Vice President of Information Security

 Posted 3 days ago
     
5-10 years experience

AI Summary

The VP of Information Security will design and lead the end-to-end security program, including governance, compliance, and product security. This includes managing SOC 2 audits, overseeing risk registers, and partnering with engineering on secure SDLC practices.

About brightfin

brightfin provides clients with a suite of IT financial management and managed software subscriptions to enable your organization to rationalize, comprehend, normalize, optimize, and allocate spend to clearly show IT’s value in delivering revenue, services, and organizational enablement for the enterprise. Our goal is to shape a world where every technology decision is grounded in financial truth, operational clarity, and intelligent automation — enabling organizations to reduce total spend and reinvest in critical innovation.


About the role

brightfin is an enterprise SaaS platform built natively on ServiceNow, helping Fortune 500 and mid-market companies optimize IT spend across telecom, FinOps, and technology asset management. Our customers include large healthcare systems, financial institutions, and global enterprises — organizations where data security and trust are non-negotiable. This is the first dedicated security leadership hire at brightfin. The VP of Information Security owns our security program end to end: governance, compliance, customer trust, and product security. This is a builder role — you'll design the program, hire a small team, and grow it as we scale.


Areas of Responsibility


Security program ownership

  • Design and run brightfin's Information Security Management System (ISMS), aligned to NIST CSF and ISO 27001 principles
  • Own SOC 2 Type II compliance — including annual audits, evidence collection, and continuous monitoring
  • Maintain and mature security policies, standards, and procedures across the organization
  • Lead the company's incident response program: planning, tabletop exercises, and live incident management

Customer and sales enablement

  • Own the security review process for enterprise deals — respond to RFPs, security questionnaires, and customer audits
  • Serve as the security point of contact for enterprise prospects and customers; attend calls as needed to build trust
  • Develop and maintain a security trust portal and standard documentation package

Risk and compliance

  • Build and maintain a risk register; report on risk posture to the executive team and board quarterly
  • Manage third-party and vendor security risk, including contract review and ongoing monitoring
  • Ensure compliance with applicable data privacy regulations (GDPR, CCPA, HIPAA where applicable)

Product and engineering security

  • Partner with the engineering team on secure SDLC practices — code scanning, dependency management, penetration testing
  • Drive cloud security posture management for our AWS/Azure/GCP environments
  • Own the vulnerability management program: triage, prioritization, and remediation tracking

Team and culture

  • Hire and manage a small initial security team (target: 2–3 hires in year one)
  • Run security awareness training and phishing simulation programs company-wide
  • Build a security-conscious culture without creating friction for a fast-moving engineering team


What we're looking for


Required

  • 6+ years in information security, with at least 3 in a leadership role
  • Demonstrated experience building or scaling a security program at a B2B SaaS company
  • Deep SOC 2 ownership experience — you've led Type II audits, not just participated in them
  • Strong working knowledge of NIST CSF, ISO 27001, and cloud security (AWS preferred)
  • Experience running the security side of enterprise sales cycles — responding to security questionnaires, hosting customer calls
  • One or more certifications: CISSP, CISM, CISA, CRISC, or equivalent

Preferred

  • Experience at a ServiceNow ecosystem company or enterprise IT management platform
  • Familiarity with HIPAA and financial services security requirements
  • Prior experience reporting to a board or audit committee
  • Startup or high-growth company background — you've built things, not just managed them


What this role is not

This is not a steady-state security manager role at a mature company with an established program. If you're looking to maintain, this isn't it. You'll be building in a fast environment with lean resources, and making tradeoffs between speed and rigor every week. The right person is energized by that.


Compensation & Benefits

  • brightfin offers a comprehensive health, dental and vision benefits package
  • Paid time off; we strongly believe in work-life balance and taking time for yourself
  • 401K with employer match


Location: Remote, US-Based

The above is intended to describe the general content of and requirements for the performance of this job. It is not to be construed as an exhaustive statement of duties, responsibilities, or physical requirements. Nothing in this job description restricts management's right to assign or reassign duties and responsibilities to this job at any time. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions. brightfin is an equal opportunity employer. The company will consider all qualified applicants without regard to race, color, religion, sex, pregnancy, sexual orientation, gender identity, national origin, disability, veteran or military status, age, genetic information or other characteristics protected by federal, state, or local applicable law. Candidates are subject to a background check. All employees must adhere to brightfin's Information Security and Privacy policies and procedures.
