNA.
  • Researches, plans, and leads security and privacy projects across all security domains, including application and database security, network security, access controls, firewalls, encryption, and intrusion detection.
  • Using hands-on security tools, performs their own risk assessments, vulnerability tests, penetration tests, and gap analyses against MedMen web and mobile applications, retail store systems, databases, servers, wired and wireless networks, cloud environments, and third-party systems, and gives expert-level recommendations on the best controls to harden systems.
  • Serves as Subject Matter Expert (SME) on application and database security. Able to read and understand programming code, performs penetration testing at the code and protocol levels of web and mobile apps, and teaches developers and database administrators how to secure systems against attack. Able to isolate and secure sensitive data using segregation of duties, encryption, monitoring, and similar methods.
  • Manages testing and hardening of cloud systems, including Azure and Amazon Web Services (AWS). Follows cloud best practices to apply cloud security controls as needed, such as access controls, network segmentation, network and application firewalls, encryption, and monitoring tools.
  • Discovers, documents, prioritizes, and remediates MedMen vulnerabilities using standard threat risk models, while balancing threat risks against other critical and competing business priorities.
  • Leads efforts to test, deploy, harden, manage, monitor, and inventory core Information Security technologies, including monitoring systems, intrusion detection and anti-virus systems, patching & updating systems, access control systems, firewalls, anti-spam systems, data retention and loss prevention systems, key management systems, encryption appliances, cloud security controls, and backups for data and systems.
  • Prepares for and leads the IT portion of MedMen’s annual SOX audit, while ensuring applicable access, availability, integrity, monitoring, and backup controls remain compliant with auditor expectations throughout the year.
  • Reviews controls of potential third-party vendors using interviews, questionnaires, and testing to verify alignment with company security and privacy standards, and provides feedback on vendor legal contracts to ensure the language protects MedMen’s brand, data, and customers.
  • Leads investigations of cybersecurity and data privacy incidents, while correlating, analyzing, and preserving evidence using forensics tools and best practices.
  • Analyzes and reports on MedMen’s security metrics and trends gathered from the company’s security hardware and software, testing efforts, and vulnerability rankings.
  • Leads efforts to present and improve training and awareness of security best practices for all employees, while also frequently disseminating actionable intel about emerging security and privacy news and trends, threats, and defenses.
  • Researches, evaluates, tests, and recommends new security products on the market to help ensure MedMen’s defenses remain effective against emerging threats.
  • Writes, updates, and maintains MedMen’s written security policies, standards, guidelines, and procedures.
  • Leads, mentors, and inspires security staff, while teaching developers, infrastructure engineers, and project managers about the best ways to protect MedMen and its customers.

(Note: The Company complies with the Americans with Disabilities Act (ADA), as amended by the ADA Amendments Act (ADAAA), and all applicable state and local fair employment practices laws, and is committed to providing equal employment opportunities to qualified individuals with disabilities. Consistent with this commitment, the Company will provide a reasonable accommodation to disabled applicants and employees if the reasonable accommodation would allow the individual to perform the essential functions of the job, unless doing so would create an undue hardship.)

Basic Qualifications

  • 10+ years’ experience building, managing, and leading effective Information Security and data privacy programs, teams, and controls
  • Expert-level knowledge of CCPA, HIPAA, PCI, and SOX, and their security control requirements
  • 10+ years of hands-on experience in security architecture, security engineering, and penetration testing
  • Expert-level knowledge of common web, application, cloud, network, malware, and phishing attacks, plus defenses recommended by best practice bodies such as OWASP
  • Prior experience managing external SOX or other audits successfully
  • Exceptional communication, mentoring, and training soft skills, with proven ability to simplify complex topics for lay audiences, and influence and inspire others toward stronger security and data privacy practices
  • Prior experience writing, maintaining, and socializing InfoSec and privacy policies, standards, and guidelines
  • In-depth knowledge of common security best practice frameworks, such as NIST
  • Strong understanding of modern web and networking protocols, including TCP, HTTP, and DNS
  • Hands-on web, mobile, API, and wired/wireless network penetration skills using common commercial and/or open source tools; ability to create own custom tools using Python, PowerShell, or other languages is a plus
  • Proven ability to own, track, analyze, prioritize, and remediate security vulnerabilities using common quantitative risk models and effective defenses
  • Understanding of Secure SDLC best practices, with proven ability to mentor developers
  • Prior experience evaluating new products and third party vendors through RFPs or other processes
  • One or more advanced Information Security certifications, such as CISSP, CISM, CCSP, CEH, GPEN, CMWAPT, OSCP, or equivalent
  • Bachelor’s Degree or higher preferred (or equivalent experience)
  • Experience with the following required:
    • Penetration testing tools for web, mobile, API, and network targets
    • Active Directory hardening
    • OS hardening (e.g., Windows, OS X, etc.)
    • Cloud hardening (bonus points for Azure & AWS)
    • Database security (SQL knowledge a plus)
    • Firewalls (Palo Alto a plus)
    • Intrusion Detection/Prevention Systems (IDS/IPS)
    • Network security (e.g., TCP/IP, switches, routers)
    • Encryption (e.g., SSL/TLS, X.509 certificates, PKI, symmetric ciphers)
    • Endpoint & anti-malware (e.g., Cylance, Carbon Black, Bitdefender)
  • Experience with one or more of the following strongly desired:
    • Prior leadership experience in assessing and securing companies being acquired during merger activity
    • Prior experience assessing and securing retail Point of Sale (POS) or credit card processing systems
    • Prior experience assessing and securing cryptocurrency technologies
    • Manual penetration testing methods (e.g., raw protocol manipulation)
    • Prior coding experience in compiled or scripting languages (e.g., .Net, Python, PHP, shell)
    • Ability to create own hacking tools/scripts
    • SIEM and log management tools (e.g., syslog collection, QRadar, ELK Stack)
    • Knowledge of two-factor authentication (2FA) systems
    • Data Loss Prevention (DLP) methods and tools
    • Anti-spam tools
    • Anti-fraud measures for inventory and POS software
    • Forensic tools for gathering, analyzing, and preserving evidence

Supervisory Responsibility

This position will have supervisory responsibilities.

Working Conditions

This job operates in a professional corporate setting. This role routinely uses standard office equipment such as computers, phones, photocopiers, and filing cabinets. This role also routinely uses standard networking equipment such as racks, firewalls, switches, WAPs, and UPSs.

Physical Requirements

While performing the duties of this job, the employee is occasionally required to stand; walk; sit; use hands to finger, handle, or feel objects, tools, or controls; reach with hands and arms; climb stairs; talk or hear. The employee must occasionally lift or move office products and supplies, up to 50 pounds.

Travel Requirements

Travel to support other MedMen locations is expected for this position.

Other Duties

Please note this job description is not designed to cover or contain a comprehensive listing of activities, duties or responsibilities that are required of the employee for this job. Duties, responsibilities, and activities may change at any time with or without notice.

Work Authorization/Security Clearance

There is no visa or H-1B sponsorship. Applicants must successfully complete and pass background and drug screening, and Live Scan fingerprinting.

MedMen Is An Equal Opportunity Employer

We are committed to equal employment opportunity regardless of race, color, religion, creed, national origin or ancestry, ethnicity, sex, sexual orientation, gender, age, physical or mental disability, citizenship, past, current, or prospective service in the uniformed services, genetic information, or any other characteristic protected under applicable laws.

Voluntary Self-Identification

For government reporting purposes, we ask candidates to respond to the below self-identification survey. Completion of the form is entirely voluntary. Whatever your decision, it will not be considered in the hiring process or thereafter. Any information that you do provide will be recorded and maintained in a confidential file.

As set forth in MedMen’s Equal Employment Opportunity policy, we do not discriminate on the basis of any protected group status under any applicable law.

Race & Ethnicity Definitions

If you believe you belong to any of the categories of protected veterans listed below, please indicate by making the appropriate selection. As a government contractor subject to the Vietnam Era Veterans Readjustment Assistance Act (VEVRAA), we request this information in order to measure the effectiveness of the outreach and positive recruitment efforts we undertake pursuant to VEVRAA. Classification of protected categories is as follows:

A "disabled veteran" is one of the following: a veteran of the U.S. military, ground, naval or air service who is entitled to compensation (or who but for the receipt of military retired pay would be entitled to compensation) under laws administered by the Secretary of Veterans Affairs; or a person who was discharged or released from active duty because of a service-connected disability.

A "recently separated veteran" means any veteran during the three-year period beginning on the date of such veteran's discharge or release from active duty in the U.S. military, ground, naval, or air service.

An "active duty wartime or campaign badge veteran" means a veteran who served on active duty in the U.S. military, ground, naval or air service during a war, or in a campaign or expedition for which a campaign badge has been authorized under the laws administered by the Department of Defense.

An "Armed forces service medal veteran" means a veteran who, while serving on active duty in the U.S. military, ground, naval or air service, participated in a United States military operation for which an Armed Forces service medal was awarded pursuant to Executive Order 12985.

Form CC-305

OMB Control Number 1250-0005

Expires 05/31/2023

Voluntary Self-Identification of Disability

Why are you being asked to complete this form?

We are a federal contractor or subcontractor required by law to provide equal employment opportunity to qualified people with disabilities. We are also required to measure our progress toward having at least 7% of our workforce be individuals with disabilities. To do this, we must ask applicants and employees if they have a disability or have ever had a disability. Because a person may become disabled at any time, we ask all of our employees to update their information at least every five years.

Identifying yourself as an individual with a disability is voluntary, and we hope that you will choose to do so. Your answer will be maintained confidentially and not be seen by selecting officials or anyone else involved in making personnel decisions. Completing the form will not negatively impact you in any way, regardless of whether you have self-identified in the past. For more information about this form or the equal employment obligations of federal contractors under Section 503 of the Rehabilitation Act, visit the U.S. Department of Labor’s Office of Federal Contract Compliance Programs (OFCCP) website at www.dol.gov/ofccp.

How do you know if you have a disability?

You are considered to have a disability if you have a physical or mental impairment or medical condition that substantially limits a major life activity, or if you have a history or record of such an impairment or medical condition.

Disabilities include, but are not limited to:

  • Autism
  • Autoimmune disorder, for example, lupus, fibromyalgia, rheumatoid arthritis, or HIV/AIDS
  • Blind or low vision
  • Cancer
  • Cardiovascular or heart disease
  • Celiac disease
  • Cerebral palsy
  • Deaf or hard of hearing
  • Depression or anxiety
  • Diabetes
  • Epilepsy
  • Gastrointestinal disorders, for example, Crohn's disease or irritable bowel syndrome
  • Intellectual disability
  • Missing limbs or partially missing limbs
  • Nervous system condition, for example, migraine headaches, Parkinson’s disease, or multiple sclerosis (MS)
  • Psychiatric condition, for example, bipolar disorder, schizophrenia, PTSD, or major depression

[1] Section 503 of the Rehabilitation Act of 1973, as amended. For more information about this form or the equal employment obligations of Federal contractors, visit the U.S. Department of Labor's Office of Federal Contract Compliance Programs (OFCCP) website at www.dol.gov/ofccp.

PUBLIC BURDEN STATEMENT: According to the Paperwork Reduction Act of 1995 no persons are required to respond to a collection of information unless such collection displays a valid OMB control number. This survey should take about 5 minutes to complete.