Director of Information and Data Security

Role Purpose

The Director of Information and Data Security will establish and lead Eltropy’s IT and

Cybersecurity function, responsible for developing foundational systems, processes, and

governance across infrastructure, data protection, and compliance. This leader will drive

security maturity across the organization, balancing hands-on execution with long-term

strategic planning, and partnering with external GRC consultants to build a scalable security

and compliance framework aligned with industry standards (e.g., SOC 2, ISO 27001).

Key Responsibilities

IT and Infrastructure Security

• Oversee endpoint management, asset inventory, and identity and access management

(IAM).

Establish standards for device hardening, patch management, and secure configuration.

Define and manage the budget for all security and IT tools, services, and human capital,

ensuring cost-effectiveness and alignment with the overall security roadmap.

Implement centralized visibility and control across systems and SaaS applications.

Cybersecurity and Data Protection

Lead threat detection, vulnerability management, and incident response operations.

Implement and maintain a Cloud Security Posture Management (CSPM) solution to

monitor cloud infrastructure (AWS / Azure) for misconfigurations and compliance issues.

Deploy and tune SIEM / XDR solutions to enhance visibility and threat detection across

environments.

Conduct regular penetration testing, track remediation, and drive security awareness

programs.

Define and enforce data protection policies covering classification, encryption, and

retention.

Governance, Risk, and Compliance (in partnership with GRC Consultant)

Partner with external GRC consultants to design and operationalize Eltropy’s information

security and compliance framework.

Translate consultant-driven recommendations into actionable internal controls, policies,

and monitoring mechanisms.

Manage the Third-Party Risk Management (TPRM) program, including vendor due

diligence, security questionnaires, and ongoing risk monitoring.

Maintain a centralized risk register and oversee remediation tracking.

Own operational compliance for frameworks such as SOC 2, ISO 27001, and GDPR.

Security Architecture and Product Collaboration

Work closely with Engineering and Product teams to embed security-by-design principles

in SaaS architecture and cloud deployments.

Implement automated security testing (SAST / DAST) within the CI / CD pipeline to shift

security left and reduce vulnerabilities early in the development lifecycle.

Review architecture and third-party integrations to ensure alignment with data security

and privacy standards.

Incident Management and Business Continuity

Establish and operationalize the company’s Incident Response Plan (IRP) and Business

Continuity / Disaster Recovery (BCP / DR) framework.

Conduct tabletop exercises and post-incident reviews to enhance preparedness and

learning.

Security Awareness and Culture

Develop and implement a company-wide security awareness program.

Partner with HR and Operations to ensure onboarding / offboarding includes security

compliance and periodic training.

Foster a security-first culture emphasizing accountability and vigilance across teams.

Leadership and Department Setup

Build and lead a high-performing IT and Security team, including IT administrators and

cybersecurity engineers.

Define structure, roles, and hiring priorities aligned with the company’s growth stage.

Create a phased roadmap for security maturity, including technology adoption and process optimization.

Key Performance Indicators (KPIs)

Vulnerability Remediation : Maintain average time-to-remediate critical and high

vulnerabilities below X days.

Compliance Milestones : Achieve SOC 2 / ISO 27001 readiness within agreed timelines.

Asset Visibility : 100% endpoint and asset inventory completeness.

Incident Management : Reduction in mean time to detect (MTTD) and mean time to

respond (MTTR) for incidents.

Team Ramp; Process Setup : Completion of key hires and operational processes within the first

year.

Requirements

Independent, self-starter with strong ownership and execution bias.

Ability to prioritize and execute in a resource-constrained, fast-paced SaaS environment.

Strategic thinker with operational depth; able to balance long-term maturity goals with

immediate risk mitigation.

Excellent communication skills with the ability to influence and align cross-functional

stakeholders.

Proven experience setting up IT or cybersecurity programs in a SaaS or technology

environment.

Strong understanding of endpoint protection, cloud infrastructure security (AWS / Azure),

IAM, and network security.

Experience with SIEM and / or XDR deployment and tuning for threat detection and

monitoring.

Familiarity with CSPM, SAST / DAST, and vulnerability management tools.

Knowledge of GRC frameworks (SOC 2, ISO 27001) and translating them into practical,

auditable controls.

Reporting to : VP of Operations

Level : Senior Leadership

Direct Reports :

IT Team

Cybersecurity Engineer(s)