Chief Information Security Officer
About the role
We are a growing Managed Service Provider expanding our security leadership and building a unified security function across our business. This is a high-priority executive investment with a dual mandate: protect our internal operations and the clients who trust us with their infrastructure, while expanding our security service lines into a strategic revenue driver.
Responsibilities
Define and execute the enterprise information security strategy activities, roadmap, and budget.
Own the internal risk management program: threat management, vulnerability management, access governance, and third-party risk.
Lead all compliance and audit activities including SOC 2 Type II, and CMMC Level 2 certification.
Serve as the executive security voice in client contracts, vendor contracts, security questionnaires, RFP responses and other compliance-related requests.
Drive the security awareness and training program across all employees and contractors.
Lead, mentor, and grow the existing security team; make the hiring and structural decisions needed to scale.
Represent the company's security practice externally at industry events, in analyst briefings, and with strategic partners.
Translate threat landscape shifts and client pain into product requirements and differentiated offerings.
Represent the voice of the security practitioner in architecture and build-vs-buy decisions.
Report regularly to the CTO and executive team on security posture, risk, and program investment.
Maintain budgetary accountability for the Security Operations Team, and the Security Services Business Revenue.
Requirements
7–10 years of security leadership experience, including 3+ years in a Chief Information Security Officer or equivalent role (IT Security Officer, Deputy CISO, Managing Partner, IT Security Practice).
Hands-on ownership and successful completion of multiple: SOC 2, HIPAA, CMMC, or NIST 800-171/800-53 audit cycles, including designing, leading and supporting the program.
Demonstrated experience leading incident response for material incidents, including executive and customer communication, response strategy and repeatable successful outcomes.
Experience managing and closely partnering with multiple 24x7 SOC teams (in-house, co-managed, and outsourced).
Track record of building or significantly scaling a security team and the program it runs.
Strong written and verbal communication, for example, demonstrated ability to move fluently between a board deck, a customer sales call, and a specific security service event.
Comfort in operating in a fast-moving, client-service environment where security is both internal function and a company revenue driver.
Warm and welcoming team-oriented demeanor with clear abilities to craft a positive security aware culture throughout an organization, and with its client base.
Strongly Preferred: Prior experience at an Enterprise Scale Organization, MSP, MSSP, or security consultancy.
Direct vCISO or fractional CISO client facing delivery experience.
Experience preparing an organization for new compliance certifications.
Relevant certifications such as CISSP, CISM, CCSP, or CISA.
Familiarity with the tooling common to MSP environments (RMM, PSA, EDR/XDR/AV, SIEM, ITDR, SAT etc).