Director of IT & Security

The Director of IT & Security is a senior strategic leader who serves as the organization’s senior security leader, partnering with technical stakeholders to drive program strategy and business alignment , technology policy, and enterprise software governance. This role goes beyond traditional IT management—it is designed for a leader who can scale and champion a continually maturing security program, driving organizational adoption and executive alignment , drive software lifecycle decisions, and function as a trusted executive partner across the C-suite and business units.

The ideal candidate brings deep InfoSec expertise, a policy-builder’s rigor, and the executive presence to champion security culture at every level of the organization. They will extend and evolve established security frameworks, identifying gaps and leading continuous improvement, lead cross-functional alignment, and translate complex technical risk into clear business language for senior leadership.

• Drive organizational maturity and adoption of the enterprise information security program, including threat intelligence, vulnerability management, and incident response.
• Champion and communicate the organization's security posture across on-prem, cloud, SaaS, and hybrid environments.
• Maintain executive visibility into security operations, including SIEM, penetration testing, and incident readiness programs. 
• Serve as a senior strategic advisor on InfoSec, partnering with technical leads on architecture decisions, vendor selection, and product development.
• Partner with the security engineering team to amplify training programs, phishing simulations, and security awareness initiatives across the organization. 
• Own executive communication and stakeholder coordination during security incidents, working in close partnership with technical leads on response execution. 

• Develop, own, and maintain the full library of IT and security policies, including AI and Agentic Use, Acceptable Use, Data Classification, Access Control, Incident Response, Business Continuity, and Disaster Recovery.
• Maintain and evolve existing governance frameworks, ensuring policies remain enforced, current, and responsive to regulatory changes and emerging threats. 
• Deep understanding and expertise in leading compliance programs: SOC 2 Type II, SOX ITGC, ISO 27001, NIST CSF, GDPR, CCPA, and other applicable standards.
• Build and chair a cross-functional IT Governance Committee to align technology policy with business needs.
• Drive policy adoption through communication, training, and accountability mechanisms across all departments.

• Maintain and evolve the organization's established AI security policy and governance framework, ensuring it remains current across acceptable use, data handling, model risk, and third-party AI vendor assessment. 
• Continuously assess and mitigate AI-specific security risks, including prompt injection, data leakage through LLMs, model poisoning, and shadow AI adoption across business units.
• Partner with business and product teams to evaluate and approve AI tools and integrations, ensuring data privacy, IP protection, and compliance requirements are met before deployment.
• Extend and deliver an AI literacy and security training program for all staff—covering safe and responsible AI use, recognition of AI-generated threats (deepfakes, AI-assisted phishing), and data hygiene when interacting with AI tools.
• Leverage AI and automation to enhance security operations—including AI-assisted threat detection, anomaly detection, and automated incident triage—while maintaining human oversight for high-stakes decisions.
• Stay current on the evolving AI regulatory landscape (EU AI Act, emerging NIST AI RMF guidance) and advise leadership on compliance obligations and strategic positioning.

• Build and execute a multi-year information security and IT strategy aligned with organizational goals, risk appetite, and growth trajectory.
• Enhance and evolve the existing security roadmap that prioritizes initiatives by risk reduction impact, resource requirements, and business enablement.
• Leverage existing Business Impact Analysis findings to refine and advance the organization's risk-based approach to security investment, continuously quantifying risk in business terms and prioritizing mitigations accordingly. 
• Lead M&A due diligence and integration planning for technology and security, including system consolidation and data migration risk.
• Proactively monitor the evolving threat landscape and adapt strategy in response to emerging risks and industry developments.
• Establish and track security KPIs and OKRs, reporting progress against strategic goals to senior leadership and the board.

• Own the end-to-end software asset management (SAM) lifecycle: from evaluation and procurement to deprecation and renewal.
• Define and enforce software standards, approved vendor lists, and procurement workflows to reduce shadow IT and redundancy.
• Create standardized software security reviews (SSRs) for all new applications, including SaaS onboarding and third-party integrations.
• Oversee software licensing, contracts, and renewals, ensuring cost efficiency and compliance.
• Evaluate and rationalize the technology stack, making evidence-based recommendations for consolidation or modernization.

• Act as a trusted technology and security advisor to the C-suite, board of directors, and senior business leaders.
• Communicate complex security risks, investment rationale, and program status in clear, business-focused language for non-technical audiences.
• Partner with Legal, Finance, HR, Product and Engineering to embed security into every stage of the business—from product development to people operations.
• Present to the board and executive team on a regular cadence, including threat briefings, compliance updates, and strategic security investments.
• Serve as the internal advocate for security resources, budget, and headcount—making the business case for security at the highest levels.
• Build partnerships with peer organizations, industry groups (ISACs), regulators, and security vendors to stay ahead of threats.

• Lead, mentor, and grow a high-performing IT and Security team, fostering a culture of excellence, psychological safety, and continuous learning.
• Define team structure, hire strategically, and build career development pathways for technical staff.
• Manage IT & Security budget, vendor relationships, and resource allocation with fiscal discipline and transparency.
• Champion and sustain the organization's established security-first culture, deepening its reach and impact across all departments and levels. 

• Bachelor’s degree in Computer Science, Information Systems, Cybersecurity, or a related field; advanced degree preferred.
• 10+ years of experience in information security and IT, with at least 5 years in a senior leadership role.
• Demonstrated success building or significantly maturing an enterprise security program from the ground up.
• Deep expertise in InfoSec domains: network security, endpoint security, cloud security (AWS/Azure/GCP), identity management, and application security.
• Proven track record of authoring and implementing enterprise-grade security and IT policies and governance frameworks.
• Hands-on experience managing software asset lifecycles and enterprise SaaS ecosystems at scale.
• Strong command of compliance frameworks: SOC 2, ISO 27001, NIST CSF, SOX ITGC, GDPR, CCPA.
• Executive communication skills—able to present to boards, C-suite, and non-technical stakeholders with authority and clarity.
• Experience partnering with Legal, Finance, HR, and Product teams on cross-functional security and technology initiatives.

• Relevant certifications: CISSP, CISM, CISA, CCSP, or equivalent.
• Experience with M&A security due diligence and post-merger IT integration.
• Background in media, technology, or subscription-based businesses.
• Familiarity with DevSecOps practices and embedding security into CI/CD pipelines.
• Experience implementing and operating a Security Operations Center (SOC) or MSSP relationship.