About the Role
INFORMATION SECURITY MANAGER needed! Hybrid, 3 days a week on site in NYC or London. Base $125k - $175k in NYC and £85k - £120k in London plus discretionary bonus and equity. Open to experience in pretty much any industry, but must have familiarity/experience with SaaS/AI technology products. Must also be experienced and comfortable handling inbound client security due diligence questionnaires (DDQs) as well as managing SOC 2 compliance.
With our client, you will be part of a dynamic team at the forefront of AI technology in the investment management industry. You will have the opportunity to work with cutting-edge products and make a significant impact on their clients' success. Join them to be part of a company that values innovation, client satisfaction, and continuous improvement.
Job Description
The Information Security Manager plays a critical role in safeguarding the organization's information assets by designing, implementing, and maintaining a comprehensive information security program. The Information Security Manager ensures the organization meets its SOC 2 obligations, conducts thorough vendor risk assessments, oversees vulnerability scans, coordinates penetration tests, and completes client security due diligence questionnaires (DDQs) in a timely and accurate manner. The Information Security Manager also develops, maintains, and updates cybersecurity documentation, including policies, procedures, and guidelines, and serves as the primary resource for compliance readiness. By collaborating with cross-functional teams, including technical, operational, and executive stakeholders, the Information Security Manager identifies, evaluates, and mitigates risks while fostering a security-first culture throughout the organization. A key focus is building a robust and efficient security program that supports business growth by streamlining processes and eliminating unnecessary slowdowns. Operating in a fast-paced start-up environment, this role requires a high degree of versatility, resilience, and determination to adapt and thrive in a dynamic setting.
Responsibilities
1. SOC 2 Compliance Oversight:
• Manage end-to-end SOC 2 compliance, including evidence collection, maintenance, testing, and issue remediation.
• Oversee internal controls related to Trust Services Criteria, ensuring continuous audit readiness.
• Communicate SOC 2 requirements and updates to stakeholders, aligning teams on control improvements and best practices.
2. Documentation Management:
• Develop, update, and maintain comprehensive information security documentation, ensuring alignment with industry best practices and regulatory requirements.
• Provide stakeholders with easily accessible, up-to-date security documentation for smooth coordination and reference.
3. Evidence Collection and Audit Readiness:
• Implement efficient processes for gathering and organizing audit-relevant documentation.
• Maintain a secure central repository for security evidence to streamline audit preparation and ensure data integrity.
• Regularly review collected evidence to confirm the effectiveness of implemented security controls.
4. Client Information Security DDQs:
• Serve as the primary point of contact for client-facing security DDQs, ensuring accurate and timely completion.
• Collaborate with internal teams to articulate the organization's security posture effectively.
• Proactively support sales and client success teams in responding to client and prospect due diligence requests.
5. Vendor Risk Assessments:
• Establish and maintain a robust vendor risk management process, from initial assessment through ongoing monitoring.
• Thoroughly evaluate vendors for alignment with security requirements and recommend remedial measures as needed.
6. Vulnerability Management and Penetration Testing:
• Oversee regular vulnerability scans and coordinate comprehensive penetration testing activities.
• Collaborate with development and infrastructure teams to incorporate secure development practices and promptly address identified security weaknesses.
7. Security Policies and Procedures:
• Lead initiatives to continuously review, revise, and improve security policies and procedures, ensuring alignment with organizational goals and industry standards.
• Effectively communicate policy changes across departments and provide engaging training to reinforce adherence.
8. Risk Management and Reporting:
• Develop and maintain a proactive risk management framework, identifying, assessing, and tracking mitigation activities for risks that impact security and compliance.
• Prepare insightful reports for leadership on key security metrics, SOC 2 readiness, vulnerabilities, and emerging threats, offering data-driven recommendations for improvement.
9. Security Awareness and Training:
• Champion a culture of security awareness across the organization, elevating the importance of safe computing practices and adherence to security procedures.
• Design and deploy training programs to enhance security knowledge and foster a security-first mindset.
• Monitor training effectiveness through assessments, surveys, and feedback, continuously refining the curriculum to address evolving needs and knowledge gaps.
10. Collaboration with Product and Development Teams:
• Work closely with product and development teams to seamlessly integrate security considerations into the product lifecycle.
• Ensure that security best practices are embedded in product design, development, and deployment processes.
11. Balancing Security and Business Growth:
• Build a robust security program that actively enhances business growth by streamlining processes, automating tasks, and eliminating unnecessary slowdowns.
• Implement efficient security processes that align with business objectives, facilitate innovation, and maintain a competitive edge.
12. Versatility in a Start-Up Environment:
• Demonstrate exceptional versatility, resilience, and determination to adapt and thrive in a dynamic start-up setting.
• Embrace change, think creatively, and maintain a positive attitude in the face of challenges and evolving priorities.
What You Bring
Required:
1. Education and Experience:
• Bachelor's degree in Computer Science, Information Security, or a related field. Equivalent experience may be considered in lieu of formal education.
• 3-5 years of hands-on experience in information security, governance, or compliance roles; SOC 2 experience strongly preferred.
2. Technical Knowledge and Skills:
• Deep familiarity with information security frameworks and standards (e.g., SOC 2, ISO 27001, NIST CSF).
• Proficiency with vulnerability scanning and penetration testing methodologies, tools, and remediation best practices (e.g., Nessus, Qualys, Burp Suite).
3. Analytical and Communication Abilities:
• Exceptional organizational skills to manage complex documentation requirements and coordinate multiple ongoing projects.
• Strong ability to interpret technical findings and communicate them effectively to both technical and non-technical stakeholders.
• Meticulous attention to detail in aligning processes with compliance requirements and ensuring the accuracy of collected evidence.
4. Soft Skills:
• Proactive and self-motivated in identifying security gaps, anticipating future threats, and proposing innovative improvements.
• Excellent interpersonal skills to build rapport across diverse teams, collaborate effectively, and lead cross-functional initiatives.
• Ability to handle sensitive information with the utmost discretion and maintain the highest ethical standards.
Preferred:
1. Certifications:
• Relevant industry certifications such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), or Certified in Risk and Information Systems Control (CRISC).
2. Industry-Specific Compliance:
• Knowledge of additional regulatory requirements (e.g., GDPR, DORA).