Sr. Director, Information Security: CloudSec & GRC (Remote)

The Senior Director, Information Security position plays an integral role in protecting iHerb from internal and external threats and works closely with key business stakeholders and technology teams to implement and improve an efficient information security program that embeds security throughout all processes and systems. This role will also ensure that operational, legal, regulatory, and security risks related to IT are assessed and mitigated in a cost-effective manner in accordance with the business requirements.

Job Expectations:
•    This is a leadership role that has accountability for identifying, evaluating, reporting, and managing information security risks in ways that meet security, compliance, and regulatory requirements with focus on GRC and Cloud Security.
•    Develop a vision and strategy for trust, comprised of cybersecurity, compliance, and risk management, that will include measurable goals, objectives, and metrics
•    Design, develop, coordinate, and document the secure operation of information systems and develop best practices for securing enterprise-wide data and information systems
•    Ensure cloud security practices align with relevant industry standards, regulations, and compliance frameworks. Lead efforts to maintain and obtain necessary certifications.
•    Oversee the implementation of advanced security monitoring and analysis tools to detect and respond to security incidents and vulnerabilities 
•    Evaluate the security posture of third-party cloud providers and vendors. Develop and implement strategies to manage and mitigate associated risks.
•    Build, mentor, and lead a team of cloud security and GRC professionals. Foster a collaborative and innovative work environment that encourages skill development and knowledge sharing.

Knowledge, Skills and Abilities:
•    Master’s degree in an Information Technology related field of study or equivalent post-high school education and/or work-related experience 
•    Strong team leadership skills of direct teams in Cybersecurity, Security Architecture and Engineering, Education and Awareness, Governance Risk and Compliance, and Identity and Access Administration (IAM)
•    Experience leading and developing a strategic, comprehensive enterprise information security and IT risk and privacy management program
•    15+ years of experience in Cybersecurity, System security, cloud security, and risk management.
•    Knowledge and clear understanding of cloud-based infrastructures/software and how they affect security needs.
•    Experience implementing security practices in CI/CD environment, 
•    Self-motivation and the ability to work under minimal supervision are a must
•    Excellent at multitasking, and open to constant learning
•    Excellent problem solving and analytical skills; outstanding oral and written communication skills
•    Energetic and positive attitude

Cloud Security area 

Key Tasks – Establish proactive secure approach to cloud related technologies and services; standardize builds; robust monitoring; DevSecOps approach to scale; identify and mitigate security risks

-    Develop and implement comprehensive cloud security strategies, policies, and procedures to safeguard our cloud infrastructure and data assets.
-    Collaborate with DevOps and engineering teams to integrate security into the software development lifecycle (SDLC) and cloud deployment processes.
-    Implement and manage security controls and tools, including identity and access management (IAM), encryption, network security, and intrusion detection and prevention systems.
-    Monitor and analyze cloud security logs and alerts, investigate security incidents, and coordinate incident response efforts.
-    Conduct regular cloud vulnerability assessments and penetration testing and oversee the remediation of identified vulnerabilities.
-    Ensure compliance with industry standards and regulations (e.g., NIST, GDPR, PCI) by establishing and maintaining appropriate security controls.
-    Stay up to date with the latest security threats, vulnerabilities, and best practices, and recommend enhancements to our security infrastructure and processes.
-    Lead and contribute to security awareness and training initiatives for employees, supporting colleagues to build a security mindset. 

GRC area
This function is responsible for the planning, implementation and successful delivery of programs for the Governance, Risk and Controls Center of Excellence and may include leading project teams and Project Managers that are each responsible for various elements of project.
Key Tasks - Technology/Security Governance; Risk Assessment and Management; Supplier Chain/Vendor Risk; Security Awareness Training
-    This includes architecting program or project structures, plans to enable fulfillment an articulated business strategy and managing large program budgets
-    They will manage end-to-end complex crossline of business impacting change initiatives in alignment with Enterprise Change Management Framework
-    This includes all phases of program delivery from idea generation, business case development, planning, execution, transition, and operation 
-    They will challenge/review program status in partnership with business and technology stakeholders to ensure sound risk and issue management throughout the project lifecycle
-    Program elements may include areas such as organization structure, processes, operational support and technology
-    Engages and partners with Risk/Compliance to meet regulatory commitments while driving down risk to iHerb

#LI-JC1