Head of Cybersecurity Operations

About Us

At CarGurus (NASDAQ: CARG), we empower individuals to navigate their automotive journey with confidence. Originating from a dedicated group of developers, our goal has always been to instill trust and transparency in the car shopping experience. Over the years, our innovative spirit and rapid market entry have positioned us as the leading automotive marketplace, achieving profitability for over 15 years.

Our Mission

As the automotive landscape shifts, we are committed to transitioning the entire vehicle acquisition process online, assisting our customers from selling their old vehicles to financing, purchasing, and delivering new ones. With millions of consumers visiting our platform monthly and approximately 30,000 dealerships utilizing our services, we pride ourselves on a culture that prioritizes our people. We foster an environment of kindness, collaboration, and innovation, empowering our team members to advance their careers. Disrupting a multi-trillion-dollar industry requires diverse and fresh perspectives.

Position Overview

We are in search of a strategic and experienced cybersecurity executive with a background in publicly traded SaaS organizations to fill the role of Director of Information Security. This position entails overseeing and enhancing our information security framework, ensuring the application of best practices, policies, procedures, and technologies to safeguard against evolving cyber threats. The successful candidate will align our information security initiatives with the overarching strategic goals of the organization while keeping the team focused on shared objectives.

As a pivotal leader, collaboration with business stakeholders such as Legal, IT, Enterprise Applications, Product, and Engineering is essential to ensure compliance with relevant regulations and industry standards, while maintaining the confidentiality, integrity, and availability (CIA) of our systems and data. At CarGurus, we value teamwork and cooperative efforts.

A security-first mindset is crucial, as you will play a key role in fostering a culture of privacy and security across the organization by educating staff on standards and best practices in relatable terms. Comfort in being in the spotlight is necessary; this role is not for those who prefer to remain in the background.

Quickly assessing the dynamic security landscape and making informed decisions regarding potential risks and threats to the organization is vital. CarGurus operates at a rapid pace, requiring quick thinking, especially during security incidents, with appropriate escalation to senior management when necessary.

This role reports directly to the VP of Information Security, Technology, and Enterprise Applications, overseeing Security Operations, Application Security, and IT Risk and Compliance.

Key Responsibilities:

• Lead, mentor, and develop a high-performing security team.
• Conduct annual performance reviews and create personal development and onboarding plans.
• Establish strong, collaborative relationships with peers and key partners across the organization.
• Oversee technical regulatory and compliance requirements.
• Embed security awareness within the organizational culture, engaging with the community and driving continuous education through training and discussions.
• Manage vendor relationships effectively.
• Oversee the security budget and collaborate with the VP on annual budget planning.
• Develop long-term strategic plans for Information Security, aligning tactical tasks and goals with business objectives, risk tolerance, and regulatory requirements, and communicate these to key stakeholders.
• Supervise security controls and enhance the organization’s information security maturity.
• Ensure enforcement and regular review of information security policies, standards, and guidelines to mitigate risks and maintain compliance with industry regulations.
• Collaborate with IT Risk and Compliance to identify, assess, and prioritize information security risks.
• Report security metrics, risks, and mitigation strategies to leadership and relevant stakeholders.

Technical Qualifications:

• Bachelor's Degree or equivalent experience in Information Security or Computer Science.
• Previous experience at a Director level; this is not an entry-level position.
• Industry certifications such as GIAC (GSLC, GSTRT, GLEG), CISM, CISA, or CRISC are advantageous but not mandatory.
• In-depth knowledge of cybersecurity and privacy principles, standards, and risk frameworks (e.g., NIST Cybersecurity Framework, CIS Controls, PCI-DSS, GDPR, CPRA).
• Experience with system audits and IT reporting for SOX and SOC compliance is essential.
• Work closely with the Director of IT and Enterprise Applications on large-scale projects and cross-functional initiatives.
• Familiarity with cloud and application security, particularly with GCP, AWS, or Azure.
• Solid understanding of RBAC models, SSO solutions, identity stores, directory services (SAML 2.0, OAuth 2.0, OIDC), and identity governance.
• Provide feedback to security leaders on technical solutions while allowing them the flexibility to make technical decisions.
• Proven experience in authoring and maintaining security policies, standards, and procedures.

Non-Technical Qualifications:

• Ability to prioritize projects and tasks pragmatically, understanding their critical impacts on the business.
• Collaborate with leadership to create quarterly roadmaps, presenting them to key partners for alignment.
• Strong organizational skills are essential.
• Excellent communication and interpersonal skills, capable of conveying complex technical concepts to diverse audiences in an approachable manner.
• Strong writing skills are necessary for drafting detailed reports for leadership and the Audit Committee.
• Adaptability to the security needs of a fast-paced organization is crucial.
• A passion for continuous learning and staying updated on emerging cybersecurity trends and threats is essential.
• Must be comfortable operating in a dynamic environment with a focus on innovation.
• Integrity, ownership, and accountability should be fundamental values.

Working at CarGurus

We recognize and reward our team members' curiosity and passion with competitive benefits and compensation, including equity for all employees. Our career development initiatives and corporate giving programs, along with employee resource groups (ERGs), foster connections while making a meaningful impact. A flexible hybrid work model and generous time-off policies promote work-life balance and individual well-being. Additional perks such as complimentary daily lunch, discounts on new vehicles, wellness apps, commuting cost coverage, and more support our employees in prioritizing what matters most in their personal and professional lives.

Our Commitment to Diversity

CarGurus is dedicated to creating an inclusive environment where individuals can express their true selves and reach their full potential. We do not discriminate based on race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, gender identity, or sexual orientation. We encourage applicants to apply even if they do not meet every qualification listed in the job description. If you require accommodations during the hiring process due to a disability, please inform your recruiter so we can provide the necessary support. We are eager to learn what unique contributions you can bring to CarGurus.