
Information Security & Compliance Manager

Remote / Online - Candidates ideally in
Providence, Providence County, Rhode Island, 02912, USA
Listing for: Chisholm Chisholm & Kilpatrick LTD
Remote/Work from Home position
Listed on 2026-04-23
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security, Data Security, IT Consultant
Salary/Wage Range or Industry Benchmark: 80000 - 100000 USD Yearly
Job Description & How to Apply Below

Information Security & Compliance Manager

Location:

Providence, RI (Hybrid work environment available)

Chisholm Chisholm & Kilpatrick (CCK) is a nationally recognized law firm committed to providing exceptional client service in the areas of Veterans Law, Litigation, and Bequest Management. CCK is seeking an Information Security & Compliance Manager (ISCM) to lead its information governance, security and compliance program. This individual will serve as the firm’s primary authority on cybersecurity strategy, data governance, and regulatory compliance, ensuring that client data, attorney‑client privileged communications, and firm intellectual assets are protected at the highest standard.

The role requires both strategic thinking and hands‑on execution, with strong cross‑functional collaboration across IT, legal, operations, and client‑facing teams. Given the sensitive nature of legal practice and the firm’s obligations under applicable bar rules, data protection regulations, and client contractual requirements, this role demands a leader who can create and adapt policy, implement controls, cultivate a security‑aware culture, and maintain compliance with evolving legal and regulatory frameworks.

Key Responsibilities
  • Develop, implement, and maintain the firm's data governance framework, information security strategy, multi‑year roadmap, and security architecture.
  • Establish and operationalize cybersecurity and data governance policies, standards, and procedures firmwide, including applicable state statutory requirements, HIPAA data security requirements, and SOC 2 Trust Services Criteria.
  • Oversee vulnerability management, penetration testing programs, and security monitoring operations.
  • Manage security technologies including SIEM, endpoint detection and response (EDR), identity and access management (IAM), email security, and data loss prevention (DLP) tools.
  • Evaluate third‑party vendors for compliance with internal policies and procedures, state statutory requirements, HIPAA data security requirements, SOC 2 standards and best practices.
  • Lead incident response planning, tabletop exercises, and post‑incident review processes.
  • Foster a culture of security and compliance across the firm, including collaborating with the firm’s internal stakeholders from across departments regarding information security initiatives.
  • Partner with practice group leaders and attorneys to embed data handling standards into legal workflows.
  • Maintain current knowledge of emerging security alerts, issues, threats and trends to enhance the firm’s Information Security posture.
Requirements
  • Minimum 5 years of experience in information security, cybersecurity, and/or compliance roles, with demonstrated career growth.
  • Demonstrated experience building an information security program from the ground up, including policy development, control implementation, and program governance.
  • Hands‑on experience conducting or overseeing security risk assessments, audits, and compliance evaluations.
  • Experience managing vendor/third‑party risk and reviewing technology contracts with security implications.
  • Demonstrated understanding of state data security laws and regulations, HIPAA data security requirements, and SOC 2 Type II audit criteria.
  • Experience using and administering security tools (SIEM, endpoint protection, DLP, MFA, etc.).
  • Experience with the incident response life cycle.
  • Familiarity with NIST, ISO 27001, or COBIT frameworks.
  • Excellent written and communication skills and the ability to work with legal, technical, and non‑technical staff.
  • Ability to translate complex technical risk and mitigation into clear business terms for non‑technical audiences, including firm partners and executive leadership.
  • Strong project management skills and ability to manage multiple concurrent initiatives with competing priorities.
  • Bachelor’s degree in Cybersecurity, Information Technology, Computer Science, or a closely related field; equivalent combination of education and experience considered.
Preferred Certifications
  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Security Manager (CISM)
  • Certified HIPAA Security Professional (CHSP) or equivalent
  • Certified Information Privacy Professional (CIPP/US or CIPM)
  • Certified in Risk and Information Systems Control (CRISC)
  • CompTIA Security+ or equivalent foundational certification
Compensation & Benefits
  • Competitive salary based on experience
  • Options for medical, dental, and vision insurance (including employer‑paid medical insurance for the employee)
  • Gym membership reimbursement
  • 15 days of PTO, increasing to 20 days of PTO after 1 year, plus 14 paid company holidays in 2026
  • 35 Work from Home Days per year that can be used for any reason
  • 401k matching
  • Paid Parental Leave