Associate Director, Information Security

📋 Description

• • Lead and mature the company-wide information security program with direct, hands-on involvement across governance, risk, compliance (GRC), IT security operations, and cloud/software security domains.
• • Serve as the primary internal authority on information security, advising leadership and department heads on risk priorities, control effectiveness, and security strategy alignment with business objectives.
• • Own end-to-end management of ISO 27001 certification, including audit preparation, evidence collection, control implementation, and continuous improvement programs.
• • Rationalize and harmonize security controls across multiple frameworks including ISO 27001, SOC 2, NIST CSF, and SOX IT General Controls to streamline compliance and reduce redundancy.
• • Develop and maintain clear, practical security policies and standards without reliance on external consultants or pre-built templates, ensuring they are operationalized across the organization.
• • Embed security practices into the software development lifecycle by partnering with Software, Cloud Security, and DevOps teams to enforce secure SDLC practices and application security controls.
• • Define and enforce cloud security governance standards for SaaS-hosted environments, including identity management, access controls, and data protection across AWS, Azure, or GCP platforms.
• • Directly manage the vendor and third-party risk management program, conducting assessments, reviewing agreements, and ensuring compliance with security requirements for external partners.
• • Implement and maintain security controls aligned with life sciences regulatory requirements, specifically 21 CFR Part 11 and GxP standards for regulated systems and data integrity.
• • Oversee security operations across the corporate IT environment including endpoint protection, identity and access management, vulnerability management, and security monitoring via SIEM tools.
• • Design, deliver, and continuously improve the company-wide security awareness and training program tailored to diverse functions including R&D, clinical, and corporate teams.
• • Build and communicate security metrics and reporting dashboards for both technical teams and executive stakeholders to drive informed decision-making and risk prioritization.
• • Mentor and guide security analysts with day-to-day technical direction, knowledge sharing, and practical guidance in IT security operations and cloud security domains.
• • Champion a pragmatic, risk-based security culture across a fast-moving clinical-stage organization, balancing security rigor with operational agility in a life sciences environment.
• • Actively participate in SOX readiness assessments and IPO-related compliance efforts as needed, ensuring the organization is prepared for external audits and investor scrutiny.
• • Leverage GRC platforms such as Vanta, Drata, or Tugboat Logic to automate evidence collection, control tracking, and audit readiness workflows.
• • Maintain hands-on technical proficiency in security tooling across endpoint detection, SIEM, AppSec, and identity management systems to ensure operational effectiveness and team credibility.
• • Translate complex technical findings into actionable business impact for non-technical audiences to secure executive buy-in and resource allocation for security initiatives.