Chief Information Security Officer

About Us

At CarGurus (NASDAQ: CARG), we empower individuals to navigate their journeys with confidence. Our origins trace back to a dedicated group of developers committed to instilling trust and transparency in the automotive marketplace. Over the years, our innovative spirit and rapid market entry have propelled us to become the largest and most rapidly expanding automotive platform, maintaining profitability for over 15 years.

Our Mission

The automotive landscape is shifting, and so are we. We are transitioning the entire vehicle purchasing experience online, assisting our customers at every stage—from selling their old vehicles to financing, purchasing, and delivering new ones. Each month, millions of consumers engage with our platform, supported by approximately 30,000 dealerships utilizing our services. Our employees thrive in a culture that prioritizes people, fostering collaboration, kindness, and innovation while equipping our Gurus with the necessary tools for career advancement. Disrupting a multi-trillion-dollar industry requires diverse and fresh perspectives.

Position Overview

We are in search of a proficient and strategic leader in cybersecurity, with experience in publicly traded SaaS organizations, to take on the role of Director of Information Security. This position entails overseeing and enhancing our information security framework, ensuring the application of best practices, policies, procedures, and technologies to safeguard against emerging cyber threats. The successful candidate will align established information security initiatives with the overarching strategic goals of the organization while ensuring the team remains informed and focused on shared objectives.

As a pivotal leader, collaboration with business stakeholders such as Legal, IT, Enterprise Applications, Product, and Engineering is essential to ensure compliance with relevant regulations and industry standards, while upholding the confidentiality, integrity, and availability (CIA) of our systems and data. CarGurus values teamwork and collaborative efforts.

A security-first mindset is crucial, as you will be responsible for fostering a culture of privacy and security across the organization by educating staff on standards and best practices in accessible language. Comfort in being in the spotlight is necessary; this role is not suited for those who prefer to remain in the background.

Rapid assessment of the ever-evolving security landscape is required, enabling practical decision-making regarding potential risks and threats to the organization. CarGurus operates at a fast pace, necessitating quick thinking, especially during security incidents, with appropriate escalation to senior management.

This role reports directly to the VP of Information Security, Technology, and Enterprise Applications, overseeing Security Operations, Application Security, and IT Risk and Compliance.

Key Responsibilities:

• Lead, mentor, and develop a high-performing security team.
• Conduct annual performance reviews and create personal development and onboarding plans.
• Establish strong, collaborative relationships with peers and key partners across the organization.
• Maintain oversight of technical regulatory and compliance obligations.
• Embed security awareness within the company culture, engaging with the community and driving continuous education through training and discussions.
• Manage vendor relationships effectively.
• Oversee the security budget in collaboration with the VP during annual budget planning.
• Develop long-term strategic plans for Information Security, aligning tactical tasks and goals with business objectives, risk tolerance, and regulatory requirements.
• Supervise security controls and the advancement of the organization's information security maturity.
• Ensure enforcement and regular review of information security policies, standards, and guidelines to mitigate risks and maintain compliance with industry regulations.
• Collaborate with IT Risk and Compliance to identify, assess, and prioritize information security risks across the organization.
• Report security metrics, risks, and mitigation strategies to leadership and relevant stakeholders.

Technical Qualifications:

• Bachelor's Degree or equivalent experience in Information Security or Computer Science.
• Previous experience at a Director level; this is not an entry-level position.
• Industry certifications such as GIAC (GSLC, GSTRT, GLEG), CISM, CISA, or CRISC are advantageous but not mandatory.
• Comprehensive understanding of cybersecurity and privacy principles, standards, and risk frameworks (e.g., NIST Cybersecurity Framework, CIS Controls, PCI-DSS, GDPR, CPRA).
• Experience with system audits and IT reporting for SOX and SOC compliance is essential.
• Collaborate closely with the Director of IT and Enterprise Applications on large-scale projects and cross-functional initiatives.
• Familiarity with cloud and application security fundamentals, including GCP, AWS, or Azure.
• Solid understanding of RBAC models, SSO solutions, identity stores, and identity governance.
• Provide constructive feedback to security leaders on technical solutions while allowing them the autonomy to make technical decisions.
• Proven ability to author and maintain security policies, standards, and procedures.

Non-technical Qualifications:

• Ability to prioritize projects and tasks pragmatically, understanding their critical impacts on the business.
• Collaborate with leadership to develop quarterly roadmaps, presenting them to key partners for alignment.
• Strong organizational skills are essential.
• Excellent communication and interpersonal skills, capable of conveying complex technical concepts to diverse audiences.
• Strong writing skills are necessary for preparing detailed reports for leadership and the Audit Committee.
• Adaptability to the security needs of a dynamic organization is crucial.
• A passion for continuous learning and staying updated on emerging cybersecurity trends and threats.
• Comfort with calculated risk-taking and innovation in a fast-paced environment.
• Integrity, accountability, and ownership must be fundamental values.

Working at CarGurus

We recognize and reward our Gurus' curiosity and passion with competitive benefits and compensation, including equity for all employees. Our career development initiatives and corporate giving programs, along with employee resource groups (ERGs), foster connections while making a meaningful impact. A flexible hybrid work model and generous time-off policies promote work-life balance and personal well-being. Additional perks, such as daily complimentary lunch, discounts on new vehicles, and wellness resources, help our team focus on what matters most in their professional and personal lives.

Our Commitment to Inclusion

CarGurus is dedicated to creating an environment where individuals can express their true selves and realize their potential. We do not discriminate based on race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, gender identity, or sexual orientation. We value diverse skills, experiences, and perspectives, and encourage applications from all qualified candidates.