
Director of Security
Posted 1 day ago

• Take charge of the enterprise information security, compliance, and business continuity program across Crete (corporate) and all member firms.
• Develop standardized, scalable security controls, governance, and operations across various independent control environments.
• Formulate the multi-year security strategy and roadmap across Crete and member firms in a federated model.
• Create and uphold the security policy framework, standards, and minimum control baseline across all firms.
• Establish security operating rhythms and executive reporting: KPIs, risk posture, incident trends, audit/compliance status, and program progress for Crete leadership and firm executives.
• Collaborate with IT, data, and engineering leadership to integrate security into operations, architectural decisions, and change management across the portfolio.
• Lead security diligence for mergers and acquisitions: assessing current-state controls, identifying key risks, and estimating remediation efforts.
• Facilitate the security integration of new firms (people/process/technology) across distinct environments.
• Provide oversight for security architecture in cloud and hybrid environments, emphasizing Azure, Intune, and Microsoft Defender.
• Supervise daily security operations, including vulnerability management, patch/risk prioritization, endpoint and email security, tooling lifecycle, and event triage.
• Manage third-party MDR/SOC providers and promote continuous improvement in monitoring outcomes.
• Oversee the incident response program from start to finish, including runbooks, tabletop exercises, and ransomware preparedness.
• Implement uniform risk management across firms through periodic assessments, control testing, and remediation tracking.
• Assist member firms with client-driven security and compliance requirements (NIST CSF, CIS, SOC 2 Type II).
• Spearhead security awareness and training programs tailored to professional services workflows.
• Lead, mentor, and develop the cybersecurity team.
• Over 10 years of progressive experience in information security or cybersecurity.
• More than 3 years of experience in leading and developing security teams.
• Proven experience in mergers and acquisitions, private equity, or roll-up activities.
• Strong grasp of cloud security principles with practical experience in Azure and Microsoft security.
• Background in managing and governing compliance standards (preferred: NIST CSF, CIS, and SOC 2 Type II).
• Experience in managing business continuity programs and their lifecycle.
• Proficient in Microsoft Azure/Intune.
• Experience overseeing third-party security services (MDR/SOC, incident response retainers, testing vendors).
• Demonstrated capability to design and implement a comprehensive enterprise security control program.
• Exceptional stakeholder management and executive communication skills.
• Bachelor’s degree or equivalent experience; security certifications such as CISSP are preferred.
• Previous experience in professional services and/or accounting and CPA firms is strongly preferred.
• Offers a bonus.