Key Responsibilities
- Develop and maintain the company-wide security strategy, policies, and governance frameworks.
- Ensure ongoing compliance with SOC 2, GDPR, NIST.
- Determine, in conjunction with the other security stakeholders, the company’s strategy for pursuing additional certifications and other relevant global security standards (e.g., ISO 27001).
- Participate in building the Governance, Risk & Compliance (GRC) function, aligning with the privacy, compliance, and enterprise risk functions; maintain and execute against a risk matrix.
- Ensure that each branch of Information Security (Product Security, IT Security, GTM, Vendor Due Diligence, customer-facing topics, Governance, Policies & Audits) is performing its responsibilities effectively and operating in a coordinated manner.
- Lead enterprise-wide security risk assessments, gap analyses, and mitigation planning.
- Partner closely with Legal/Privacy on regulatory obligations, including GDPR, data residency requirements, and incident reporting.
- Oversee vendor risk management and security due diligence, ensuring consistent assessment standards and cross-functional alignment.
- Build and manage a scalable vendor security program, including due diligence, remediation, and monitoring.
- Maintain and refine incident response policies, workflows, roles, and communication procedures.
- Coordinate cross-functional participation during security events, ensuring documentation, communication, and post-incident reporting.
- Serve as the point of escalation for major security events.
- Ensure clear reporting lines, accountability, and coordination between IT Security and Engineering/Product Security.
- Work closely with IT, Product, Engineering, and Data teams to embed security-by-design throughout the development lifecycle.
- Manage dotted-line reporting relationships with Security Engineers and IT team members, ensuring unified strategic direction while respecting functional dependencies.
- Represent Information Security to the Board, Audit Committee, customers, and regulators, as needed.
- Lead company-wide security training and awareness initiatives.
- Promote a security-first culture across all functions, ensuring employees understand their role in protecting company and customer data.
Qualifications
- 8+ years of experience in Information Security, including security governance or GRC leadership roles within SaaS or cloud-based companies.
- Deep knowledge of SOC 2, ISO 27001, NIST, GDPR, and modern security frameworks.
- Hands-on experience with GRC platforms (Drata, OneTrust, Vanta, etc.).
- Experience leading cross-functional initiatives and managing multiple stakeholders.
- Experience with risk management, vendor security, and policy development.
- Proven ability to handle incident response and security operations.
- Strong communication skills, with experience presenting to executives or boards.
