Our Story

MedMen is North America’s leading cannabis retailer with flagship locations in Los Angeles, Las Vegas, Chicago, and New York. MedMen offers a robust selection of high-quality products, including MedMen-owned brands [statemade], LuxLyte, and MedMen Red through its premium retail stores, proprietary delivery service, as well as curbside and in-store pick up. MedMen Buds, an industry-first loyalty program, provides exclusive access to promotions, product drops and content. MedMen believes that a world where cannabis is legal and regulated is safer, healthier and happier. Learn more about MedMen and The MedMen Foundation at www.medmen.com

Job Summary

MedMen, the nation’s leading cannabis retail brand, is seeking an experienced Director of Information Security to lead the company’s exciting InfoSec and data privacy initiatives.

The Director is a visible and proactive leader across all security domains, provides expert security guidance and awareness at all levels of the company, and leads efforts to protect MedMen networks, clouds, systems, and data nationwide at corporate, retail, manufacturing, and distribution facilities.

The ideal candidate has strong business acumen, a proven understanding of complex Information Security threats and defenses, a deep understanding of data privacy laws and best practices, stellar project management and communication skills, and a long history of hands-on experience in application and database security, network security architecture, and penetration testing.

The Director is responsible for protecting web and mobile sites and applications before and after deployment, penetration testing, managing vulnerability remediation, investigating security incidents, providing security architecture guidance, optimizing security hardware and software, vetting vendor and partner security, researching new threats and defenses, gathering and analyzing security metrics, writing security policies in accordance with industry best practices and compliance requirements, maintaining security awareness and training for staff, ensuring compliance with laws like CCPA, HIPAA, and SOX, and leading internal and external IT audits.

If you're a senior-level security manager or director ready to take the next step in your career at an exciting, fast-growing company, this is the opportunity for you!

Job Functions

Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.

Proactively, independently, and continually analyzes, improves, and leads MedMen’s Information Security and data privacy program across the company’s corporate, retail, manufacturing, and distribution landscape to protect all company data, networks, clouds, systems, and applications against cyberattacks, malware infections, phishing, data abuses and leaks, compliance violations, and material audit findings.
Ensures MedMen’s business practices and technologies comply with CCPA, HIPAA, SOX, and other applicable laws, and follow InfoSec best practice frameworks like PCI, NIST, OWASP, etc.
Proactively builds partnerships with Retail, Development, Infrastructure, Desktop Support, Marketing, Finance, Legal, Operations, and executive teams to ensure InfoSec and data privacy remain part of every project’s DNA
Researches, plans, and leads security and privacy projects across all security domains, including application and database security, network security, access controls, firewalls, encryption, and intrusion detection.
Using hands-on security tools, performs own risk assessments, vulnerability tests, penetration tests, and gap analyses against MedMen web and mobile applications, retail store systems, databases, servers, wired and wireless networks, cloud environments, and third party systems, and gives expert-level recommendations on best controls to harden systems.
Serves as Subject Matter Expert (SME) on application and database security. Able to read and understand programming code, performs penetration testing at the code and protocol levels of web and mobile apps, and teaches developers and database administrators how to secure systems against attack. Able to isolate and secure sensitive data using segregation of duty, encryption, monitoring, and similar methods.
Manages testing and hardening of cloud systems, including Azure and Amazon Web Services (AWS). Follows cloud best practices to apply cloud security controls as needed, such as access controls, network segmentation, network and application firewalls, encryption, and monitoring tools.
Discovers, documents, prioritizes, and remediates MedMen vulnerabilities using standard threat risk models, while balancing threat risks against other critical and competing business priorities
Leads efforts to test, deploy, harden, manage, monitor, and inventory core Information Security technologies, including monitoring systems, intrusion detection and anti-virus systems, patching & updating systems, access control systems, firewalls, anti-spam systems, data retention and loss prevention systems, key management systems, encryption appliances, cloud security controls, and backups for data and systems.
Prepares for, and leads the IT portion of MedMen’s annual SOX audit, while ensuring applicable access, availability, integrity, monitoring, and backup controls remain compliant with auditor expectations throughout the year.
Reviews controls of potential third-party vendors using interviews, questionnaires, and testing to verify alignment with company security and privacy standards, and provides feedback on vendor legal contracts to ensure language protect MedMen’s brand, data, and customers.
Leads investigations of cybersecurity and data privacy incidents, while correlating, analyzing, and preserving evidence using forensics tools and best practices.
Analyzes and reports on MedMen’s security metrics and trends gathered from company’s security hardware and software, testing efforts, and vulnerability rankings.
Leads efforts to present and improve training and awareness of security best practices for all employees, while also frequently disseminating actionable intel about emerging security and privacy news and trends, threats, and defenses
Researches, evaluates, tests, and recommends new security products on the market to help ensure MedMen’s defenses remain effective against emerging threats.
Writes, updates, and maintains MedMen’s written security policies, standards, guidelines, and procedures.
Leads, mentors, and inspires security staff, while teaching developers, infrastructure engineers, and project managers about the best ways to protect MedMen and its customers.

(Note: The Company complies with the Americans with Disabilities Act (ADA), as amended by the ADA Amendments Act (ADAAA), and all applicable state and local fair employment practices laws, and is committed to providing equal employment opportunities to qualified individuals with disabilities. Consistent with this commitment, the Company will provide a reasonable accommodation to disabled applicants and employees if the reasonable accommodation would allow the individual to perform the essential functions of the job, unless doing so would create an undue hardship.)

Basic Qualifications

10+ years’ experience building, managing, and leading effective Information Security and data privacy programs, teams, and controls
Expert-level knowledge of CCPA, HIPAA, PCI, and SOX, and their security control requirements
10+ years’ of hands-on experience in security architecture, security engineering, and penetration testing
Expert-level knowledge of common web, application, cloud, network, malware, and phishing attacks, plus defenses recommended by best practice bodies such as OWASP
Prior experience managing external SOX or other audits successfully
Exceptional communication, mentoring, and training soft skills, with proven ability to simplify complex topics for lay audiences, and influence and inspire others toward stronger security and data privacy practices
Prior experience writing, maintaining, and socializing InfoSec and privacy policies, standards, and guidelines
In-depth knowledge of common security best practice frameworks, such as NIST
Strong understanding of modern web and networking protocols, including TCP, HTTP, and DNS
Hands-on web, mobile, API, and wired/wireless network penetration skills using common commercial and/or open source tools; ability to create own custom tools using Python, Powershell, or other languages is a plus
Proven ability to own, track, analyze, prioritize, and remediate security vulnerabilities using common quantitative risk models and effective defenses
Understanding of Secure SDLC best practices, with proven ability to mentor developers
Prior experience evaluating new products and third party vendors through RFPs or other processes
One or more advanced Information Security certifications, such as CISSP, CISM, CCSP, CEH, GPEN, CMWAPT, OSCP, or equivalent
Bachelor’s Degree or higher preferred (or equivalent experience)
Experience with the following required:

Penetration testing tools for web, mobile, API, and network targets
Active Directory hardening
OS hardening (e.g., Windows, OS X, etc.)
Cloud hardening (bonus points for Azure & AWS)
Database security (SQL knowledge a plus)
Firewalls (Palo Alto a plus)
Intrusion Detection/Prevention Systems (IDS/IPS)
Networking security (e.g., TCP/IP, switches, routers)
Encryption (e.g., SSL/TLS, X.509 certs, PKI, symmetric)
Endpoint & anti-malware (e.g., Cylance, Carbon Black, BitDefender)

Experience with one or more of the following strongly desired:

Prior leadership experience in assessing and securing companies being acquired during merger activity
Prior experience assessing and securing retail Point of Sale (POS) or credit card processing systems
Prior experience assessing and securing cryptocurrency technologies
Manual penetration testing methods (e.g., raw protocol manipulation)
Prior coding experience in compiled or scripting languages (e.g., .Net, Python, PHP, shell)
Ability to create own hacking tools/scripts
SIEM tools (e.g., syslog, QRadar, ELK Stack)
Knowledge of two-factor authentication (2FA) systems
Data Loss Prevention (DLP) methods and tools
Anti-spam tools
Anti-fraud measures for inventory and POS software
Forensic tools for gathering, analyzing, and preserving evidence

Supervisory Responsibility

This position will have supervisory responsibilities.

Working Conditions

This job operates in a professional corporate setting. This role routinely uses standard office equipment such as computers, phones, photocopiers, and filing cabinets. This role also routinely uses standard networking equipment such as racks, firewalls, switches, WAPs, and UPSs.

Physical Requirements

While performing the duties of this job, the employee is occasionally required to stand; walk; sit; use hands to finger, handle, or feel objects, tools, or controls; reach with hands and arms; climb stairs; talk or hear. The employee must occasionally lift or move office products and supplies, up to 50 pounds.

Travel Requirements

Travel to support other MedMen locations is expected for this position.

Other Duties

Please note this job description is not designed to cover or contain a comprehensive listing of activities, duties or responsibilities that are required of the employee for this job. Duties, responsibilities, and activities may change at any time with or without notice.

Work Authorization/Security Clearance

There is no visa or H1-B sponsorship. Applicant must successfully complete and pass background and drug screening, and live scan.

MedMen Is An Equal Opportunity Employer

We are committed to equal employment opportunity regardless of race, color, religion, creed, national origin or ancestry, ethnicity, sex, sexual orientation, gender, age, physical or mental disability, citizenship, past, current, or prospective service in the uniformed services, genetic information, or any other characteristic protected under applicable laws.

Apply for this Job

* Required

First Name

Last Name

Phone

Location (City)

Resume/CV

Attach Dropbox Google Drive Paste

Cover Letter

Attach Dropbox Google Drive Paste

When autocomplete results are available use up and down arrows to review

+ Add Another Education

LinkedIn Profile

Website

Street Address

City

State

Zip Code

How did you hear about this job?

Have you ever worked or currently work for MedMen ?

If no, can you submit a work permit if hired?

If hired, can you present evidence of your U.S. Citizenship or proof of your legal right to live and work in this country?

Hours Available:

Are you able to work overtime?

Do you have hour restrictions?

If yes, what are the times restrictions?

What date are you available to start work?

Were you referred to this role by a MedMen employee? If so, what was their name?

Are you at least 21 years old?

Will you now or in the future require sponsorship for employment visa status (e.g., H-1B visa status)?

I hereby certify that I have not knowingly withheld any information that might adversely affect my chances for employment and that the answers given by me to the foregoing questions and statements are true and correct. I hereby authorize MedMen (the "Company") to verify the same. I also authorize my former employers and educational institutions to give any information they may have regarding me to the fullest extent permissible under any and all applicable laws. I further certify that I have personally completed this application. I understand that any omission or misstatement of material fact on this application or on any document used to secure employment shall be grounds for rejection of this application or for immediate discharge if I am employed, regardless of the time elapsed before discovery.

I understand that nothing contained in the application, or conveyed during any interview is intended to create an employment contract between me and the Company and that if I accept an offer that is extended to me, I will be employed at all times on an at-will basis. As an at-will employee, my employment may terminate at any time, with or without cause. Should I accept a position offered to me by MedMen, I agree to conform to the rules and regulations of the Company. I further understand that the Company expressly reserves its inherent authority to manage and control the business enterprise and to exercise its sole discretion to determine all issues pertaining to my employment, including all matters pertaining to promotion, job assignment, the size of the workforce, demotion, transfer and discipline.

I agree that any dispute between me and MedMen arising out of or relating to my application for employment will be submitted to individual binding arbitration in accordance with the employment dispute arbitration rules of JAMS, which can be obtained at www.jamsadr.org. Class or collective actions are not permitted by this arbitration agreement. Any issues regarding the scope or validity of this arbitration agreement shall be decided by a court of competent jurisdiction and not the arbitrator. If I become employed, I understand that I may be required to sign the Mutual Agreement to Arbitrate Claims as a condition of employment

Voluntary Self-Identification

For government reporting purposes, we ask candidates to respond to the below self-identification survey. Completion of the form is entirely voluntary. Whatever your decision, it will not be considered in the hiring process or thereafter. Any information that you do provide will be recorded and maintained in a confidential file.

As set forth in MedMen’s Equal Employment Opportunity policy, we do not discriminate on the basis of any protected group status under any applicable law.

Gender

Are you Hispanic/Latino?

Please identify your race

Race & Ethnicity Definitions

If you believe you belong to any of the categories of protected veterans listed below, please indicate by making the appropriate selection. As a government contractor subject to the Vietnam Era Veterans Readjustment Assistance Act (VEVRAA), we request this information in order to measure the effectiveness of the outreach and positive recruitment efforts we undertake pursuant to VEVRAA. Classification of protected categories is as follows:

A "disabled veteran" is one of the following: a veteran of the U.S. military, ground, naval or air service who is entitled to compensation (or who but for the receipt of military retired pay would be entitled to compensation) under laws administered by the Secretary of Veterans Affairs; or a person who was discharged or released from active duty because of a service-connected disability.

A "recently separated veteran" means any veteran during the three-year period beginning on the date of such veteran's discharge or release from active duty in the U.S. military, ground, naval, or air service.

An "active duty wartime or campaign badge veteran" means a veteran who served on active duty in the U.S. military, ground, naval or air service during a war, or in a campaign or expedition for which a campaign badge has been authorized under the laws administered by the Department of Defense.

An "Armed forces service medal veteran" means a veteran who, while serving on active duty in the U.S. military, ground, naval or air service, participated in a United States military operation for which an Armed Forces service medal was awarded pursuant to Executive Order 12985.

Veteran Status

Form CC-305

OMB Control Number 1250-0005

Expires 05/31/2023

Voluntary Self-Identification of Disability

Why are you being asked to complete this form?

We are a federal contractor or subcontractor required by law to provide equal employment opportunity to qualified people with disabilities. We are also required to measure our progress toward having at least 7% of our workforce be individuals with disabilities. To do this, we must ask applicants and employees if they have a disability or have ever had a disability. Because a person may become disabled at any time, we ask all of our employees to update their information at least every five years.

Identifying yourself as an individual with a disability is voluntary, and we hope that you will choose to do so. Your answer will be maintained confidentially and not be seen by selecting officials or anyone else involved in making personnel decisions. Completing the form will not negatively impact you in any way, regardless of whether you have self-identified in the past. For more information about this form or the equal employment obligations of federal contractors under Section 503 of the Rehabilitation Act, visit the U.S. Department of Labor’s Office of Federal Contract Compliance Programs (OFCCP) website at www.dol.gov/ofccp.

How do you know if you have a disability?

You are considered to have a disability if you have a physical or mental impairment or medical condition that substantially limits a major life activity, or if you have a history or record of such an impairment or medical condition.

Disabilities include, but are not limited to:

Autism
Autoimmune disorder, for example, lupus, fibromyalgia, rheumatoid arthritis, or HIV/AIDS
Blind or low vision
Cancer
Cardiovascular or heart disease
Celiac disease
Cerebral palsy
Deaf or hard of hearing
Depression or anxiety
Diabetes
Epilepsy
Gastrointestinal disorders, for example, Crohn's Disease, or irritable bowel syndrome
Intellectual disability
Missing limbs or partially missing limbs
Nervous system condition for example, migraine headaches, Parkinson’s disease, or Multiple sclerosis (MS)
Psychiatric condition, for example, bipolar disorder, schizophrenia, PTSD, or major depression

Disability Status

¹Section 503 of the Rehabilitation Act of 1973, as amended. For more information about this form or the equal employment obligations of Federal contractors, visit the U.S. Department of Labor's Office of Federal Contract Compliance Programs (OFCCP) website at www.dol.gov/ofccp.

PUBLIC BURDEN STATEMENT: According to the Paperwork Reduction Act of 1995 no persons are required to respond to a collection of information unless such collection displays a valid OMB control number. This survey should take about 5 minutes to complete.

Director, Information Security

Apply for this Job

Voluntary Self-Identification

Voluntary Self-Identification of Disability