MedMen is North America’s leading cannabis retailer with flagship locations in Los Angeles, Las Vegas, Chicago, and New York. MedMen offers a robust selection of high-quality products, including MedMen-owned brands [statemade], LuxLyte, and MedMen Red through its premium retail stores, proprietary delivery service, as well as curbside and in-store pick up. MedMen Buds, an industry-first loyalty program, provides exclusive access to promotions, product drops and content. MedMen believes that a world where cannabis is legal and regulated is safer, healthier and happier. Learn more about MedMen and The MedMen Foundation at www.medmen.com
MedMen, the nation’s leading cannabis retail brand, is seeking an experienced Director of Information Security to lead the company’s exciting InfoSec and data privacy initiatives.
The Director is a visible and proactive leader across all security domains, provides expert security guidance and awareness at all levels of the company, and leads efforts to protect MedMen networks, clouds, systems, and data nationwide at corporate, retail, manufacturing, and distribution facilities.
The ideal candidate has strong business acumen, a proven understanding of complex Information Security threats and defenses, a deep understanding of data privacy laws and best practices, stellar project management and communication skills, and a long history of hands-on experience in application and database security, network security architecture, and penetration testing.
The Director is responsible for protecting web and mobile sites and applications before and after deployment, penetration testing, managing vulnerability remediation, investigating security incidents, providing security architecture guidance, optimizing security hardware and software, vetting vendor and partner security, researching new threats and defenses, gathering and analyzing security metrics, writing security policies in accordance with industry best practices and compliance requirements, maintaining security awareness and training for staff, ensuring compliance with laws like CCPA, HIPAA, and SOX, and leading internal and external IT audits.
If you're a senior-level security manager or director ready to take the next step in your career at an exciting, fast-growing company, this is the opportunity for you!
Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.
- Proactively, independently, and continually analyzes, improves, and leads MedMen’s Information Security and data privacy program across the company’s corporate, retail, manufacturing, and distribution landscape to protect all company data, networks, clouds, systems, and applications against cyberattacks, malware infections, phishing, data abuses and leaks, compliance violations, and material audit findings.
- Ensures MedMen’s business practices and technologies comply with CCPA, HIPAA, SOX, and other applicable laws, and follow InfoSec best practice frameworks like PCI, NIST, OWASP, etc.
- Proactively builds partnerships with Retail, Development, Infrastructure, Desktop Support, Marketing, Finance, Legal, Operations, and executive teams to ensure InfoSec and data privacy remain part of every project’s DNA
- Researches, plans, and leads security and privacy projects across all security domains, including application and database security, network security, access controls, firewalls, encryption, and intrusion detection.
- Using hands-on security tools, performs own risk assessments, vulnerability tests, penetration tests, and gap analyses against MedMen web and mobile applications, retail store systems, databases, servers, wired and wireless networks, cloud environments, and third party systems, and gives expert-level recommendations on best controls to harden systems.
- Serves as Subject Matter Expert (SME) on application and database security. Able to read and understand programming code, performs penetration testing at the code and protocol levels of web and mobile apps, and teaches developers and database administrators how to secure systems against attack. Able to isolate and secure sensitive data using segregation of duty, encryption, monitoring, and similar methods.
- Manages testing and hardening of cloud systems, including Azure and Amazon Web Services (AWS). Follows cloud best practices to apply cloud security controls as needed, such as access controls, network segmentation, network and application firewalls, encryption, and monitoring tools.
- Discovers, documents, prioritizes, and remediates MedMen vulnerabilities using standard threat risk models, while balancing threat risks against other critical and competing business priorities
- Leads efforts to test, deploy, harden, manage, monitor, and inventory core Information Security technologies, including monitoring systems, intrusion detection and anti-virus systems, patching & updating systems, access control systems, firewalls, anti-spam systems, data retention and loss prevention systems, key management systems, encryption appliances, cloud security controls, and backups for data and systems.
- Prepares for, and leads the IT portion of MedMen’s annual SOX audit, while ensuring applicable access, availability, integrity, monitoring, and backup controls remain compliant with auditor expectations throughout the year.
- Reviews controls of potential third-party vendors using interviews, questionnaires, and testing to verify alignment with company security and privacy standards, and provides feedback on vendor legal contracts to ensure language protect MedMen’s brand, data, and customers.
- Leads investigations of cybersecurity and data privacy incidents, while correlating, analyzing, and preserving evidence using forensics tools and best practices.
- Analyzes and reports on MedMen’s security metrics and trends gathered from company’s security hardware and software, testing efforts, and vulnerability rankings.
- Leads efforts to present and improve training and awareness of security best practices for all employees, while also frequently disseminating actionable intel about emerging security and privacy news and trends, threats, and defenses
- Researches, evaluates, tests, and recommends new security products on the market to help ensure MedMen’s defenses remain effective against emerging threats.
- Writes, updates, and maintains MedMen’s written security policies, standards, guidelines, and procedures.
- Leads, mentors, and inspires security staff, while teaching developers, infrastructure engineers, and project managers about the best ways to protect MedMen and its customers.
(Note: The Company complies with the Americans with Disabilities Act (ADA), as amended by the ADA Amendments Act (ADAAA), and all applicable state and local fair employment practices laws, and is committed to providing equal employment opportunities to qualified individuals with disabilities. Consistent with this commitment, the Company will provide a reasonable accommodation to disabled applicants and employees if the reasonable accommodation would allow the individual to perform the essential functions of the job, unless doing so would create an undue hardship.)
- 10+ years’ experience building, managing, and leading effective Information Security and data privacy programs, teams, and controls
- Expert-level knowledge of CCPA, HIPAA, PCI, and SOX, and their security control requirements
- 10+ years’ of hands-on experience in security architecture, security engineering, and penetration testing
- Expert-level knowledge of common web, application, cloud, network, malware, and phishing attacks, plus defenses recommended by best practice bodies such as OWASP
- Prior experience managing external SOX or other audits successfully
- Exceptional communication, mentoring, and training soft skills, with proven ability to simplify complex topics for lay audiences, and influence and inspire others toward stronger security and data privacy practices
- Prior experience writing, maintaining, and socializing InfoSec and privacy policies, standards, and guidelines
- In-depth knowledge of common security best practice frameworks, such as NIST
- Strong understanding of modern web and networking protocols, including TCP, HTTP, and DNS
- Hands-on web, mobile, API, and wired/wireless network penetration skills using common commercial and/or open source tools; ability to create own custom tools using Python, Powershell, or other languages is a plus
- Proven ability to own, track, analyze, prioritize, and remediate security vulnerabilities using common quantitative risk models and effective defenses
- Understanding of Secure SDLC best practices, with proven ability to mentor developers
- Prior experience evaluating new products and third party vendors through RFPs or other processes
- One or more advanced Information Security certifications, such as CISSP, CISM, CCSP, CEH, GPEN, CMWAPT, OSCP, or equivalent
- Bachelor’s Degree or higher preferred (or equivalent experience)
- Experience with the following required:
- Penetration testing tools for web, mobile, API, and network targets
- Active Directory hardening
- OS hardening (e.g., Windows, OS X, etc.)
- Cloud hardening (bonus points for Azure & AWS)
- Database security (SQL knowledge a plus)
- Firewalls (Palo Alto a plus)
- Intrusion Detection/Prevention Systems (IDS/IPS)
- Networking security (e.g., TCP/IP, switches, routers)
- Encryption (e.g., SSL/TLS, X.509 certs, PKI, symmetric)
- Endpoint & anti-malware (e.g., Cylance, Carbon Black, BitDefender)
- Experience with one or more of the following strongly desired:
- Prior leadership experience in assessing and securing companies being acquired during merger activity
- Prior experience assessing and securing retail Point of Sale (POS) or credit card processing systems
- Prior experience assessing and securing cryptocurrency technologies
- Manual penetration testing methods (e.g., raw protocol manipulation)
- Prior coding experience in compiled or scripting languages (e.g., .Net, Python, PHP, shell)
- Ability to create own hacking tools/scripts
- SIEM tools (e.g., syslog, QRadar, ELK Stack)
- Knowledge of two-factor authentication (2FA) systems
- Data Loss Prevention (DLP) methods and tools
- Anti-spam tools
- Anti-fraud measures for inventory and POS software
- Forensic tools for gathering, analyzing, and preserving evidence
This position will have supervisory responsibilities.
This job operates in a professional corporate setting. This role routinely uses standard office equipment such as computers, phones, photocopiers, and filing cabinets. This role also routinely uses standard networking equipment such as racks, firewalls, switches, WAPs, and UPSs.
While performing the duties of this job, the employee is occasionally required to stand; walk; sit; use hands to finger, handle, or feel objects, tools, or controls; reach with hands and arms; climb stairs; talk or hear. The employee must occasionally lift or move office products and supplies, up to 50 pounds.
Travel to support other MedMen locations is expected for this position.
Please note this job description is not designed to cover or contain a comprehensive listing of activities, duties or responsibilities that are required of the employee for this job. Duties, responsibilities, and activities may change at any time with or without notice.
Work Authorization/Security Clearance
There is no visa or H1-B sponsorship. Applicant must successfully complete and pass background and drug screening, and live scan.
MedMen Is An Equal Opportunity Employer
We are committed to equal employment opportunity regardless of race, color, religion, creed, national origin or ancestry, ethnicity, sex, sexual orientation, gender, age, physical or mental disability, citizenship, past, current, or prospective service in the uniformed services, genetic information, or any other characteristic protected under applicable laws.