Director of Information and Data Security

Role Purpose
The Director of Information and Data Security will establish and lead Eltropy's IT and
Cybersecurity function, responsible for developing foundational systems, processes, and
governance across infrastructure, data protection, and compliance. This leader will drive
security maturity across the organization, balancing hands-on execution with long-term
strategic planning, and partnering with external GRC consultants to build a scalable security
and compliance framework aligned with industry standards (e.g., SOC 2, ISO

Key Responsibilities
IT and Infrastructure Security

• Oversee endpoint management, asset inventory, and identity and access management
  (IAM).
• Establish standards for device hardening, patch management, and secure configuration.
• Define and manage the budget for all security and IT tools, services, and human capital,
  ensuring cost-effectiveness and alignment with the overall security roadmap.
• Implement centralized visibility and control across systems and SaaS applications.

Cybersecurity and Data Protection

• Lead threat detection, vulnerability management, and incident response operations.
• Implement and maintain a Cloud Security Posture Management (CSPM) solution to
  monitor cloud infrastructure (AWS/Azure) for misconfigurations and compliance issues.
• Deploy and tune SIEM/XDR solutions to enhance visibility and threat detection across
  environments.
• Conduct regular penetration testing, track remediation, and drive security awareness
  programs.
• Define and enforce data protection policies covering classification, encryption, and
  retention.

Governance, Risk, and Compliance (in partnership with GRC Consultant)

• Partner with external GRC consultants to design and operationalize Eltropy's information
  security and compliance framework.
• Translate consultant-driven recommendations into actionable internal controls, policies,
  and monitoring mechanisms.
• Manage the Third-Party Risk Management (TPRM) program, including vendor due
  diligence, security questionnaires, and ongoing risk monitoring.
• Maintain a centralized risk register and oversee remediation tracking.
• Own operational compliance for frameworks such as SOC 2, ISO 27001, and GDPR.

Security Architecture and Product Collaboration

• Work closely with Engineering and Product teams to embed security-by-design principles
  in SaaS architecture and cloud deployments.
• Implement automated security testing (SAST/DAST) within the CI/CD pipeline to shift
  security left and reduce vulnerabilities early in the development lifecycle.
• Review architecture and third-party integrations to ensure alignment with data security
  and privacy standards.

Incident Management and Business Continuity

• Establish and operationalize the company's Incident Response Plan (IRP) and Business
  Continuity/Disaster Recovery (BCP/DR) framework.
• Conduct tabletop exercises and post-incident reviews to enhance preparedness and
  learning.

Security Awareness and Culture

• Develop and implement a company-wide security awareness program.
• Partner with HR and Operations to ensure onboarding/offboarding includes security
  compliance and periodic training.
• Foster a security-first culture emphasizing accountability and vigilance across teams.

Leadership and Department Setup

• Build and lead a high-performing IT and Security team, including IT administrators and
  cybersecurity engineers.
• Define structure, roles, and hiring priorities aligned with the company's growth stage.
• Create a phased roadmap for security maturity, including technology adoption and process optimization.

Key Performance Indicators (KPIs)

• Security Tool Coverage: Achieve at least X% deployment and agent coverage across all
  corporate and cloud assets within the first 6 months.
• Vulnerability Remediation: Maintain average time-to-remediate critical and high
  vulnerabilities below X days.
• Compliance Milestones: Achieve SOC 2 / ISO 27001 readiness within agreed timelines.
• Asset Visibility: 100% endpoint and asset inventory completeness.
• Incident Management: Reduction in mean time to detect (MTTD) and mean time to
  respond (MTTR) for incidents.
• Team Ramp; Process Setup: Completion of key hires and operational processes within the first
  year.

Requirements

• Independent, self-starter with strong ownership and execution bias.
• Ability to prioritize and execute in a resource-constrained, fast-paced SaaS environment.
• Strategic thinker with operational depth; able to balance long-term maturity goals with
  immediate risk mitigation.
• Excellent communication skills with the ability to influence and align cross-functional
  stakeholders.
• Proven experience setting up IT or cybersecurity programs in a SaaS or technology
  environment.
• Strong understanding of endpoint protection, cloud infrastructure security (AWS/Azure),
  IAM, and network security.
• Experience with SIEM and/or XDR deployment and tuning for threat detection and
  monitoring.
• Familiarity with CSPM, SAST/DAST, and vulnerability management tools.
• Knowledge of GRC frameworks (SOC 2, ISO and translating them into practical,
  auditable controls.

Reporting to: VP of Operations
Level: Senior Leadership

Direct Reports:
- IT Team
- Cybersecurity Engineer(s)