The Director of IT & Security is a senior strategic leader who serves as the organization’s senior security leader, partnering with technical stakeholders to drive program strategy and business alignment , technology policy, and enterprise software governance. This role goes beyond traditional IT management—it is designed for a leader who can scale and champion a continually maturing security program, driving organizational adoption and executive alignment , drive software lifecycle decisions, and function as a trusted executive partner across the C-suite and business units.

The ideal candidate brings deep InfoSec expertise, a policy-builder’s rigor, and the executive presence to champion security culture at every level of the organization. They will extend and evolve established security frameworks, identifying gaps and leading continuous improvement, lead cross-functional alignment, and translate complex technical risk into clear business language for senior leadership.

Core Responsibilities

1. Information Security Leadership

• Drive organizational maturity and adoption of the enterprise information security program, including threat intelligence, vulnerability management, and incident response.
• Champion and communicate the organization's security posture across on-prem, cloud, SaaS, and hybrid environments.
• Maintain executive visibility into security operations, including SIEM, penetration testing, and incident readiness programs. 
• Serve as a senior strategic advisor on InfoSec, partnering with technical leads on architecture decisions, vendor selection, and product development.
• Partner with the security engineering team to amplify training programs, phishing simulations, and security awareness initiatives across the organization. 
• Own executive communication and stakeholder coordination during security incidents, working in close partnership with technical leads on response execution. 

2. Policy Creation & Governance

• Develop, own, and maintain the full library of IT and security policies, including AI and Agentic Use, Acceptable Use, Data Classification, Access Control, Incident Response, Business Continuity, and Disaster Recovery.
• Maintain and evolve existing governance frameworks, ensuring policies remain enforced, current, and responsive to regulatory changes and emerging threats. 
• Deep understanding and expertise in leading compliance programs: SOC 2 Type II, SOX ITGC, ISO 27001, NIST CSF, GDPR, CCPA, and other applicable standards.
• Build and chair a cross-functional IT Governance Committee to align technology policy with business needs.
• Drive policy adoption through communication, training, and accountability mechanisms across all departments.

3. AI Security, Governance & Enablement

• Maintain and evolve the organization's established AI security policy and governance framework, ensuring it remains current across acceptable use, data handling, model risk, and third-party AI vendor assessment. 
• Continuously assess and mitigate AI-specific security risks, including prompt injection, data leakage through LLMs, model poisoning, and shadow AI adoption across business units.
• Partner with business and product teams to evaluate and approve AI tools and integrations, ensuring data privacy, IP protection, and compliance requirements are met before deployment.
• Extend and deliver an AI literacy and security training program for all staff—covering safe and responsible AI use, recognition of AI-generated threats (deepfakes, AI-assisted phishing), and data hygiene when interacting with AI tools.
• Leverage AI and automation to enhance security operations—including AI-assisted threat detection, anomaly detection, and automated incident triage—while maintaining human oversight for high-stakes decisions.
• Stay current on the evolving AI regulatory landscape (EU AI Act, emerging NIST AI RMF guidance) and advise leadership on compliance obligations and strategic positioning.

4. Security Strategy & Roadmap

• Build and execute a multi-year information security and IT strategy aligned with organizational goals, risk appetite, and growth trajectory.
• Enhance and evolve the existing security roadmap that prioritizes initiatives by risk reduction impact, resource requirements, and business enablement.
• Leverage existing Business Impact Analysis findings to refine and advance the organization's risk-based approach to security investment, continuously quantifying risk in business terms and prioritizing mitigations accordingly. 
• Lead M&A due diligence and integration planning for technology and security, including system consolidation and data migration risk.
• Proactively monitor the evolving threat landscape and adapt strategy in response to emerging risks and industry developments.
• Establish and track security KPIs and OKRs, reporting progress against strategic goals to senior leadership and the board.

5. Software & Technology Management

• Own the end-to-end software asset management (SAM) lifecycle: from evaluation and procurement to deprecation and renewal.
• Define and enforce software standards, approved vendor lists, and procurement workflows to reduce shadow IT and redundancy.
• Create standardized software security reviews (SSRs) for all new applications, including SaaS onboarding and third-party integrations.
• Oversee software licensing, contracts, and renewals, ensuring cost efficiency and compliance.
• Evaluate and rationalize the technology stack, making evidence-based recommendations for consolidation or modernization.

6. Executive Partnership & Stakeholder Engagement

• Act as a trusted technology and security advisor to the C-suite, board of directors, and senior business leaders.
• Communicate complex security risks, investment rationale, and program status in clear, business-focused language for non-technical audiences.
• Partner with Legal, Finance, HR, Product and Engineering to embed security into every stage of the business—from product development to people operations.
• Present to the board and executive team on a regular cadence, including threat briefings, compliance updates, and strategic security investments.
• Serve as the internal advocate for security resources, budget, and headcount—making the business case for security at the highest levels.
• Build partnerships with peer organizations, industry groups (ISACs), regulators, and security vendors to stay ahead of threats.

7. Team Leadership & Culture

• Lead, mentor, and grow a high-performing IT and Security team, fostering a culture of excellence, psychological safety, and continuous learning.
• Define team structure, hire strategically, and build career development pathways for technical staff.
• Manage IT & Security budget, vendor relationships, and resource allocation with fiscal discipline and transparency.
• Champion and sustain the organization's established security-first culture, deepening its reach and impact across all departments and levels. 

Qualifications

Required

• Bachelor’s degree in Computer Science, Information Systems, Cybersecurity, or a related field; advanced degree preferred.
• 10+ years of experience in information security and IT, with at least 5 years in a senior leadership role.
• Demonstrated success building or significantly maturing an enterprise security program from the ground up.
• Deep expertise in InfoSec domains: network security, endpoint security, cloud security (AWS/Azure/GCP), identity management, and application security.
• Proven track record of authoring and implementing enterprise-grade security and IT policies and governance frameworks.
• Hands-on experience managing software asset lifecycles and enterprise SaaS ecosystems at scale.
• Strong command of compliance frameworks: SOC 2, ISO 27001, NIST CSF, SOX ITGC, GDPR, CCPA.
• Executive communication skills—able to present to boards, C-suite, and non-technical stakeholders with authority and clarity.
• Experience partnering with Legal, Finance, HR, and Product teams on cross-functional security and technology initiatives.

Preferred

• Relevant certifications: CISSP, CISM, CISA, CCSP, or equivalent.
• Experience with M&A security due diligence and post-merger IT integration.
• Background in media, technology, or subscription-based businesses.
• Familiarity with DevSecOps practices and embedding security into CI/CD pipelines.
• Experience implementing and operating a Security Operations Center (SOC) or MSSP relationship.

What We Offer:

Entirely remote jobs that could be performed in Colorado: Employees can expect to be paid a salary of  between $160,000 to $200,000. Additional benefits include health care, vision, dental, retirement, Flexible Time Away,  sick leave, and more.  This salary range is merely an estimate and may vary based on an applicant’s location, market data/ranges, an applicant’s skills and prior relevant experience, certain degrees and certifications, and other relevant factors