
Director of IT Security

Job in Irvine, Orange County, California, 92713, USA
Listing for: ETAP Software
Full Time position
Listed on 2026-06-26
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security
Salary/Wage Range or Industry Benchmark: 137500 - 229500 USD Yearly
Job Description & How to Apply Below

Director Of IT Security

The Director of IT Security serves as the company's security hub and "quarterback," aligning IT, Engineering/R&D, Quality, Legal, and business leadership around a clear security strategy and coordinating end-to-end delivery across teams that may not sit within a dedicated security organization. This role drives prioritization, establishes clear ownership, coordinates end-to-end security operations, keeps execution moving (risk management, incidents, audits, vendor/security reviews, and training), and provides timely visibility to leadership on posture, gaps, and remediation progress.

In addition, this position owns and coordinates security obligations tied to the National Security Agreement (NSA) and related federal/customer requirements, including audit readiness, documentation, and evidence management - ensuring the organization can demonstrate compliance while maintaining operational efficiency.

Success depends on the ability to influence without authority, create clarity, and prioritize, partnering closely with Engineering/R&D, Quality, Legal, HR, Finance, Operations, and business leaders to embed security into day-to-day operations and product development.

Key Outcomes
  • A practical security program that scales with clear priorities, minimal bureaucracy, and measurable risk reduction.
  • Audit- and customer-ready security posture (evidence organized, controls operating, owners assigned).
  • Cross-functional security ownership: security responsibilities embedded across IT, Engineering, and business teams rather than centralized in a large security staff.
  • Reliable incident response, monitoring, and reporting pathways that work with limited tools and people.
  • Sustained compliance with NSA obligations and related security plans (e.g., FOCI mitigation artifacts) with predictable cadence and governance.

Key Responsibilities

1) Security Leadership and Governance

  • Establish and maintain the company's security strategy, annual roadmap, and control framework aligned to business priorities and resource constraints.
  • Lead a lightweight security governance cadence (e.g., monthly risk review, quarterly executive updates) to drive decisions, remove blockers, and maintain accountability.
  • Define security standards, patterns, and guardrails that teams can follow without heavy security staffing.
  • Own security policies, exceptions, and compensating controls; ensure policies are practical, adopted, and periodically reviewed.

2) Risk Management

  • Maintain an enterprise risk register, including IT, product/engineering, vendor, and compliance risks; drive mitigation plans with clear owners and deadlines.
  • Provide security architecture direction for cloud/services, endpoints, identity, networks, and corporate applications - focusing on standardization and simplification.
  • Partner with R&D to implement scalable controls (e.g., MFA, least privilege, secure configurations, patching SLAs, logging baselines).

3) Cross-Functional Partnership

  • Collaborate with Engineering/R&D to implement secure development practices appropriate for the organization (secure SDLC expectations, code and dependency risk management, environment protections).
  • Partner with QA/Quality and Legal to maintain certifications, manage findings, and ensure contractual/regulatory obligations are met.
  • Partner with Legal on interpretation of regulatory, NSA, customer, and contractual security obligations, translating requirements into operational controls.
  • Influence leaders to build security responsibilities into roles, objectives, and operating routines.
  • Partner with parent company and sister company Security teams to align security strategy, standards, and risk posture; share risk and incident intelligence; coordinate on shared controls, incidents, audits, and assurance activities; and ensure efficient information sharing while respecting organizational boundaries, regulatory obligations, and data segregation requirements.

4) Compliance, Audit Readiness & Evidence Management

  • Lead planning and coordination for internal, customer, third-party, parent-company, and government-related audits/reviews.
  • Support review and operationalization of customer and partner security obligations in coordination with Legal, ensuring commitments are implementable and evidence backed.
  • Maintain an evidence program: control narratives, procedures, test results, access reviews, training completion, incident records, and corrective actions.
  • Support ISO 27001 and other applicable certifications/attestations; ensure alignment and minimize duplicate work across frameworks.

5) National Security Agreement (NSA) & Federal/Controlled Data Responsibilities

  • Serve as the primary Security authority accountable for defining sustainable security controls required by the NSA and government-approved security plans.
  • Protect classified, controlled unclassified information (CUI), export-controlled, and NSA-governed data through appropriate technical and procedural safeguards.
  • Maintain alignment with relevant frameworks and…