Director of IT Security (Remote US)
Directive · United States · 2 wk ago
RemoteRemoteInformation Technology$150k–$190k/yrFull-time
Cybersecurity Strategy And Governance
Develop and execute the company's information security strategy and scalable security roadmap.
Establish and maintain enterprise security policies, standards and governance frameworks.
Present cybersecurity risks, recommendations and security metrics to executive leadership.
Partner with department leaders to ensure security is integrated into business operations and decision-making.
Stay ahead of emerging cybersecurity threats, AI risks and industry best practices.
Risk Management And Threat Assessments
- Conduct ongoing enterprise-wide cybersecurity risk assessments across infrastructure, endpoints, applications and business processes.
Build and maintain the organization's cybersecurity risk register and remediation roadmap.
Lead vulnerability management efforts and prioritize remediation based on business risk.
Perform third-party vendor security assessments and ongoing vendor risk management.
Continuously evaluate new technologies and recommend security improvements.
Configure and enforce data governance policies across distributed tools (Notion, Drive, Stratos) to prevent data silos.
Manage device security policies using MDM software (Kandji) to protect company assets.
Security Operations & Incident Response
- Own the organization's incident response program, including playbooks, tabletop exercises and post-incident reviews.
Oversee endpoint security, identity and access management, privileged access controls, MFA and device security.
Partner with the Senior IT Manager to implement technical security controls and monitor the health of the environment.
Coordinate with external security vendors and managed security providers when necessary.
Develop and oversee business continuity and disaster recovery planning.
Compliance & Client Security
- Lead security compliance initiatives including SOC 2 Type II and future security certifications.
Own customer security questionnaires and support enterprise sales opportunities by demonstrating Directive's security posture.
Partner with Legal, Insurance, and Finance on privacy, data governance, and regulatory compliance.
Maintain documentation for security policies, controls, audits, and evidence collection.
Security Awareness & Culture
- Build and/or manage company-wide security awareness and phishing training programs.
Promote a security-first culture across the organization.
Educate employees on evolving cybersecurity threats, social engineering, AI usage and data protection best practices.
Establish security metrics and regularly report organizational security maturity.
What You Offer /Qualifications
- 7+ years of experience in cybersecurity, information security or risk management.
3+ years leading enterprise security programs or security teams.
Demonstrated experience performing cybersecurity risk assessments and threat modeling.
Strong knowledge of cloud-first and SaaS-based environments including Google Workspace, Salesforce, NetSuite, Okta and modern identity platforms.
Experience implementing and maintaining security frameworks such as SOC 2, ISO 27001 or the NIST Cybersecurity Framework.
Deep understanding of endpoint security, identity management, vulnerability management, incident response and security operations.
Experience working within fully remote organizations supporting distributed workforces.
Strong executive communication skills with the ability to translate technical risk into business impact.
CISSP, CISM, CRISC, or equivalent cybersecurity certification is strongly preferred.
What Success Looks Like
- Develop and execute a scalable cybersecurity roadmap that measurably improves Directive's overall security posture.
Complete enterprise-wide risk and threat assessments, resulting in prioritized remediation plans for critical vulnerabilities.
Maintain successful SOC 2 compliance and establish audit readiness across all security controls and documentation.
Reduce organizational cybersecurity risk through stronger identity management, endpoint protection, and security governance.
Build a proactive security awareness program that significantly reduces phishing susceptibility and increases employee security engagement.
Establish measurable security KPIs and provide regular executive reporting on risks, trends, and program maturity.
Create a resilient incident response and disaster recovery program that enables the business to respond confidently to security events with minimal operational disruption.
Become a trusted strategic partner to executive leadership by balancing strong security practices with business agility and growth.